Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Tech Guides - Security

59 Articles
article-image-businesses-are-confident-in-their-cybersecurity-efforts-but-weaknesses-prevail
Guest Contributor
10 Dec 2019
8 min read
Save for later

Businesses are confident in their cybersecurity efforts, but weaknesses prevail

Guest Contributor
10 Dec 2019
8 min read
Today, maintaining data integrity and network security is a primary challenge for businesses everywhere. The scale of the threats they face is enormous. Those that succeed go unheralded. Those that fail end up in the headlines. Despite the risks, a shocking number of security decision-makers seem confident that their companies have no vulnerabilities to exploit. According to a recent research report by Forrester, more than 85% of those decision-makers believe that they've left no gaps in their organization's security posture. A cursory look at the available data, however, should be enough to indicate that some of them are going to be proven wrong – and that they're at a much greater risk than they realize or are willing to admit. The threat landscape is stark. There have already been at least 3,800 data breaches in 2019 alone, which is a huge increase over prior years. The environment is so dangerous that Microsoft and Mastercard are spearheading an effort alongside other tech firms to create a joint-cyberdefense organization to help targeted firms fend off determined attackers. None of that squares with the high confidence that businesses now seem to have in their security. It is clear that there is quite a bit of distance between how digital security experts judge the preparedness of businesses to defend themselves and how the business decision makers view their own efforts. The best way to remedy that is for businesses to double-check their security posture to make sure they are in the best possible position to fend off cyberattacks. To help, here's a rundown of the most common security vulnerabilities that tend to exist in business organizations, to use as a checklist for shoring up defenses. 1. Physical vulnerabilities Although it's often overlooked, the physical security of a company's data and digital assets is essential. That's why penetration testing firms will often include on-site security breach attempts as part of their assessments (sometimes with unfortunate results). It's also why businesses should create and enforce strict on-site security policies and control who possesses what equipment and where they may take it. In addition, any devices that contain protected data should make use of strong storage encryption and have enforced password requirements – ideally using physical keys to further mitigate risk. 2. Poor access controls and monitoring One of the biggest threats to security that businesses now face isn't external – it's from their own employees. Research by Verizon paints a disturbing picture of the kinds of insider threats that are at the root of many cybersecurity incidents. Many of them trace back to unauthorized or improper systems access, or poor access controls that allow employees to see more data than they need to do their jobs. Worse still, there's no way to completely eliminate the problem. An employee with the right know-how can be a threat even when their access is properly restricted. That's why every organization must also practice routine monitoring of data access and credential audits to look for patterns that could indicate a problem. 3. Lack of cybersecurity personnel The speed with which threats in the digital space are evolving has caused businesses everywhere to rush to hire cybersecurity experts to help them defend themselves. The problem is that there are simply not enough of them to go around. According to the industry group (ISC)2, there are currently 2.93 million open cybersecurity positions around the world, and the number keeps on growing. To overcome the shortage, businesses would do well to augment their security personnel recruiting by training existing IT staff in cybersecurity. They can subsidize things like online CompTIA courses for IT staff so they can upskill to meet emerging threats. When it comes to cybersecurity, a business can't have too many experts – so they'd best get started making some new ones. 4. Poor employee security training Intentional acts by disgruntled or otherwise malicious employees aren't the only kind of insider threat that businesses face. In reality, many of the breaches traced to insiders happen by accident. Employees might fall prey to social engineering attacks and spear phishing emails or calls, and turn over information to unauthorized parties without ever knowing they've done anything wrong. If you think about it, a company's workforce is it's largest attack surface, so it's critical to take steps to help them be as security-minded as possible. Despite this reality, a recent survey found that only 31% of employees receive annual security training. This statistic should dent the confidence of the aforementioned security decision-makers, and cause them to reevaluate their employee security training efforts post-haste. 5. Lack of cloud security standards It should come as no surprise that the sharp rise in data breaches has coincided with the headlong rush of businesses into the cloud. One need to only look at the enormous number of data thefts that have happened in broad daylight via misconfigured Amazon AWS storage buckets to understand how big an issue this is. The notoriety notwithstanding, these kinds of security lapses continue to happen with alarming frequency. At their roots is a general lack of security procedures surrounding employee use of cloud data storage. As a general rule, businesses should have a process in place to have qualified IT staff configure offsite data storage and restrict settings access only to those who need it. In addition, all cloud storage should be tested often to make sure no vulnerabilities exist and that no unauthorized access is possible. 6. Failure to plan for future threats In the military, there's a common admonition against "fighting yesterday's war". In practice, this means relying on strategies that have worked in the past but that might not be appropriate in the current environment. The same logic applies to cybersecurity, not that many businesses seem to know it. For example, an all-machine hacking contest sponsored by DARPA in 2016 proved that AI and ML-based attacks are not only possible – but inevitable. Conversely, AI and ML will need to be put to use by businesses seeking to defend themselves from such threats. Still, a recent survey found that just 26% of business security policymakers had plans to invest in AI and ML cybersecurity technologies in the next two years. By the time many come around to the need for doing so, it's likely that their organizations will already be under attack by better-equipped opponents. To make sure they remain safe from such future-oriented threats, businesses should re-evaluate their plans to invest in AI and ML network and data security technology in the near term, so they'll have the right infrastructure in place once those kinds of attacks become common. The perils of overconfidence At this point, it should be very clear that there are quite a few vulnerabilities that the average business must attend to if they hope to remain secure from both current and emerging cyber threats. The various surveys and data referenced here should also be more than enough proof that the confidence many decision-makers have in their current strategies is foolhardy at best – and pure hubris at worst. More importantly, all signs point to the situation getting far worse before it gets better. Every major study on cybersecurity indicates that the pace, scale, and scope of attacks is growing by the day. In the coming years, the rapid expansion of new technologies like the IoT and the hyper-connectivity driven by 5G cellular data networks is going to amplify the current risks to an almost unimaginable level. That means businesses whose security is lacking now don't have much time left to get up to speed. The bottom line here is that when it comes to cybersecurity, nothing is more expensive than regret. It's a dangerous thing for business leaders to be too overconfident in their preparations or to underestimate the size of the security challenges they face. It's a situation where there's no such thing as being too prepared, and they should never be satisfied with the status quo in their efforts to stay protected. Would-be attackers and data thieves will never rest on their laurels – and neither should businesses. Author Bio Andrej Kovačević is a cybersecurity editor at TechLoot, and a contributing writer for a variety of other technology-focused online publications. He has covered the intersection of marketing and technology for several years and is pursuing an ongoing mission to share his expertise with business leaders and marketing professionals everywhere. You can also find him on Twitter. Glen Singh on why Kali Linux is an arsenal for any cybersecurity professional [Interview] CNCF announces Helm 3, a Kubernetes package manager and tool to manage charts and libraries Puppet’s 2019 State of DevOps Report highlight security integration into DevOps practices result into higher business outcome  
Read more
  • 0
  • 0
  • 4311

article-image-the-state-of-the-cybersecurity-skills-gap-heading-into-2020
Guest Contributor
11 Nov 2019
6 min read
Save for later

The state of the Cybersecurity skills gap heading into 2020

Guest Contributor
11 Nov 2019
6 min read
Just this year, several high-profile cyber breaches exposed confidential information and resulted in millions of dollars in damages. Cybersecurity is more important than ever — a big problem for employers facing millions of unfilled cybersecurity positions and a shortage of talented workers. As for the exact number of openings, the estimates vary — but none of them look good. There may be as many as 3.5 million unfilled cybersecurity positions by 2021. As a result, cybersecurity professionals currently in the field are facing serious pressure and long working hours. At cybersecurity conferences, it's not uncommon to see entire tracks about managing mental health, addiction, and work stress. A kind of feedback loop may be forming — one where skilled professionals under major pressure burn out and leave the field, putting more strain on the workers that remain. The cycle continues, pushing talent out of cybersecurity and further widening the skills gap. Some experts go further and call the gap a crisis, though it's not clear we've hit that level yet. Employers are looking at different ways to handle this — by broadening the talent pool and by investing in tools that take the pressure off their cybersecurity workers. Cybersecurity skills gap is on the rise When asked about the skills their organization is most likely to be missing, cybersecurity nearly always tops the list. In a survey conducted by ESG this year, 53% of organizations reported they were facing a cybersecurity shortage. This is 10% more than in 2016. In every survey between this year and 2016, the number has only trended up. There are other ways to look at the gap — by worker hours or by the total number of positions unfilled — but there's only one real conclusion to draw from the data. There aren't enough cybersecurity workers, and every year the skills gap grows worse. Despite pushes for better education and the increasing importance of cybersecurity, there are no signs it's closing or will begin to close in 2020. The why of the skills gap is unclear. The number of graduates from cybersecurity programs is increasing. At the same time, the cost and frequency of cyberattacks are also rising. It may be that schools can't keep up with the growing levels of cybercrime and the needs of companies, especially in the wake of the past few years of high-profile breaches. Employers look for ways to broaden the Talent Pool One possible reason for the skills gap may be that employers are looking for very specific candidates. Cybersecurity can be a difficult field to break into if you don't have the resources to become credentialed. Even prospective candidates with ideal skill sets — experience with security and penetration testing, communication and teamwork skills, and the ability to train nontechnical staff — can be filtered out by automatic resume screening programs. These may be looking for specific job titles, certificates, and degrees. If a resume doesn't pass the keyword filter, the hiring team may never get a chance to read it at all. There are two possible solutions to this problem. The first is to build a better talent pipeline — one that starts at the university or high school level. Employers may join with universities to sponsor programs that encourage or incentivize students to pick up technical certificates or switch their major to cybersecurity or a related field. The high worth of cybersecurity professionals and the strong value of cybersecurity degrees may encourage schools to invest in these programs, taking some of the pressure off employers. This solution isn't universally popular. Some experts argue that cybersecurity training doesn't reflect the field — and that a classroom may never provide the right kind of experience. The second solution is to broaden the talent pool by making it easier for talented professionals to break into cybersecurity. Hiring teams may relax requirements for entry-level positions, and companies may develop training programs that are designed to help other security experts learn about the field. This doesn't mean companies will begin hiring nontechnical staff. Rather, they'll start looking for skilled individuals with unconventional skill sets and a technical background that they can be quickly brought up to speed — like veterans with security or technology training. It's not clear if employers will take the training approach, however. While business leaders find cybersecurity more important every year, companies can be resistant to spending more on employee training. These expenditures increased in 2017 but declined last year. AI tools may help cybersecurity workers Many new companies are developing AI antiviruses, anti-phishing tools and other cybersecurity platforms that may reduce the amount of labor needed from cybersecurity workers. While AI is quite effective at pattern-finding and could be useful for cybersecurity workers, the tech isn't guaranteed to be helpful. Some of these antiviruses are susceptible to adversarial attacks. One popular AI-powered antivirus was defeated with just a few lines of text appended to some of the most dangerous malware out there. Many cybersecurity experts are skeptical of AI tech in general and don't seem fully committed to the idea of a field where cybersecurity workers rely on these tools. Companies may continue to invest in AI cybersecurity technology because there doesn't seem to be many other short-term solutions to the widening skill gap. Depending on how effective these technologies are, they may help reduce the number of cybersecurity openings that need to be filled. Future of the Cybersecurity skills gap Employers and cybersecurity professionals are facing a major shortage of skilled workers. At the same time, both the public and private sectors are dealing with a new wave of cyberattacks that put confidential information and critical systems at risk. There are no signs yet that the cybersecurity skills gap will begin to close in 2020. Employers and training programs are looking for ways to bring new professionals into the field and expand the talent pipeline. At the same time, companies are investing in AI technology that may take some pressure off current cybersecurity workers. Not all cybersecurity experts place their full faith in this technology, but some solutions will be necessary to reduce the pressure of the growing skill gap. Author Bio Kayla Matthews writes about big data, cybersecurity, and technology. You can find her work on The Week, Information Age, KDnuggets and CloudTweaks, or over at ProductivityBytes.com. How will AI impact job roles in Cybersecurity 7 Black Hat USA 2018 conference cybersecurity training highlights: Hardware attacks, IO campaigns, Threat Hunting, Fuzzing, and more. UK’s NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses
Read more
  • 0
  • 0
  • 3518

article-image-6-tips-to-prevent-social-engineering
Guest Contributor
03 Oct 2019
10 min read
Save for later

6 Tips to Prevent Social Engineering

Guest Contributor
03 Oct 2019
10 min read
Social engineering is a tactic where the attacker influences the victim to obtain valuable information. Office employees are targeted to reveal confidential data about a corporation while non-specialists can come under the radar to disclose their credit card information. One might also be threatened that the attacker will hack/his her system if he isn’t provided the asked material. In this method, the perpetrator can take any form of disguise, but at most times, he/she poses as tech support or from a bank. However, this isn’t the case always, although the objective is the same. They sniff the information, which you conceal from everybody, by gaining your trust. Social Engineering ends successfully when the wrongdoer gets to know the victim’s weaknesses and then manipulates his trust. Often, the victim shares his private information without paying much heed to the one who contacts him. Later, the victim is blackmailed by providing his sensitive data otherwise he will be charged under unlawful situations. Examples of Social Engineering attacks As defined above, the attacker can take any form of disguise, but the most common ways will be described here. The wrongdoers update themselves daily to penetrate your system, and even you should be extremely wary of your online security. Always stay alert whenever providing someone with your private credentials. The listed examples are variations of the others. There are many others as well, but the most common has been described. The purpose of all of them is to configure you. As the name states, Social Engineering merely is how an individual can be tricked to give up everything to the person who gains his trust. Phishing Attack Phishing is a malicious attempt to access a person’s personal and sensitive information such as financial credentials. The attacker behind a phishing attack pretends as an authentic identity or source to fool an individual. This social engineering technique mainly involves email spoofing or instant messaging to the victim. However, it may steer people to insert their sensitive details into a fraudulent website, which is designed to look exactly like a legitimate site. Unwanted tech support Tech support scams are becoming wide and can have an industry-wide effect. This tactic involves fraudulent attempts to scare people while putting them into the thought that there is something wrong with their device. Attackers behind this scam try to gain money by tricking an individual into paying for the issue which never exists. Offenders usually send you emails or call you to solve issues regarding your system. Mostly, they tell you that there’s an update needed. If you are not wary of this bogus, you can land yourself in danger. The attacker might ask you to run a command on your system which will result in it getting unresponsive. This belongs to the branch of social engineering known as scareware. Scareware uses fear and curiosity against humans to either steal information or sell you useless pieces of software. Sometimes it can be harsher and can keep your data as a hostage unless you pay a hefty amount. Clickbait Technique Term clickbait refers to the technique of trapping individuals via a fraudulent link with tempting headlines. Cybercriminals take advantage of the fact that most legitimate sites or contents also use a similar technique to attract readers or viewers. In this method, the attacker sends you enticing ads related to games, movies, etc. Clickbait is most seen during peer-to-peer networking systems with enticing ads. If you click on a certain Clickbait, an executable command or a suspicious virus can be installed on your system leading it to be hacked. Fake email from a trusted person Another tactic the offender utilizes is by sending you an email from your friend’s or relative’s email address claiming he/she is in danger. That email ID will be hacked, and with this perception, it’s most likely you will fall to this attack. The sent email will have the information you should give so that you can release your contact from the threat. Pretexting Attack Pretexting is also a common form of social engineering which is used for gaining sensitive and non-sensitive information. The attackers pretext themselves as an authentic entity so that they can access the user information. Unlike phishing, pretexting creates a false sense of trust with the victim through making stories, whereas, phishing scams involve fearing and urgency. In some cases, the attack could become intense, such as in the case when the attacker manipulates the victim to carry out a task which enables them to exploit the structural lacks of a firm or organization. An example of this is, the attacker masking himself as an employee from your bank to cross-check your credentials. This is by far, the most frequent tactic used by offenders. Sending content to download The attacker sends you files containing music, movies, games or documents that appear to be just fine. A newbie on the internet will think about how lucky his day is that he got his wanted stuff without asking. Little does he know that the files he just downloaded are virus embedded. Tips to Prevent Social Engineering After understanding the most common examples of social engineering, let us have a look at how you can protect yourself from being manipulated. 1) Don’t give up your private information Will you ever surrender your secret information to a person you don’t know? No, obviously. Therefore, do not spill your sensitive information on the web unnecessarily. If you do not identify the sender of the email, discard it. Nevertheless, if you are buying stuff online, only provide your credit card information over an HTTP secure protocol. When an unknown person calls or emails you, think before you submit your data. Attackers want you to speak first and realize later. Remain skeptical and converse over a conversation regarding when the other is digging into your sensitive information. Therefore, always think of the consequences if you submit your credentials to an authorized person. 2) Enable spam filter Most email service providers come up with spam filters. Any email that is deemed as suspicious shall automatically be thrown away in the spam folder. Credible email services detect any suspicious links and files that might be harmful and warn a user to download them at your own risk. Some files with specific extensions are barred from downloading. By enabling the spam feature, you can ease yourself from categorizing emails. Furthermore, you shall be relieved from the horrendous tasks of detecting mistrustful messages. The perpetrators of social engineering will have no door to reach you, and your sensitive data will be shielded from attackers. 3) Stay cautious of your password A pro tip for you is that you should never use the same password on the platforms you log onto. Keep no traces behind and delete all sessions after you are done with surfing and browsing. Utilize the social media wisely and stay cautious of people you tag and the information you provide since an attacker might loom there. This is necessary in case your social media account gets hacked, and you have the same password for different websites, your data can be breached up to the skin. You will get blackmailed to pay the ransom to prevent your details from being leaked over the internet. Perpetrators can get your passwords pretty quickly but what happens if you get infected with ransomware? All of your files will be encrypted, and you will be forced to pay the ransom with no data back guarantee which is why the best countermeasure against this attack is to prevent it from happening primarily. 4) Keep software up to date Always update your system’s software patch. Maintain the drivers and keep a close look on your network firewall. Stay alert when an unknown person connects to your Wifi network and update your antivirus according to it. Download content from legitimate sources only and be mindful of the dangers. Hacks often take place when the software the victim’s using is out of date. When vulnerabilities are exposed, offenders exploit the system and gain access to it. Regularly updating your software can safeguard you from a ton of dangers. Consequently, there are no backdoors left for hackers to abuse. 5) Pay attention to what you do online Think of the time that you got self-replicating files on your PC after you clicked on a particular ad. Don’t what that to happen again? Train yourself to not click on Clickbait and scam advertisements. Always know that most lotteries you find online are fake. Never provide your financial details there. Carefully inspect the URL of a website you land on. Most scammers make a copy of a website’s front page and change the link slightly. This is done with such efficiency, that the average eye cannot detect a change in the URL and the user opens the website and enters his credentials. Therefore, stay alert. 6) Remain Skeptical The solution to most problems is that one should remain skeptical online. Do not click on spam links, do not open suspicious emails. Furthermore, do not pay heed to messages stating that you have won a lottery or you have been granted a check of a thousand grand. Remain skeptical of the supreme pinnacle. With this strategy, a hacker will have no attraction of reaching you out since you aren’t paying attention to him. Most of the time, this tactic has helped many people from staying safe online and has never been intercepted by hackers digitally. Consequently, as you aren’t getting attracted to suspicious content, you will be saved from social engineering. Final Words All the tips described above summarize that you are doubting, is vital for your digital secrecy. As you are doubtful, of your online presence, you are entirely protected from online manipulation. Not even you, your credit card information and other necessary information will be shielded as well since you never mentioned it to anyone in the first place. All of this was achieved when you were doubtful of what’s occurring online. You inspected the links you visited and discarded suspicious emails, and thus you are secure. With these actions taken, you have prevented social engineering from occurring. Author Bio Peter Buttler is a Cybersecurity Journalist and Tech Reporter, Currently employed as a Senior Editor at PrivacyEnd. He contributes to a number of online publications, including Infosecurity-magazine, SC Magazine UK, Tripwire, Globalsign, and CSO Australia, among others. Peter, covers different topics related to Online Security, Big data, IoT and Artificial Intelligence. With more than seven years of IT experience, he also holds a Master’s degree in cybersecurity and technology. @peter_buttlr Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT How has ethical hacking benefited the software industry 10 times ethical hackers spotted a software vulnerability and averted a crisis
Read more
  • 0
  • 0
  • 6609

article-image-10-times-ethical-hackers-spotted-a-software-vulnerability-and-averted-a-crisis
Savia Lobo
30 Sep 2019
12 min read
Save for later

10 times ethical hackers spotted a software vulnerability and averted a crisis

Savia Lobo
30 Sep 2019
12 min read
A rise in multiple cyber-attacks and the lack of knowledge and defenses to tackle them has made it extremely important for companies to use ethical hacking to combat hackers. While Black Hat hackers use their skills for malicious purposes to defraud high-profile companies or personalities, Ethical Hackers or White Hat hackers use the same techniques (penetration testing, different password cracking methods or social engineering) to break into a company’s cyber defense but to help companies fix these vulnerabilities or loose ends to strengthen their systems. Ethical hackers are employed directly by the company’s CTO or the management with a certain level of secrecy without the knowledge of the staff or other cybersecurity teams. Ethical hacking can also be crowdsourced through bug bounty programs (BBP) and via responsible disclosure (RP). There are multiple examples in just the past couple of years where ethical hackers have come to the rescue of software firms to avert a crisis that would have potentially incurred the organizations huge losses and put their product users in harm’s way. 10 instances where ethical hackers saved the day for companies with software vulnerabilities 1. An ethical hacker accessed Homebrew’s GitHub repo in under 30 minutes On 31st July 2018, Eric Holmes, a security researcher reported that he could easily gain access to Homebrew’s GitHub repo. Homebrew is a popular, free and open-source software package management system with well-known packages like node, git, and many more, and also simplifies the installation of software on macOS. Under 30 minutes, Holmes gained access to an exposed GitHub API token that opened commit access to the core Homebrew repo; thus, exposing the entire Homebrew supply chain. On July 31, Holmes first reported this vulnerability to Homebrew’s developer, Mike McQuaid. Following which, McQuaid publicly disclosed the issue on Homebrew blog on August 5, 2018. After receiving the report, within a few hours the credentials had been revoked, replaced and sanitized within Jenkins so they would not be revealed in the future. In a detailed post about the attack invasion on Medium, Eric mentioned that if he were a malicious actor, he could easily make a small unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. 2. Zimperium zLabs security researcher disclosed a critical vulnerability in multiple high-privileged Android services to Google In mid-2018, Tamir Zahavi-Brunner, Security Researcher at Zimperium zLabs, informed Google of a critical vulnerability affecting multiple privileged Android services. This vulnerability was found in a library, hidl_memory, introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. The vulnerability was in a commonly used library affecting many high-privileged services. The hidl_memory comprises of: mHandle (HIDL object which holds file descriptors, mSize (size of the memory to be shared), mName (represents the type of memory). These structures are transferred through Binder in HIDL, where complex objects (like hidl_handle or hidl_string) have their own custom code for writing and reading the data. Transferring structures via 64-bit processes cause no issues, however, this size gets truncated to 32 bit in 32-bit processes, so only the lower 32 bits are used. So if a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the actually mapped memory region will be much smaller. Google designated this vulnerability as CVE-2018-9411 and patched it in the July security update (2018-07-01 patch level), including additional patches in the September security update (2018-09-01 patch level). Brunner later published a detailed post explaining technical details of the vulnerability and the exploit, in October 2018. 3. A security researcher revealed a vulnerability in a WordPress plugin that leaked the Twitter account information of users Early this year, on January 17, a French security researcher, Baptiste Robert, popularly known by his online handle, Elliot Alderson found a vulnerability in a WordPress plugin called Social Network Tabs. This vulnerability was assigned with the vulnerability ID- CVE-2018-20555  by MITRE. The plugin leaked a user’s Twitter account info thus exposing the personal details to be compromised. The plugin allowed websites to help users share content on social media sites. Elliot informed Twitter of this vulnerability on December 1, 2018, prompting Twitter to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached. 4. A Google vulnerability researcher revealed an unpatched bug in Windows’ cryptographic library that could take down an entire Windows fleet On June 11, 2019, Tavis Ormandy, a vulnerability researcher at Google, revealed a security issue in SymCrypt, the core cryptographic library for Windows. The vulnerability could take down an entire Windows fleet relatively easily, Ormandy said. He reported the vulnerability on March 13 on Google’s Project Zero site and got a response from Microsoft saying that it would issue a security bulletin and fix for this in the June 11 Patch Tuesday run. Further on June 11, he received a message from Microsoft Security Response Center (MSRC) saying “that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing”. Ormandy disclosed the vulnerability a day after the 90-day deadline elapsed. This was in line with Google’s 90 days deadline for fixing or publicly disclosing bugs that its researchers find. 5. Oracle’s critical vulnerability in its WebLogic servers On June 17, this year, Oracle published an out-of-band security update that had a patch to a critical code-execution vulnerability in its WebLogic server. The vulnerability was brought to light when it was reported by the security firm, KnownSec404. The vulnerability tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability was a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war. 6. Security flaws in Boeing 787 Crew Information System/Maintenance System (CIS/MS) code can be misused by hackers At the Black Hat 2019, Ruben Santamarta, an IOActive Principal Security Consultant in his presentation said that there were vulnerabilities in the Boeing 787 Dreamliner’s components, which could be misused by hackers. The security flaws were in the code for a component known as a Crew Information Service/Maintenance System. Santamarta identified three networks in the 787, the Open Data Network (ODN), the Isolated Data Network (IDN), and the Common Data Network (CDN). Boeing, however, strongly disagreed with Santamarta’s findings saying that such an attack is not possible and rejected Santamarta’s “claim of having discovered a potential path to pull it off.” He further highlighted a white paper released in September 2018 that mentioned that a publicly accessible Boeing server was identified using a simple Google search, exposing multiple files. On further analysis, the exposed files contained parts of the firmware running on the Crew Information System/Maintenance System (CIS/MS) and Onboard Networking System (ONS) for the Boeing 787 and 737 models respectively. These included documents, binaries, and configuration files. Also, a Linux-based Virtual Machine used to allow engineers to access part of the Boeing’s network access was also available. A reader on Bruce Schneier’s (public-interest technologist) blog post argued that Boeing should allow SantaMarta’s team to conduct a test, for the betterment of the passengers, “I really wish Boeing would just let them test against an actual 787 instead of immediately dismissing it. In the long run, it would work out way better for them, and even the short term PR would probably be a better look.” Boeing in a statement said, "Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack.” Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. While the DHS didn't respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it's "satisfied with the manufac­turer’s assessment of the issue." Santamarta's research, despite Boeing's denials and assurances, should be a reminder that aircraft security is far from a solved area of cybersecurity research. Stefan Savage, a computer science professor at the University of California at San Diego said, "This is a reminder that planes, like cars, depend on increasingly complex networked computer systems. They don't get to escape the vulnerabilities that come with this." Some companies still find it difficult to embrace unknown researchers finding flaws in their networks. Companies might be wary of ethical hackers given these people work as freelancers under no contract, potentially causing issues around confidentiality and whether the company’s security flaws will remain a secret. As hackers do not have a positive impression, the company fails to understand it is for their own betterment. 7. Vulnerability in contactless Visa card that can bypass payment limits On July 29 this year, two security researchers from Positive Technologies, Leigh-Anne Galloway, Cyber Security Resilience Lead and Tim Yunusov, Head of banking security, discovered flaws in Visa contactless cards, that can allow hackers to bypass the payment limits. The researchers added that the attack was tested with “five major UK banks where it successfully bypassed the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal”. They also warned that this contactless Visa card vulnerability can be possible on cards outside the UK as well. When Forbes asked Visa about this vulnerability, they weren’t alarmed by the situation and said they weren’t planning on updating their systems anytime soon. “One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world,” a Visa spokesperson told Forbes. 8. Mac Zoom Client vulnerability allowed ethical hackers to enable users’ camera On July 9, this year, a security researcher, Jonathan Leitschuh, publicly disclosed a vulnerability in Mac’s Zoom Client that could allow any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. Around 750,000 companies around the world who use the video conferencing app on their Macs, to conduct day-to-day business activities, were vulnerable. Leitschuh disclosed the issue on March 26 on Google’s Project Zero blog, with a 90-day disclosure policy. He also suggested a ‘quick fix’ which Zoom could have implemented by simply changing their server logic. Zoom took 10 days to confirm the vulnerability and held a meeting about how the vulnerability would be patched only 18 days before the end of the 90-day public disclosure deadline, i.e. June 11th, 2019. A day before the public disclosure, Zoom had only implemented the quick-fix solution. Apple quickly patched the vulnerable component on the same day when Leitschuh disclosed the vulnerability via Twitter (July 9). 9. Vulnerabilities in the PTP protocol of Canon’s EOS 80D DSLR camera allows injection of ransomware At the DefCon27 held this year, Eyal Itkin, a vulnerability researcher at Check Point Software Technologies, revealed vulnerabilities in the Canon EOS 80D DSLR. He demonstrated how vulnerabilities in the Picture Transfer Protocol (PTP) allowed him to infect the DSLR model with ransomware over a rogue WiFi connection. Itkin highlighted six vulnerabilities in the PTP that could easily allow a hacker to infiltrate the DSLRs and inject ransomware and lock the device. This could lead the users to pay ransom to free up their camera and picture files. Itkin’s team informed Canon about the vulnerabilities in their DSLR on March 31, 2019. On August 6, Canon published a security advisory informing users that, “at this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm” and asking them to take advised measures to ensure safety. 10. Security researcher at DefCon 27 revealed an old Webmin backdoor that allowed unauthenticated attackers to execute commands with root privileges on servers At the DefCon27, a Turkish security researcher, Özkan Mustafa Akkuş presented a zero-day remote code execution vulnerability in Webmin, a web-based system configuration system for Unix-like systems. This vulnerability, tracked as CVE-2019-15107, was found in the Webmin security feature and was present in the password reset page. It allowed an administrator to enforce a password expiration policy for other users’ accounts. It also allowed a remote, unauthenticated attacker to execute arbitrary commands with root privileges on affected servers by simply adding a pipe command (“|”) in the old password field through POST requests. The Webmin team was informed of the vulnerability on August 17th 2019. In response, the exploit code was removed and Webmin version 1.930 created and released to all users. Jamie Cameron, the author of Webmin, in a blog post talked about how and when this backdoor was injected. He revealed that this backdoor was no accident, and was in fact, injected deliberately in the code by a malicious actor. He wrote, “Neither of these were accidental bugs – rather, the Webmin source code had been maliciously modified to add a non-obvious vulnerability,” he wrote. TD;LR: Companies should welcome ethical hackers for their own good Ethical hackers are an important addition to our cybersecurity ecosystem. They help organizations examine security systems and analyze minor gaps that lead to compromising the entire organization. One way companies can seek their help is by arranging Bug bounty programs that allow ethical hackers to participate and report vulnerabilities to companies in exchange for rewards that can consist of money or, just recognition. Most of the other times, a white hat hacker may report of the vulnerability as a part of their research, which can be misunderstood by organizations as an attempt to break into their system or simply that they are confident of their internal security systems. Organizations should keep their software security upto date by welcoming additional support from these white hat hackers in finding undetected vulnerabilities. Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT How has ethical hacking benefited the software industry 5 pen testing rules of engagement: What to consider while performing Penetration testing Social engineering attacks – things to watch out for while online
Read more
  • 0
  • 0
  • 8746

article-image-how-has-ethical-hacking-benefited-the-software-industry
Fatema Patrawala
27 Sep 2019
8 min read
Save for later

How has ethical hacking benefited the software industry

Fatema Patrawala
27 Sep 2019
8 min read
In an online world infested with hackers, we need more ethical hackers. But all around the world, hackers have long been portrayed by the media and pop culture as the bad guys. Society is taught to see them as cyber-criminals and outliers who seek to destroy systems, steal data, and take down anything that gets in their way. There is no shortage of news, stories, movies, and television shows that outright villainize the hacker. From the 1995 movie Hackers, to the more recent Blackhat, hackers are often portrayed as outsiders who use their computer skills to inflict harm and commit crime. Read this: Did you know hackers could hijack aeroplane systems by spoofing radio signals? While there have been real-world, damaging events created by cyber-criminals that serve as the inspiration for this negative messaging, it is important to understand that this is only one side of the story. The truth is that while there are plenty of criminals with top-notch hacking and coding skills, there is also a growing and largely overlooked community of ethical (commonly known as white-hat) hackers who work endlessly to help make the online world a better and safer place. To put it lightly, these folks use their cyber superpowers for good, not evil. For example, Linus Torvalds, the creator of Linux was a hacker, as was Tim Berners-Lee, the man behind the World Wide Web. The list is long for the same reason the list of hackers turned coders is long – they all saw better ways of doing things. What is ethical hacking? According to the EC-Council, an ethical hacker is “an individual who is usually employed with an organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a malicious hacker.” Listen: We discuss what it means to be a hacker with Adrian Pruteanu [Podcast] The role of an ethical hacker is important since the bad guys will always be there, trying to find cracks, backdoors, and other secret ways to access data they shouldn’t. Ethical hackers not only help expose flaws in systems, but they assist in repairing them before criminals even have a shot at exploiting said vulnerabilities. They are an essential part of the cybersecurity ecosystem and can often unearth serious unknown vulnerabilities in systems better than any security solution ever could. Certified ethical hackers make an average annual income of $99,000, according to Indeed.com. The average starting salary for a certified ethical hacker is $95,000, according to EC-Council senior director Steven Graham. Ways ethical hacking benefits the software industry Nowadays, ethical hacking has become increasingly mainstream and multinational tech giants like Google, Facebook, Microsoft, Mozilla, IBM, etc employ hackers or teams of hackers in order to keep their systems secure. And as a result of the success hackers have shown at discovering critical vulnerabilities, in the last year itself there has been a 26% increase in organizations running bug bounty programs, where they bolster their security defenses with hackers. Other than this there are a number of benefits that ethical hacking has provided to organizations majorly in the software industry. Carry out adequate preventive measures to avoid systems security breach An ethical hacker takes preventive measures to avoid security breaches, for example, they use port scanning tools like Nmap or Nessus to scan one’s own systems and find open ports. The vulnerabilities with each of the ports is studied, and remedial measures are taken by them. An ethical hacker will examine patch installations and make sure that they cannot be exploited. They also engage in social engineering concepts like dumpster diving—rummaging through trash bins for passwords, charts, sticky notes, or anything with crucial information that can be used to generate an attack. They also attempt to evade IDS (Intrusion Detection Systems), IPS (Intrusion Prevention systems), honeypots, and firewalls. They carry out actions like bypassing and cracking wireless encryption, and hijacking web servers and web applications. Perform penetration tests on networks at regular intervals One of the best ways to prevent illegal hacking is to test the network for weak links on a regular basis. Ethical hackers help clean and update systems by discovering new vulnerabilities on an on-going basis. Going a step ahead, ethical hackers also explore the scope of damage that can occur due to the identified vulnerability. This particular process is known as pen testing, which is used to identify network vulnerabilities that an attacker can target. There are many methods of pen testing. The organization may use different methods depending on its requirements. Any of the below pen testing methods can be carried out by an ethical hacker: Targeted testing which involves the organization's people and the hacker. The organization staff will be aware of the hacking being performed. External testing penetrates all externally exposed systems such as web servers and DNS. Internal testing uncovers vulnerabilities open to internal users with access privileges. Blind testing simulates real attacks from hackers. Testers are given limited information about the target, which requires them to perform reconnaissance prior to the attack. Pen testing is the strongest case for hiring ethical hackers. Ethical hackers have built computers and programs for software industry Going back to the early days of the personal computer, many of the members in the Silicon Valley would have been considered hackers in modern terms, that they pulled things apart and put them back together in new and interesting ways. This desire to explore systems and networks to find how it worked made many of the proto-hackers more knowledgeable about the different technologies and it can be safeguarded from malicious attacks. Just as many of the early computer enthusiasts turned out to be great at designing new computers and programs, many people who identify themselves as hackers are also amazing programmers. This trend of the hacker as the innovator has continued with the open-source software movement. Much of the open-source code is produced, tested and improved by hackers – usually during collaborative computer programming events, which are affectionately referred to as "hackathons." Even if you never touch a piece of open-source software, you still benefit from the elegant solutions that hackers come up with that inspire or are outright copied by proprietary software companies. Ethical hackers help safeguard customer information by preventing data breaches The personal information of consumers is the new oil of the digital world. Everything runs on data. But while businesses that collect and process consumer data have become increasingly valuable and powerful, recent events prove that even the world’s biggest brands are vulnerable when they violate their customers’ trust. Hence, it is of utmost importance for software businesses to gain the trust of customers by ensuring the security of their data. With high-profile data breaches seemingly in the news every day, “protecting businesses from hackers” has traditionally dominated the data privacy conversation. Read this: StockX confirms a data breach impacting 6.8 million customers In such a scenario, ethical hackers will prepare you for the worst, they will work in conjunction with the IT-response plan to ensure data security and in patching breaches when they do happen. Otherwise, you risk a disjointed, inconsistent and delayed response to issues or crises. It is also imperative to align how your organization will communicate with stakeholders. This will reduce the need for real-time decision-making in an actual crisis, as well as help limit inappropriate responses. They may also help in running a cybersecurity crisis simulation to identify flaws and gaps in your process, and better prepare your teams for such a pressure-cooker situation when it hits. Information security plan to create security awareness at all levels No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program which is framed by information security professionals. Primarily the IT security team devises the security program but if done in coordination with the ethical hackers, they can provide the framework for keeping the company at a desired security level. Additionally by assessing the risks the company faces, they can decide how to mitigate them, and plan for how to keep the program and security practices up to date. To summarize… Many white hat hackers, gray hat and reformed black hat hackers have made significant contributions to the advancement of technology and the internet. In truth, hackers are almost in the same situation as motorcycle enthusiasts in that the existence of a few motorcycle gangs with real criminal operations tarnishes the image of the entire subculture. You don’t need to go out and hug the next hacker you meet, but it might be worth remembering that the word hacker doesn’t equal criminal, at least not all the time. Our online ecosystem is made safer, better and more robust by ethical hackers. As Keren Elazari, an ethical hacker herself, put it: “We need hackers, and in fact, they just might be the immune system for the information age. Sometimes they make us sick, but they also find those hidden threats in our world, and they make us fix it.” 3 cybersecurity lessons for e-commerce website administrators Hackers steal bitcoins worth $41M from Binance exchange in a single go! A security issue in the net/http library of the Go language affects all versions and all components of Kubernetes
Read more
  • 0
  • 0
  • 6054

article-image-uk-ncsc-report-reveals-ransomware-phishing-supply-chain-threats-to-businesses
Fatema Patrawala
16 Sep 2019
7 min read
Save for later

UK's NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses

Fatema Patrawala
16 Sep 2019
7 min read
Last week, the UK’s National Cyber Security Centre (NCSC) published a report on cyber incident trends in the UK from October 2018 to April 2019. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has recommended this report to better understand and know how to defend against most prevalent cyber security threats. The NCSC report reveals five main threats and threat vectors that affected UK organizations: cloud services (Office 365 in particular); ransomware; phishing; vulnerability scanning; and supply chain attacks. The NCSC report examined each of these, presented specific methods used by threat actors and provided tips for preventing and mitigating incidents. NCSC report reveals Cloud services and Office 365 as primary targets The NCSC report highlights the primary target of the attackers as Cloud services, and Office 365. The large scale move to cloud services has put the IT infrastructure of many enterprises within reach of internet-based attacks as these services are only protected by a username and password.  Tools and scripts to try and guess users’ passwords are abundant. And a successful login gives access to corporate data stored in all Office 365 services. For example, both SharePoint and Exchange could be compromised, as well as any third-party services an enterprise has linked to Azure AD. Another common way of attacking Office 365 mentioned in the report is password spraying. In this method the attackers attempt a small number of commonly used passwords against multiple accounts. In most cases, they aren’t after just one specific account as this method can target a large number of accounts in one organisation without raising any suspicions.  Other than this, credential stuffing is another common approach to attack Office 365. Credential stuffing takes pairs of usernames and passwords from leaked data sets and tries them against other services, such as Office 365. According to the report it is difficult to detect the vulnerability in logs as an attacker may only need a single attempt to successfully log in if the stolen details match those of the user's Office 365 account. The report further suggests a few remediation strategies to prevent compromising Office 365 accounts. Ransomware attacks among enterprises continue to rise Since the WannaCry and NotPetya attacks of 2017, ransomware attacks against enterprise networks have continued to rise in number and sophistication. The NCSC report mentions that historically, ransomware were delivered as a standalone attack. But today, attackers are using their network access to maximise the impact of the ransomware attack.  Ransomware tools such as Cybercrime botnets like Emotet, Dridex and Trickbot are commonly used as an initial infection vector, prior to retrieving and installing the ransomware. The report also highlights the use of Pen-testing tools such as Cobalt Strike. Ransomware such as Ryuk, LockerGoga, Bitpaymer and Dharma were seen to be prevalent in recent months. Cases observed in the NCSC report often tend to have resulted from a trojanised document, sent via email. The malware will exploit publicly known vulnerabilities and macros in Microsoft Office documents. Some of the remediation strategies to prevent ransomware include: Reducing the chances of the initial malware reaching devices Considering the use of URL reputation services including those built into a web browser, and Internet service providers. Using email authentication via DMARC and DNS filtering products is highly recommended Making it more difficult for ransomware to run, once it is delivered. Having a tested backup of your data offline, so that it cannot be modified or deleted by ransomware.  Effective network segregation to make it more difficult for malware to spread across a network and thereby limit the impact of ransomware attacks. Phishing is the most prevalent attack delivery method in NCSC report According to the NCSC report, phishing has been the most prevalent attack delivery method over the last few years, and in recent months. Just about anyone with an email address can be a target. Specific methods observed recently by the NCSC include: targeting Office 365 credentials - the approach here is to persuade users to follow links to legitimate-looking login pages, which prompt for O365 credentials. More advanced versions of this attack also prompt the user to use Multi Factor Authentication. sending emails from real, but compromised, email accounts - quite often this approach will exploit an existing email thread or relationship to add a layer of authenticity to a spear phish. fake login pages - these are dynamically generated, and personalised, pulling the real imagery and artwork from the victim’s Office 365 portal. using Microsoft services such as Azure or Office 365 Forms to host fake login pages - these give the address bar an added layer of authenticity. Remediation strategies to prevent phishing attacks include implementing a multi-layered defence against phishing attacks. This will reduce the chances of a phishing email reaching a user and minimises the impact of those that get through. Additionally you can configure Email anti-spoofing controls such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and Domain-Keys Identified Mail (DKIM). Vulnerability scanning is a common reconnaissance method NSCS report mentions that vulnerability scanning is a common reconnaissance method used to search for open network ports, identify unpatched, legacy or otherwise vulnerable software and to identify misconfigurations, which could have an effect on security. It further details that attackers identify known weaknesses in Internet-facing service which they then target using tested techniques or 'exploits'. This approach means the attack is more likely to work for the first time, making its detection less likely when using traditional Intrusion prevention systems (IPS) and on-host security monitoring. Once an attacker has a foothold on the edge of your infrastructure, they will then attempt to run more network scans and re-use stolen credentials to pivot through to the core network. For vulnerability remediation NSCS suggests to ensure that all internet-facing servers that an attacker might be able to find should be hardened, and the software running on them must be fully patched. They also recommend penetration test to determine what an attacker scanning for vulnerabilities could find, and potentially attack. Supply chain attacks & threat from external service providers Threats introduced to enterprise networks via their service providers continue to be a major problem according to the report. Outsourcing – particularly of IT – results in external parties and their own networks being able to access and even reconfigure enterprise services. Hence, the network will inherit the risk from these connected networks.  NSCS report also gives several examples of attackers exploiting the connections of service providers to gain access to enterprise networks. For instance, the exploitation of Remote Management and Monitoring (RMM) tooling to deploy ransomware, as reported by ZDNet. And the public disclosure of a “sophisticated intrusion” at a major outsourced IT vendor, as reported by Krebs on Security. Few remediation strategies to prevent supply chain attacks are: Supply chain security should be a consideration when procuring both products and services. Those using outsourced IT providers should ensure that any remote administration interfaces used by those service providers are secured. Ensuring the way IT service provider connects to, or administers the system, meets the organisation’s security standards. Take appropriate steps to segment and segregate the networks. Segmentation and segregation can be achieved physically or logically using access control lists, network and computer virtualisation, firewalls, and network encryption such as Internet Protocol Security. Document the remote interfaces and internal accesses in use by your service provider to ensure that they are fully revoked at the end of the contract. To read the full report, visit the official NSCS website. What’s new in security this week? A new Stuxnet-level vulnerability named Simjacker used to secretly spy over mobile phones in multiple countries for over 2 years: Adaptive Mobile Security reports Lilocked ransomware (Lilu) affects thousands of Linux-based servers Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack  
Read more
  • 0
  • 0
  • 3217
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime
article-image-understanding-security-features-in-the-google-cloud-platform-gcp
Vincy Davis
27 Jul 2019
10 min read
Save for later

Understanding security features in the Google Cloud Platform (GCP)

Vincy Davis
27 Jul 2019
10 min read
Google's long experience and success in, protecting itself against cyberattacks plays to our advantage as customers of the Google Cloud Platform (GCP). From years of warding off security threats, Google is well aware of the security implications of the cloud model. Thus, they provide a well-secured structure for their operational activities, data centers, customer data, organizational structure, hiring process, and user support. Google uses a global scale infrastructure to provide security to build commercial services, such as Gmail, Google search, Google Photos, and enterprise services, such as GCP and gsuite. This article is an excerpt taken from the book, "Google Cloud Platform for Architects.", written by Vitthal Srinivasan, Janani Ravi and Et al. In this book, you will learn about Google Cloud Platform (GCP) and how to manage robust, highly available, and dynamic solutions to drive business objective. This article gives an insight into the security features in Google Cloud Platform, the tools that GCP provides for users benefit, as well as some best practices and design choices for security. Security features at Google and on the GCP Let's start by discussing what we get directly by virtue of using the GCP. These are security protections that we would not be able to engineer for ourselves. Let's go through some of the many layers of security provided by the GCP. Datacenter physical security: Only a small fraction of Google employees ever get to visit a GCP data center. Those data centers, the zones that we have been talking so much about, probably would seem out of a Bond film to those that did—security lasers, biometric detectors, alarms, cameras, and all of that cloak-and-dagger stuff. Custom hardware and trusted booting: A specific form of security attacks named privileged access attacks are on the rise. These involve malicious code running from the least likely spots that you'd expect, the OS image, hypervisor, or boot loader. There is the only way to really protect against these, which is to design and build every single element in-house. Google has done that, including hardware, a firmware stack, curated OS images, and a hardened hypervisor. Google data centers are populated with thousands of servers connected to a local network. Google selects and validates building components from vendors and designs custom secure server boards and networking devices for server machines. Google has cryptographic signatures on all low-level components, such as BIOS, bootloader, kernel, and base OS, to validate the correct software stack is booting up. Data disposal: The detritus of the persistent disks and other storage devices that we use are also cleaned thoroughly by Google. This data destruction process involves several steps: an authorized individual will wipe the disk clean using a logical wipe. Then, a different authorized individual will inspect the wiped disk. The results of the erasure are stored and logged too. Then, the erased driver is released into inventory for reuse. If the disk was damaged and could not be wiped clean, it is stored securely and not reused, and such devices are periodically destroyed. Each facility where data disposal takes place is audited once a week. Data encryption: By default GCP always encrypts all customer data at rest as well as in motion. This encryption is automatic, and it requires no action on the user's part. Persistent disks, for instance, are already encrypted using AES-256, and the keys themselves are encrypted with master keys. All these key management and rotation is managed by Google. In addition to this default encryption, a couple of other encryption options exist as well, more on those in the following diagram: Secure service deployment: Google's security documentation will often refer to secure service deployment, and it is important to understand that in this context, the term service has a specific meaning in the context of security: a service is the application binary that a developer writes and runs on infrastructure. This secure service deployment is based on three attributes: Identity: Each service running on Google infrastructure has an associated service account identity. A service has to submit cryptographic credentials provided to it to prove its identity while making or receiving remote procedure calls (RPC) to other services. Clients use these identities to make sure that they are connecting to an intended server and the server will use to restrict access to data and methods to specific clients. Integrity: Google uses a cryptographic authentication and authorization technique at an application layer to provide strong access control at the abstraction level for interservice communication. Google has an ingress and egress filtering facility at various points in their network to avoid IP spoofing. With this approach, Google is able to maximize their network's performance and its availability. Isolation: Google has an effective sandbox technique to isolate services running on the same machine. This includes Linux user separation, language and kernel-based sandboxes, and hardware virtualization. Google also secures operation of sensitive services such as cluster orchestration in GKE on exclusively dedicated machines. Secure interservice communication: The term inter-service communication refers to GCP's resources and services talking to each other. For doing so, the owners of the services have individual whitelists of services which can access them. Using them, the owner of the service can also allow some IAM identities to connect with the services managed by them.Apart from that, Google engineers on the backend who would be responsible to manage the smooth and downtime-free running of the services are also provided special identities to access the services (to manage them, not to modify their user-input data). Google encrypts interservice communication by encapsulating application layer protocols in RPS mechanisms to isolate the application layer and to remove any kind of dependency on network security. Using Google Front End: Whenever we want to expose a service using GCP, the TLS certificate management, service registration, and DNS are managed by Google itself. This facility is called the Google Front End (GFE) service. For example, a simple file of Python code can be hosted as an application on App Engine that (application) will have its own IP, DNS name, and so on. In-built DDoS protections: Distributed Denial-of-Service attacks are very well studied, and precautions against such attacks are already built into many GCP services, notably in networking and load balancing. Load balancers can actually be thought of as hardened, bastion hosts that serve as lightning rods to attract attacks, and so are suitably hardened by Google to ensure that they can withstand those attacks. HTTP(S) and SSL proxy load balancers, in particular, can protect your backend instances from several threats, including SYN floods, port exhaustion, and IP fragment floods. Insider risk and intrusion detection: Google constantly monitors activities of all available devices in Google infrastructure for any suspicious activities. To secure employees' accounts, Google has replaced phishable OTP second factors with U2F, compatible security keys. Google also monitors its customer devices that employees use to operate their infrastructure. Google also conducts a periodic check on the status of OS images with security patches on customer devices. Google has a special mechanism to grant access privileges named application-level access management control, which exposes internal applications to only specific users from correctly managed devices and expected network and geographic locations. Google has a very strict and secure way to manage its administrative access privileges. They have a rigorous monitoring process of employee activities and also a predefined limit for administrative accesses for employees. Google-provided tools and options for security As we've just seen, the platform already does a lot for us, but we still could end up leaving ourselves vulnerable to attack if we don't go about designing our cloud infrastructure carefully. To begin with, let's understand a few facilities provided by the platform for our benefit. Data encryption options: We have already discussed Google's default encryption; this encrypts pretty much everything and requires no user action. So, for instance, all persistent disks are encrypted with AES-256 keys that are automatically created, rotated, and themselves encrypted by Google. In addition to default encryption, there are a couple of other encryption options available to users. Customer-managed encryption keys (CMEK) using Cloud KMS: This option involves a user taking control of the keys that are used, but still storing those keys securely on the GCP, using the key management service. The user is now responsible for managing the keys that are for creating, rotating and destroying them. The only GCP service that currently supports CMEK is BigQuery and is in beta stage for Cloud Storage. Customer-supplied encryption keys (CSEK): Here, the user specifies which keys are to be used, but those keys do not ever leave the user's premises. To be precise, the keys are sent to Google as a part of API service calls, but Google only uses these keys in memory and never persists them on the cloud. CSEK is supported by two important GCP services: data in cloud storage buckets as well as by persistent disks on GCE VMs. There is an important caveat here though: if you lose your key after having encrypted some GCP data with it, you are entirely out of luck. There will be no way for Google to recover that data. Cloud security scanner: Cloud security scanner is a GCP, provided security scanner for common vulnerabilities. It has long been available for App Engine applications, but is now also available in alpha for Compute Engine VMs. This handy utility will automatically scan and detect the following four common vulnerabilities: Cross-site scripting (XSS) Flash injection Mixed content (HTTP in HTTPS) The use of outdated/insecure libraries Like most security scanners, it automatically crawls an application, follows links, and tries out as many different types of user input and event handlers as possible. Some security best practices Here is a list of design choices that you could exercise to cope with security threats such as DDoS attacks: Use hardened bastion hosts such as load balancers (particularly HTTP(S) and SSL proxy load balancers). Make good use of the firewall rules in your VPC network. Ensure that incoming traffic from unknown sources, or on unknown ports, or protocols is not allowed through. Use managed services such as Dataflow and Cloud Functions wherever possible; these are serverless and so have smaller attack vectors. If your application lends itself to App Engine it has several security benefits over GCE or GKE, and it can also be used to autoscale up quickly, damping the impact of a DDOS attack. If you are using GCE VMs, consider the use of API rate limits to ensure that the number of requests to a given VM does not increase in an uncontrolled fashion. Use NAT gateways and avoid public IPs wherever possible to ensure network isolation. Use Google CDN as a way to offload incoming requests for static content. In the event of a storm of incoming user requests, the CDN servers will be on the edge of the network, and traffic into the core infrastructure will be reduced. Summary In this article, you learned that the GCP benefits from Google's long experience countering cyber-threats and security attacks targeted at other Google services, such as Google search, YouTube, and Gmail. There are several built-in security features that already protect users of the GCP from several threats that might not even be recognized as existing in an on-premise world. In addition to these in-built protections, all GCP users have various tools at their disposal to scan for security threats and to protect their data. To know more in-depth about the Google Cloud Platform (GCP), head over to the book, Google Cloud Platform for Architects. Ansible 2 for automating networking tasks on Google Cloud Platform [Tutorial] Build Hadoop clusters using Google Cloud Platform [Tutorial] Machine learning APIs for Google Cloud Platform
Read more
  • 0
  • 0
  • 8542

article-image-winnti-malware-chinese-hacker-group-attacks-major-german-corporations-for-years
Fatema Patrawala
26 Jul 2019
9 min read
Save for later

Winnti Malware: Chinese hacker group attacks major German corporations for years, German public media investigation reveals

Fatema Patrawala
26 Jul 2019
9 min read
German public broadcasters, Bavarian Radio & Television Network (BR) and Norddeutscher Rundfunk (NDR), have published a joint investigation report on a hacker group spying on certain businesses since years. Security researchers, Hakan Tanriverdi, Svea Eckert, Jan Strozyk, Maximilian Zierer and Rebecca Ciesielski have contributed to this report. They shed light on how this group of hackers operate and how widespread they are. The investigation started with one of the reporters receiving this code daa0 c7cb f4f0 fbcf d6d1 which eventually led to the team discovering a hacking group with Chinese origins operating on Winnti Malware. BR and NDR reporters, in collaboration with several IT security experts, have analyzed the Winnti malware. Moritz Contag of Ruhr University Bochum extracted information from different varieties of the malware and wrote a script for this analysis. Silas Cutler, an IT security expert with US-based Chronicle Security, confirmed it. The report analyses cases from the below listed targeted companies: Gaming: Gameforge, Valve Software: Teamviewer Technology: Siemens, Sumitomo, Thyssenkrupp Pharma: Bayer, Roche Chemical: BASF, Covestro, Shin-Etsu Hakan Tanriverdi one of the reporters wrote on Twitter, “We looked at more than 250 samples, wrote Yara rules, conducted nmap scans.” Yara rules is a tool primarily used in malware research and detection. Nmap is a free and open source network scanner used to discover hosts and services on a computer network. Additionally in the report, the team has presented ways to find out if one is infected by the Winnti malware. To learn about these methods in detail, check out the research report. Winnti malware is complex, created by “digital mercenaries” of Chinese origin Winnti is a highly complex structure that is difficult to penetrate. The term denotes both a sophisticated malware and an actual group of hackers. IT security experts like to call them digital mercenaries. According to a Kasperky Lab research held in 2011, the Winnti group has been active for several years and in their initial days, specialized in cyber-attacks against the online video game industry. However, according to this investigation the hacker group has now honed in on Germany and its blue-chip DAX corporations. BR and NDR reporters analyzed hundreds of malware versions used for unsavory purposes. They found that the hacker group has targeted at least six DAX corporations and stock-listed top companies of the German industry. In October 2016, several DAX corporations, including BASF and Bayer, founded the German Cyber Security Organization (DCSO). The job of DCSO’s IT security experts was to observe and recognize hacker groups like Winnti and to get to the bottom of their motives. In Winnti’s case, DCSO speaks of a “mercenary force” which is said to be closely linked with the Chinese government. The reporters of this investigation also interviewed few company staff, IT security experts, government officials, and representatives of security authorities. An IT security expert who has been analyzing the attacks for years said, “Any DAX corporation that hasn’t been attacked by Winnti must have done something wrong.” A high-ranking German official said to the reporters, “The numbers of cases are mind-boggling.” And claims that the group continues to be highly active—to this very day. Winnti hackers are audacious and “don’t care if they’re found out” The report points out that the hackers choose convenience over anonymity. Working with Moritz Contag the reporters found that the hackers wrote the names of the companies they want to spy on directly into their malware. Contag has analyzed more than 250 variations of the Winnti malware and found them to contain the names of global corporations. According to reporters, hackers usually take precautions, which experts refer to as Opsec. But the Winnti group’s Opsec was dismal to say the least. Somebody who has been keeping an eye on Chinese hackers on behalf of a European intelligence service believes that they didn’t really care: “These hackers don’t care if they’re found out or not. They care only about achieving their goals." The reporters believed that every hacking operation leaves digital traces. They also believe that if you notice hackers carefully, each and every step can be logged. To decipher the traces of the Winnti hackers, they took a closer look at the program code of the malware itself. They used a malware research engine known as “VirusTotal” created by Google. The hacker group initially attacked the gaming industry for financial gain In the early days, the Winnti group of hackers were mainly interested in money making. Their initial target was Gameforge, a gaming company based in the German town of Karlsruhe. In 2011, an email message found its way into Gameforge’s mailbox. A staff member opened the attached file and unaware to him started the Winnti program. Shortly afterwards, the administrators became aware that someone was accessing Gameforge’s databases and raising the account balance. Gameforge decided to implement Kaspersky antivirus software and  arranged for Kaspersky's IT security experts to visit the office.The security experts found suspicious files and analyzed them. They noticed that the system had been infiltrated by hackers acting like Gameforge’s administrators. It turned out that the hackers had taken over a total of 40 servers. “They are a very, very persistente group,” says Costin Raiu, who has been watching Winnti since 2011 and was in charge of Kaspersky’s malware analysis team. “Once the Winnti hackers are inside a network, they take their sweet time to really get a feel for the infrastructure,” he says. The hackers will map a company’s network and look for strategically favorable locations for placing their malware. They keep tabs on which programs are used in a company and then exchange a file in one of these programs. The modified file looks like the original, but was secretly supplemented by a few extra lines of code. Thereafter the manipulated file does the attackers’ bidding. Raiu and his team have been following the digital tracks left behind by some of the Winnti hackers. “Nine years ago, things were much more clear-cut. There was a single team, which developed and used Winnti. It now looks like there is at least a second group that also uses Winnti.” This view is shared by many IT security companies. And it is this second group which is getting the German security authorities worried. One government official says, “Winnti is very specific to Germany. It is the attacker group that's being encountered most frequently." Second group of Winnti hackers focused on industrial espionage The report says that by 2014, the Winnti malware code was no longer limited to game manufacturers. The second group’s job was mainly industrial espionage. Hackers targeted high-tech companies as well as chemical and pharmaceutical companies. They also attacked companies in Japan, France, the U.S. and Germany. The report sheds light on how Winnti hackers broke into Henkel’s network in 2014. The reporters present three files containing the website belonging to Henkel and the name of the hacked server. For example, one starts with the letter sequence DEDUSSV. They realized that server names can be arbitrary, but it is highly probable that DE stands for Germany and DUS for Düsseldorf, where the Henkel headquarters are located. The hackers were able to monitor all activities running on the web server and reached systems which didn't have direct internet access: The company also confirmed the Winnti incident and issued the following statement: “The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that a “very small portion” of its worldwide IT systems had been affected— the systems in Germany. According to Henkel, there was no evidence suggesting that any sensitive data had been diverted. Other than Henkel, Winnti also targeted companies like Covestro, manufacturers of adhesives, lacquers and paints, Japan’s biggest chemical company, Shin-Etsu Chemical, Roche, one of the largest pharmaceutical companies in the world. Winnti hackers also penetrated the BASF and Siemens networks. A BASF spokeswoman says that in July 2015, hackers had successfully overcome “the first levels” of defense. “When our experts discovered that the attacker was attempting to get around the next level of defense, the attacker was removed promptly and in a coordinated manner from BASF’s network.” She added that no business relevant information had been lost at any time. According to Siemens, they were penetrated by the hackers in June 2016. “We quickly discovered and thwarted the attack,” Siemens spokesperson said. Winnti hackers also involved in political espionage The hacker group also is interested in penetrating political groups and there were several such indicators according to the report. The Hong Kong government was spied on by the Winnti hackers. The reporters found four infected systems with the help of the nmap network scan, and proceeded to inform the government by email. The reporters also found out a telecommunications provider from India had been infiltrated, the company happens to be located in the region where the Tibetan government has its headquarters. Incidentally, the relevant identifier in the malware is called “CTA.” A file which ended up on VirusTotal in 2018 contains a straightforward keyword: “tibet”. Other than this the report also throws light on attacks which were not directly related to political espionage but had connection among them. For example, the team found out Marriott hotels in USA was attacked by hackers. The Indonesian airline Lion Air networks were also penetrated by them. They wanted to get to the data of where people travel and where they were located, at any given time. The team confirmed this by showing the relevant coded files in the report. To read the full research report, check out the official German broadcsaster’s website. Hackers steal bitcoins worth $41M from Binance exchange in a single go! VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices
Read more
  • 0
  • 0
  • 4704

article-image-a-cybersecurity-primer-for-mid-sized-businesses
Guest Contributor
26 Jul 2019
7 min read
Save for later

A cybersecurity primer for mid sized businesses

Guest Contributor
26 Jul 2019
7 min read
The decision to which information security measures should be used across the company’s IT infrastructure and which ones should be left out may be a tough one for midsized companies. The financial resources of a midsized company cannot allow applying all the existing cybersecurity elements to protect the network. At the same time, midsized businesses are big enough to be targeted by cybercriminals. In this article, our information security consultants describe cybersecurity measures a midsized business can’t do without if it wants to ensure an appropriate network protection level and show how to implement them and arrange their management. Basic information security measures Among the range of existing cybersecurity measures the following ones are essential for all mid sized businesses irrespective of the type of business: A firewall is responsible for scanning incoming and outgoing network traffic. If set properly, the firewall prevents malicious traffic from reaching your network and possibly damaging it. Antivirus software checks each file your company’s employees download from external resources like the internet or USB flash drives for virus signatures. Regular updates to your antivirus will give an alarm each time ransomware, viruses, Trojan horses, and other types of malware tries to reach your company’s network. Network segmentation implies the division of the entire company’s network into separate fragments. As a result, the networks of your company’s departments are separated from each other. In case hackers reach the computer in one segment, they won’t be able to access the computers in the other network segments separated from the infected network. Thus, cyberattacks can’t move between the network segments and damage them, and you significantly reduce the risk of facing corporate data theft or leakage. Email security techniques include filtering spam and applying password rotations. An email security solution is designed to make sure that only verified letters reach their addresses in the process of communication between interacting parties. It aims at keeping corporate data secure from malware, spoofing attacks, and other cyberthreats in the communication happening both inside and outside the company’s network. Intrusion detection (IDS) and intrusion prevention system (IPS) are responsible for analyzing all the incoming and outgoing network traffic. Using pattern matching or anomaly detection, IDS identifies possible cybersecurity threats, while IPS blocks the identified information security attacks, thus not allowing them to turn into major threats and spread across the entire network. Advanced information security measures To strengthen the protection of a midsized company operating in a regulated industry (such as banking, healthcare) and having the need to comply with security regulations and standards like PCI DSS, HIPAA, SOX, GDPR, the following information security measures can’t be omitted: Endpoint security is responsible for defending each entry point like desktops or mobile devices connecting to the company’s network from attacks before harmful activities spread all over the network. When installed both on the corporate network management server and end users’ devices, endpoint security software provides your company’s system administrators with transparency over the actions that can potentially damage the network. Data loss prevention (DLP) allows to avoid the leakage of confidential data, such as clients’ bank account details. DLP systems scan the data passing through a network to ensure that no sensitive information was leaked and got into the hands of cybercriminals’. DLP is designed to avoid the cases when your employees deliberately or unintentionally send an email with proprietary corporate data outside the corporate network. Security information and event management (SIEM) software gathers and aggregates the logs from the servers, domain controllers, and all other sources located in your network to analyze them and provide you with a report highlighting suspicious activities. Thus, you can use these reporting results to know whether your systems need special attention and curative measures. Implementing and managing information security measures There are three options to implement and manage information security measures. The choice will depend on the nature of industry you operate in (regulated/non-regulated) and available financial and human resources. Arranging your own information security department This method provides you with transparency of security activities happening within your network. However, it implies large expenses on organizing the work of a skilled security team, as well as buying necessary cybersecurity software. Thus, this option is most suitable for a midsized company that is rapidly expanding. Turning to a managed security service provider (MSSP) Deciding to work with an MSSP may be a more time and cost-effective option than arranging your own information security department. You entrust your company’s information security protection to a third party and stay within your financial capabilities. However, this option is not suitable for companies in regulated industries since they may find it risky to give a third-party security services provider control over all aspects of their corporate network security. Joining the efforts of your security department and an MSSP This option is an apt choice for those midsized companies that have to comply with security regulations and standards. While a reliable MSSP will provide you with a security monitoring service and report on suspicious activities or system errors happening across the network, your information security department can focus on eliminating the detected information security issues that can damage the corporate confidential data and customer personal information. Ensuring the robustness of information security measures Regardless of the set of measures applied to protect your IT infrastructure and their management option, your information security strategy should provide for the ongoing assessment of their efficiency. Vulnerability assessment that is usually followed by penetration testing should be conducted quarterly or annually (depending on the necessity of a company to comply with security regulations and standards). When combined, they not only help you to stay constantly aware of any security gap in your company’s network but also assist in reacting to the detected information security issues promptly. As a supplementary practice necessary for midsized businesses from regulated industries, threat monitoring must be ensured to check the network for indicators of cyber protection breaches like data exfiltration attempts. You’ll also need a structured incident response (IR) plan to identify the root causes of the cyber protection incidents that have already happened and remediate them rapidly not to cope with system outages or data losses in the future. Finally, train your staff regularly to increase their cybersecurity consciousness, and determine the appropriate behavior for your employees, such as an obligatory use of complex passwords and an awareness of how to dodge spamming or phishing attacks. In a nutshell Midsized companies can ensure effective cyber protection within their limited budget by employing such cybersecurity measures as antiviruses, firewalls, and email security. In case they need to stay compliant with security standards and regulations, they should also implement such protection measures as network segmentation, install IDS/IPS, SIEM and DLP, and ensure endpoint security. Either the company’s information security department and/or an MSSP can organize these measures in the network. Last but not least, the CIOs of CISOs of midsized companies must ensure that the security of their networks is monitored and regularly assessed to identify suspicious activities and cybersecurity breaches, and close security gaps. Author Bio Uladzislau Murashka is a Certified Ethical Hacker at ScienceSoft with 5+ years of experience in penetration testing. Uladzislau’s spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security. An attack on SKS Keyserver Network, a write-only program, poisons two high-profile OpenPGP certificates How Verizon and a BGP Optimizer caused a major internet outage affecting Amazon, Facebook, CloudFlare among others Amazon launches VPC Traffic Mirroring for capturing and inspecting network traffic
Read more
  • 0
  • 0
  • 4166

article-image-3-cybersecurity-lessons-for-e-commerce-website-administrators
Guest Contributor
25 Jun 2019
8 min read
Save for later

3 cybersecurity lessons for e-commerce website administrators

Guest Contributor
25 Jun 2019
8 min read
In large part, the security of an ecommerce company is the responsibility of its technical support team and ecommerce software vendors. In reality, cybercriminals often exploit the security illiteracy of the staff to hit a company. Of all the ecommerce team, web administrators are often targeted for hacker attacks as they control access to the admin panel with lots of sensitive data. Having broken into the admin panel, criminals can take over an online store, disrupt its operation, retrieve customer confidential data, steal credit card information, transfer payments to their own account, and do more harm to business owners and customers. Online retailers contribute to the security of their company greatly when they educate web administrators where security threats can come from and what measures they can take to prevent breaches. We have summarized some key lessons below. It’s time for a quick cybersecurity class! Lesson 1. Mind password policy Starting with the basis of cybersecurity, we will proceed to more sophisticated rules in the lessons that follow. The importance of secure password policy may seem obvious, it's still shocking how careless people can be with choosing a password. In e-commerce, web administrators set credentials for accessing the admin panel and they can “help” cybercriminals greatly if they neglect basic password rules. Never use similar or alike passwords to log into different systems. In general, sticking to the same patterns when creating passwords (for example, using a date of birth) is risky. Typically, people have a number of personal profiles in social networks and email services. If they use identical passwords to all of them, cybercriminals can steal credentials just to one social media profile to crack the others. If employees are that negligent about accessing corporate systems, they endanger the security of the company. Let’s outline the worst-case scenario. Criminals take advantage of the leaked database of 167 million LinkedIn accounts to hack a large online store. As soon as they see the password of its web administrator (the employment information is stated in the profile just for hackers’ convenience), they try to apply the password to get access to the admin panel. What luck! The way to break into this web store was too easy. Use strong and impersonalized passwords. We need to introduce the notion of doxing to fully explain the importance of this rule. Doxing is the process of collecting pieces of information from social accounts to ultimately create a virtual profile of a person. Cybercriminals engage doxing to crack a password to an ecommerce platform by using an admin’s personal information in it. Therefore, a strong password shouldn’t contain personal details (like dates, names, age, etc.) and must consist of eight or more characters featuring a mix of letters, numbers, and unique symbols. Lesson 2. Watch out for phishing attacks With the wealth of employment information people leave in social accounts, hackers hold all the cards for implementing targeted, rather than bulk, phishing attacks. When planning a malicious attack on an ecommerce business, criminals can search for profiles of employees, check their position and responsibilities, and conclude what company information they have access to. In such an easy way, hackers get to know a web store administrator and follow with a series of phishing attacks. Here are two possible scenarios of attacks: When hackers target a personal computer. Having found a LinkedIn profile of a web administrator and got a personal email, hackers can bombard them with disguised messages, for example, from bank or tax authorities. If the admin lets their guard down and clicks a malicious link, malware installs itself on their personal computer. Should they remotely log in the admin panel, hackers steal their credentials and immediately set a new password. From this moment, they take over the control over a web store. Hackers can also go a different way. They target a personal email of the web administrator with a phishing attack and succeed in taking it over. Let’s say they have already found out a URL to the admin panel by that time. All they have to do now is to request to change the password to the panel, click the confirmation link from the admin’s email and set a new password. In the described scenario, the web administrator has made three security mistakes of using a personal email for work purposes, not changing the default admin URL, and taking the bait of a phishing email. When hackers target a work computer. Here is how a cyberattack may unfold if web administrators have been reckless to disclose a work email online. This time, hackers create a targeted malicious email related to work activities. Let’s say, the admin can get a legitimate-looking email from FedEx informing about delivery problems. Not alarmed, they open the email, click the link to know the details, and compromise the security of the web store by giving away the credentials to the admin panel to hackers. The main mistake in dealing with phishing attacks is to expect a fraudulent email to look suspicious. However, phishers falsify emails from real companies so it can be easy to fall into the trap. Here are recommendations for ecommerce web administrators to follow: Don’t use personal emails to log in to the admin panel. Don’t make your work email publicly available. Don’t use work email for personal purposes (e.g., for registration in social networks). Watch out for links and downloads in emails. Always hover over the link prior to click it – in malicious emails, the destination URL doesn’t match the expected destination website. Remember that legitimate companies never ask for your credentials, credit card details or any other sensitive information in emails. Be wary of emails with urgent notifications and deadlines – hackers often try to allay suspicions by provoking anxiety and panic among their victims. Engage two-step verification for an ecommerce admin panel. Lesson 3.  Stay alert while communicating with a hosting provider Web administrators of companies that have chosen a hosted ecommerce platform for their e-shop will need to contact the technical support of their hosting provider now and then. Here, a cybersecurity threat comes unexpected. If hackers have compromised the security of the web hosting company, they can target its clients (e-commerce websites) as well. Admins are in serious danger if the hosting company stores their credentials unencrypted. In this case, hackers can get direct access to the admin panel of a web store. Otherwise, more sophisticated attacks are developed. Cybercriminals can mislead web administrators by speaking for tech support agents. When communicating with their hosting provider, web administrators should mind several rules to protect their confidential data and the web store from hacking. Use unique email and password to log in your web hosting account. The usage of similar credentials for different work services or systems leads to a company security breach in case the hosting company has been hacked. Never reveal any credentials on request of tech support agents. Having shared their password to the admin panel, web administrators can no longer authenticate themselves by using it. Track your company communication with tech support. Web administrators can set email notifications to track requests from team members to the tech support and control what information is shared. Time for an exam As a rule, ecommerce software vendors and retailers do their best for the security of ecommerce businesses. Thus, software vendors take the major role in providing for the security of SaaS ecommerce solutions (like Shopify or Salesforce Commerce Cloud), including the security of servers, databases and the application itself. In IaaS solutions (like Magento), retailers need to put more effort in maintaining the security of the environment and system, staying current on security updates, conducting regular audits and more (you can see the full list of Magento security measures as an example). Still, cybercriminals often target company employees to hack an online store. Retailers are responsible for educating their team what security rules are compulsory to follow and how to identify malicious intents. In our article, we have outlined the fundamental security lessons for web administrators to learn in order to protect a web store against illicit access. In short, they should be careful with personal information they publish online (in their social media profiles) and use unique credentials for different services and systems. There are no grades in our lessons – rather an admin’s contribution to the security of their company can become the evaluation of knowledge they have gained. About the Author Tanya Yablonskaya is Ecommerce Industry Analyst at ScienceSoft, an IT consulting and software development company headquartered in McKinney, Texas. After 2+ years of exploring the cryptocurrency and blockchain sphere, she has shifted the focus of interest to ecommerce industry. Delving into this enormous world, Tanya covers key challenges online retailers face and unveils a wealth of tools they can use to outpace competitors. The US launched a cyber attack on Iran to disable its rocket launch systems; Iran calls it unsuccessful All Docker versions are now vulnerable to a symlink race attack 12,000+ unsecured MongoDB databases deleted by Unistellar attackers
Read more
  • 0
  • 0
  • 6202
article-image-how-not-to-get-hacked-by-state-sponsored-actors
Guest Contributor
19 Jun 2019
11 min read
Save for later

How not to get hacked by state-sponsored actors

Guest Contributor
19 Jun 2019
11 min read
News about Russian hackers creating chaos in the European Union or Chinese infiltration of a US company has almost become routine. In March 2019, a Russian hacking group was discovered operating on Czech soil by Czech intelligence agencies. Details are still unclear, however, speculations state that the group is part of a wider international network based out of multiple EU countries and was operating under Russian diplomatic cover. The cybercriminal underground is complex, multifaceted, and by its nature, difficult to detect. On top of this, hackers are incentivized not to put their best foot forward in order to evade detection. One of the most common tactics is to disguise an attack so that it looks like the work of another group. These hackers frequently prefer to use the most basic hacking software available because it avoids the unique touches of more sophisticated software. Both of these processes make it more difficult to trace a hack back to its source. Tracing high-level hacking is not impossible; however, there are some clear signs investigators use to determine the origin of a hacking group. Different hacker groups have distinct motivations, codes of conduct, tactics, and payment methods. Though we will be using Russian and Chinese hacking as our main examples, the tips we give can be applied to protecting yourself from any state-sponsored attack. Chinese and Russian hacking – knowing the difference Russian speaking hacker forums are being exposed with increasing frequency, revealing not just the content shared in their underground network, but the culture that members have built up. They first gained notoriety during the 90s when massive economic changes saw the emergence of vast criminal networks – online and offline. These days, Russian hacks typically have two different motivations: geopolitical and financial. Geopolitical attacks are generally designed to create confusion. The role of Russian hackers in the 2016 US election was one of the most covered stories by international media. However, these attacks are most effective and most common in countries with weak government institutions. Many of them are also former Soviet territories where Russia has a pre-existing geopolitical interest. For example, the Caucasus region and the Baltic states have long been targeted by state-sponsored hackers. The tactics of these “active measures” are multivariate and highly complex. Hacking and other digital attacks are just one arm of this hybrid war. However, the hacks that affect average web users the most, tend to be financially motivated. Russian language forums on the dark web have vast sections devoted to “carder” communities. Carder forums are where hackers go to buy and sell everything from identity details, credit card details, data dumps, or any other information that has been stolen. For hackers looking to make a quick buck, carder forums are bread and butter. These forums and subforums include detailed tutorials on how to spoof a credit card number. The easiest way to steal from unsuspecting people is to buy a fake card. However, card scanners that steal a person’s credit card number and credentials are becoming increasingly popular. Unlike geopolitical hacks, financial attacks are not necessarily state-sponsored. Though individual Western hackers may be more skilled when it comes to infiltrating more complex system, Russian hackers have several distinct advantages. Unlike in Western countries, Russian authorities tend to turn a blind eye to hacking that targets either Western countries or former Soviet states. This allows hackers to work together in groups, something they’re discouraged from doing in countries that crack down on cyber attacks. This means Russian hackers can target more people at a greater speed than individual bad actors working in other countries. Why the Chinese do it? There are a number of distinct differences when it comes to Chinese hacking projects. The goal of state-sponsored Chinese attacks is to catch up to the US and European level of technological expertise in fields ranging from AI, biomedicine, alternative energy to robotics, and space technology. These goals were outlined in Xi Jinping's Made in China 2025 announcement. This means, the main target for Chinese hackers is economic and intellectual property, which can be corporate or government. In the public sector, targeting US defense forces yields profitable designs for state-of-the-art technology. The F-22 and F-35, two fighter aircraft developed for the US military, were copied and produced almost identically by China’s People’s Liberation Army. In the private sector, Chinese agents target large scale industries that use and develop innovative technology, like oil and gas companies. For example, a group might attack an oil firm to get details about exploration and steal geological assessments. This information would then be used to underbid their US competitor. After a bilateral no-hacking agreement between the US and Chinese leaders was signed in 2016, attacks dropped significantly. However, since mid-2018, these attacks have begun to increase again. The impact of these new Chinese-sponsored cyber attacks has been farther reaching than initially expected. Chinese hacking groups aren’t simply taking advantage of system vulnerabilities in order to steal corporate secrets. Many top tech companies believed they were compromised by a possible supply chain attack that saw Chinese microchips secretly inserted into servers. Though Chinese and Russian hackers may have different motivations, one thing is certain: they have the numbers on their side. So how can you protect yourself from these specific hacking schemes? How to stay safe – tips for everyday online security Cyber threats are a part of life connected to the internet. While there’s not a lot you can do to stop someone else from launching an attack, there are steps you can take to protect yourself as much as possible.  Of course, no method is 100% foolproof, but it’s likely that you can be protected. Hackers look for vulnerabilities and flaws to exploit. Unless you are the sole gatekeeper of a top-secret and lucrative information package that you’ve placed under heavy security, you may find yourself the target of a hacking scheme at some point or another.  Nevertheless, if a hacker tries to infiltrate your network or device and finds it too difficult, they will probably move onto an easier target. There are some easy steps you can take to bolster your safety online. This is not an exhaustive list. Rather, it’s a round-up of some of the best tools available to bolster your security and make yourself a difficult – and therefore unattractive – target. Make use of security and scanning tools The search tool Have I Been Pwned is a great resource for checking if your accounts have been caught up in a recent data breach. You can enter your email address or your password for any account to see whether either has been exposed. You can also set up notifications on your accounts or domains that will tell you immediately if they are caught in a data breach. This kind of software can be especially helpful for small business networks, which are more likely to find themselves on the receiving end of a Chinese hack. Hackers know that small businesses have fewer resources than large corporations, which can make their attacks even more devastating. Read Also: ‘Have I Been Pwned’ up for acquisition; Troy Hunt code names this campaign ‘Project Svalbard’ Manage your passwords One of the most common security mistakes is also one of the most dangerous. You should use a unique, complicated password for each one of your accounts. The best way to manage a lot of complicated passwords is with a password manager. There are browser extensions but they have an obvious drawback if you lose your device. It’s best to use a separate application. Use a passphrase, rather than a password, to access your password manager. A passphrase is exactly what it sounds like. Rather than trusting that hackers won’t be able to figure out a single word, using multiple words to create a full phrase is both easier to remember and harder to hack. If your device offers biometric access (like fingerprint), switch it on. Many financial apps also offer an additional layer of biometric security before you send money. Use a VPN A VPN encrypts your traffic, making it unreadable to outsiders. It also spoofs your IP address, which conceals your true location. This prevents sensitive information from falling into the hands of unscrupulous users and prevents your location details being used to identify you. Some of the premium VPNs integrate advanced security features into their applications. For example, malware blockers will protect your device from malware and spyware. Some also contain ad-blockers. Read Also: How to protect your VPN from Data Leaks Keep in mind that free VPNs can themselves be a threat to your online privacy. In fact, some free VPNs have been used by the Chinese government to spy on their citizens. That’s why you should only use a high-quality VPN like CyberGhost to protect yourself from hackers and online trackers. If you’re looking for the fastest VPN on the market, ExpressVPN has consistently been the best competition in speed tests. NordVPN is our pick for best overall VPN when comparing it based on price, security, and speed. VPNs are an important tool for both individuals and businesses. However, because Russian hackers prefer individual targets, using a VPN while dealing with any sensitive data, such as a bank, will help keep your money in your own account. Learn to identify and deal with phishing Phishing for passwords is one of the most common and most effective ways to extract sensitive information from a target. Russian hackers were famously able to sabotage Hillary Clinton’s presidential campaign when they leaked emails from campaign manager John Podesta. Thousands of emails on that server were stolen via a phishing scam. Phishing scams are an easy way for hackers to infiltrate companies especially. Many times, employee names and email addresses are easy to access online. Hackers then use those names for false email accounts, which tricks their coworkers into open an email that contains a malware file. The malware then opens a direct line into the company’s system. Crucially, phishing emails will ask for your passwords or sensitive information. Reputable companies would never do that. One of the best ways to prevent a phishing attack is to properly train yourself, and everyone in your company, on how to detect a phishing email. Typically – but not always – phishing emails use badly translated English with grammatical errors. Logos and icons may also appear ill-defined. Another good practice is to simply hover your mouse over the email, which will generally reveal the actual sender. Check the hosting platform and the spelling of the company name as these are both techniques used by hackers to confuse unwitting employees. You can also use a client-based anti-phishing software, like one from avast! or Kaspersky Labs, which will flag suspicious emails. VPNs with an anti-malware feature also offer reliable protection against phishing scams. Read Also: Using machine learning for phishing domain detection [Tutorial] Keep your apps and devices up-to-date Hackers commonly take advantage of flaws in old systems. Usually, when an update is released, it fixes these vulnerabilities. Make a habit of installing each update to keep your devices protected. Disable Flash Flash is a famously insecure piece of software that hackers can infiltrate easily. Most websites have moved away from flash, but just to be sure, you should disable it in your browser. If you need it later you can give Flash permission to run for just video at a time. What to do if you have been hacked If you do get a notice that your accounts have been breached, don’t panic. Follow the steps given below: Notify your workplace Notify your bank Order credit reports to keep track of any activity Get identity theft insurance Place a credit freeze on your accounts or a fraud alert Chinese and Russian hackers may seem impossible to avoid, but the truth is, we are probably not protecting ourselves as well as we should be. Though individuals are less likely to find themselves the target of Chinese hacks, most hackers are out for financial gain above all else. That makes it is more crucial to protect our private data. The simple tips provided above are a great baseline to secure your devices and protect your privacy, whether you want to protect against state-sponsored hacking or individual actors. Author Bio Ariel Hochstadt is a successful international speaker and author of 3 published books on computers and the internet. He’s an ex-Googler where he was the Global Gmail Marketing Manager and today he is the co-founder of vpnMentor and an advocate of online privacy. He’s also very passionate about traveling around the world with his wife and three kids.   Google’s Protect your Election program: Security policies to defend against state-sponsored phishing attacks, and influence campaigns How to beat Cyber Interference in an Election process The most asked questions on Big Data, Privacy, and Democracy in last month’s international hearing by Canada Standing Committee
Read more
  • 0
  • 0
  • 4238

article-image-defensive-strategies-industrial-organizations-can-use-against-cyber-attacks
Guest Contributor
20 Mar 2019
8 min read
Save for later

Defensive Strategies Industrial Organizations Can Use Against Cyber Attacks

Guest Contributor
20 Mar 2019
8 min read
Industrial organizations are prime targets for spies, criminals, hacktivists and even enemy countries. Spies from rival organizations seek ways to access industrial control systems (ICS) so they can steal intelligence and technology and gain a competitive advantage. Criminals look for ways to ransom companies by locking down IT systems. Hacktivists and terrorists are always looking for ways to disrupt and even endanger life through IT and international antagonists might want to hack into a public system (e.g. a power plant) to harm a country's economic performance. This article looks at a number of areas where CTOs need to focus their attention when it comes to securing their organizations from cyber attacks. Third Party Collaboration The Target breach of November 2013 highlighted the risks of poor vendor management policies when it comes to cybersecurity. A third party HVAC (Heating, Ventilation, and Air Conditioning) provider was connected into the retailer's IT architecture in such a way that, when it was hacked, cybercriminals could access and steal credit card details from their customers. Every third party given access to your network–even security vendors–need to be treated as possible accidental or deliberate vectors of attack. These include catering companies, consultants, equipment rental firms, maintenance service providers, transport providers and anyone else who requests access to the corporate network. Then there are sub-contractors to think about. The IT team and legal department need to be involved from the start to risk assess third-party collaborations and ensure access if granted, is restricted to role-specific activities and reviewed regularly. Insider and Outsider Threat An organization's own staff can compromise a system's integrity either deliberately or accidentally. Deliberate attacks can be motivated by money, revenge, ideology or ego and can be among the most difficult to detect and stop. Organizations should employ a combination of technical and non-technical methods to limit insider threat. Technical measures include granting minimum access privileges and monitoring data flow and user behavior for anomalies (e.g. logging into a system at strange hours or uploading data from a system unrelated to their job role). One solution which can be used for this purpose is a privileged access management system (PAM). This is a centralized platform usually divided into three parts: an access manager, a session manager, and a password vault manager. The access manager component handles system access requests based on the company’s IAM (Identity and Access Management) policies. It is a good practice to assign users to specific roles and to limit access for each user to only those services and areas of the network they need to perform their role. The PAM system automates this process with any temporary extra permissions requiring senior authorization. The session manager component tracks user activity in real time and also stores it for future audit purposes. Suspicious user activity can be reported to super admins who can then terminate access. The password vault manager component protects the root passwords of each system and ensures users follow the company’s user password policy. Device management also plays an important part in access security. There is potentially a big security difference between an authorized user logging on to a system from a work desktop and the same user logging on to the same system via their mobile device. Non-technical strategies to tackle insider threat might include setting up a confidential forum for employees to report concerns and ensuring high-quality cyber security training is provided and regularly reviewed. When designing or choosing training packages, it is important to remember that not all employees will understand or be comfortable with the technical language, so all instructions and training should be stripped of jargon as far as possible. Another tip is to include plenty of hands-on training and real-life simulations. Some companies test employee vulnerability by having their IT department create a realistic phishing email and recording how many clicks it gets from employees. This will highlight which employees or departments need refresher training. Robust policies for any sensitive data physically leaving the premises are also important. Employees should not be able to take work devices, disks or flash drives off the premises without the company’s knowledge and this is even more important after an employee leaves the company. Data Protection Post-GDPR, data protection is more critical than ever. Failure to protect EU-based customer data from theft can expose organizations to over 20 million Euros worth of fines. Data needs to be secure both during transmission and while being stored. It also needs to be quickly and easily found and deleted if customers need to access their data or request its removal. This can be complex, especially for large organizations using cloud-based services. A full data audit is the first place to start before deciding what type of encryption is needed during data transfer and what security measures are necessary for stored data. For example, if your network has a demilitarized zone (DMZ), data in transit should always end here and there should be no protocols capable of spanning it. Sensitive customer data or mission-critical data can be secured at rest by encrypting it and then applying cryptographic hashes. Your audit should look at all components of your security provider. For example, problems with reporting threats can arise due to insufficient storage space for firewall logs. VPN Vulnerabilities Some organizations avoid transmitting data over the internet by setting up a VPN (Virtual Private Network). However, this does not mean that data is necessarily safe from cybercriminals. One big problem with most set-ups is that data will be routed over the internet should the VPN connection be dropped. A kill switch or network lock can help avoid this. VPNs may not be configured optimally and some may lack protection from various types of data leaks. These include DNS leaks, WebRTC, and IPV6 leaks. DNS leaks can occur if your VPN drops a connection and your browser defaults to default DNS settings, exposing your IP address. WebRTC, a fairly new technology, enables browsers to talk to one another without using a server. This requires each browser to know the other’s public IP address and some VPNs are not designed to protect from this type of leak. Finally, IPV6 leaks will happen if your VPN only handles IPV4 requests. Any IPV6 requests will be sent on to your PC which will automatically respond with your IP address. Most VPN leaks can be checked for using free online tools and your vendor should either be able to solve the issue or you may need to consider a different vendor. If you can, use L2TP (layer 2 tunneling protocol) or, OpenVPN rather than the more easily compromised PPTP (Point-to-Point Tunneling Protocol). Network Segmentation Industrial organizations tend to use network segmentation to isolate individual zones should a compromise happen. For example, this could immediately cut off all access to potentially dangerous machinery if an office-based CRM is hacked. The Purdue Model for Industrial Control Systems is the basis of ISA-99, a commonly referenced standard, which divides a typical ICS architecture into four to five zones and six levels. In the most basic model, an ICS is split into various area or cell zones which sit within an overall industrial zone. A demilitarized zone (DMZ) sits between this industrial zone and the higher level enterprise zone. Network segmentation is a complex task but is worth the investment. Once it is in place, the attack surface of your network will be reduced and monitoring for intrusions and responding to cyber incidents will be quicker and easier. Intrusion Detection Intrusion detection systems (IDS) are more proactive than simple firewalls, actively searching the network for signs of malicious activity. An IDS can be a hardware device or a software application and can use various detection techniques from identifying malware signatures to monitor deviations from normal traffic flow. The two most common classes of IDS are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). While NIDS focus on incoming traffic, HIDS monitor existing files, and folders. Alarm filtering (AF) technology can help to sort genuine threats from false positives. When a system generates a warning for every anomaly it picks up, agents can find it hard to connect failures together to find the cause. This can also lead to alarm fatigue where the agent becomes desensitized to system alarms and misses a real threat. AF uses various means to pre-process system alarms so they can be better understood and acted upon. For example, related failures may be grouped together and then assigned to a priority list. System Hardening and Patch Management System hardening means locking down certain parts of a network or device or removing features to prevent access or to stop unwanted changes. Patching is a form of system hardening as it closes up vulnerabilities preventing them from being exploited. To defend their organization, the IT support team should define a clear patch management policy. Vendor updates should be applied as soon as possible and automated where they can. Author Bio Brent Whitfield is CEO of DCG Technical Solutions, Inc. DCG provides a host of IT services Los Angeles businesses depend upon whether they deploy in-house, cloud or hybrid infrastructure. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. RSA Conference 2019 Highlights: Top 5 cybersecurity products announced Cybersecurity researcher withdraws public talk on hacking Apple’s Face ID from Black Hat Conference 2019: Reuters report 5 lessons public wi-fi can teach us about cybersecurity
Read more
  • 0
  • 0
  • 4988

article-image-fosdem-2019-designing-better-cryptographic-mechanisms-to-avoid-pitfalls-talk-by-maximilian-blochberger
Prasad Ramesh
13 Feb 2019
3 min read
Save for later

FOSDEM 2019: Designing better cryptographic mechanisms to avoid pitfalls - Talk by Maximilian Blochberger

Prasad Ramesh
13 Feb 2019
3 min read
At FOSDEM 2019, Belgium, Maximilian Blochberger talked about preventing cryptographic pitfalls by avoiding mistakes while integrating cryptographic mechanisms correctly. Blochberger is a research associate at the University of Hamburg. FOSDEM is a free and open event for software developers with thousands of attendees, this year’s event took place on second and third February. The goal of this talk is to raise awareness of cryptographic misuse. Preventing pitfalls in cryptography is not about cryptographic protocols but about designing better APIs. Consider a scenario where a developer that values privacy intends to add encryption. This is about integrating cryptographic mechanisms into your application. Blochberger uses a mobile application as an example but the principles are no specific to mobile applications. A simple task is presented—to encrypt a string which is actually difficult. A software developer who doesn't have any cryptographic or even security background would search it online. They will then copy paste a common answer snippet available on StackOverflow. Even though it had warnings of not being secure, but had upvotes and probably worked for some people. Readily available code like that has words like “AES” or “DES” and the software developer may not know much about those encryption algorithms. Using the default algorithms listed in such template code, and using the same keys is not secure. Also, the encryption itself is not CPA (chosen-plaintext attack) secure, the key derivation can be unauthenticated, among other things. 98% of security-related snippets are insecure according to many papers. It’s hard to get encryption right. The vulnerability is high especially if the code is copied from the internet. Implementing cryptographic mechanisms should be done by cryptographic engineers who have expertise in the field. The software developer does not need to develop or even know about the details of the implementation. Doing compiler checks instead of runtime checks is better since you don’t have to wait for something to go wrong before identifying the problem. Cryptography is harder than it actually looks. Many things can and do go wrong exposing encrypted data due to incorrect choices or inadequate measures. He demonstrates an iOS and macOS example using Tafelsalz. For more details with the demonstration of code, you can watch the video. Introducing CT-Wasm, a type-driven extension to WebAssembly for secure, in-browser cryptography Sennheiser opens up about its major blunder that let hackers easily carry out man-in-the-middle attacks Tink 1.2.0: Google’s new multi-language, cross platform, cryptographic library to secure data
Read more
  • 0
  • 0
  • 3829
article-image-how-to-protect-your-vpn-from-data-leaks
Guest Contributor
26 Jan 2019
7 min read
Save for later

How to protect your VPN from Data Leaks

Guest Contributor
26 Jan 2019
7 min read
The following news story was reported by the Nine Network just a week after New Year's Day: an English teacher from Sydney was surprised when she found that her Facebook account was changing in strange ways. Jennifer Howell first noticed that her profile photo had changed, thus prompting her to change her password; however, she was abruptly logged out and locked out of her account upon attempting to do so. Later, she noticed that her profile had been hijacked by someone from the Middle East for the purpose of spreading radical propaganda. Nine Network journalists tracked down another Facebook user in Melbourne whose account had been similarly hijacked by hackers in the Middle East, and the goal was essentially the same. Even though both cases were reported to the Australian Cybercrime Online Reporting Network, nothing could be done about the hijacking, which may have been facilitated by password sniffing over unsecured connections. The Need for VPN Protection [Image courtesy of CNET.com] Seeing such worrisome reports about hacking is prompting many people to use virtual private networking (VPN) technology to secure their internet connections; however, these connections must be checked for potential leaks or they could be a waste of money. In essence, VPN connections protect online privacy by creating a secure tunnel between the client (who typically uses a personal computing device to connect to the internet) and the internet. A reliable VPN connection masks the user's geographical location by means of providing a different internet protocol (IP) address, which is the calling card of every online connection. Moreover, these connections encrypt data transmitted during sessions and provide a form of anonymous browsing. Like with almost all internet tools, VPN connections can also be subjected to certain vulnerabilities that weaken their reliability. Data leaks are a concern amongst information security researchers who focus on VPN technology, and they have identified the following issues: WebRTC Leaks Web Real-Time Communication (WebRTC) is an evolution of the Voice over Internet Protocol (VoIP) for online communications. VoIP is the technology that powers popular mobile apps such as Skype and WhatsApp; it has also replaced the legacy PBX telephone systems at many businesses. Let's say a company is looking to hire a new personnel. With WebRTC enabled on their end, they can direct applicants to a website they can access on their desktop, laptop, tablet, or smartphone to conduct job interviews without having to install Skype. The problem with WebRTC is that it can leak the IP address of users even when a VPN connection is established. DNS Hijacking The hijacking of domain name system (DNS) servers is an old malicious hacking strategy that has been appropriated by authoritarian regimes to enact internet censorship. The biggest DNS hijacking operation in the world is conducted by Chinese telecom regulators through the Great Firewall, which restricts access to certain websites and internet services. DNS hijacking is a broad name for a series of attacks on DNS servers, a common one involves taking over a router, server or even an internet connection for the purpose of redirecting traffic. In other words, hackers can impersonate websites, so that when you intend to check ABC News you will instead be directed to a page that resembles it, but in reality has been coded to steal passwords, compromise your identity or install malware. Some attacks are even more sophisticated than others. There is a connection between WebRTC and DNS hijacking: a malware attack known as DNS changer that can be injected into a system by means of JavaScript execution followed by a WebRTC call that you will not be aware of. This call can be used to determine your IP address even if you have connected through a VPN. This attack may be enhanced by a change of your DNS settings for the purpose of enlisting your computer or mobile device into a botnet to distribute spam, launch denial-of-service attacks or simply hijack your system without your knowledge. Testing for Leaks [Image courtesy of HowToGeek.com] In addition to WebRTC leaks and DNS queries, there are a few other ways your VPN can betray you: public IP address, torrents, and geolocation. The easiest way to assess if you’ve got a leakage is to visit IPLeak.net with your VPN turned off. Let this nifty site work its magic and make note of the information it offers. Leave the site, then turn your VPN on, and repeat the tests. Now compare the results. The torrents and geolocation tests are interesting but probably not as useful or as likely a culprit as the DNS. Your device navigates the internet by communicating with DNS servers that translate web URLs into numeric IP addresses. Most of the time, you’ll have defaulted through your ISP servers, which often leak like cheesecloth. The bad news is that, even with a VPN in place, leakage through your local servers can give up your physical location to spying eyes. To combat this, VPN services route their customers through servers separate from their ISP. Now that you’ve proven your data is leaking, what can you do about it? Preventing Leaks and Choosing the Right VPN Something you can do even before installing a VPN solution is to disable WebRTC in your browser. Some developers have already made this a default configuration, but many still ship with this option enabled. If you search for "WebRTC" within the help file of your browser, you may be able to find instructions on how to modify the flags or .config file. However, proceed with caution. Take the time to read and understand reliable guides such as this one from security researcher Paolo Stagno. Here are other preventative measures: When configuring your VPN, go with the servers it suggests, which will likely not be those of your ISP but rather servers maintained by the VPN company. Not all VPN companies have their own servers, so be aware of that when considering your options.  Be aware that the internet is transitioning its IP address naming system from IPv4 to IPv6. Without diving too deep into this topic, just be aware that if your VPN has not upgraded its protocols, then any site with a new IPv6 address will leak. Look for a VPN service compatible with the new format.  Make sure your VPN uses the newest version of the OpenVPN protocol.  Windows 10 has an almost impossible to change default setting that chooses the fastest DNS server, resulting in the chance it might ignore your VPN server and revert back to the ISP. The OpenVPN plugin is a good way to fight this. Final Thoughts In the end, using a leaky VPN defeats the security purpose of tunneled connections. It is certainly worth your while to evaluate VPN products, read their guides and learn to secure your system against accidental leaks. Keep in mind this is not a ‘set it and forget it’ problem. You should check for leakage periodically to make sure nothing has changed with your system. The winds of change blow constantly online and what worked yesterday might not work tomorrow. As a final suggestion, make sure the VPN you use has a kill-switch feature that breaks your connection in the event it detects a data leak. Author Bio Gary Stevens is a front-end developer. He’s a full-time blockchain geek and a volunteer working for the Ethereum foundation as well as an active Github contributor. Dark Web Phishing Kits: Cheap, plentiful and ready to trick you How to stop hackers from messing with your home network (IoT) Privacy Australia - can you be tracked if you use a VPN? What you need to know about VPNFilter Malware Attack
Read more
  • 0
  • 0
  • 5100

article-image-go-phish-what-do-thieves-get-from-stealing-our-data
Guest Contributor
24 Dec 2018
7 min read
Save for later

Go Phish! What do thieves get from stealing our data?

Guest Contributor
24 Dec 2018
7 min read
If black hats were sharks, then our emails would be a school of innocent, unsuspecting guppies nonchalantly drifting along. For black hats or malicious hackers, getting into the average person’s email is as challenging as overeating at a buffet. After all, e-mail is the most successful federated communication system ever built, with over 281 billion emails sent per day and growing. We’re helpless without email. Most people cannot imagine an hour going by without checking and answering emails, let alone a day. Over email, you send updates on your address and banking information to your service providers or clients, health information to your university or insurance agent, and more. Despite this, email traffic generally does not have end-to-end encryption, leaving it highly vulnerable. And 91% of cyber attacks are carried out through e-mail. Fish, meet barrel. And for whatever e-mail scanners or antivirus you have running, know that black hats are developing their own predatory tools at a much faster rate. Social engineering, baiting, and placing malicious links in places as seemingly harmless as unsubscribe buttons are just a few items from their arsenal of tricks. Cybersecurity companies are getting better at detecting threats and identifying suspicious emails or links, but most people are just not tech savvy enough to avoid these pitfalls. Many think that they don’t even need to bother, which you have to realize is like walking blindfolded through the Temple of Doom and expecting to get out of there unscathed. Don’t be that person. Don’t be in that school of fish just waiting to be a shark snack. It’s time to understand why protecting your email is so important and how black hats are plotting your demise. Data exploitation and ransom With the amount of conversation happening lately about the importance of having control over your data, it should be clear how valuable data can be. Data can be used for consumer and marketing purposes or misused to fraudulently conduct purchases on e-commerce sites. It can be sold to other parties who will use it for illicit or illegal purposes, or even just to steal even more data from your friends and family. Equifax was one of the more famous data breaches that occurred recently. It affected over 200,000 people and compromised their credit card information, social security numbers, credit scores, and other very sensitive information. Now if you’re not in the 1%, you probably think you’re not the type to be subject to be a ransom attack, but you’d be wrong. You don’t need to be famous or powerful for people to try to bleed you dry in this way. Ransomware attacks, or attacks that are meant to hold on to your data in return for ransom money, rose by 250% in 2017. WannaCry is an example of an infamous ransomware attack, which caused an estimated $1B in damage or more. Identity Theft The dangers of identity theft may be obvious, but many people don’t understand to what extent it can really affect their future. Identity theft may actually be the worst thing a hacker can do with your information. In 2017, the direct and indirect cost of identity theft in the US was estimated at $16.8 billion. Identity theft harmed 16.7 million people,  which is about 7% of American adults! And one weakness leads to another - back in 2014, the Department of Justice estimated that about ⅓ of Americans who suffered a data breach subsequently became victims of financial fraud. Now in 2018, this is only likely to have increased. Here are just a few things thieves can do with your identifying information: Open credit cards or take out loans Aside from your name, if black hats also obtain your Social Security number, birthdate, and address, they can open credit cards and apply for loans in your name. Intercept your tax refund The tax refund you are excited about may not come after all if you get hacked. People who wait until the last moment to declare are more vulnerable and thieves may counterfile a fake tax return using your identity. Use it to receive medical treatment By obtaining your SSN and health insurance account numbers, black hats can use or sell your information in order to receive medical treatment. According to a study from Michigan State University, there were nearly 1,800 incidents of medical data breaches with patients’ information from October 2009 to December 2016. These breaches can be used to receive treatments, prescriptions, and even put your own health at risk if the thief’s medical information is now mixed up with yours. Travel with your airline miles Airline miles can be exchanged for cash, gift cards, and products or upgrades. Millions of miles have been stolen easily through phishing emails and other simple email scams. Open utility accounts 13% of 2016’s fraud incidents were related to phone and utility accounts. Thieves can open an account with a gas, phone, or electric company using your stolen SSN and then run up huge bills in your name, right under your nose. Outsmarting the sharks The first and simplest step you can take to defend against email fraud is to learn to avoid phishing schemes. A phishing scheme is when someone emails you pretending to be someone they’re not. (Think Nigerian princes or friends who suddenly find themselves abroad without a wallet when you could have sworn they were at the bar Friday night.) They could also be pretending to be from your email or healthcare provider asking you to log in. These e-mails often include links to phishing sites that will collect your passwords and personal information. You may have heard that using passphrases instead of passwords can help protect you, and it’s true that they are more secure. They’re even stronger when you include special characters like quotation marks, and use languages other than English. This is the best known practice for generating strong passwords. But these passphrases can still be stolen through phishing, just like any password. So don’t let a clever passphrase lull you into a false sense of security. Phishing is extremely prevalent. About 1.4 million of these fake sites are created each month, and around 135 million phishing attempts are made via email every single day. Here are some main rules of thumb to avoid phishing, and all they take are common sense: Don’t follow any links that don’t have https in the URL. Avoid links that lack the S. Don’t enter your password after following any link from any e-mail. Even if it really looks legit. If it’s from your bank, for example, just enter your banking app normally to complete whatever the e-mail is asking you to do. Do not follow the e-mailed link. Chances are, you’ll discover your account is normal and requires no attention at all. Bullet dodged. Keep your accounts secure with two factor authentication - that means adding an extra step to your login process, like receiving a security code to your phone. This is annoying for sure, but it does help keep predators out until a better solution is offered to the masses. We’re looking at you, e-mail security industry! We’re in dangerous waters these days, and the hacker sharks are circling, but you’re not helpless if you pay attention. Treat your e-mail with the same careful consideration with which you’d (hopefully) treat your wallet or other tangible assets, and you’ll go a long way towards avoiding the worst. Good luck out there! Author Bio Georg Greve is the Co-founding Chairman and Head of Product Development at Vereign, an intuitive software platform on a mission to bring authenticity and privacy to day-to-day online communication. Georg is also a software developer, physicist, and entrepreneur, with two decades of experience working closely with Red Hat, IBM, and Google as well as the United Nations, European Commission and various countries. His interest in information security dates back even further. He previously worked on the secure messaging platform Kolab, and as Founding President of the Free Software Foundation Europe (FSFE), where he received the German Federal Cross of Merit on Ribbon for his groundbreaking work on Open Standards and Free Software. Dark Web Phishing Kits: Cheap, plentiful and ready to trick you. Using machine learning for phishing domain detection [Tutorial] Meet ‘Gophish’, the open source Phishing Toolkit that simulates real-world phishing attacks
Read more
  • 0
  • 0
  • 3451