Posts

Showing posts from June, 2018

US-CERT - VMware Releases Security Updates

Original release date: June 30, 2018 VMware has released security updates to address vulnerabilities in VMware ESXi, Workstation, and Fusion. An attacker could exploit these vulnerabilities to obtain sensitive information. NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0016 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/current-activity/2018/06/30/VMware-Releases-Security-Updates

KnowBe4 - KnowBe4’s Year-Over-Year Sales DOUBLE Q2 2018

Image
We doubled our year-over-year sales for Q2, bringing us to well over 19,000 customers worldwide.  This makes 21 consecutive up quarters.  from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4s-year-over-year-sales-double-q2-2018

Schneier - Friday Squid Blogging: Fried Squid with Turmeric

Good-looking recipe . As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here . from Schneier on Security https://www.schneier.com/blog/archives/2018/06/friday_squid_bl_631.html

SANS - Issue #51 - Volume XX - SANS Newsbites - June 29th, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/51

TrustedSec - First Came the GDPR, Now Comes “The California Consumer Privacy Act of 2018”

Image
If you count California residents amongst your customers, or those whose data you have (and given that California is one of the 10 largest economies in the world, there is a good chance that you do), it is likely that The California Consumer Privacy Act of 2018 could significantly change the way that you must handle data. Note that the recent legislation, set to take effect on January 1 st , 2020, can still be modified prior to implementation; there have been many reports of affected parties furiously lobbying to do just that.   What Protections Are Afforded to Citizens? Described as the most comprehensive data protection law in the US (Massachusetts, are you going to let that stand?), this law is going to require many companies to change a number of their business and technical processes. The bill ensures the following rights to consumers: (1) The right of Californians to know what personal information is being collected about them. (2) The right of Californians to know whe...

Schneier - Conservation of Threat

Here's some interesting research about how we perceive threats. Basically, as the environment becomes safer we basically manufacture new threats. From an essay about the research: To study how concepts change when they become less common, we brought volunteers into our laboratory and gave them a simple task ­-- to look at a series of computer-generated faces and decide which ones seem "threatening." The faces had been carefully designed by researchers to range from very intimidating to very harmless. As we showed people fewer and fewer threatening faces over time, we found that they expanded their definition of "threatening" to include a wider range of faces. In other words, when they ran out of threatening faces to find, they started calling faces threatening that they used to call harmless. Rather than being a consistent category, what people considered "threats" depended on how many threats they had seen lately. This has a lot of implication...

Black Hills InfoSec - Offensive SPF: How to Automate Anti-Phishing Reconnaissance Using Sender Policy Framework

Kent Ickler// TL;DR: This post describes the process of building an active system to automatically recon SPF violations. Disclaimer: There are parts of this build that might not be legal in your area. Use in the wild at your own risk. Discuss with your peeps before implementing. BHIS @Krelkci are not liable for your actions. Background: In our […] The post Offensive SPF: How to Automate Anti-Phishing Reconnaissance Using Sender Policy Framework appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/offensive-spf-how-to-automate-anti-phishing-reconnaissance-using-sender-policy-framework/

Krebs - Plant Your Flag, Mark Your Territory

Image
Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you. The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses. Some examples of how being a modern-day  Luddite can backfire are well-documented, such as when scammers create online ac...

TrustedSec - Another Standard to Keep in Mind

Image
In TrustedSec’s Advisory division, one question we often hear is, “how can we prioritize our information security efforts?” It is not surprising, as there are many things organizations can and often should be doing from an information security perspective, but there are only so many hours in the day, and so many dollars in the budget. Without fully understanding an organization’s operations and risk tolerance, it is challenging to determine what security controls and program elements are of the highest priority. With that being said, there are tons of standards and frameworks that provide guidance around these components. Many of these can be overwhelming for an organization wondering where to start implementing an information security program. On June 25, the Cabinet Office in the UK released a new Minimum Cyber Security Standard. At first glance, it is hard miss the similarities to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). As with the N...

Schneier - Manipulative Social Media Practices

The Norwegian Consumer Council just published an excellent report on the deceptive practices tech companies use to trick people into giving up their privacy. From the executive summary: Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process. They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected. The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions. Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option. [...] The combination of privacy intrusive defaults and the use of da...

HACKMAGEDDON - May 2018 Cyber Attacks Statistics

It’s time to publish the statistics derived from the Cyber Attacks Timelines of May (Part I and Part II). Let’s from HACKMAGEDDON https://www.hackmageddon.com/2018/06/28/may-2018-cyber-attacks-statistics/

SANS - Issue #50 - Volume XX - SANS Newsbites - June 26th, 2018

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xx/50

Schneier - IEEE Statement on Strong Encryption vs. Backdoors

The IEEE came out in favor of strong encryption: IEEE supports the use of unfettered strong encryption to protect confidentiality and integrity of data and communications. We oppose efforts by governments to restrict the use of strong encryption and/or to mandate exceptional access mechanisms such as "backdoors" or "key escrow schemes" in order to facilitate government access to encrypted data. Governments have legitimate law enforcement and national security interests. IEEE believes that mandating the intentional creation of backdoors or escrow schemes -- no matter how well intentioned -- does not serve those interests well and will lead to the creation of vulnerabilities that would result in unforeseen effects as well as some predictable negative consequences The full statement is here . from Schneier on Security https://www.schneier.com/blog/archives/2018/06/ieee_statement_.html

Schneier - Bypassing Passcodes in iOS

Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and trying every PIN at once: We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature. I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work. This isn't to say that no one can break into an iPhone. We know that companies like Cellebrite and Grayshift are renting/selling iPhone unlock tools to law enforcement -- which means governments and criminals can do the same thing -- and tha...

KnowBe4 - CyberheistNews Vol 8 #26 [Heads-up] New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network

Image
from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-8-26-heads-up-new-sleeper-strain-of-samsam-ransomware-bypasses-av-and-stays-hidden-on-your-network

KnowBe4 - Do employees open your network to the bad guys by using hacked passwords?

Image
A whopping 25%  of employees are using the same password for all logins . What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization?  Using breached passwords puts your network at risk . Password policies often do not prevent employees using known bad passwords. Making your users frequently change their password s isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access. KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately! from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/do-employees-o...

TrustedSec - Check Yo Privilege

Image
Many of our customers follow the best practice of creating separate accounts for day-to-day tasks and administrative ones. In the event of an attack, using separate accounts is often a great way to slow things down and give security teams a little extra time for discovery and identification of an attack. Because many attacks happen in the user context, this creates an extra step for an attacker, who must escalate the privileges to administrative permissions. Unfortunately, something I have discovered on a number of engagements is that users don’t like to remember multiple passwords. Many users just set the same password for both accounts. This practice circumvents the whole purpose of having separate accounts. Many organizations even make it easy for an attacker to identify these accounts by using “tags” in the naming convention to designate if the user is administrative or not. For example, the user John Smith’s regular account may be jsmith , while the administrative account assi...

KnowBe4 - Don't Underestimate The Economic Side of Russia's Cyber Warfare

Image
I just ran into an excellent article by Boris Zilberman, deputy director of congressional relations and a Russia analyst at the Foundation for Defense of Democracies. It was posted at The Cipher Brief, which is a digital, security-based conversation platform that connects the private sector with the world`s leading security experts. You should check it out , warmly recommended. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/dont-underestimate-the-economic-side-of-russias-cyber-warfare

HACKMAGEDDON - 16-31 May 2018 Cyber Attacks Timeline

Here it comes! The second timeline of May is ready (first timeline here), covering the main cyber attacks occurred between from HACKMAGEDDON https://www.hackmageddon.com/2018/06/26/16-31-may-2018-cyber-attacks-timeline/

US-CERT - SB18-176: Vulnerability Summary for the Week of June 18, 2018

Original release date: June 25, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severity...