Posts

Showing posts from December, 2019

Recorded Future - The Value in Sharing Your Experience With the World

Joining us this week is Espen Johansen, product security director at Visma, an information technology and services company headquartered in Oslo. He shares insights on the types of attacks he sees targeting organizations like Visma, as well as the lessons learned from a nation-state attack that Visma experienced in August 2018. He’ll give us his take on threat intelligence, as well as advice for organizations just beginning their own threat intelligence journeys. We sat down with Espen Johansen at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C. This podcast was produced in partnership with the CyberWire. The post The Value in Sharing Your Experience With the World appeared first on Recorded Future. from Recorded Future https://www.recordedfuture.com/podcast-episode-139/

Schneier - Hacking School Surveillance Systems

Lance Vick suggesting that students hack their schools' surveillance systems. "This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said. Of course, there are a lot more laws in place against this sort of thing than there were in -- say -- the 1980s, but it's still worth thinking about. from Schneier on Security https://www.schneier.com/blog/archives/2019/12/hacking_school_.html

Krebs - Happy 10th Birthday, KrebsOnSecurity.com

Today marks the 10th anniversary of KrebsOnSecurity.com! Over the past decade, the site has featured more than 1,800 stories focusing mainly on cybercrime, computer security and user privacy concerns. And what a decade it has been. Stories here have exposed countless scams, data breaches, cybercrooks and corporate stumbles. In the ten years since its inception, the site has attracted more than 37,000 newsletter subscribers, and nearly 100 million pageviews generated by roughly 40 million unique visitors. Some of those 40 million visitors left more than 100,000 comments. The community that has sprung up around KrebsOnSecurity has been truly humbling and a joy to watch, and I’m eternally grateful for all your contributions. One housekeeping note: A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here. Just a reminder that KrebsOnSecurity does not run third-party ads and has

Krebs - Ransomware at IT Services Provider Synoptek

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible. Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site. A now-deleted Tweet from Synoptek on Dec. 20 warned against the dangers of phishing-based cyberattacks, less than three days prior to their (apparently phishing-based) Sodinokibi ransomware infestation. News of

Schneier - Friday Squid Blogging: New Species of Bobtail Squid

Euprymna brenneri was discovered in the waters of Okinawa. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2019/12/friday_squid_bl_709.html

Schneier - Chinese Hackers Bypassing Two-Factor Authentication

Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system. How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will. Normally, this wouldn't be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecurID software would generate an error. The Fox-IT team explains how hackers might have gone around this issue: The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim. As it turns out, the actor does not actuall

Schneier - ToTok Is an Emirati Spying Tool

The smartphone messaging app ToTok is actually an Emirati spying tool: But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones. ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm. Apple and Google have removed it from their app stores. If you have it on your phone, delete it now. from Schneier on Security https://www.schn

Recorded Future - OSINT, Influence Operations, and the Dark Web: Our Top 5 Podcast Episodes From 2019

As a cybersecurity professional, it’s easy to become siloed into your own specialist area. After all, it’s a huge field, and nobody could ever hope to become an expert in everything. Nonetheless, it’s valuable to have a broader understanding of the cybersecurity landscape – that’s where the Recorded Future podcast comes in. Each podcast episode runs approximately 30 minutes and covers a specific topic related to cybersecurity. At this point, we’ve released 138 episodes, and we’re proud to say that we have a strong listenership. So as 2019 comes to a close, we wanted to highlight some of our favorite episodes from the year, and give you a quick overview of what they covered. 1. Intelligence for the OSINT Curious Open source intelligence (OSINT) has huge potential to inform cybersecurity programs. Threat intelligence solutions like Recorded Future use countless open so

Schneier - Friday Squid Blogging: Streamlined Quick Unfolding Investigation Drone

Yet another squid acronym. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2019/12/friday_squid_bl_708.html

Recorded Future - State and Local Government Ransomware Attacks Surpass 100 for 2019

The 100th publicly reported ransomware attack against state and local governments catalogued by Recorded Future this year occurred on December 8, and it was an unusual one. Nestled between high-profile attacks against the cities of Pensacola and New Orleans, this attack was against The Eastern Band of Cherokee Indians (EBCI). It was remarkable for a few reasons. First, there have not been a lot of publicly reported ransomware attacks against Tribal Nations. Second, unlike most ransomware attacks, this was an inside job. The Cherokee Indian Police Department quickly identified and arrested the attacker, who had an initial hearing on December 11. Most of the ransomware attacks that Recorded Future has tracked this year were not resolved nearly as quickly or efficiently as the EBCI attack. Since this 100th attack, there have been at least four others: New Orleans, LA; Baton Rouge Community College, LA; Galt, CA; and St Lucie, FL. If previous years’ patterns hold up, there should be ev

SBS CyberSecurity - Top 5 Ways Mitigate Your Risk – the Basics

To protect yourself from falling victim to a cyberattack, consider these five basic cybersecurity steps to mitigate your risk and begin understanding what your network looks like to an attacker from the outside. from SBS CyberSecurity https://sbscyber.com/resources/top-5-ways-mitigate-your-risk-the-basics

SBS CyberSecurity - Modern Cyberattack’s Big Secret: We Are All Targets

Many organizations make the mistake of thinking that most cyberattacks are “targeted” attacks against large businesses or high-value targets. In today’s environment, nothing could be further from the truth. from SBS CyberSecurity https://sbscyber.com/resources/modern-cyberattack-s-big-secret-we-are-all-targets

Schneier - Lousy IoT Security

DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible: In total, our researchers discovered five vulnerabilities of four different kinds:
Data exposure: PDF files of shared whiteboards (e.g. meeting notes) and other sensitive files (e.g., OTA -- over-the-air updates) were stored in a publicly accessible AWS S3 bucket that also lacked TLS encryption (CVE-2019-16270, CVE-2019-16274).
Unauthenticated web server: a web server running Android OS on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).
Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).
Access to Factory Settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including the Zoom meeting content (audio, video, screenshare) (CVE-2019-16272).
These

Black Hills InfoSec - ‘Twas the Week Before Hackmas

Dakota Nelson //
‘Twas the week before Hackmas
And all through their houses
Not a tester was working
Nor moving their mouses
The findings were listed in reports with care
In hopes that bugfixes would soon be there
The hackers were nestled all snug in their chairs
While bitstreams of 0day flowed through twisted pairs
And Heather on her treadmill desk, […]
The post ‘Twas the Week Before Hackmas appeared first on Black Hills Information Security. from Black Hills Information Security https://www.blackhillsinfosec.com/twas-the-week-before-hackmas/

Recorded Future - The Engine Behind Security Intelligence Explained

Recorded Future captures all information gathered from the internet for over a decade and makes it available for analysis in a structured and organized way. We call this the Security Intelligence Graph, and it is at the heart of all services offered by Recorded Future. Having all information readily available in the Security Intelligence Graph offloads a tremendous amount of work from analyst teams. It could take an organization thousands of man hours to build out a fraction of what is now available, and that time can instead be spent on analysis. By adding their own analyst notes, security teams can even connect their own findings to the Security Intelligence Graph. Navigation in the graph is what powers the easy pivoting between different views in the Recorded Future® Platform, and relationships in the graph underlie the risk score calculations that enable analysts to make quick, informed decisions. To make full use of Recorded Future, it helps to have a good understanding of our

Schneier - Attacker Causes Epileptic Seizure Over the Internet

This isn't a first, but I think it will be the first conviction: The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John Rayne Rivello, was set to appear in a Dallas County district court. A last-minute rescheduling delayed the proceeding until Jan. 31, but Rivello is still expected to plead guilty to aggravated assault. And he may be the first of many. The Epilepsy Foundation announced on Monday it lodged a sweeping slate of criminal complaints against a legion of copycats who targeted people with epilepsy and sent them an onslaught of strobe GIFs -- a frightening phenomenon that unfolded in a short period of time during the organization's marking of National Epilepsy Awareness Month in November. [...] Rivello's supporters -- among them, neo-Nazis and white nationalists, including Richard Spence

HACKMAGEDDON - November 2019 Cyber Attacks Statistics

I can finally summarize the statistics derived from the timeline of November. In this month I have collected 135 events, corresponding to an 11% decrease compared with October, when the timelines included a total of 156 events. from HACKMAGEDDON https://www.hackmageddon.com/2019/12/18/november-2019-cyber-attacks-statistics/

Krebs - Nuclear Bot Author Arrested in Sextortion Case

Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed they’d hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say they’ve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called “Nuclear Bot.” On Dec. 15, the French news daily Le Parisien published a report stating that French authorities had arrested and charged two men in the sextortion scheme. The story doesn’t name either individual, but rather refers to one of the accused only by the pseudonym “Antoine I.,” noting that his first name had been changed (presumably to protect his identity because he hasn’t yet been convicted of a crime). “According to sources close to the inves

Recorded Future - How to Begin Your Security Intelligence Journey

Editor’s Note: Over the next several weeks, we’re sharing excerpts from the newly released second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at chapter 14, “Moving Toward a Security Intelligence Program.” To read the entire chapter, download your free copy of the handbook. Contextualized, real-time security intelligence helps everyone in cybersecurity — no matter the team or department — better anticipate threats, respond to attacks faster, and make smarter decisions on how to reduce risk. Intelligence can be applied to numerous facets of an organization’s security strategy to enable a shift toward a more proactive, comprehensive approach. As the military strategist and Taoist philosopher Sun Tzu once said, “Know your enemy and know yourself, and you can fight a hundred battles without disaster.” This infamous quote perfectly sums up security intelligence — an approach that amplifies the effec

Schneier - Iranian Attacks on Industrial Control Systems

New details: At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That's generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average. [...] The hackers' motivation -- and which industrial control systems they've actually breached -- remains unclear. Moran speculates that the

Krebs - Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.
The message displayed at the top of the Maze Ransomware public shaming site.
Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand. “Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!” KrebsOnSecurity was

Black Hills InfoSec - Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.
Download Slides: https://ift.tt/2z7XAHD
3:26 – In The Beginning
4:23 – What The Experts Say: PCI
5:55 – What The Experts Say: […]
The post Webcast: Passwords: You Are the Weakest Link appeared first on Black Hills Information Security. from Black Hills Information Security https://www.blackhillsinfosec.com/webcast-passwords-you-are-the-weakest-link/

Recorded Future - Insights From a Distinguished Law Enforcement Veteran

Our guest this week is Edward Davis. He’s president and CEO of The Edward Davis Company, a business strategy and security services firm, but he is perhaps best known for his role as former police commissioner for the city of Boston — a role he had during the tragic Boston Marathon bombing in 2013. In the aftermath of that event, he was the face of the city, as his team coordinated and collaborated with other local and national law enforcement agencies. We discuss his experience with the Boston Marathon bombing, get his insights on law enforcement in the age of ransomware, and hear his thoughts on the role of threat intelligence. Joining this episode’s conversation is Recorded Future’s Allan Liska. This podcast was produced in partnership with the CyberWire. The post Insights From a Distinguished Law Enforcement Veteran appeared first on Recorded Future. from Recorded Future https://www.recordedfuture.com/podcast-episode-138/

Krebs - Inside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang. The $5 million reward is being offered for 32-year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex”) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United Sta

SBS CyberSecurity - In The Wild 149

In The Wild - CyberSecurity Newsletter Welcome to the 149th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information you may find helpful. Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet have simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. [Blog] Top 25 Threat Actors - 2019 Edition Hacking at the end of 2019 is a lot different than the “hackers” of the mid-2000s, and certainly a far cry from a 15-year old kid in his mom’s basement eating Cheetos and “hacking