Monthly Archives: March 2017

U.S. and UK puts restrictions on carrying electronic from 10 airports.

Due to threats the American and British intelligence has been following up, the two governments has put restrictions on electronics from 10 different airports, in the middle-east and North African countries. This is due to reports that militant groups in those countries want to smuggle explosive devices hidden in electronics gadgets.

The Department of Homeland Security said passengers traveling from those airports could not bring devices larger than a cellphone, such as tablets, portable DVD players, laptops and cameras, into the main cabin. Instead, they must be stored in the checked baggage.

The airports where the restrictions take place are Cairo; Istanbul; Kuwait City; Doha, Qatar; Casablanca, Morocco; Amman, Jordan; Riyadh and Jeddah, Saudi Arabia; and Dubai and Abu Dhabi in United Arab Emirates.

Now what does that mean for the airlines? It means that several of the airlines, including Turkish Airlines, Etihad and Qatar, said early on Tuesday that they were quickly moving to comply. Royal Jordanian and Saudi Airlines said on Monday that they were immediately putting the directive into place.

All this is due to attacks which  happened on several different occasions, such as the one in Yemen, AQAP, where in 2015 it took responsibility for the attack on the Charlie Hebdo magazine offices in Paris, or the same group taking responsibility for a failed attempt by a Nigerian Islamist to put down an airliner over Detroit. The device of that man, which was located in the man’s underwear, failed to detonate, thankfully. Also, in 2010, security officials in Britain and Dubai intercepted parcel bombs sent from Yemen to the United States.

According to the Trump administration this is nothing to do with the Muslim ban, but it is because the Department of Homeland Security has multiple reports that radical Islamist groups want to bring those devices on board and use them as explosives.

This is a step to increase security on the airline carriers that come from the Muslim countries as well as passengers with connecting in the airports of those countries, or people flying in from those specific countries and boarding other airlines’ planes in connecting flights in other airports of the world, all with a final destination to the US and UK.

What are your thoughts about this step? Do you think that it was necessary in order to prevent any further attacks? Who will suffer in the end? The passengers or the airline companies of those countries?

Ethical Hacking: The Most Important Job No One Talks About

If your company doesn’t have an ethical hacker on the security team, it’s playing a one-sided game of defense against attackers.

Great power comes with great responsibility, and all heroes face the decision of using their powers for good or evil. These heroes I speak of are called white hat hackers, legal hackers, or, most commonly, ethical hackers. All these labels mean the same thing: A hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. If companies don’t have an ethical hacker working for them, they’re in a one-sided game, only playing defense against attackers.

Meet the Hackers
Companies house both developer and security teams to build out codes, but unfortunately, there often is little communication between the two teams until code is in its final stages. DevSecOps — developer and security teams — incorporates both sides throughout all of the coding process to catch vulnerabilities early on, as opposed to at the end, when making updates becomes harder for developers.

Although secure coding practices and code analysis should be automated-  and a standard step in the development process – hackers will always try to leverage other techniques if they can’t find code vulnerabilities. Ethical hackers, as part of the DevSecOps team, enhance the secure coding practices of the developers because of the knowledge sharing and testing for vulnerabilities that can be easily taken advantage of by someone outside the company.

Take, for example, Jared Demott. Microsoft hosts the BlueHat competition for ethical hackers to find bugs in its coding, and Demott found a way to bypass all of the company’s security measures. Let that sink in for a moment — he found a way to bypass all of Microsoft’s security measures. Can you imagine the repercussions if that flaw had been discovered by a malicious hacker?

Let the Hackers Hack
Security solutions (such as application security testing and intrusion detection and prevention systems) are a company’s first line of defense because they’re important for automatically cleaning out most risks, leaving the more unique attack techniques for the ethical hackers to expose. These could include things such as social engineering or logical flaws that expose a risk. Mature application security programs will use ethical hackers to ensure continuous security throughout the organization and its applications. Many organizations also use them to ensure compliance with regulatory standards such as PCI-DSS and HIPAA, alongside defensive techniques, including static application security testing.

You may be thinking, “What about security audits? Wouldn’t they do the trick?” No, not fully. Ethical hacking is used to build real-world potential attacks on an application or the organization as a whole, as opposed to the more analytical and risk-based analysis achieved through security audits. As an ethical hacker, the goal is to find as many vulnerabilities as possible, no matter the risk level, and report them back to the organization.

Another advantage is that once hackers detect a risk, vendors can add the detection capability to their products, thus enhancing detection quality in the long run. For example, David Sopas, security research team leader for Checkmarx, discovered a potentially malicious hack within a LinkedIn reflected filename download. This hack could have had a number of potential outcomes, including a full-blown hijacking of a victims’ computers if they had run the file. It’s probably safe to say that just the audit wouldn’t have identified this hidden flaw.

How to Hack
The good news for companies searching for someone to fill this role is that there are several resources for their own employees to learn more about ethical hacking and become a more-valuable asset.

The first step is to get certified. EC-Council has resources and certifications available, and if you want to continue brushing up on your ethical hacking skills, OWASP has you covered. While getting certified isn’t a requirement, I highly recommend this, because getting the basics down will help to provide a foundation on which to build. After you have the basics down, there are many tools and automated processes that can be utilized, but ethical hackers usually use penetration testing and other, mostly offensive, techniques to probe an organization’s networks, systems, and applications. In essence, ethical hackers use the same techniques, tools, and methods that malicious hackers use to find real vulnerabilities.

One Small Step for Companies, One Giant Leap for Hackers
What does this all mean for companies? Well, companies must first acknowledge how ethical hackers can help them. Strong application security programs need to focus both on the code security as it’s being developed, as well as in its running state — and that’s where ethical hacking comes into play. Nothing beats secure coding from the get-go, but mistakes do happen along the way, and that’s where ethical hacking experts can make a difference in an organization.

At the next meeting on staffing, ethical hackers should be right at the top of the list of priorities to keep your company, and its data, safe.

 

via:  darkreading

Build an effective cyberattack recovery playbook by following this NIST guide

Cybersecurity prevention efforts should not trump response capabilities. Experts at NIST spell out four steps to recovering from a cyberattack.

Preventing cybersecurity disasters—large or small—rather than having to recover from them is preferable, for obvious reasons. However, experts at the National Institute of Standards and Technology (NIST) are concerned that overreliance on prevention is as bad as being underprepared. In the NIST special publication Guide for Cybersecurity Event Recovery (PDF), authors Michael Bartock, Jeffrey Cichonski, Karen Scarfone, Matthew Smith, Murugiah Souppaya, and Greg Witte explain why:

“There has been widespread recognition that some cybersecurity events cannot be stopped and solely focusing on preventing cyber events from occurring is a flawed approach.”

That attitude among NIST experts started gaining traction two years ago when the Federal Government’s Office of Management and Budget published the agency’s Cybersecurity Strategy and Implementation Plan (CSIP). The following quote, in particular, captured the attention of NIST personnel:

“CSIP identified significant inconsistencies in cyber-event response capabilities among federal agencies. The CSIP stated that agencies must improve their response capabilities.”

The CSIP defines recovery as, “The development and implementation of plans, processes, and procedures for recovery and full restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event.”

The report continues, “Although there are existing federal policies, standards, and guidelines on cyber event handling, none of them focuses solely on improving cybersecurity recovery capabilities, and the fundamental information is not captured in a single document. The previous recovery content tends to be spread out in documents such as security, contingency, disaster recovery, and business continuity plans.”

NIST’s Guide for Cybersecurity Event Recovery

Enter the NIST’s Guide for Cybersecurity Event Recovery, which is a compilation of information and processes that can be used by private and public organizations to create recovery plans and be better prepared if a cybersecurity event occurs.

The Guide’s authors believe the recovery function consists of two phases: “The immediate tactical recovery phase is largely achieved through the execution of the recovery playbook planned prior to the incident with input from the NIST Cybersecurity Framework (CSF).”

More subtle is the second strategic phase, which according to the authors, allows organizations to improve pre-recovery functions mentioned in the CSF, in particular: Identify, Protect, Detect, and Respond (Figure A), reducing the likelihood and impact of future incidents.

 

Figure A

nistjan2017kassner.jpg

Image: NIST, Michael Bartock, Jeffrey Cichonski, Karen Scarfone, Matthew Smith, Murugiah Souppaya, Greg Witte

Four steps to recovering from a cyberattack

The authors of the Guide go into detail on how to develop an effective recovery process. A brief overview of each step follows.

 

1. Plan for cyber-event recovery

Effective planning is critical, according to the authors. Planning enables organizations to:

  • determine crisis-management and incident-management roles;
  • make arrangements for alternate communication channels, services, and facilities;
  • explore “what if” scenarios based on recent cyber events that have negatively impacted other organizations;
  • identify and address gaps before a crisis occurs, reducing their impact on business; and
  • exercise technical and non-technical aspects of recovery, such as personnel considerations, legal concerns, and facility issues.

2. Continuous improvement

The Guide’s authors warn that recovery planning is not static, adding, “Cyber-event recovery planning is not a one-time activity. The plans, policies, and procedures created for recovery should be continually improved by addressing lessons learned during recovery efforts and by periodically validating the recovery capabilities themselves.”

 

3. Recovery metrics

Rather than guessing if the recovery process worked as planned in a cybersecurity event, the authors suggest metrics to remove any guesswork. “It is beneficial to determine these metrics in advance, both to understand what should be measured and to implement the processes to collect relevant data,” mentions the authors. “This process also requires the ability to determine where the metrics that have been identified can be most beneficial to the recovery activity and identify which activities cannot be measured in an accurate and repeatable way.”

Some suggested metrics are:

  • Costs due to the loss of competitive edge from the release of proprietary or sensitive information
  • Legal costs
  • Hardware, software, and labor costs to execute the recovery plan
  • Costs relating to business disruption, such as system downtime, lost employee productivity, and lost sales

4. Building the playbook

The authors did not forget one of the more serious concerns presented in the Cybersecurity Strategy and Implementation Plan: Recovery guidelines do not reside in a single document, but are spread throughout security, contingency, disaster-recovery, and business-continuity plans.

Understanding mission-supporting information systems, as well as any dependencies surrounding them, is important under normal operating conditions. “In the event of a cybersecurity event, this information becomes paramount, and the processes and procedures need to be presented in an actionable manner to effectively restore business functions quickly and holistically,” conclude the authors. “The playbook is a way to express tasks and processes required to recover from an event in a way that provides actions and milestones specifically relevant for each organization’s systems.”

Conclusion

Throughout the Guide, the authors stress that the document’s main purpose is to provide guidance. “This document is not intended to be used by organizations responding to an active cyber event, but as a guide for developing recovery plans in the form of customized playbooks,” the authors explain in the executive summary. “As referred to in this document, a playbook is an action plan that documents an actionable set of steps an organization can follow to recover successfully from a cyber event.”

 

via: techrepublic

Windows 10 gets even more ads: Here’s how to disable them all

Users report promos for OneDrive have been added to Windows 10’s File Explorer, here’s how to ensure you never see these or most other ads in the OS.

Windows 10 already shows users ads on the lock screen and the Start Menu, but now Microsoft appears to be promoting its services via Windows’ File Explorer.

Various Windows 10 users are reporting seeing adverts for Microsoft’s cloud storage service OneDrive while browsing files on their machine.

The ad, shown in the screenshot above, offers 1TB of OneDrive storage for $6.99 per month, and is technically a ‘sync notification’, designed to let people know they can get more than the 5GB of free storage that comes with a Microsoft account.

Ads for apps and services are already shown throughout Windows 10, and can be found on the Start Menu and lock screen.

The introduction of promotions to File Explorer has been heavily criticized by some Microsoft watchers, and marks a widening of advertising to new areas of Windows 10.

Most of the ads in the Windows 10 are pitched as suggestions for apps and services that might appeal to the user, and some users don’t appear to notice them.

But to some they are intrusive, and if they are offensive to you there are steps you can take to remove them. Follow the video guide above to ensure you won’t see these ads again.

nty1s7p8kajy.png

The OneDrive/Office 365 promotions appearing in Windows 10 File Explorer are technically ‘sync’ notifications.

Image: Tall_Ships_for_Life/Reddit/Microsoft

 

via:  techrepublic

Google Maps’ latest trick is remembering where you parked

It depends on you manually dropping a pin, though.

Google Now kept track of parking locations before, but it wasn’t with any degree of accuracy. The latest version of the Android Google Maps app circumvents how inaccurate the feature was by having you mark a parking spot for yourself. That’s a pretty stark comparison to the dark magic (read: GPS and other data) that Now used prior.

Simply open the application after parking, tap the blue location dot and you’re good to go. From there you can add notes (helpful for jotting down location in parking ramps) and even take photos to remind you which blue Toyota Camry is yours. Additionally you can add a timer so you know when the meter will expire. All of this info can be pulled for notifications and alerts, too.

As Android Police points out, though, this appears to only work for one car at a time. Not a huge deal, but it does rule out keeping track of your car at home, and a rental car in another city while on vacation.

AP also notes that some Android Auto users might see a new arrival screen too. Oh, and folks using Maps to find their way around via public transit could see weather alerts.

 

via:  engadget

Here is a tiny GameBoy emulator for your tiny Apple Watch screen

Are your fingers small enough?

 

Gabriel O’Flaherty-Chan

The last place you’d probably want to play a video game is on an Apple Watch. The wearable has a tiny screen, almost no buttons and can only be operated with one hand. It’s a completely impractical gaming device, but developer Gabriel O’Flaherty-Chan made a Game Boy emulator for it anyway.

Named after Pokémon’s Giovanni, the wrist-worn Game Boy emulator crams Nintendo’s original gaming portable into an Apple Watch Series 2. It doesn’t quite play games at full speed, but it is fully functional. On-screen buttons underneath the game display let users tap in start, select and B button inputs, and swiping up, down, left or right emulates the d-pad inputs. Want to press the A button? Just tap on the right side of the watch’s face.

The project is a fork of Gambatte, an existing Game Boy emulator — but O’Flaherty-Chan says it wasn’t an easy port. Apple’s WatchOS didn’t use any of the graphics standards the original emulator relied on, and was never really meant to play complex games. Still, the project is a neat proof of concept, albeit one that will never see full support on the App Store. Still, if you want to check it out for yourself, hit up the GitHub link at source link below. Giovanni is open-source, after all.

 

via:  engadget

Apple doubles the storage of the iPhone SE and iPad Mini 4

The 16GB iPhone is dead.

The new, limited-edition red iPhone 7/7 Plus and upgraded 9.7-inch iPad aren’t the only things Apple has to share today. The company is also increasing the storage across all iPhone SE and iPad Mini 4 configurations. The lowest-capacity 4-inch iPhone SE is now 32GB, up from 16GB, and the 64GB model has been scrapped in favor of a 128GB version. Basically, Apple has doubled the storage and finally killed off the last 16GB iPhone, but good news: The prices haven’t changed. The new 32GB iPhone SE costs $399/£379 (the same price as the old 16GB device), while the 128GB model comes in at $499/£479. Both will go on sale this Friday, March 24th.

For the iPad Mini 4, Apple has simply done away with the 32GB and 64GB models, introducing a new, lone 128GB config. You’re getting an even better deal here, since you’re only expected to pay as much as the 32GB was worth for quadruple the storage — though it makes sense customers should get more bang for their buck since the internals of the Mini 4 are lagging behind Apple’s other iPads. The 128GB tablet goes on sale for $399/£419 for the WiFi-only model, and $529/£549 if you add LTE connectivity.

 

via:  engadget

Apple acquires Workflow automation app, offers it free

The technology could be used by Apple to offer quick access for disabled people.

Apple has acquired the Workflow automation app, which allows iOS users to trigger a sequence of tasks across apps with a single tap.

A spokesman for Apple confirmed on Wednesday the company’s acquisition of DeskConnect, the developer of the app, and the Workflow app, but did not provide further details.

Workflow, developed for the iPhone, iPad, and Apple Watch, allows users to drag and drop combinations of actions to create workflows that interact with the apps and content on the device. It won an Apple design award in 2015 at its annual Worldwide Developers Conference.

Some of the examples of tasks for which Workflow can be used are making animated GIFs, adding a home screen icon to call a loved one and tweeting a song the user has been listening to, according to a description of the app.

Apple is keeping the app alive on its App Store and it has been made free, according to TechCrunch, which first reported the acquisition.

The company, which typically comments on its acquisitions with the standard line that “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans,” on Wednesday went on to comment about the benefits of the app.

The app was selected for the Apple design award “because of its outstanding use of iOS accessibility features, in particular an outstanding implementation for VoiceOver with clearly labeled items, thoughtful hints, and drag/drop announcements, making the app usable and quickly accessible to those who are blind or low-vision,” Apple told TechCrunch.

It isn’t clear at this point how the app will be integrated with Apple’s offerings. Besides offering a standalone Workflow app, Apple may possibly look at integrating the technology into iOS with Siri being the key interface for many users, particularly for disabled people.

 

 

via:  networkworld

Making Mistakes in Security

At some point in your career, you will make mistakes—small mistakes, big mistakes, even career-defining mistakes. I am writing this in retrospect because during the course of my job duties, I recently made a mistake. The details are irrelevant, but I wanted to share my experience with making mistakes in the professional world.

Mistakes and human error in Information Security account for 70 percent of the initial intrusion vectors for attackers, states the 2016 Verizon Data Breach Investigations Report. This report suggests that, “basic security hygiene is what matters the most in terms of effective defensive countermeasures.” Security starts with you. Understanding the impact of what a careless mistake could mean to the security of your organization and to your personal reputation as a security practitioner could very well be detrimental.

In one case, an employee working in the finance department of a wire and cable manufacturer was sent an email claiming to be from the company’s executive, demanding to have 40 million Euros transferred to a bank account in the Czech Republic. This is one instance where a mistake caused a company an incredible financial hardship due to human error.

When making mistakes, especially as a security practitioner, it is important that you look yourself as a brand. You are your personal brand—your brand is defined by your actions. If you have good actions, then your brand will sell very well. If you promote your brand, there will be a higher demand for it.

However, in the case of an event where you just made a royal mistake, it’s time to think about your options.

If you are genuinely unsure if you made this error, it is important that you first seek clarity. It has been extremely important in my life to take ownership and accountability for my mistakes. But don’t be a martyr. Every mistake comes with a prolific opportunity to grow from it, but if it wasn’t your mistake, then you are hurting your brand without gaining the opportunity to grow. My first suggestion to you if you are unsure of the mistake is to find the evidence.

If in your search you do indeed find that it was entirely you and you are the problem, the second piece to the puzzle for is to accept ownership. I have seen people go to vast means to deny, deny and deny. In all aspects of my life, this has never worked to my favor. You need to accept that you can, will, and do make mistakes in life.

Taking accountability for your mistake comes with a price tag. There will be some level of consequences for your mistake. We will call consequences “amendments” because to amend something is to change it, and that is exactly what you need to do.

The worst thing that could ever come out of this is for you to be wrong once then continue to be wrong for the rest of your life. so call your consequences “amendments.” You want to change the impact of your mistake.

Changing the impact of your mistake could mean a lot of things. However, it starts by asking those you’ve impacted, “How can I change things?” This seems simple but the magic in this is meaning it. I’ve done this enough to know that people will feel if you are sincere or not.

Amending may very well be not behaving that way from that point forward; it may be a financial payment, it may even be jail time (let’s hope not). Whatever it may be, I have learned that walking away with an action step is the only way to repair your brand. It starts with asking that question. Seek an agreement between you and those affected.

Carrying out your obligation to agreement is the only way to repair your brand. I must warn you that entering into this agreement and not carrying out the obligation to the full extent will demolish any credibility you might have beyond repair. It’s very serious and you must treat it so.

Handling mistakes this way has proven to be the most effective way to overcome and grow beyond any obstacle I have ever faced thus far.

Remember:

  1. Seek Clarity
  2. Accountability
  3. Amendments

And remember that security starts with you.

 

via:  tripwire

Double Agent attack can turn antivirus into malware

Cybellum researchers say the problem can affects all processes, won’t go away anytime soon.

A zero-day attack called Double Agent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrates data or formats the hard drives.

Based on a 15-year-old feature in Windows from XP through Windows 10, the attack is effective against all 14 antivirus products tested by security vendor Cybellum – and would also be effective against pretty much every other process running on the machines.

Double Agent was discovered by Cybellum researchers and has not been seen in the wild.

“The attack was reported to all the major vendors which approved the vulnerability and are currently working on finding a solution and releasing a patch,” according to a Cybellum blog. All the vendors were notified more than 90 days ago, which is the standard length of time for responsibly disclosing vulnerabilities and giving vendors time to fix them.

In this case two out of 14 antivirus vendors that have been notified have taken steps to deal with the problem – AVG and Malwarebytes, says Slava Bronfman Cybellum’s CEO. The other 12 that have been notified are Avast, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, McAfee, Panda, Quick Heal and Norton.

UPDATE: Trend Micro has issued this statement: “At this time, we have confirmed that Titanium is the only product affected by this vulnerability, and we do have a patch in the works to be published as an urgent security bulletin later this morning.” That bulletin is here.

UPDATE: Kaspersky Lab issued this statement: “Kaspersky Lab would like to thank Cybellum Technologies LTD for discovering and reporting the vulnerability which made a DLL Hijacking attack possible via an undocumented feature of Microsoft Application Verifier. The detection and blocking of this malicious scenario has been added to all Kaspersky Lab products from March 22, 2017.”

UPDATE: Comodo Vice President of Worldwide Engineering Egemen Tas wrote a post about this including: “No we are not vulnerable to this AppVerifier injection…For this attack to be successful, [the] malware author should be able to bypass [Comodo Internet Security] protection. CIS by-default allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed rendering the attack ineffective.”

UPDATE: Norton issued this statement: “After investigating this issue we confirmed that this PoC does not exploit a product vulnerability within Norton Security. It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful. We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted.”

Double Agent takes advantage of a quirk of Microsoft Application Verifier, a tool that detects and fixes bugs in native applications. This is performed by something known as a “verifier provider DLL” that gets loaded into the applications at runtime.

Microsoft Application Verifier allows creating new verifier DLLs and registering them with a set of keys for it that get stored in the registry. “Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.,” Cybellum says. In other words, the DLL persists.

This vulnerability is actually an undocumented feature of Microsoft Application Verifierl, Bronfman says, so it’s unlikely to be removed anytime soon.

Bronfman says there’s no particular flaw with the antivirus platforms; the DLLs could be inserted into any process. Cybellum chose to attack them because they make an effective attack surface: they are trusted by other applications on the computers, including other security software.

“Antivirus is most important attack we could do,” he says. “If you attack an organization, not just consumer, you can get full control over the organization. No other security examines the antivirus. It will bypass all the huge stack of security products you might have.”

The workaround being used by AVG and Malwarebytes involves patching the antivirus software to look for any process trying to write to the antivirus registry and then block it, he says. “Antivirus is in the kernel with a driver that can see almost everything,” he says.

Meanwhile organizations might try increasing diligence about downloads to stop Double Agent from accessing machines.

Cybellum says that three years ago Microsoft provided a new design concept that antivirus vendors could use that is called Protected Process and is meant specifically to protect antivirus software. Vendors could write their platforms so they are considered protected processes that would only allow trusted, signed code to load on them. So the code would be protected from any code-injection attack, including Double Agent.

Bronfman says executing the attack could be done by someone with the skills of a script kiddie. The attack code can be downloaded directly from a malicious Web site or opening a malicious attachment, he says.

 

 

via:  networkworld