Monthly Archives: December 2017

How to Create And Maintain a More Secure Database

The damage done to a business’s reputation and the long-term financial consequences of a data breach are never a concern that should be treated lightly. While extending an existing database into the cloud can allow users to access sensitive files and information with far greater ease, failing to address potential security concerns or underlying vulnerabilities could be a catastrophic error.

Learning more about ways to enhance security or to protect data within the cloud will allow businesses to minimize the potential risks to their network, data, and systems.


Even basic security protocols can make a real difference when it comes to keeping sensitive data and information stored within the cloud safe and secure. Poorly selected passwords, sloppy efforts to update and patch software, and careless browsing habits can all increase the risk of exposure to malware or lead to other types of network intrusion.

Ensuring that all security efforts, resources, and processes extend to the cloud ensures that digital security can be maintained even for digital working environments that rely on cloud-based storage and computing services.


Partitioning different processes and limiting user and account access is another effective way to ensure that data stored within the cloud is less likely to become compromised. Even the most diligent security efforts may not always be sufficient to prevent a breach or cyber attack from taking place, but businesses may still be able to protect themselves and their data by limiting access and compartmentalizing their records and archived information.

Minimizing the size, scope, and potential impact of a breach may turn a potentially disastrous security problem into a far more minor concern.


There are a range of software options, programs, and digital security applications that may allow businesses to minimize prospective threats. From applications that automatically monitor software patches to those designed to detect and respond to potential threats as quickly as possible, investing in quality security software may be of tremendous benefit.

Full-featured security applications and network monitoring systems can go a long way towards reducing or even eliminating many of the most common security threats.


Keeping an eye on account traffic, data being exchanged and other network activity that may be taking place can be a worthwhile effort. Automating cloud monitoring efforts or contracting with a security or IT service to handle such a task ensures that small businesses can enhance their security without having to hire new staff or burden their existing employees with additional responsibilities.

Staying alert and vigilant ensures that security vulnerabilities and situations that may pose an inherent risk may be identified, addressed, and resolved with minimal delay. Keeping an eye on their network, data, and user activity means that businesses are much less likely to overlook a potential security concern.


The resources needed to secure a database or protect the network from an intrusion or a breach may not always be available in-house. Seeking out professional assistance can allow businesses to better assess their current infrastructure, outline any issues or concerns which may place them at increased risk, and implement any resources that may be better suited to their needs, budget, or situation.

Working alongside the right security professional or a third-party IT service provider may also alleviate the need to hire new personnel or expand the size of an existing staff.


Security concerns are not a static issue, and the efforts and protocols that may keep a business safe today could be far from sufficient when it comes to dealing with future threats.

Possessing a better understanding regarding the potential security risks and benefits of cloud services will allow business owners to make more educated and effective decisions. When it comes to securing any sensitive data that may be stored in the cloud, no organization can afford to fall behind the times.

Regardless of what stage your business is in, you should try to use most (if not all) of these practices in order to protect your business. Although your database may seem secure from an outside perspective, a single untrained employee can breach that security if you have not put these processes into practice.

A little bit of preparation now can save you a lot of time and money trying to repair any problems that could have been prevented.


via:  tripwire

Oh Apple, you really need to rethink how you do things

Quietly inserting code into iOS that measurably slows down the performance of older iPhones is a monumentally boneheaded blunder.

The ink is barely dry on the piece I wrote earlier this week about how Apple needs to do better in 2017 when it comes to light that the company has done another boneheaded thing.

It now turns out that the old yet often-quoted urban legend that Apple inserts code into iOS to slow down older iPhones is true.

Yes, Apple is slowing down your old iPhone.

The company admitted yesterday that it started doing it last year when it released iOS 10.2.1 following reports that iPhone 6, iPhone 6s, and iPhone SE were shutting down randomly due to cold weather, low battery charge, or battery aging.

Apple expanded the scope of this code to include iPhone 7 and iPhone 7 Plus devices with the release of iOS 11.2.

Oh Apple, this is a terrible way to do business. This is like the Wi-Fi and Bluetooth buttons in Control Center that don’t actually turn off Wi-Fi and Bluetooth, only a hundred times worse.

While I think that adding code to iOS that caters for battery issues is clever, not telling users that this is happening is something that categorically gets the Cupertino giant onto Santa’s naughty list for several reasons:

  • It makes owners believe that their iPhones are getting old when it is, in fact, the code that’s slowing them down
  • It’s pushing people to replace handsets when all they need is a new battery
  • It’s a serious betrayal of the trust that needs to exist between vendors and customers, and stories like this will make people wary of installing updates, which is a bad thing

So, how could Apple have turned this boneheaded move into a positive thing? By keeping the user in the loop. For example:

  • Pop up a message telling the user that there is a suspected battery problem, and iOS is stepping in to prevent possible problems
  • Suggest the owner get the battery checked and replaced
  • Offer users a way to disable the setting so they can see for themselves that there’s a problem

See, that wasn’t so hard, was it?


via:  zdnet

How CISOs Can Successfully Talk Security to CEOs

It would be funny, if it were not so frustrating, that two individuals so intent on managing risk don’t understand one another. But that is the fundamental problem between business and security leaders. The gap is so huge that bridging it may seem nearly impossible. Yet, it can be done.

Here’s some much-needed illumination on why previous attempts to close the gap have resulted in bridges to nowhere—and how to fix that.

Understanding the C-level Perspective

“The fact that cybersecurity is a board issue is yesterday’s news,” said Nik Whitfield, CEO of Panaseer, a cybersecurity data analytics company. “While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see.”

It’s like both sides are speaking a different language. The first step in effectively communicating with the CEO and board is to understand their risk language.

“As a CEO, my key concerns are growing the business and increasing shareholder value. As it relates to cybersecurity, I want a holistic picture, not a discussion of the latest technologies,” said Scott Kannry, CEO of cyber risk management company Axio.

Kannry noted his most valuable framework for understanding CISOs is to ask them to answer these four questions:

  1. Do we know our risk and fully understand the dollars and cents involved? Have we taken a sampling of scenarios, put various operational and functional staff around a table and used their collective knowledge to estimate what each of a variety of events could cost?
  2. Do we use a maturity-based cyber evaluation framework and align it with the scenarios quantified in the previous step?
  3. Do we maintain the resources and financial ability to recover from a meaningful event? Do we have the right balance of financial reserves and insurance to pay for as much (or all) of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets and others? How do we understand how much insurance to buy? See Step 1.
  4. Do we benchmark our organization against others, possibly a peer group?

In short, CEOs and board members are looking for the bigger picture in risk calculations.

According to The Cyber Balance Sheet survey of more than 80 board members, CISOs and subject matter experts, “Board members were five times as likely to cite ‘risk posture’ as a key security metric compared to CISOs. They are also 13 times as likely to say the same about ‘peer benchmarking’ – showing boardrooms’ greater concern for the big picture.”

That same report found that board members are inundated with security data and often just assume CISOs have things under control. Hence, they tend to “tune out” and simply expect the CISO to keep everything secured. So when something does go wrong, all fingers point to the CISO—an untenable situation, to say the least.

Speaking in Business Tongues

“When discussing cybersecurity risks with the CEO, or the C-suite in general, it’s critical to bridge the gap from purely technical to business terms,” said Brad Arkin, CSO at Adobe. “Remember that top executives have to prioritize many aspects of the business, including investor expectations, revenue and profit, brand equity, employees, etc., so it’s your job as the CISO/security expert to illuminate the business case for security in a broader business risk management context.”

Specifically, this means dumping technical metrics and scare tactics from the conversation. Instead, focus on calculating risks in terms of business impact.

“As far as how risk is determined, the key is not to think primarily in terms of technical metrics, such as unpatched OS vulnerabilities or average password strength, but in terms of business impact,” advised Nir Gaist, founder and CTO of Nyotron, a security products and services provider. “What is the probability that bad thing X could happen to us? What is the business consequence of X? What is a possible way to calculate the financial impact of that business consequence?”

Tips and Pitfalls

Here is a quick list of dos and don’ts from your peers to help you build a conversation framework that will truly connect your message with the powers-that-be:

  • Speak to risk/reward appetites, not in absolutes. Businesses cannot survive, let alone prosper, if all risk is eradicated. “CISOs can fall into the trap of an engineering mindset that seeks technical perfection. This can undermine credibility and set up unfulfillable expectations. And it misses the central reality of business, which is that risk is essential to reward,” said Gaist.
  • Understand how your company makes money, and speak to that. “Effectively translating technical risk into business risk terms means you have to understand how your company makes money. A web-based company selling to consumers is going to be far more sensitive to web-server vulnerabilities than will a B2B logistics firm,” said Kip Boyle, founder and CEO of Cyber Risk Opportunities, a risk management consultancy and service.
  • Expect disbelief of your numbers, present them strategically. “Remember that no one believes the numbers on your deck right out of the box, and you’ll wind up in a debate over how good those numbers are. Instead, use numbers sparingly. If someone wants more numbers from you, let them ask for them,” said Gaist.
  • Set up a business report rather than a security report. “CEOs and other C-levels all follow clear forecasting, tracking and reporting. The closer the CISO can align to this methodology, the more impactful they will be,” said Tom Pageler, chief risk officer and chief security officer at Neustar and formerly chief risk officer at Docusign and deputy CISO/executive of global security and investigations director at JPMorgan Chase.
  • Make the impact more personal. Whatever you are describing or pitching, bring the point closer to the audience’s personal domain. “For example, if the discussion is with the VP of Sales, describe sales forecast impact. If the discussion is with the CFO, discuss the exposure to lawsuits and other activities that will stem from a breach and cause additional monetary damages,” said Jason Sinchak, CTO of mobile security company Sentegrity and CISO of Emerging Defense, a cyber-security penetration testing and breach investigation consulting firm.

Now you’re all set. Go forth with confidence, speaking in business terms and with the understanding that there is no “us versus them”—there is only “we.”


via:  securityboulevard

How To Avoid Christmas Scams? Here’s 10+ Valuable Expert Advice

That time of the year when we should also keep an eye on online scams.

Christmas scams and winter holidays go together like horse and carriage, this I tell you, brother, you can’t have one without the other.

Unfortunately, this is the jingle of online scammers, who take advantage of the buzz around the holidays to find new and creative ways of relieving you of your money, your data or both. However, you don’t have to be a cybersecurity expert to avoid their grip, as we will outline in this run-down. We also include valuable advice from experts, so you can better protect yourself against any and all online Christmas scams.

Now let’s see what you need to avoid this season!

1. How to avoid all online shopping Christmas scams

In 2016, for example, City of London police officers estimated about £10 million in losses to these kinds of scams. One victim lost £86,000 when they tried to purchase a boat from a fraudster on eBay, police said. That’s just a very tiny tip of a very big iceberg.

In Australia alone, a Commonwealth Bank report revealed that Aussie shoppers will spend $11 billion during the 2017 Holiday season.

Up to 13.3 million Australian citizens will also shop online. It stands to reason that the numbers are similar across developed nations, so protection against online shopping scams is essential.

We surf online looking for the perfect gift, with so many options in front of us that we don’t know what to choose. But are they real? Online scammers and IT criminals post fake ads and run websites they control in order to retrieve our online banking credentials and get access to our sensitive data.

To stay safe from this type of scam, look for a few clues:

  • Is the advertised price too low to be true? Check the price for the item on other websites and see where it should be.
  • Avoid any unusual payment system for an online item, like a money order or wire transfer.
  • If you choose to pay from the website’s payment system, look for details that could indicate you are on a hacker-controlled website. There are cases when the scammers direct you to a fake payment site, so look at the URL of the page.

  • Verify the Web address of the shopping sites you visit. There are many copycat websites of large retailers, especially this time of year.
  • Beware of Websites with steep discounts on brand name or highly sought-after products. If you’re visiting a Website you’re not familiar with and the prices seem too good to be true, they probably are. Cybercriminals will purchase these products with stolen credit cards and quickly create a site to sell them at steep discounts. Or, you might place an order and never get anything. In both cases, the thieves obtain your credit card details when you place an order. Check domain registration sites like to find out when a Website was created and where it is registered. If the Website was created in the last few months, proceed with caution.
  • Use caution when making purchases through advertisements on social media. Cybercriminals often place ads to phish for credit card information or to infect your computer or phone with malware. Use a search engine to verify the company name is legitimate, search for the company’s name + “reviews” and/or look in the comments of an ad or post, as many times other consumers will comment if the ad is a scam.
  • Only purchase gift cards from reputable businesses. Credit-card thieves love purchasing gift cards with stolen credit cards because many hold their value well and there is a thriving secondary market.

Via Cardnotpresent

2. How to stay away from gift card scams

The holiday gift cards are usually promoted via the social media networks, like Facebook or Twitter, and claim to offer exclusive deals or hidden deals.

The problem appears when the gift card is fake and it’s just an excuse to ask the victim for their personal details or credit card numbers. In the 2016 Holiday season, Amazon shoppers were tricked in droves by third-party sellers who used phishing and spoofed emails.

These malicious sellers lured consumers to leave the Amazon site at the time of payment via very convincing confirmation emails or gift card offers. Amazon itself stayed silent on this topic.

This year we will probably see even more ways of tricking consumers out of their hard-earned cash.

To avoid being fooled into buying a fake gift card, make sure you:

  • Don’t click suspicious links on social media sites, even when the “special offer” comes from a friend.
  • Don’t fill online surveys that ask for your personal information.
  • Check the offer online if it’s just too good to be true. You can go directly to the official website of the producer, or look it up on search engines and see what results appear. Scammers usually target a large number of people, so if it really is a scam, some results should appear.
  • Pay special attention when buying small animals, mobile devices, cars or motorbikes, since they are some of the most used scamming items.
  • Don’t use Amazon gift card generator tools, websites or apps, they’re all scams.

Via Amazon itself.

3. How charity scams work and how to detect them

Christmas time is a good reason to be kind and generous with the less fortunate people around us. That is why we find so many legitimate charity organizations appealing for money or food donations. At the same time, it is a good cover for scammers and online crooks to steal your money.

We also want to highlight sites that sell cheap trinkets while pretending to be a charity.

You probably saw something like it in the last week, when it appeared on your newsfeed promising a free octopus ring or a free glowing necklace. We highlighted many types of scams on Facebook here. Another example is Save Our Oceans NOW, which has a 1-star rating on TrustPilot but still continues to fool consumers.

Here’s how it works:

  • They claim to be an online store that donates to a charity or a charity selling wares to support itself
  • They offer a guaranteed freebie, you just have to pay shipping fees
  • You willingly give out all your sensitive personal info and pay a modest sum (5-10 dollars) for the product
  • If lucky, you receive the product
  • If you receive the product, you’re happy and advertise their scam to more friends

In the best case scenario, you got yourself a “free octopus ring”, after only paying 8 dollars in shipping fees.

Meanwhile, that ring costs around 50 cents in China and is delivered to you through a tactic called ‘dropshipping’. That means the store you make your purchase at doesn’t actually have the products available, it just places an order on your behalf to a Chinese factory.

This factory processes your order and requires absolutely no shipping fee. The original store in which you placed your order has absolutely nothing to do with the product in question, it just gets your money and your data, then makes the manufacturer send you that product.

Dropshipping is a popular and respected e-commerce practice, but it also leaves room for shadiness like these scams.

Back to the Save Our Oceans one.

So you just paid for shipping, but your money goes neither to shipping the ring (because that’s free) nor to a charitable cause, because that is the scam. Your money goes to the website owners themselves.

In the process, if you haven’t paid by PayPal, you also willingly gave out your name, address, phone number and credit card info to the scammers.

They will use this data to target you with other scams as well, then sell their “customer” database to any takers (most of them with bad intentions).

To send your money in the right direction, take the following measures:

  • Check if the website is genuine before sending your money. The site may use official logos and appear as real. This doesn’t mean it is.
  • Contact the real charity groups directly to make your donation. Do not donate anything to intermediary people or suspicious sites.
  • If you are approached by a charity group or person and you are in doubt, check online for the organization’s name or the person’s name who requested the money.
  • Never pay shipping for a “freebie” like this. Just use the money and buy the freebie directly from a reputable seller, it’s often much cheaper and safer for your personal information.


4. How to see Christmas e-card scams for what they are

Christmas is that time of the year when we give presents to friends and family members. But we also send Christmas e-cards to people we appreciate. And of course, we too receive Christmas e-cards, which is a good thing, unless we are dealing with an online scam.

In these unfortunate cases, the Christmas e-cards we receive could contain hidden malicious software or a link to a hacker-controlled website.

For this reason, we need to pay attention to the animations, pictures, videos or links in the e-card that could download malware or send us to a site that contains malicious content.

Therefore, in the end, it is the malicious content that should worry us, because it may be used to steal sensitive data or other valuable information from our computers.

To stay safe from compromised holiday e-cards, follow these general guidelines:

  • Pay attention to spam campaigns that try to push these phishing attempts to you.
  • If you receive a suspicious e-mail, do not open it, do not click any link or download any attachment.
  • Make sure you have not only antivirus protection, but also a good anti-spyware program.
  • Even if you receive such an e-mail from a friend, it doesn’t mean that he or she actually sent that e-mail.

If they did indeed send the e-card, you’ll get peace of mind before opening it and the opportunity to thank them properly!

Via IdentityForce

According to the Kount Merchant Holiday Retail Guide, Cyber Monday 2017 saw the biggest increase in fraud attacks, at 134%.

5. How to be safe from catfishing and other romance scams

This is an old one and we have all seen it in one form or another. In 2016 there was a 20% increase in this type of scam, with an estimated $230 million in losses. However, the FBI says that only about 15% of romance scams are reported, so the true number can be much higher.

A classic romance scam usually starts with a conversation on a social media account or by exchanging a few e-mails.

Since we are dealing with an old scam, this one involves a lot of experience from the scammers and a little knowledge of human psychology. All of us want company and affection, especially in winter time, and all of us spend even more time connected to the Internet.

To name just a few of the practices mentioned in this article, online crooks use fake profiles on apparently legitimate sites in the famous practice called catfishing, run Tinder, Viber or Kik bots in phishing attempts to obtain your data, and even inject malware into your computer or smartphone.

To avoid a romantic disappointment and protect yourself:

  • Do not trust anyone you meet online or someone who asks for money or your credit card information.
  • Beware of sharing your most intimate information on social media or dating sites. Even if you receive similar information from the other person, you cannot verify the truth of this info.
  • Take advantage of these security guides and be proactive with what you care most about.
  • If targeted by spammers, warn others of their methods.

Via Wayne May, Scam Survivors founder

6. How to stay clear of games giveaways and lotteries scams

There ain’t such a thing as a free lunch. This old adage applies to both giveaway and lottery scams. There is no Microsoft Email Lottery, no Uber Online Lottery with free rides and no LinkedIn Online Lottery, just to name a few common ones.

The lottery scam will never truly go away because people will always hope to win something.

It starts with a message being sent to the victim and letting the person know a ridiculously huge amount of money or benefits have been won. All the victim needs to do is “just” pay for the small processing fees or complete some forms.

To stay safe from this online scheme:

  • Do not trust such an e-mail or offer. Google it beforehand.
  • Do not even open such an e-mail, least of all click anything in it.
  • Do not complete forms in a giveaway.

A similar lottery scam, a much harder one to detect, is targeting gamers around the world. It’s harder to detect because many game companies or influencers do host giveaways offering free games.

In general, with games you should do this:

  • Do not click links sent via private messages in the game client (League of Legends, Steam, Battlenet etc) or on streaming platforms like Twitch
  • Don’t sign up for quizzes promising that the winner will get a free game
  • Don’t sign up for contests requiring more than a simple comment on Reddit or a forum, one which does not ask for your personal information
  • Go to the official webpage of the supposed giveaway provider and check if they mention the contest. If League of Legends hasn’t announced a giveaway, then there is none.

A long, non-recycled password is a great way to protect your account, in combination with email verification. We also have a very fun account security video that the Riot team worked on.

Via Christopher Hymes, Director of Information Security at Riot Games



7. How to identify winter holidays travel scams

We wrote one of the most comprehensive guides on protecting yourself against airline scams. Since the holidays are approaching, we really need to underline the fact that airline scams are just a tiny part of a booming industry: online travel scams.

The worst scams of this type simply take your money and don’t send you anywhere, maybe just to the police to file a report.

This is what happened when a couple became just one of the many to lose thousands of pounds on fake Airbnb listings.

The “happy” cases of Christmas scams based on holiday bookings hide the real costs of your trip. You will end up paying more than initially thought.

These hidden costs may only become due once you get there: access to a local attraction, transport costs or other hidden fees.

To make sure you are not the victim of travel scams:

  • Always buy airline tickets or book a travel offer from official travel websites.
  • If the price for the trip or for the flight seems too good to be true, it may actually be some sort of scam.
  • Here are another 3 useful tips to avoid airline scams online:

If it’s a bona fide deal, open a new browser window and go to the agent’s or retailer’s website, and you’ll find it. Better still, use Gmail and Google’s excellent spam filter will put everything suspicious in a junk folder, and prompt you not to reply or click, even if you get tempted.
However, even official airline websites don’t exactly help foster consumer trust. Just yesterday after I entered my credit card number to buy a flight I was told that the price had risen since I started the booking process. That’s dishonest and unhelpful, to say nothing of airline booking websites that pre-select travel insurance and confirmed seat fees.

Via Jamie Carter, travel journalist

8. How to avoid Christmas screensavers bundle malware

Sites hosting screensavers have long been plagued by malware and trojans, and the biggest vector for infection might just be the biggest problem in town.

As Emsisoft also highlights, search results for holiday terms are loaded with downloads that bundle additional software such as potentially unwanted programs. In essence, they’re the gift that keeps on giving. Not joy or beautiful Christmasy landscapes, but pop-ups and dangerous types of malware and ransomware.

So, before decorating your PC with snow-laden houses, do make sure you’re visiting safe websites and not downloading anything malicious. You can do this by using traffic-filtering software that blocks malicious websites and, of course, by having an antivirus installed.

We also found a great list of screensaver suggestions and safe sources on Digital Citizen.


Via Emsisoft

9. How to identify shipping notification Christmas scams

This time of the year marks a big increase in the number of items purchased online and, at the same time, in the number of confirmation emails and shipping notifications we receive.

But are all these notifications real? As we previously highlighted, some of them may be fake and dangerous! An email requesting an update on your shipment could be a disguised attempt to retrieve valuable information from your online banking account.

This email might or might not have an attachment that you are requested to download. You could be dealing with a phishing e-mail, an e-mail designed to spread ransomware or any other combination, so take precautions!


Via Webroot

10. How to spot fake jobs, financial opportunities, and Christmas scams for loans

One of the busiest periods in recruitment is the holiday season. Job seekers around the world flock to job sites in order to boost their careers. Malicious hackers get a present as well: the personal details of those job seekers.


A popular method of gathering sensitive information is phishing via fake job sites. Unsuspecting victims simply give out their name, address, phone number and even SSN, thinking they’re applying for a job through an established career portal.

Another one is good old-fashioned emails from “recruiters” or “staffing agencies” – click the link and at best you give out your personal information, at worst you find yourself with a malware infection. 


Be rational. Unless you’ve been actively applying for jobs, it’s unlikely someone is going to find you in the “internet resources” and offer you an amazing job.

Via Spamfighter


The holidays are a time for presents, not falling prey to Christmas scams, so use this guide to stay safe and spread the cheer (and valuable info!) to your loved ones.



via:  heimdalsecurity

Permissions Flaw Found on Azure AD Connect

A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network.

Microsoft issued an advisory for the vulnerability on Tuesday. Affected are Office 365 customers running Microsoft’s Active Directory Domain Services in conjunction with Azure AD Connect software installed with the Express Settings, according to Preempt Security, which first identified the vulnerability.

Microsoft didn’t release a patch to fix the bug; instead it made available a PowerShell script that adjusts the permissions of the Active Directory domain accounts to protect customers from the vulnerability. Microsoft also said future versions of the affected software (after version 1.1.654.0) would not be impacted by this vulnerability.

“Before this release, the account was created with settings that allowed a user with password administrator rights the ability to change the password to a value known to them. This allowed you to sign in using this account, and this would constitute an elevation of privilege security breach. This release tightens the setting on the account that is created and removes this vulnerability,” Microsoft states.

The flaw allows trusted users with limited or temporary privileges within a domain, such as the ability to change passwords or add users to administrative groups, to escalate privileges, said Roman Blachman, CTO and co-founder of Preempt.

He said there are several scenarios where “stealthy admins” can elevate their access within a domain. One way is that a rogue technical support operator (or “stealth admin”) could use their limited privilege of managing passwords to change the password of a domain administrator. They could then log in as the domain administrator and configure their own profile with greater access to the company’s network.

“The flaw allows a support operator to replicate all of the domain passwords of every user and compromise any account in the domain and give themselves full administrator rights,” Blachman said. “So, this support operator could go from having limited access to making themselves a domain admin.”

In another attack scenario, a rogue admin with limited privileges of adding and removing users from administrative groups could simply add themselves to a group with more privileges.

To circumvent detection, Preempt said a stealthy admin would alternatively target the MSOnline (MSOL) PowerShell Module, part of Windows Azure Active Directory. “Such (service) accounts are often less monitored than full domain admins even though they have relatively high privileges,” the researchers said.

“Imagine a help desk technician with permissions to reset non-admin passwords but no other domain admin privileges. Because the MSOL account is generated under the Built-in Users container, and the Built-in Account Operators group (e.g. helpdesk team) has permissions to reset passwords for the Built-in Users container, this gives the account operator full de facto access to domain passwords, as well as other elevated privileges (e.g. Domain Admin),” the researchers wrote in a technical write-up of the vulnerability posted Tuesday.

Using the aforementioned technique, Blachman said, it is possible for an admin to escalate their privileges via the MSOL service account.

“Now the stealthy admin can log into Azure AD Connect and reconfigure the account so everything would work properly and no one would ever notice the changes to the account,” Blachman said. 

“Microsoft acknowledged the issue and has released a Microsoft Security Advisory 4056318 and a PowerShell script that addresses the flaw by adjusting the permissions of the Active Directory domain accounts to modify properties of the AD DS synchronization account (MSOL),” Preempt said.


via:  threatpost
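The attack chain above has two halves that an administrator can audit directly: who is allowed to reset the password of (or rewrite the ACL on) the MSOL_* sync account, and which principals hold the directory-replication rights that make taking that account over worthwhile. The script below is an added example, not Microsoft's advisory script and not Preempt's tooling. It assumes the ActiveDirectory RSAT module (which supplies the `AD:` drive) on a domain-joined host with read access to the directory, and that the sync account follows the `MSOL_<hex>` naming the Express Settings install uses. The `InheritanceBlocked` column is a secondary signal only: my understanding is that the remediated account carries an explicit, non-inherited ACL, but treat that as an assumption and rely on the principal names.

```powershell
# Added example (not Microsoft's or Preempt's code): audit takeover paths to the
# Azure AD Connect sync account and enumerate DCSync-capable principals.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema.
$ResetPassword     = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

function Get-SyncAccountTakeoverRights {
    # Express Settings creates the sync account as MSOL_<hex> in CN=Users (assumed here).
    # Anyone who can reset its password, or rewrite its ACL, inherits its DCSync rights.
    $accounts = Get-ADUser -Filter 'SamAccountName -like "MSOL_*"'
    foreach ($acct in $accounts) {
        $acl = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $canTakeOver = ($ace.ObjectType -eq $ResetPassword) -or
                           ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
            if (-not $canTakeOver) { continue }
            [pscustomobject]@{
                Account            = $acct.SamAccountName
                Principal          = $ace.IdentityReference.Value
                Rights             = $ace.ActiveDirectoryRights
                ExtendedRight      = $ace.ObjectType
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

function Get-DCSyncPrincipals {
    # Principals granted replication rights on the domain head. Get-Changes-All is
    # the right that allows pulling secrets; with Get-Changes it is a full DCSync.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path ("AD:\" + $domainDN)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $ReplGetChangesAll -or
                $_.ObjectType -eq $ReplGetChanges -or
                $_.ActiveDirectoryRights -match 'GenericAll'
            )
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Right';     e = {
                            if     ($_.ObjectType -eq $ReplGetChangesAll) { 'Get-Changes-All' }
                            elseif ($_.ObjectType -eq $ReplGetChanges)    { 'Get-Changes' }
                            else                                           { 'GenericAll' } } } |
        Sort-Object Principal, Right -Unique
}

# Usage: a row naming BUILTIN\Account Operators (or a helpdesk group) against the
# MSOL account is the exposure the article describes. Remediate with the script
# from Microsoft Security Advisory 4056318 rather than by hand-editing the ACL.
Get-SyncAccountTakeoverRights | Format-Table -AutoSize
Get-DCSyncPrincipals          | Format-Table -AutoSize
```

In the second table the built-in administrator and domain-controller groups are expected; a service identity, a helpdesk group or an individual user holding Get-Changes-All is the finding to chase, because anyone who can reset that identity's password can replicate every password hash in the domain.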

UK companies hoarding Bitcoin to prepare for ransomware attacks

Some firms are asking their employees to prepare digital wallets and monitor cryptocurrency prices, according to Paul Taylor, former Ministry of Defense cyber chief.

  • UK firms are stockpiling Bitcoin to prepare for potential ransomware attacks. -The Telegraph, 2017
  • Bitcoin is now valued above $18,000, and companies may be tempted to cash it in instead of saving it. -The Telegraph, 2017

British companies are hoarding Bitcoin to pay off hackers and unlock critical systems in the event of a ransomware attack like WannaCry, according to The Telegraph.

“Companies are definitely stockpiling Bitcoin in order to be prepared to pay ransoms,” Paul Taylor, former Ministry of Defense cyber chief and KPMG partner, told The Telegraph.

A ransomware attack occurs once every 40 seconds, as noted by TechRepublic’s sister site ZDNet. The number of people who reported encounters with ransomware worldwide in the past year rose from 2.3 million to nearly 2.6 million, according to Kaspersky Lab.

These attacks are now so common that employees are being ordered to prepare digital wallets and to monitor cryptocurrency prices so the reserve keeps pace with ransom demands, in case the company decides to pay quietly rather than let an attack gain public attention, Taylor told The Telegraph.

Two thirds of companies that have fallen victim to such an attack have paid the attackers, according to a Trend Micro report. However, paying up is no guarantee of unlocking your files: Of those companies, one in five never got their data back after paying, the report found.

Large British businesses are prepared to pay out an average of £136,235 (about $182,693) to regain access to important intellectual property or business critical data, according to a June report from Citrix. These businesses are also stockpiling an average of 23 Bitcoins in case they are suddenly hit by an attack, the report noted.

The recent boom in Bitcoin value—currently worth more than $18,000—may tempt businesses to cash in on their stockpile, Chris Mayers, chief security architect at Citrix, told The Telegraph, making them unable to pay the ransom. However, keeping a large stockpile may also make them a more desirable target for hackers.

Security experts warn companies not to pay the ransom, as attackers may repeatedly hit the same company, and instead to report the attack. But many companies find that it’s easier to pay out and keep attacks private, The Telegraph noted.

Backups do not prevent a ransomware attack, but they decide its cost: companies should back up their data daily to a location the attacker cannot reach from a compromised workstation (offline or otherwise write-protected storage), and regularly test that those backups actually restore.


via:  techrepublic

Russia could chop vital undersea web cables, warns Brit military chief

ACM Sir Stuart Peach is right – but only to a point

[Image: the JUPITER sub-Pacific communications cable. The Chief of the Defense Staff warns that cables such as these are vulnerable to attacks]

The head of the British Armed Forces, Air Chief Marshal Sir Stuart Peach, has warned that Russia could cut off the UK by severing undersea communications cables.

In a speech made to military think-tank the Royal United Services Institute last night, the air marshal said: “There’s a new risk to our way of life, which is the vulnerability of cables which criss cross the sea beds. Can you imagine a scenario where those cables are cut or disrupted? Which would immediately and potentially catastrophically affect our economy and other ways of living if they were disrupted.”

Peach was giving the annual Chief of the Defense Staff Lecture, in which he talks about topical defense, security and geopolitical issues. He specifically highlighted Russia as the most likely nation state that might go around cutting cables and causing chaos.

“In response to the threat posed by the modernization of the Russian navy, both nuclear and conventional submarines and ships, we, along with our Atlantic allies, have prioritized missions and tasks to protect the sea lines of communication,” he said, specifically mentioning the role of NATO.

The air marshal also joked about bringing back the Railway Squadron of the Royal Logistics Corps, which drove military-manned trains to and from West Berlin during the Cold War, as well as beefing up Britain’s military hackers with a “reservist and contractor”-led cyber force.

A stagnant defense budget, allied to possible inflation-driven cuts to internal spending, means the Royal Navy is facing decades of severe overstretch. Peach’s speech ought to be read (or watched, if you’ve an hour of free time – the Russian comments are all in the first five minutes) with the military need to put pressure on politicians for extra funding in mind.

Laying cable

Peach’s warning comes in the context of Russian naval renewal over the last few years and increasing naval activity by Moscow’s armed forces, as well as a recent report highlighting potential legal vulnerabilities around cables and their landing stations. The basic argument goes that as everyone knows where they are, they are uniquely vulnerable.

Without doubt, this is true. It is also true that in our increasingly interconnected world, even “the baddies” like Russia and Iran are also coming to depend on communications over these cables. In spite of conspiracy theories around Russian spy ships interfering with undersea cables, the greater threat to global connectivity appears to be the West, which has inserted eavesdropping capabilities into a large number of cables around the world. Both the US and UK have the advanced technologies necessary to do this sort of work while underwater.

Russia, meanwhile, seems to like trolling professional Western observers by sailing along cable routes, raising watchers’ blood pressure all the while. Rather than some kind of high-tech interference, the main fear is that the Russians will simply drop anchor over a cable site and drag it along the seabed in order to sever the cable – as happened accidentally off the coast of Jersey last year thanks to the careless crew of an Italian-flagged gas tanker.

As we previously reported, naval gazers reckon the Russian spy ships may be looking for so-called dark cables used for dedicated defense and intelligence communications. The idea is that by cutting dedicated links, spies and other snoopers’ comms are forced onto public cables – where they can then be re-routed into areas where hostile states can collect and analyze them at leisure.


via:  theregister

Chromecast is back on Amazon

Amazon will once again allow sales of Apple TV and Google Chromecast on its site, after banning them two years ago in an effort to promote its own Fire TV hardware to online shoppers. The addition of Apple TV is not surprising – Amazon and Apple came to an agreement earlier this year that included the launch of the Amazon Prime Video app for Apple TV, and the return of the Apple TV to Amazon’s online store. However, the return of Chromecast is notable given the recent drama between the two companies, which led to Google pulling YouTube from Echo Show and Fire TV.

The return of Apple TV and Chromecast was reported earlier today by CNET, though the product listing for Apple TV had already been spotted back in September.

CNET’s report also noted there are now five streaming devices from Apple and Google back on Amazon, including the Apple TV, two versions of Apple TV 4K, plus Chromecast and Chromecast Ultra. None are available for sale yet.

An Amazon spokesperson only offered the following statement about the change:

“I can confirm that we are assorting Apple TV and Chromecast.”

Google and Amazon have been feuding for some time.

Google has not been happy about Amazon’s decision to ban sales of competitors’ hardware from its site, including Chromecast, Google Home (an Echo rival), and more recently, Nest devices, including the Nest Thermostat E, Nest Camera IQ and the Nest Secure alarm system.

Earlier this month, Amazon again angered Google when it launched its own version of Google’s YouTube player for Echo Show that lacked many core features. Google pulled access to that app, so Amazon worked around the block by implementing a web version of YouTube instead. Both apps had been built without Google’s input or knowledge, ultimately leading the company to pull YouTube entirely from Amazon’s hardware lineup, including Fire TV.

In this light, the return of Chromecast looks like a concession from Amazon, or even an indication that the two rivals have come to some sort of agreement.

We’ve asked Google if it will now revise its decision to pull YouTube from Fire TV and Echo Show, given this change, and will update if the company responds.


Update, 12/14/17, 5 PM ET: Google has offered the following statement:

“We are in productive discussions with Amazon to reach an agreement for the benefit of our mutual customers. We hope we can reach an agreement to resolve these issues soon.”


via:  techcrunch

Facebook adds a Snooze button for muting people, groups and Pages for 30 days

Facebook today is launching a new feature designed to give users more control over what content they see in their News Feed: a “Snooze” button. The option, which will become available via the top-right dropdown menu on a post, will mute content from a person, Page or group for 30 days.

The new feature can serve as a way to dial down the content you don’t want to see, without having to fully unfollow or unfriend someone.

For example, if you’ve had enough of someone’s political rants or baby photos, you can temporarily opt to see less of them in your News Feed. You could also turn off a particularly chatty Facebook friend whose continuous updates clutter your feed.

The option could be useful for people going through a breakup, too – that is, one where they’re staying connected socially, but don’t necessarily want constant reminders of what an ex is up to. That’s an area Facebook has explored in the past, with the 2015 debut of tools to help you see less from former flames. However, not many people seem to know these features exist. Snooze, on the other hand, will be far more visible.

For Pages and Groups, having a Snooze button means they may be able to better retain their less active users, who may have otherwise unliked them or left the group to avoid their content.

TechCrunch first spotted Snooze in testing this fall, when different lengths of time were being offered. Today’s launch has settled on a month as the right amount of time spent on mute.

Snooze joins a series of other content controls for News Feed, like Unfollow, Hide, Report and See First, which give people more ways to customize their experience, notes Facebook.

The update, while seemingly minor, comes at a time when many people – including some of Facebook’s early founders – are questioning whether social media is having a negative impact on people and society as a whole. A network that’s too tuned to what people want to see, and provides that to them by way of algorithms, can lead to addiction and an inability to relate to different people and opinions.

The flip side of Facebook’s toolset for deep personalization, now including Snooze, is the ongoing concern that Facebook’s social network can become overly comfortable for people. It allows people to ensconce themselves in a world where everyone thinks like them, enjoys the same things, and posts similar news and other things. But this is not the real world, where people’s opinions can wildly differ. The result of this bubble effect is a reduction in exposure to new ideas, and an increased intolerance for those who don’t share your beliefs.

Snooze, in that context, could be seen not as an empowering tool, but one that could potentially lead people to further distancing themselves from friends with different perspectives – whether political, religious, cultural or otherwise – simply because it’s something you don’t want to see.

But at least Snooze’s forced cooldown period could stop people from unfriending people with these opposing viewpoints.

Facebook notes that when the Snooze period is about to end, it will notify you of this – presumably, in case you need to snooze them again. You can also reverse a snooze at any time, the company notes.

The Snooze button is rolling out today, across Facebook.


via:  techcrunch

FCC repeals net neutrality

As I write this, the Federal Communications Commission (FCC) is going through the motions, live streaming its commissioners as they (mostly) express support for what turned out to be the inevitable killing of net neutrality: the 3-year-old landmark rule – imposed during the administration of President Obama – that prevents internet service providers (ISPs) from favoring some sites over others by slowing down connections or charging customers a fee for streaming or other services.

…at least, the FCC had been going through the motions, until around 12:51 pm, when the room was evacuated and bomb sniffing dogs were led through the emptied room by their handlers.



Commissioners were let back into the room around 1pm after it had been cleared by security. Within minutes, the room, the internet, and the telecom industry had also been cleared of net neutrality.

There has been much gnashing of teeth.

Clearly, this has been a contentious few months of debate: on one side, telecom giants like AT&T, Charter, Comcast and Verizon have been urging the repeal, which was put forward and championed by Republican FCC Chairman Ajit Pai. They view it as a major victory that will peel back what they see as onerous government regulation.

Getting rid of net neutrality is going to be great for innovation, Pai has been saying, though “blaring from every computer screen in the nation” is actually a joke news piece from The Onion:


Robert Reich, founding fellow of The Sanders Institute – a nonprofit, educational organization founded last year by Jane Sanders, wife of Sen. Bernie Sanders, I-Vt., to help raise awareness of “enormous crises” facing Americans – called industry claims that net neutrality hurts consumers because it discourages investment in their networks “rubbish.”

Since Net Neutrality was adopted, investment has remained consistent. During calls with investors, telecom executives themselves have even admitted that Net Neutrality hasn’t hurt their businesses.

This is what cable companies can inflict on us in the absence of net neutrality, Reich predicts:

  1. Drive up prices for internet service. Broadband providers could charge customers higher rates to access certain sites, or raise rates for internet companies to reach consumers at faster speeds. Either way, these price hikes would be passed along to you and me.
  2. Give corporate executives free rein to slow down and censor news or websites that don’t match their political agenda, or give preference to their own content – for any reason at all.
  3. Stifle innovation. Cable companies could severely hurt their competitors by blocking certain apps or online services. Small businesses who can’t afford to pay higher rates could be squeezed out altogether.

No, says former FCC Chairman Michael K. Powell: that’s the rubbish.

Powell, now a lobbyist for the cable and telecom industry, came out with an opinion piece in which he declared that opponents’ protests amount to “hyperbole, demagoguery and even personal threats.”

More from his article, which was published by Recode on Wednesday:

New-age Nostradamuses predict the internet will stop working, democracy will collapse, plague will ensue and locusts will cover the land.

The biggest threat to Silicon Valley innovation and improving consumer experiences isn’t net neutrality, he says; it’s “an internet that stalls and doesn’t get better.”

Powell says that the “vibrant and open internet” that Americans cherish “isn’t going anywhere.” Not for days, not for weeks, not for years: we’ll also still be merrily shopping online for the holidays, oversharing our photos on Instagram, harping on about our political grievances on Facebook, and asking Alexa what the score of the game is. Everything is going to be Just Fine, and the internet Will Not Blow Up.

Why the confidence? Because ISPs value the principles of net neutrality and the open internet more than activists would have you believe, Powell says. After all, it’s easier to make money with an open internet:

A network company makes the most money when its pipe is full with activity. The more consumers use, the more profitable the business. With new, compelling services, consumer demand rises for higher speeds. Degrading the internet, blocking speech and trampling what consumers now have come to expect would not be profitable, and the public backlash would be unbearable. Economic self-interest and the pursuit of profits tilts decidedly toward an open internet.

His optimism is not mirrored throughout the internet.

Senior analyst Michael Fauscette, Chief Research Officer at G2 Crowd, a review website for business software, says that letting a business self-regulate hasn’t gone well in the past, either for the businesses or the public.

Neither is this struggle over. Fauscette predicts that “there will be plenty of lawsuits attempting to put the protections back in place.” Besides whatever happens in the court, there are things happening inside Congress to restore net neutrality by passing a law to protect it. On Tuesday, Sen. John Thune (R-SD) asked net neutrality supporters on “both sides of the aisle” to work with him on a legislative solution.

Would such a law pass anytime soon, given the makeup of the Republican majority House and Senate? Maybe not, but “soon” might come sooner rather than later, given Democrat Doug Jones’ upset victory to become senator in conservative Alabama, plus the fact that influential Republican Ted Cruz is seen as the next conservative in Democrats’ cross-hairs.

In the meantime, take your pick between alternating views of the near future: either everything will be hunky dory, per Powell, or we can all start reaching for our wallets to pay for internet fast lanes or kicking back with a beer as we get shunted onto slow lanes.


via:  nakedsecurity