Monthly Archives: September 2016

Multiple Backdoors found in D-Link DWR-932 B LTE Router

If you own a D-Link wireless router, especially the DWR-932 B LTE router, you should get rid of it rather than wait for a firmware upgrade that is unlikely to land any time soon.
D-Link’s DWR-932B LTE router is allegedly vulnerable to more than 20 issues, including backdoor accounts, default credentials, credential leaks, firmware-upgrade vulnerabilities and an insecure UPnP (Universal Plug-and-Play) configuration.

If successfully exploited, these vulnerabilities could allow attackers to remotely hijack and control your router, as well as network, leaving all connected devices vulnerable to man-in-the-middle and DNS poisoning attacks.

Moreover, your hacked router can easily be abused by cybercriminals to launch massive Distributed Denial of Service (DDoS) attacks, as the Internet recently witnessed with a record-breaking 1 Tbps DDoS attack launched from more than 150,000 hacked Internet-connected smart devices.
Security researcher Pierre Kim has discovered multiple vulnerabilities in the D-Link DWR-932B router, which is sold in several countries to provide Internet access over an LTE network.

Telnet and SSH Backdoor Accounts

While penetration testing, the researcher found that the D-Link router has Telnet and SSH services running by default, with two hard-coded secret accounts (admin:admin and root:1234).
Attackers simply need these credentials to gain command-line access to vulnerable routers, allowing them to perform man-in-the-middle attacks, monitor Internet traffic, run malicious scripts and change router settings.

Another Backdoor

If this isn’t enough, the D-Link DWR-932B LTE router has another secret backdoor that can be triggered simply by sending the hard-coded string “HELODBG” to UDP port 39889, which in turn launches a Telnet service running as root, without any authentication.

Vulnerable WPS System

Default WPS PIN:

You might have seen a small push button on your router labelled WPS, which stands for Wi-Fi Protected Setup, a ‘so-called’ security feature that lets a device join your wireless network with a PIN instead of your actual Wi-Fi password.

Bingo! The PIN for the WPS system on D-Link routers is ‘28296607,’ which is hard-coded in the /bin/appmgr program.


Weak WPS PIN Generation:

Users can also temporarily generate a new WPS PIN through the router’s administrative web interface, but unfortunately the PIN generation algorithm is flawed and so weak that an attacker can easily predict the result.

Remote Firmware-Over-The-Air

Now, if you hope that a firmware upgrade will land soon and save you from these issues, then you are wrong.
It’s because the D-Link’s remote firmware over-the-air (FOTA) update mechanism is also vulnerable.
The credentials to contact the FOTA server are hard-coded in the /sbin/fotad binary. The user/password combinations are qdpc:qdpc, qdpe:qdpe and qdp:qdp.

“It’s notable the FOTA daemon tries to retrieve the firmware over HTTPS. But at the date of the writing, the SSL certificate for is invalid for 1.5 years,” Kim writes.

Security Removed in UPnP

Due to the security risks involved, there are usually restrictions in place to stop untrusted LAN clients from adding or modifying firewall rules.
However, the UPnP configuration file on the vulnerable D-Link router contains no such permission rules, so anyone on the LAN can add their own port-forwarding rules from the Internet to other clients located on the LAN.

“An attacker can add a forwarding rule in order to allow traffic from the Internet to local Exchange servers, mail servers, ftp servers, http servers, database servers,” Kim writes. “In fact, this lack of security allows a local user to forward whatever they want from the Internet into the LAN.”

There are more security issues surrounding the vulnerable router, but Kim points out that a router with a big processor, sizable memory (168 MB) and ample free space (235 MB) that is this badly secured makes it trivial for attackers to use it as an attack vector.
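As an added defensive example (not code from the original article or from Kim’s advisory), the following Python script applies detection rules for three of the weaknesses described above to constructed router log lines: any UDP datagram to port 39889 (the HELODBG trigger port), Telnet or SSH connections to the router arriving from outside the LAN, and UPnP port mappings that a LAN client creates for a different host or that expose a server port. The log line format, the 192.168.1.0/24 LAN range, the server-port list and the sample lines are all assumptions made for this example.

```python
"""Detection rules for the DWR-932B weaknesses discussed above, run over
constructed router log lines. The log format is an assumption for this
example, not real DWR-932B output."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # assumed LAN range for the sample
BACKDOOR_UDP_PORT = 39889             # UDP port named in the advisory text
MGMT_PORTS = {22: "ssh", 23: "telnet"}
# Internal service ports a LAN client should not be able to expose on behalf of others.
SERVER_PORTS = {21, 22, 25, 80, 443, 1433, 3306}

Finding = namedtuple("Finding", "rule detail")

# Constructed firewall line: "<ts> FW proto=udp src=A:p dst=B:p"
FW_RE = re.compile(
    r"FW proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
# Constructed UPnP line: "<ts> UPNP AddPortMapping by=A ext=p proto=tcp int=B:p"
UPNP_RE = re.compile(
    r"UPNP AddPortMapping by=(?P<by>[\d.]+) ext=(?P<ext>\d+) proto=(?P<proto>tcp|udp) "
    r"int=(?P<host>[\d.]+):(?P<iport>\d+)")


def check_line(line):
    """Return the Findings raised by one log line (empty for benign or malformed lines)."""
    findings = []
    m = FW_RE.search(line)
    if m:
        src, dport = ip_address(m["src"]), int(m["dport"])
        # Any datagram to the HELODBG trigger port is suspicious, whatever the source.
        if m["proto"] == "udp" and dport == BACKDOOR_UDP_PORT:
            findings.append(Finding("backdoor-trigger-port", f"{src} -> udp/{dport}"))
        # Telnet/SSH on the router should never be reachable from outside the LAN.
        if m["proto"] == "tcp" and dport in MGMT_PORTS and src not in LAN:
            findings.append(Finding(f"wan-{MGMT_PORTS[dport]}", f"{src} -> tcp/{dport}"))
    m = UPNP_RE.search(line)
    if m:
        requester, target, iport = ip_address(m["by"]), ip_address(m["host"]), int(m["iport"])
        # A client mapping a port to a *different* LAN host is what a restricted
        # UPnP permission set would normally refuse.
        if requester != target:
            findings.append(Finding("upnp-forward-to-other-host",
                                    f"{requester} mapped ext/{m['ext']} -> {target}:{iport}"))
        if iport in SERVER_PORTS:
            findings.append(Finding("upnp-exposes-server-port",
                                    f"{target}:{iport} now reachable from the Internet"))
    return findings


def scan(lines):
    """Run every rule over every line, preserving log order."""
    return [f for line in lines for f in check_line(line)]


# Constructed sample log (RFC 5737 documentation addresses for the WAN side).
SAMPLE_LOG = [
    "2016-09-28T10:00:01 FW proto=udp src=203.0.113.9:51234 dst=192.168.1.1:39889",
    "2016-09-28T10:00:02 FW proto=tcp src=203.0.113.9:51235 dst=192.168.1.1:23",
    "2016-09-28T10:00:03 FW proto=tcp src=192.168.1.20:40000 dst=192.168.1.1:22",
    "2016-09-28T10:00:04 UPNP AddPortMapping by=192.168.1.20 ext=443 proto=tcp int=192.168.1.50:443",
    "2016-09-28T10:00:05 UPNP AddPortMapping by=192.168.1.20 ext=25565 proto=tcp int=192.168.1.20:25565",
    "2016-09-28T10:00:06 FW proto=tcp src=198.51.100.7:3000 dst=192.168.1.1:443",
    "this line is malformed and must be ignored",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:28} {f.detail}")
```

Run as-is it prints one line per finding: the UDP datagram to 39889, the WAN-side Telnet connection, and the mapping that line 4 creates for another host on port 443 (two findings), while the client mapping its own game port and the ordinary HTTPS connection stay silent. In a real deployment the two regexes would be swapped for parsers of the firewall’s and UPnP daemon’s actual log formats and the findings forwarded to a SIEM.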

Kim privately reported the security flaws to the Taiwan-based networking equipment manufacturer D-Link in June and received no update from the company. So, he went public with details of the vulnerabilities after obtaining CERT’s advice.


via: thehackernews

NHS Digital aims to put healthcare on firm cyber security footing

NHS Digital set to work closely with National Cyber Security Centre (NCSC) to boost healthcare sector cyber security capabilities.

NHS Digital aims to put the UK’s healthcare sector on a firm cyber security footing, according to Rob Shaw, chief operating officer at NHS Digital’s Data Security Centre.

“We are not planning to do this alone, but will work closely with the National Cyber Security Centre (NCSC),” he told the Cyber Security in Healthcare conference in London.

Shaw said the cyber security threats are the same for the healthcare sector as for other sectors, but the additional challenge is providing security while the priority remains patient care.

In charting a fresh and effective approach, he said NHS Digital has recognised that it is not about technology, but about protecting data.

A key part of this approach, said Shaw, is changing the culture and attitudes of people to data protection, which requires leadership.

“We need a better culture [around cyber security] because it cannot just be something that is added on at the end,” he said.

To help ensure that cyber security is an inherent part of everything the UK healthcare sector does, NHS Digital has developed 10 standards.

“Although the amount of malicious traffic on the national NHS network (N3) is around the same level of other sectors of 0.3%, security and integrity of data in healthcare is absolutely critical,” said Shaw.

However, he said the standards were regulatory in intention, but aimed at enabling a secure healthcare sector and increasing patient trust.

Underlining that cyber security is not just about technology, he said most cyber attacks start with social engineering.

Just like other sectors, he said healthcare organisations are regularly targeted by spoofed emails that appear to come from known senders and contain references to personal interests.

In one such incident, he said a healthcare employee was tricked into opening an email that appeared to come from a contact about a subject of common interest.

“When he clicked on the email it appeared to fail to open, but he had compromised his machine and it took two weeks before the compromise was detected,” said Shaw.

In establishing a cyber security-oriented culture, healthcare organizations need to seek to address such risks, he said.

Security risks in unsupported software

Another common challenge, especially in the healthcare sector, is the use of unsupported software, such as Microsoft Windows XP.

NHS Digital estimates that around 15% of Windows installations in the UK healthcare sector are XP, but Shaw said this is not easily or quickly fixed.

“In addition to the costs involved, there is also the problem of migrating legacy applications that run on hardware that will not support more modern operating systems, which adds to the cost of hardware upgrades,” he said.

NHS Digital is aware of the security risks posed by Windows XP. Because its security is no longer being updated by Microsoft, and XP’s vulnerabilities are well known, NHS Digital has developed various strategies for securing computers still running Windows XP.

Managing breaches

Not all organizations know what to do, said Shaw, and that is where NHS Digital can help provide the necessary expertise. Similarly, NHS Digital can provide support where compromises occur.

“There are many threats and sometimes things do get through, which means the way organizations respond when they are breached is important,” he said.

NHS Digital is helping a growing number of hospitals and other healthcare organizations to respond to breaches through its computer emergency response team, CareCert.

“CareCert is making a difference. In a recent ransomware attack, CareCert’s incident response team was able to contain, monitor and eradicate the malware before it could take hold,” said Shaw.

The CareCert team and all the other services provided by NHS Digital, he said, are effectively shifting cyber security in UK healthcare from defence-only mode to detect mode.

Looking to the future, he said CareCert will be a “front door” to the services and support that will be available from the National Cyber Security Centre, which is due to begin operations on 1 October 2016.

“We will be working with the NCSC to provide access to specialists, access help on how to handle security incidents, and share information with and from other organizations,” said Shaw.

He called on healthcare organizations to engage with CareCert and not to overlook investing in people, saying personal responsibility in cyber security is key.

“Don’t fall into the trap of thinking cyber security does not affect patient care because it does, and don’t entrust the security of the many to the few because everyone needs to be involved,” said Shaw.


via: computerweekly

Demisto Announces a Splunk App

Demisto Announces a Splunk App and Mega-level Sponsorship of Splunk .conf2016 — Demisto will Highlight Intelligent Bot-powered Security ChatOps Platform for Automating Playbooks, Response Tasks and Collaboration on .conf2016 Expo Floor.


Demisto, Inc., an innovator in Security Operations technology, today announced its new Splunk app and a Mega-level sponsorship of .conf2016: The 7th Annual Splunk Conference. Demisto will demonstrate its ChatOps-based Demisto Enterprise Security Operations Platform for greatly improving security operations center (SOC) collaboration and efficiency in addressing security incidents in its booth number M1 at the event this week.

The newly announced Demisto Splunk App enables customers to send Splunk incident data directly to the Demisto Enterprise platform. With this new app, customers can accelerate the incident management and response process by automating the entire flow, starting from the Splunk alert through to an incident playbook automation in Demisto, helping increase SOC efficiencies. The app can be downloaded from the Splunkbase website.

Demisto Enterprise’s intelligent automation is provided by DBot, a security chatbot. DBot automates actions across security products and correlates artifacts across incidents by using sophisticated patterns and powerful search capabilities. DBot searches through past and ongoing forensic investigations, and proactively alerts the users when duplicate or related incidents are identified. The playbooks were developed by security and incident response experts, following National Institute of Standards and Technology (NIST) and other regulatory documents. To create new best practices, additional playbooks can be created by users to satisfy compliance and audit requirements, or for interactive modeling and training of analysts.

“We are thrilled to bring the automation and collaboration capabilities of Demisto Enterprise to Splunk customers,” said Slavik Markovich, Demisto CEO & co-founder. “With Demisto leveraging Splunk software, our customers can automate investigation and response for alerts triggered by Splunk® Enterprise or Splunk Enterprise Security (ES). Demisto’s use of Splunk solutions also allows for interactive investigation via an intuitive chat interface, enabled by security data queried from Splunk ES.”

.conf2016 will feature more than 175 technical sessions, including more than 80 customer presentations, and is expected to attract IT, security and business professionals who know the value of their data. The conference will be held Sept. 26-29 at The Walt Disney World Swan and Dolphin Resorts, Orlando, Fla., with three days of optional education classes through Splunk University, Sept. 24-26.

.conf2016 attendees will learn how to gain Operational Intelligence from machine-generated data by improving customer experience and service delivery, enhancing IT performance, shipping better code faster, providing timely business insights, or reaching new levels of security in their organization. With more than 50 percent of the Fortune 100 in attendance, it’s the best place to learn how leading companies are using Splunk. Attendees will share best practices, discover new features and ways to implement Splunk software to gain insights from their data. Register for .conf2016. At the conference, follow us on LinkedIn and Twitter @splunkconf (all conversations tagged #splunkconf16).


via: enterprise-security-today

Armies of hacked IoT devices launch unprecedented DDoS attacks

DDoS attacks got a power boost thanks to hundreds of thousands of insecure IoT devices.

Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We’re now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.

Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.

According to Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.

The OVH incident came after cybersecurity journalist Brian Krebs’ website was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.

According to Krebs, the attack was nearly twice the size of the largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.

“There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things,’ (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords,” Krebs said in a blog post after his website came back online under the protection of Google Project Shield.

On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.

Symantec’s data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but due to a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in with default administrative credentials. That’s unfortunately all it takes today to build a large IoT botnet.
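The pattern Symantec describes, mass login attempts against Telnet and SSH with default account names, is visible in authentication logs long before a device joins a botnet. The following Python script is an added example (not part of the original article or of Symantec’s report) that flags two things on constructed auth log lines: a source that accumulates five failures within a five-minute sliding window, and any successful login with a vendor-default account name. The line format, the watchlist of default account names, the thresholds and the sample lines are assumptions made for this example.

```python
"""Spotting the default-credential login pattern on constructed Telnet/SSH
auth log lines. The line format is an assumption for this example, not the
output of any particular device or daemon."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line: "<iso-ts> auth service=telnet user=root result=fail src=A"
LINE_RE = re.compile(
    r"(?P<ts>\S+) auth service=(?P<svc>ssh|telnet) user=(?P<user>\S+) "
    r"result=(?P<res>ok|fail) src=(?P<src>[\d.]+)")
# Vendor default / service account names worth alerting on (constructed watchlist).
DEFAULT_ACCOUNTS = {"admin", "root", "user", "support", "guest"}
WINDOW = timedelta(minutes=5)   # sliding window for counting failures per source
THRESHOLD = 5                   # failures inside WINDOW that raise an alert


def parse(line):
    """Return (timestamp, service, user, result, src) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["svc"], m["user"], m["res"], m["src"])


def analyse(lines):
    """Return (rule, src, service, user) alerts in the order they fire."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> timestamps of failures inside WINDOW
    for ts, svc, user, res, src in filter(None, map(parse, lines)):
        if res == "fail":
            q = recent_fails[src]
            q.append(ts)
            # Drop failures that have aged out of the window.
            while q and ts - q[0] > WINDOW:
                q.popleft()
            # Fire once, when the threshold is first crossed, not on every extra failure.
            if len(q) == THRESHOLD:
                alerts.append(("bruteforce", src, svc, user))
        elif user in DEFAULT_ACCOUNTS:
            # A successful login with a default/service account name is exactly
            # the outcome the botnet builders described above are after.
            alerts.append(("default-account-login", src, svc, user))
    return alerts


# Constructed sample: one source cycling through default names, one legitimate
# login, one isolated failure, and a late failure that falls outside the window.
SAMPLE_AUTH_LOG = [
    "2016-09-22T03:14:01 auth service=telnet user=root result=fail src=198.51.100.23",
    "2016-09-22T03:14:02 auth service=telnet user=admin result=fail src=198.51.100.23",
    "2016-09-22T03:14:03 auth service=telnet user=support result=fail src=198.51.100.23",
    "2016-09-22T03:14:04 auth service=ssh user=jdoe result=ok src=192.168.1.20",
    "2016-09-22T03:14:05 auth service=telnet user=user result=fail src=198.51.100.23",
    "2016-09-22T03:14:06 auth service=telnet user=guest result=fail src=198.51.100.23",
    "2016-09-22T03:14:07 auth service=telnet user=root result=ok src=198.51.100.23",
    "2016-09-22T03:20:00 auth service=ssh user=root result=fail src=203.0.113.77",
    "2016-09-22T09:00:00 auth service=telnet user=root result=fail src=198.51.100.23",
    "not an auth line",
]

if __name__ == "__main__":
    for rule, src, svc, user in analyse(SAMPLE_AUTH_LOG):
        print(f"{rule:22} src={src} service={svc} user={user}")
```

The sliding window matters for the edge case at the end of the sample: the failure at 09:00 from the same source does not re-trigger the alert because the five earlier failures have aged out, so a low-and-slow scanner is counted per window rather than cumulatively. Where the window and threshold sit is a tuning decision for the device population being watched; the structure of the check stays the same.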

And while IoT-powered DDoS attacks have now reached unprecedented size, there have been warning signs for several years that they were coming. In October 2015, security firm Incapsula mitigated a DDoS attack launched from around 900 closed-circuit television (CCTV) cameras and in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built using Linux malware for embedded devices.


via: networkworld

Salesforce, Google, Microsoft, Verizon are all eyeing up a Twitter bid

Twitter continues to inch its way to a sale process, and the latest developments come in the form of alleged bids from potential buyers. Today CNBC is reporting, and we have also independently heard, that both Google and Salesforce are interested in buying the company. We have additionally heard that Microsoft and Verizon have also been knocking, although right now Verizon (which also owns AOL, which owns us), may have a little too much on its plate.

Twitter currently has a market cap of $13.3 billion, and it opened for trading today with a jump of nearly 22%, in response to all these whispers.

Google, Microsoft and Verizon have also been reported as potential suitors in the past (one recent article here), and what we’re hearing about the Microsoft interest is that it, in part, is an attempt by the company to drive the price up to keep it out of Salesforce’s hands.

“At this moment Microsoft has nothing to share,” a spokesperson said when reached for comment. But that begs another point, though: Of the four companies that we’ve heard about, the one that might be most surprising as a suitor is Salesforce.

Salesforce currently has around half of the current market cap of Twitter in its own cash reserves, meaning that if it acquired the company, it would need to raise the remainder elsewhere if it’s an all-cash deal, or it would need to make the rest of the purchase in shares. It would be the highest-ever acquisition by the very acquisitive Salesforce, which has already spent more than $4 billion on acquisitions in the first six months of this year.

Then again, it tried, but missed out, on buying LinkedIn (which Microsoft is picking up for $26.2 billion), so expensive purchases are not out of its sights completely.

There are reasons you might be skeptical of a Salesforce acquisition of Twitter. Twitter is fundamentally a consumer-facing product, currently with a very strong focus on repositioning itself as a media business (content + ads around that content). Salesforce’s ambition (and some would say achievement) is becoming the ultimate purveyor of cloud-based enterprise services. Maybe there is a place where Salesforce could leverage Twitter’s consumer media play in its own larger platform, but today it seems like a step too far to the side.

On the other hand, there are several reasons why this could also make sense. Salesforce could use Twitter to expand significantly into a much different business area and business model. For example, it could help it really light a fire under its new Einstein big data platform with a vast infusion of real-time data.

Data is the big currency for today’s large tech companies, used for advertising but also making the wheels spin for all kinds of business intelligence and insight modelling. Today Salesforce lacks as many ingestion engines for this as others. Twitter, of course, is a mine of real-time data from its 313 million monthly active users, although on its own the company has had a lot of challenges in growing its user numbers, and also figuring out the best ways of effectively monetising them.

Meanwhile, there are other aspects of Twitter that fit into Salesforce’s business. Specifically, there is some potential around customer service (an area that Twitter is pushing via the division that joined it via Gnip).

And there is the fact that Salesforce already offers products around social media interaction and management between businesses and their customers/potential customers/wider public. Personally, I’m not sure if buying a single platform to enable this is what Salesforce would do, considering that today Salesforce manages across multiple platforms and in actuality Twitter is not that big in the greater scheme of things compared to Facebook and the aggregate of other platforms where “conversations” are happening.

There are other, smaller crossovers between the two companies that you shouldn’t overlook. For example, Bret Taylor, who has joined Salesforce via the acquisition of his cloud-based word processing startup Quip, is also on the board of Twitter. Salesforce and Twitter also happen to use the same M&A law firm, Wilson Sonsini (which is, admittedly, used by a lot of tech companies).

For the record, Salesforce declined to respond for this article. “We don’t comment on rumors,” said Chi Hea Cho, Salesforce’s VP of corporate communications.

As for the other two companies we’ve heard about, Google as a suitor makes a lot more obvious sense for Twitter, if perhaps a little more pedestrian and predictable. For starters, there is the financial aspect: Google has a lot of cash on hand to finance the acquisition — $73.1 billion, by one estimate earlier this year.

Then there is social: Google has forever been looking for a stronger foothold in this area, which it has failed to achieve on its own over the years with its own efforts. YouTube is currently perhaps the company’s biggest hope in this space, but while there is some “conversation” on YouTube alongside the vast amount of traffic and consumption of videos, it’s nothing like the almost pure-play conversation that happens on Twitter.

Twitter potentially would hold a lot of promise for a company like Google both to expand its advertising business on desktop and mobile, tapping into a stream of consumers of social media who are slowly being lured away from Google by another huge social media platform, Facebook.

Verizon, lastly, has made no secret of its interest in buying into media properties to add a new wave of business to its traditional roots as a telecoms carrier.

That is an effort that it has filled out so far with its acquisition of AOL, and now Yahoo. Twitter in the mix makes an easy fit, and it would potentially keep Twitter running as it has done (which is the approach Verizon has taken with AOL properties).

On the other side, if Verizon is successful in building out a place for itself as a “third-pillar” for advertising online alongside Google and Facebook, that would theoretically leave little room for an independent Twitter — meaning that it could be a logical place for Twitter to land.

However, although we have heard that Verizon was interested in Twitter a while ago, Verizon tells us that a recent report in the New York Post on making a standing offer for the company was inaccurate. (You can also read that as a narrow and precise denial. Standing offer: no; but what about something else?)

It looks like bids could start to come in soon as Twitter’s board is eager to get things going, although CNBC says there may not be any news before the end of this year. One thing is for certain, however: if Twitter is a bird, its egg has now been cracked and we’re all now watching to see what will come out of it.

We are reaching out to all companies for their response, and will update as we learn more.


via: techcrunch

LinkedIn doubles down on education with LinkedIn Learning, updates desktop site

LinkedIn, the social network for the working world that now has some 450 million members and is in the process of being acquired by Microsoft for $26.2 billion, today took the wraps off its newest efforts to expand its site beyond job hunting and recruitment, its two business mainstays. The company has launched a new site called LinkedIn Learning, an ambitious e-learning portal tailored to individuals, but also catering to businesses looking to keep training their employees, and beyond that even educational institutions exploring e-learning courses.

The new site was unveiled today in LinkedIn’s offices in San Francisco, and it comes about a year and a half after LinkedIn acquired online learning site for $1.5 billion. A large part of LinkedIn Learning is based on Lynda content, and goes live with some 9,000 courses on offer.

Subjects taught through the service include business, technology and creative topics, with courses running the gamut from programming skills to writing and accounting.

Courses can be selected by employees as well as recommended by employers and their HR managers, who can use LinkedIn’s analytics products both to monitor employees’ progress and to look at the wider range of what is being studied as a point of reference, and by curators at LinkedIn itself.

LinkedIn Learning is available to LinkedIn Premium subscribers, who, based on information on the site, will get 25 new courses every week. LinkedIn said today that it will soon release an enterprise tier so that large companies can take out subscriptions for their entire employee base.

LinkedIn’s emphasis on education and learning goes hand-in-hand with the company’s primary role today as a place where many people go to create and maintain their professional profiles publicly, and to look for jobs. Building on that as a place to also enhance your professional skills makes a lot of sense.

It also provides a coda to LinkedIn’s efforts to court higher education institutions. LinkedIn started opening up special, verified profile pages to universities and colleges a few years ago, and encouraging users as young as 13 to start building LinkedIn profiles.

The idea was to use this as a way of onboarding users early in their professional lives (or before they were even started), but also to potentially hook into alumni job-finding networks for the recruitment business. I always thought this was missing something, though, without offering a learning component, so it’s interesting to see that LinkedIn is now trying to address this.

Interestingly, LinkedIn Learning comes a week after LinkedIn unveiled another take on how to bridge that gap: in India, the company now has an online job placement service that tests an individual’s skills and then suggests jobs that might be suitable for him or her. It doesn’t take the extra leap to include training, but you could imagine how LinkedIn Learning could fit into that product, too.

Today in a presentation in San Francisco about the new product, LinkedIn’s CEO Jeff Weiner described how education has become “one of our most important priorities.” He noted that the World Economic Forum expects 5 million jobs to be displaced by the introduction of new technologies, and that 78% of CFOs surveyed believe that up to 25% of their workforces could be displaced by 2020.

In other words, apart from the larger ideology that LinkedIn likes to describe about being a charter of our world’s “economic graph” (LinkedIn’s answer to Facebook’s social graph), LinkedIn also sees education as a business opportunity, with “just in time” experience training from LinkedIn as a key way of meeting that demand.

Desktop refresh, and messages get bots

Alongside today’s launch of LinkedIn Learning, LinkedIn also announced that it would soon be updating in other areas of its service. They include a new desktop experience, a “smarter” content newsfeed, and additions to its messaging service, including — you guessed it! — the introduction of bots.

None of these, it seems, are live yet but are coming soon, the company says.

The main idea with the desktop redesign is to give the desktop experience, on the bigger screen and via a browser, more parity with what LinkedIn has done with native apps. In a way, this was overdue: the company counts professionals as its customer base, a mostly desk-bound, and therefore captive, audience for a better desktop version.

The new look will include quicker ways of toggling from your own profile to suggestions of others to look at, follow, and message; as well as a more dynamic stream of potential jobs and other content.

The content, meanwhile, looks like it will also get updated again. The feed will be expanding to include a bigger mix of suggested people to connect with and follow; more influencer content; and news curated by LinkedIn’s editorial team.

The news element of this is particularly interesting: it looks like LinkedIn wants to take a bigger step forward here and position itself as a destination for all the news you might want to read that is relevant to your professional world and beyond. Think of this as LinkedIn’s equivalent of Facebook’s trending topics.

LinkedIn has tried to offer aggregated news content to its users in the past — a service that it picked up by way of its acquisition of Pulse — but it has also peppered it with a lot of thought pieces about the news from Influencers rather than offer readers the core of the news itself.

Now LinkedIn will push breaking news alerts to you, and then, when you click on them, you will be given a wider array of supplemental links to learn more. This could include more news stories, or people on LinkedIn who are connected to you, and to the news; and (yes) those Influencer posts.

My impression is that I’m not sure how much traffic or buzz LinkedIn’s news feed gets today, and this is a way of trying to turn that around.

Last of all, LinkedIn showed off a little preview of how it will be updating its messaging and chat experience. I don’t know if this is really necessary, or just a sign of the times, or LinkedIn jumping on the bot bandwagon, but it looks like there will be more “suggested content” that will now be worked into the messaging experience.

For example, if you are chatting with someone about setting up a meeting, you can now schedule it, including setting up the meeting room, “using bot technology.”

LinkedIn has a long way to go, though, before messages are a big thing on the site. Today, Mark Hull, who is head of product in the messaging team, highlighted the progress LinkedIn has made by noting that there has been a 240% increase in messaging activity on the platform since relaunching the messaging apps last year.

He said that people are now “using messages on a weekly basis” — which may indeed be progress for LinkedIn, but is obviously well behind apps like Facebook’s Messenger and WhatsApp, or perhaps more in LinkedIn’s professional court, Slack, which are used daily and hourly.


via: techcrunch

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection. From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way.

Tethering with VPN is now possible

This is why we are extremely happy – both personally and for our users – to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen.

Instructions on setting up a portable hotspot

The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple.

  1. Download Freedome VPN on your Android
  2. Turn on the portable hotspot feature from your Android settings

Keeping it simple, as usual!

A note on privacy

It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. As Freedome lead Android developer Antti Eskola (who, by the way, you can thank for making this feature a reality) says:

“Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore”

In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with.


via:  safeandsavvy

LightCyber Closes Breach Detection Gap in Cloud Data Centers

LightCyber Closes Breach Detection Gap in Cloud Data Centers by Extending Behavioral Attack Detection to Amazon Web Services — New Magna Products Deliver Attack Detection for Public Cloud Data Centers and Additional Detection for Linux Data Center Workloads.

LightCyber, a leading provider of Behavioral Attack Detection solutions, today announced new Magna products for Amazon Web Services (AWS) to close the breach detection gap in cloud and hybrid cloud data centers. The new products provide attack visibility for Infrastructure-as-a-Service (IaaS) cloud and hybrid cloud data center workloads. Leveraging all of the existing behavioral profiling and anomaly detection capabilities available in the Magna platform, the new Magna Detector-AWS and Magna Probe-AWS products support deployment within an organization’s AWS Virtual Private Cloud (VPC). LightCyber also announced a new version of its agentless, on-demand Magna Pathfinder for Linux to extend integrated network and endpoint detection features to one of the most common data center server platforms.

Approximately 155 million workloads will move to public cloud data centers by 2019, according to the Cisco Global Cloud Index (1), eclipsing those that will exist in private cloud data centers. Even bulge bracket banks are projected to migrate from little or no use of public cloud data centers today to having 30 percent of their data center capacity in the public cloud within three years, according to a note from Deutsche Bank (2).

“While network security analytics systems exist for on-premise environments, the capabilities for public cloud workloads have lagged behind,” said Jason Matlof, executive vice president, LightCyber. “Extending the Magna Behavioral Attack Detection platform into the public cloud data center enables security operators to achieve similar levels of security visibility into active attacks for both the on-premise and cloud data center environments.”

The new LightCyber Magna products detect the operational activities of malicious insiders or targeted external attackers attempting to gain control of assets hosted in an AWS cloud data center or using it as a point for command and control (C&C) communication and eventual exfiltration of data. Similar to an on-premise data center, once attackers gain a foothold, they need to explore the environment through reconnaissance and must expand their realm of control to gain access to assets using lateral movement. The Magna Behavioral Attack Detection platform employs machine learning techniques to detect these reconnaissance and lateral movement activities, as well as C&C and exfiltration, so that an attack can be thwarted before damage is done. The Magna platform combines the capabilities of Network Traffic Analytics (NTA) with User and Entity Behavior Analytics (UEBA) to eliminate blindness to attacker and malicious or risky insider activity.

The new Magna Probe-AWS and Magna Detector-AWS monitor the virtual network using native AWS VPC Flow Logs or the Gigamon Visibility Fabric(TM) for AWS, which is currently in beta. They also complement the existing capability of the Magna platform to monitor inbound and outbound network traffic to a public cloud over a site-to-site VPN.

In addition, the new version of Magna Pathfinder extends the Magna platform with an agentless, on-demand capability to interrogate Linux workstations and servers, which complements the network-centric behavioral profiling capabilities of the Magna Detector products. Previously Magna Pathfinder engaged only with Windows servers and clients.

Pricing and Availability

LightCyber Magna Probe-AWS and Magna Detector-AWS are beginning their beta program, with general availability planned for Q4 2016. The price starts at $5,000 per year, depending on the number of nodes in the AWS environment. The new LightCyber Magna Pathfinder is now generally available and pricing starts at $9,000 per year.


Infographic and Blog — How attackers stay hidden in the public cloud and how to detect them.
Product details — Magna platform for Behavioral Attack Detection with addition of AWS.



via:  enterprise-security-today

Yahoo! Confirms the Breach of 500Mn Online Credentials

It’s been a few weeks coming, but Yahoo! has confirmed the breach of 500 million credentials.

Back in August, the hacker known as Peace, who is responsible for dumping hundreds of millions of MySpace, LinkedIn and other credentials online in recent months, claimed to have put up for sale 200 million Yahoo log-ins.

Yahoo said at the time that it was “aware” of the incident, although it didn’t initiate a user-wide password reset.

Now the online giant, which is in the process of being acquired by US telecoms behemoth Verizon, has confirmed the situation. The breach is larger than expected, and Yahoo said that the heist was carried out by a state-sponsored attacker.

It said in a statement that certain user account information was stolen from the company’s network in late 2014, including names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, it said.

“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” it said in its statement. “Yahoo is working closely with law enforcement on this matter.”

Certain details differ from the previous claim by Peace—those 200 million credentials were linked to an earlier breach, from 2012. Peace also has never been seen as a state-sponsored bad actor. For now, whether this 500-million cache is from an additional incident unrelated to Peace’s claims is unknown.

Security experts, who have been waiting all day to hear the company’s confirmation (some would say confession) were quick to pounce on what they perceive to be the company’s irresponsibility.

“One of the more egregious errors in this disclosure was the fact that date of birth (DOB) information was exposed,” Todd Feinman, founder of Spirion, said via email. “Companies like Yahoo have an obligation to their customers to protect their privacy and classify personally identifiable information. DOBs are a perfect example of data that should be classified and protected so that, in the event of a data breach, personally identifiable information (PII) is not exposed.”

DOB can be used in conjunction with other data to steal an identity or compromise the victim in other ways. It is sometimes used as secondary validation, and Feinman said “should be classified as confidential and kept encrypted just like social security numbers and health record numbers.”

Jason Hart, CTO of Data Protection at Gemalto, noted that the month-plus it has taken Yahoo to fess up is also an issue.

“While it is worrying that Yahoo has been breached, what’s more concerning is that it has taken over a month to confirm, especially when consumers’ personal information is at risk,” he said. “The good news is the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted— but these records could be easily decrypted if the company did not implement properly managed encryption keys. What’s more, Yahoo certainly could have done more to prevent the breach in the first place by implementing two-factor authentication internally, which can protect employees from a spear-phishing attack.”


via:  infosecurity-magazine

Mamba Ransomware Encrypts Hard Drives Rather Than Files

Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive. The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.

Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.

“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

The malware is a Windows threat, and it prevents the infected computer’s operating system from booting without a password, which is the decryption key.
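Because Mamba has to replace the boot code in sector 0 to hook the boot process, the MBR itself is one of the few host-level signals available before the reboot that locks the machine. The script below is an added example, not Morphus Labs code: it validates the 0x55AA boot signature, decodes the four partition entries, and compares a stored baseline of the boot code hash and partition table against a fresh read. Both sectors it works on are constructed for the demonstration; no Mamba signature is involved, only a baseline comparison, so a legitimate bootloader update will also trip it.

```python
"""MBR integrity check: snapshot boot code and partition table, alert when they change.

Added example, not Morphus Labs code. The sectors are constructed for the demo;
the boot code bytes are padding, never executed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # executable code; the 4-byte disk signature follows at 440
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the four 16-byte partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def mbr_changes(baseline: dict, current: dict) -> list:
    """Compare a stored baseline with a fresh read; any entry is a reason to investigate."""
    changes = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        changes.append("boot code replaced")
    if baseline["disk_signature"] != current["disk_signature"]:
        changes.append("disk signature changed")
    if baseline["partitions"] != current["partitions"]:
        changes.append("partition table modified")
    return changes


def build_mbr(boot_code: bytes, partitions: list, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed sector for the demo."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = b""
    for p in partitions:
        table += struct.pack("<B3sB3sII", 0x80 if p["bootable"] else 0x00, b"\x00\x00\x00",
                             p["type"], b"\x00\x00\x00", p["lba_start"], p["sectors"])
    table += b"\x00" * (64 - len(table))
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", disk_signature)
            + b"\x00\x00" + table + BOOT_SIGNATURE)


# Constructed baseline: one bootable NTFS-type (0x07) partition starting at LBA 2048.
PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800}]
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
# Same partition table, different boot code: what a bootloader swap looks like on disk.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 32, PARTITIONS)

if __name__ == "__main__":
    baseline = parse_mbr(BASELINE_MBR)
    # On a live Windows host read sector 0 with admin rights:
    # open(r"\\.\PhysicalDrive0", "rb").read(512)
    print(mbr_changes(baseline, parse_mbr(TAMPERED_MBR)))  # ['boot code replaced']
```

Store the baseline off-host (a configuration-management database or a hash sent to the SIEM at provisioning time) so that whatever replaces the MBR cannot also rewrite the reference it is compared against.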

Victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key; it also includes an ID number for the compromised computer and an email address at which to request the key.

Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives. Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.

Researchers quickly analyzed Petya’s inner workings and by understanding its behavior, were able to build a decryptor shortly after the first infections were disclosed.

More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.

Mischa behaves like most of the ransomware many are familiar with. Once the victim executes a link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875, to recover the scrambled files.


via: threatpost