Thursday, September 28, 2017

WiNX: The Ultra-Portable Wireless Attacking Platform

When you are performing penetration tests for your customers, you need to build your personal arsenal. Tools, pieces of hardware and software are collected here and there, depending on your engagements, to extend your toolbox. For wireless intrusion tests, I’m a big fan of the WiFi Pineapple. I’ve had one for years (model MK5). It’s not the very latest, but it still does a good job. Recently, after a discussion with a friend, I bought a new wireless toy: the WiNX!

The device is very small (3.5 x 3 cm) and is based on an ESP-WROOM32 module. It comes with a single interface: a micro USB port that provides power and the serial console. No TCP/IP stack or browser is needed to manage it; you can connect it to any device that has a USB port and a terminal emulator (minicom, putty, screen, …). Some of you may not find this very user-friendly, but I really like it! The best solution I have found so far is to use the Arduino IDE and its serial monitor tool. You type your commands in the dedicated field and get the results in the main window:

Capture-WiNX

The device can be flashed with different versions of the firmware that offer the following core features. You can use the WiNX as:

  • a WiFi scanner
  • a WiFi sniffer
  • a WiFi honeypot

Of course, my preferred mode is the honeypot. Although the firmware comes with default captive portal examples, it’s very easy to design your own. The only restrictions are that the HTML page must be smaller than 150KB and must embed all of its components (CSS, images – Base64 encoded). The form may contain your own fields (e.g. a token, a CAPTCHA, a credit card number, etc.) and must simply POST to “/” on the built-in web server; all submitted fields are then logged to the internal storage.

Here is an example of a deceptive page that I made for testing purposes:

Exki Portal Sample

To use the device, just plug it into a computer; it boots in a few seconds. Even better, you can power it from a power bank and leave it in a discreet place! Cheap, small, easy to manage: I’d definitely recommend adding this gadget to your arsenal!

[The post WiNX: The Ultra-Portable Wireless Attacking Platform has been first published on /dev/random]



from Xavier

[SANS ISC] The easy way to analyze huge amounts of PCAP data

I published the following diary on isc.sans.org: “The easy way to analyze huge amounts of PCAP data“.

When you are investigating a security incident, there are chances that, at a certain point, you will have to dive into network traffic analysis. If you’re lucky, you’ll have access to a network capture. Approximately one year ago, I wrote a quick diary to explain how to implement a simple FPC or “Full Packet Capture” solution based on a Docker container. It’s nice to capture all the traffic in PCAP files, but then what? PCAP files are not convenient to process and they consume a lot of disk space (depending on the captured traffic, of course)… [Read more]

[The post [SANS ISC] The easy way to analyze huge amounts of PCAP data has been first published on /dev/random]



from Xavier

Tuesday, September 26, 2017

"Security Champions Program - At the EU #SecAwareSummit"

Editor's Note: Cassie Clark is a Security Community Manager for Salesforce. She is one of the speakers for the upcoming Security Awareness Summit, 6/7 December in London. Below she gives an overview of her upcoming workshop on Establishing Security Champions Programs. Have you heard of the employee engagement training programs called Security Champions? Ever considered starting a … Continue reading Security Champions Program - At the EU #SecAwareSummit

from lspitzner

Monday, September 25, 2017

"What's Your Tech-to-Human Security Ratio?"

Ever wonder why some security awareness programs successfully change and secure human behavior while others fail? One of the most common reasons for failure is minimal investment. Many organizations are heavily investing in their cyber security programs. The problem is they are stuck in the 1990s, focusing only on bits-n-bytes. While technology is where every organization should start, we have … Continue reading What's Your Tech-to-Human Security Ratio?

from lspitzner

Stepping up protection with intelligent security

With digital transformation, technology becomes increasingly central to every business and organization. This makes ensuring cybersecurity increasingly important. And, as employees increase their use of mobile devices and cloud-based apps, protecting their work requires a new approach for IT. With 80% of employees admitting to the use of non-approved cloud apps for work, ensuring data protection cannot be left to employees to manage.

To address these needs, Microsoft continues to take a multi-faceted approach to providing built-in security capabilities. These span areas across:

  • Protecting at the front door
  • Protecting data anywhere
  • Achieving data security compliance objectives
  • Detecting and recovering from attacks
  • Managing the security tool set

The Microsoft security tools continuously improve with insight from the Microsoft Intelligent Security Graph, which serves as the connective tissue across Microsoft security solutions. Today at Ignite, we are announcing new integrations, expanded capabilities, and partnerships toward addressing the complex areas of cybersecurity for all organizations.

Protect at the front door

The vast majority of security breaches continue to trace back to weak or stolen passwords. Because it’s proving to work, attackers are increasing their focus on stealing passwords to access corporate systems. The latest Microsoft Security Intelligence Report shows a 300 percent increase in user account attacks. To address this growing issue, it is essential to focus on securing identities and access. Our cloud-based approach is through broadly implemented conditional access.

Conditional access enables you to control who has access to your organization’s resources based on a combination of risk factors, such as user account activity, physical location, and the trustworthiness of the device. Azure Active Directory analyzes these factors and applies continuous cybersecurity threat intelligence, powered by Microsoft’s Intelligent Security Graph. This insight provides real-time risk assessment, and triggers the appropriate authentication requirements needed for accessing apps and data. Today, we are expanding conditional access capabilities by integrating with Microsoft Cloud App Security, Azure Information Protection, and our partners in the ecosystem:

  • Microsoft Cloud App Security performs real-time monitoring and helps IT gain control over cloud apps and how employees use these apps. Now with Cloud App Security, users’ actions taken in cloud applications can be managed and controlled based on conditional access policies and proxy-enforced session restrictions. For example, you can allow users to access cloud apps from an unfamiliar location or unmanaged device, but prevent them from downloading documents.
  • To further enhance security at the file level, we’re introducing conditional access for sensitive files. With the integration of Azure Information Protection and Azure Active Directory, conditional access can be set up to allow or block access to documents protected with Azure Information Protection. You can also enforce additional security requirements such as multi-factor authentication or device enrollment.
  • Not only are we providing better integration within our own solutions to deliver holistic and identity-driven security, we also are working with our partners to extend conditional access in the ecosystem. In addition to Azure multi-factor authentication (MFA), you can now use RSA, Duo or Trusona for two-step authentication as part of your conditional access policy.
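The three bullets above describe one decision process: combine user risk, sign-in location and device trust into an access decision that may be "allow", "allow but restrict the session", "step up to MFA" or "block". The toy policy evaluator below is an added example written for this page, not Microsoft's code or the actual Azure AD policy engine; the risk levels, rule order and sample requests are assumptions chosen to reproduce the outcomes the text mentions (for instance, access from an unfamiliar location or unmanaged device is allowed but downloads are blocked, while a protected document from an unmanaged device is refused).

```python
"""Toy conditional-access policy evaluator.

Added example, not Microsoft's code. It models the decision described in the
announcement: combine user risk, location familiarity and device trust into
an access decision, including the "allow but block downloads" session
restriction. Risk levels, rule thresholds and names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_NO_DOWNLOAD = "allow, downloads blocked by proxy"
    REQUIRE_MFA = "require multi-factor authentication"
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    user_risk: str            # assumed levels: "low", "medium", "high"
    location_familiar: bool   # sign-in location previously seen for this user
    device_managed: bool      # device enrolled in device management
    resource_sensitive: bool = False  # e.g. a labeled/protected document


def evaluate(req: AccessRequest) -> Decision:
    """Apply rules from most to least restrictive; the first match wins."""
    if req.user_risk == "high":
        return Decision.BLOCK
    # Protected documents may only be opened from managed devices.
    if req.resource_sensitive and not req.device_managed:
        return Decision.BLOCK
    # Elevated user risk, or protected content from an unfamiliar place: step up.
    if req.user_risk == "medium" or (req.resource_sensitive and not req.location_familiar):
        return Decision.REQUIRE_MFA
    # Unfamiliar location or unmanaged device: the session proceeds,
    # but the proxy strips the download capability.
    if not req.location_familiar or not req.device_managed:
        return Decision.ALLOW_NO_DOWNLOAD
    return Decision.ALLOW


def decide_all(requests):
    """Evaluate a batch and return (user, app, decision) tuples for an audit trail."""
    return [(r.user, r.app, evaluate(r)) for r in requests]


# Constructed sample requests (not real sign-in data).
SAMPLE_REQUESTS = [
    AccessRequest("alice", "sharepoint", "low", True, True),
    AccessRequest("bob", "sharepoint", "low", False, False),
    AccessRequest("carol", "sharepoint", "low", True, True, resource_sensitive=True),
    AccessRequest("dave", "sharepoint", "low", False, True, resource_sensitive=True),
    AccessRequest("erin", "sharepoint", "medium", True, True),
    AccessRequest("frank", "sharepoint", "high", True, True),
    AccessRequest("grace", "sharepoint", "low", True, False, resource_sensitive=True),
]

if __name__ == "__main__":
    for user, app, decision in decide_all(SAMPLE_REQUESTS):
        print(f"{user:6} {app:10} -> {decision.value}")
```

Rule order is the design point: the evaluator checks the most restrictive conditions first so that a high-risk user is never let through by a later, more permissive rule, and the session-restriction outcome is only reached once the block and step-up conditions have been ruled out.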

Protect your data anywhere

Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person.

Microsoft’s Information Protection solutions help you detect, classify, protect and monitor your data – regardless of where it is stored or shared. Today, we’re announcing several new investments in the integration across our information protection solutions – helping provide more comprehensive protection across the data lifecycle.

A key part of this vision is to provide a more consistent and integrated classification, labeling and protection approach across our information protection technologies, enabling persistent protection of your data – everywhere. Microsoft Cloud App Security natively integrates with Azure Information Protection to classify and label files that reside in cloud applications.

Finally, we are announcing the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody – inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail and Outlook.com.

Achieve your data security compliance objectives

Regulated organizations have additional needs to demonstrate compliance, and we’re investing in tools to help achieve those goals.

Customer Key can help regulated customers meet their security compliance obligations by providing added control and management of encryption keys. To learn more, check out this video example of how Customer Key works in SharePoint Online.

Beyond just security compliance, achieving organizational compliance is a complex challenge. It’s hard to stay up-to-date with all the regulations that matter to your organization, and to define and implement controls with limited in-house capability. We’re pleased to introduce the upcoming preview of Compliance Manager, which enables you to manage your compliance posture from one place and stay up-to-date on evolving data protection regulations. Compliance Manager enables real-time risk assessment with one intelligent score reflecting your compliance posture against data protection regulations when using Microsoft cloud services. It also provides recommended actions and step-by-step guidance to help you improve your compliance posture.

Detect and recover from attacks

On average, breaches exist for over 90 days in a customer’s environment before they are detected. In response, many organizations are moving to an assume-breach posture. We continue to invest in tools that help detect attacks sooner and then remediate. But we know it’s also important to continue investing in pre-breach attack prevention tools.

Today, we are announcing several new capabilities to further improve our anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing, and impersonation campaigns. Office 365 Advanced Threat Protection is also expanded to help secure SharePoint Online, OneDrive for business, and Teams. In Office 365 Threat Intelligence, we have introduced threat insights and tracking to help with detection and remediation. In Windows, we are adding Windows Defender Application Control, which is powered by the Microsoft Intelligent Security Graph to make it less likely that malicious code can run on the endpoint.

On the post-breach detection side, we are announcing the limited preview of a brand-new service – Azure Advanced Threat Protection for users – that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Powered by the graph, our Advanced Threat Protection products have a unified view of security event data so your security operations analysts can investigate an incident from endpoint to end-user to e-mail. Finally, as previously announced earlier in the month, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat, and take the necessary actions to remediate it.

Security management

Protecting resources across distributed infrastructure against evolving cyberthreats demands a new approach to security management – a solution that provides comprehensive visibility, consistent controls and actionable intelligence and guidance.

We are announcing today that Azure Security Center, which helps customers protect workloads running in Azure against cybersecurity threats, can now also be used to secure workloads running on-premises and in other private and public clouds. Azure Security Center reduces management complexity by delivering visibility and control over workloads across clouds, enables adaptive threat prevention to reduce your exposure to threats, and provides intelligent detection to help you keep pace with rapidly evolving cyberattacks.

Azure Security Center also has new capabilities to enable central management of security policies, better detect and defend against advanced threats, and streamline investigation of threats for your hybrid workloads. Read the Azure blog to learn more about these and other new features.

Getting started

We have made it easier than ever to get end-to-end security solutions up and running. FastTrack for Microsoft 365 now provides deployment services for key security scenarios, giving you the resources, tools, and support you need from Microsoft engineers.

FastTrack for Microsoft 365 can work with you directly, work with your existing partner, or help you get matched with a trusted Microsoft partner to deploy comprehensive security solutions. And the best part is this isn’t a one-time benefit. It is a repeatable resource that you can use to ensure you have the help and resources you need.

You can go to fasttrack.microsoft.com and get help to deploy Microsoft products to address some of the most common security scenarios including:

  • Working securely from anywhere, anytime on almost any device enabling a flexible workstyle
  • Protect your data on files, apps and devices within and across orgs
  • Detect and protect against external threats
  • Protect your users and their accounts
  • Securely collaborate on documents in real time


from Julia White

New Microsoft 365 features to accelerate GDPR compliance

This post is authored by Alym Rayani, Director Office 365 Security. 

New capabilities in Microsoft 365 help simplify your GDPR compliance journey

Today we made several Microsoft 365 security and compliance announcements and updates as part of the news from the Microsoft Ignite conference. I wanted to share how these new capabilities provide customers with a more complete and protected solution to simplify their journey to compliance with the General Data Protection Regulation (GDPR).

Earlier this year, we brought together Office 365, Enterprise Mobility + Security, and Windows into a single, always-up-to-date solution called Microsoft 365 – relieving organizations from much of the cost of multiple, fragmented systems that were not necessarily designed to be compliant with modern standards. These announcements at Ignite add to our extensive capabilities that organizations are already using to secure and manage their data, users, and devices.

A platform you can trust, and verify

We understand that organizations with GDPR responsibilities will have additional needs to demonstrate compliance, and we’re investing in tools to help them achieve those goals.

Microsoft 365 users enjoy built-in security and compliance for the apps, services, and devices that they use every day. Microsoft has a long history of transparency, defense-in-depth, and privacy-by-design that enabled us to be the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for the EU Model Clauses, the first to achieve ISO’s 27018 cloud privacy standard, and the first to offer contractual commitments to the GDPR.

Introducing Compliance Manager – We understand that achieving your organizational compliance goals can be very challenging. It’s hard to stay up-to-date with all the regulations that matter to your organization, and to define and implement the controls.

We’re pleased to introduce Compliance Manager, a new compliance solution that helps you to manage your compliance posture from one place. Compliance Manager enables you to conduct real-time risk assessment, providing one intelligent score that reflects your compliance performance against data protection regulatory requirements when using Microsoft cloud services.

You will also be able to use the built-in control management and audit-ready reporting tools to improve and monitor your compliance posture. Read our Tech Community Blog to learn more about Compliance Manager, and sign up for the preview program, which will be available starting in November.

Example of Compliance Manager dashboard

General availability of service encryption with Customer Key – We’re announcing the availability of service encryption with Customer Key, which can help regulated customers demonstrate additional compliance controls by managing the encryption keys for their Office 365 data. Here is an example of how Customer Key works in SharePoint Online:

Simplify how you govern data

Organizations face ever increasing quantities of complex electronic data. Gaining control over this data overload so that you know what to keep and find what’s relevant – when you need it – is critical for both security and compliance purposes. Today we are introducing several new features which further enhance the already rich set of capabilities available with Microsoft Information Protection and Advanced Data Governance.

Companies of all sizes and industries need to protect their sensitive data and ensure that it doesn’t get into the wrong hands. Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss – it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person.

Microsoft’s Information Protection solutions help you identify, classify, protect and monitor your sensitive data – as it is created, stored, or shared. We made several investments across our information protection solutions – helping provide more comprehensive protection across the data lifecycle. A key part of our vision is to provide a more consistent and integrated classification, labeling, and protection approach across our information protection technologies, enabling persistent protection of your data – everywhere. Microsoft Cloud App Security now deeply integrates with Azure Information Protection to classify and label files that reside in cloud applications.

Advanced Data Governance enhancements, including event-based retention in Office 365 Advanced Data Governance, allow customers to create events that trigger the retention period of data in Office 365, so that they consistently comply with internal business requirements. Disposing of data in a defensible manner allows organizations to effectively reduce their security and compliance risks. This feature is currently in the standard Office 365 Universal Preview Program and available for you to try.

New Multi-Geo Capabilities in Office 365 enable a single tenant to span multiple Office 365 datacenter geographies (geos) to store data at-rest and on a per-user basis in customer specified geos. Multi-Geo helps customers address organizational, regional, and local data residency requirements and enables modern collaboration experiences for their globally dispersed employees. Learn more about Multi-Geo.

Also, we are announcing the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody – inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail, Outlook.com, and Live.com.

Use intelligent tools to better discover and control your data

Many organizations are evaluating how to find and protect the personal data they collect. With the explosion of data and its increasing value – many organizations cannot adequately manage their assets with traditional manual processes.

Unfortunately, even once you know where all the data is and how it should be managed, you must constantly ensure it is protected from threats. The GDPR requires organizations take appropriate measures to prevent unauthorized access or disclosure and to notify stakeholders in the case of breach. Today, on average attacks exist for over 90 days in an environment prior to detection. Microsoft continues to invest in tools that help detect attacks sooner and then remediate, as well as in pre-breach attack prevention tools.

Analysis of non-Office 365 data with Advanced eDiscovery: While the amount of data being generated and stored in Office 365 is growing at an exponential rate, many organizations still have data in legacy file shares and archives. Data is also being generated in other cloud services which may be relevant for an eDiscovery case surrounding a Data Subject Request. Analysis of non-Office 365 data allows organizations to import the case-specific copy of such data into a specifically assigned Azure container and analyze it using Office 365 Advanced eDiscovery. Having one eDiscovery workflow for both Office 365 and non-Office 365 data provides organizations with the consistency they need to make defensible decisions across the entire data set of a case.

This feature is currently in preview and requires an Advanced eDiscovery license for each user whose data is being analyzed. Later this year, in addition to Advanced eDiscovery licenses this feature will require the purchase of the eDiscovery Storage plan for all non-Office 365 data imported into the specifically assigned Azure container for analysis by Advanced eDiscovery. The eDiscovery Storage plan comes in increments of 500GB of storage and is priced at $100 per month.

Example of Advanced eDiscovery

To better protect your users against threats, we also improved our anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing, and impersonation campaigns. Office 365 Advanced Threat Protection is also expanded to help secure SharePoint Online, OneDrive for business, and Teams. In Windows, we added Windows Defender Application Control, which is powered by the Microsoft Intelligent Security Graph to make it less likely that malicious code can run on that endpoint.

On the post-breach detection side, we announced the limited preview of a brand-new service – Azure Advanced Threat Protection for users – that brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Finally, as previously announced earlier in the month, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat, and take the necessary actions to remediate it.

Office 365 security management updates – We have also made a few updates to Advanced Security Management to give you even better visibility and control over Office 365. To help organizations in the EU meet their compliance obligations, starting in October, we will begin hosting Advanced Security Management in our EU datacenter region. We are also giving you additional visibility into the service by adding support for activities from Skype for Business, Yammer and Office 365 Threat Intelligence. The signals from these services will be used to generate activity alerts and be factored into anomaly detection alerts. Lastly, to better align our Microsoft 365 investments, we are renaming Advanced Security Management to Office 365 Cloud App Security.

Taking the next step on your GDPR compliance journey

The GDPR is compelling every organization to consider how they will respond to today’s security and compliance challenges. It may require significant changes to how your business gathers, uses, and governs data.

As a global company with hundreds of millions of customers around the globe, we are subject to many stringent regulations including the GDPR and we understand the challenges you face. As your trusted partner, we are committed to going beyond our minimum responsibilities and always working on behalf of your best interests. To that end, Microsoft is an active participant in a community of compliance experts that can support all aspects of your GDPR journey – such as audit and consulting, cloud migration assistance, as well as delivering specific point solutions.

For more details on these announcements and the other capabilities of Microsoft 365, read the new whitepaper: Accelerate your GDPR compliance journey with Microsoft 365.




from Microsoft Secure Blog Staff

Friday, September 22, 2017

Security at Microsoft Ignite

Microsoft Ignite begins this Sunday, September 24, with pre-day training and registration! The Microsoft Ignite event delivers the largest and most comprehensive perspective on the future of Enterprise technology at one conference. Everyone who attends—IT pros and Enterprise developers—gets inspiration, training, and connections to drive their business forward with Microsoft technology. 26,000+ IT and Enterprise developer customers and prospects come to collaborate and learn how Microsoft technology can help them achieve success.

Top three things to do before you go:

  1. Download the mobile app
    • The mobile apps allow you to easily access My Conference, session details, evaluations, attendee networking, maps, event notifications, partners, and more. Download it now for your device: Windows | iOS | Android
  2. Set up your attendee profile
    • Connect with attendees at the events. Setting up your profile helps attendees discover Microsoft experts and get their questions answered. After your edits are complete, your profile will be updated in the apps and in MyIgnite.
  3. Get ready for a great show
    • Confirm your hotel reservation
    • Familiarize yourself with our event and resources
    • Have fun!

Key security sessions to attend at Ignite

But that’s not all, we have a huge selection of security related content, 345 sessions to be exact. Sessions have been designed to not only meet your product needs, but also your expertise needs. Find a complete list of security sessions here.

Who is attending from Microsoft

This year we are rolling out a fantastic new tool simply known as Expert Finder. All Microsoft staff will be tagged with the areas of expertise and can easily be located on the expo floor. Work with staff onsite at the Expo to locate the expert(s) that you need to speak with.

The Expert Finder tool can be found here. (note – not all attendees will have access)

Where to find Security onsite: In the expo

We have full coverage of security topics in the expo. From getting help desk answers to seeing demos, you are sure to walk away with the information you need.

You’ll find us in the expo during the following times:

  • Monday: 12:30 – 7:30pm
    • Social hour: 5:30pm – 7:30pm
  • Tuesday: 10:00am – 6pm
    • Social hour: 5:30pm – 7:30pm
  • Wednesday: 10:00am – 6:00pm
    • Social hour: 5:30pm – 6:00pm
  • Thursday: 10:00am – 4:00pm

Below you can see where the Security area is located within the Expo, as noted by the red circle.

Networking opportunities

Ignite is not only about talking with the Microsoft experts, it’s also a great time to network with your peers. Here is a list of great opportunities for you to network during the event:

  • Immersion zone
    • Get “Hands-on”- you’ll find Labs, workshops, mixed reality experiences, learning experts and more!
  • Visit the security and privacy Microsoft Tech Community
    • Learn and see what other attendees are talking about. Then take the opportunity to not only to collaborate virtually, but set up time to network face-to-face while at the event.
  • Social hours
    • Wind down the day and enjoy a drink with security-related professionals; social hours are posted above.
  • Celebration event
    • More details to come, but on Thursday we have an amazing celebration event!

In the week following Ignite, we will summarize our lessons learned, product announcements, and customer feedback received from the event.

To learn more about Microsoft security solutions and services, visit https://www.microsoft.com/secure.

We hope you have a lot of fun, make amazing connections, and walk away with inspiring insights at this year’s Ignite conference. We’re looking forward to seeing you there!



from Microsoft Secure Blog Staff

Thursday, September 21, 2017

"International Security Awareness Programmes - At the EU #SecAwareSummit"

Editor's Note: Angela Baudach is a security awareness consultant for DXC Technology. She is one of the speakers for the upcoming Security Awareness Summit, 6/7 December in London. Below she gives an overview of her upcoming talk on International Awareness Programmes. Have you ever spoken to another person at cross purposes? Especially to a foreigner? Did you … Continue reading International Security Awareness Programmes - At the EU #SecAwareSummit

from lspitzner

Wednesday, September 20, 2017

"Identity Theft - How to Protect Yourself: List of Resources"

As you might have heard by now, Equifax was hacked and it's up to you to take steps to protect yourself against identity theft. However, we're here to help! We've collated some information from SANS Security Awareness here to help you get answers quickly. The Economist recently wrote an article on identity theft, utilizing SANS … Continue reading Identity Theft - How to Protect Yourself: List of Resources

from SANS SA

Tuesday, September 19, 2017

"How to Gain Leadership Support for Your Awareness Program"

I'm finding myself more and more often speaking to senior leaders about human risk. Leaders not only want to better understand how to manage human risk, but why we are facing this growing problem. Attached is a graph I love to use when starting this discussion (feel free to steal and use if it can … Continue reading How to Gain Leadership Support for Your Awareness Program

from lspitzner

Monday, September 18, 2017

[SANS ISC] Getting some intelligence from malspam

I published the following diary on isc.sans.org: “Getting some intelligence from malspam“.

Many of us are receiving a lot of malspam every day. By “malspam”, I mean spam messages that contain a malicious document. This is one of the classic infection vectors today and aggressive campaigns are started every week. Usually, most of them are blocked by modern antivirus or anti-spam, but these files could help us to get some intelligence about the topics used by attackers to fool their victims. By checking the names of malicious files (often .rar, .zip or .7z archives), we found classic words like ‘invoice’, ‘reminder’, ‘urgent’, etc… [Read more]
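The diary excerpt describes turning blocked malspam into intelligence by looking at the names of archive attachments. The script below is an added example written for this page, not the diary's own code: it parses raw MIME messages with the standard library, keeps only attachments with archive extensions, and counts the lure words in their names. The three messages are constructed samples, and the archive extension list and the three-letter token threshold are assumptions.

```python
"""Extract attachment names from malspam and count the lure words they use.

Added example, not the diary's code. The messages below are constructed and
the extension list is an assumption; the aim is to turn a pile of blocked
malspam into a frequency table of the themes attackers use in file names.
"""
import re
from collections import Counter
from email import message_from_string
from email.policy import default
from pathlib import PurePosixPath

# Archive extensions commonly seen on malspam attachments (assumed list).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".ace", ".gz", ".tgz"}

# Constructed sample messages: two archive lures, one with a benign image too.
SAMPLE_MESSAGES = [
"""From: billing@example.invalid
To: victim@example.invalid
Subject: Invoice 3321 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip; name="Invoice_3321.zip"
Content-Disposition: attachment; filename="Invoice_3321.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
""",
"""From: accounts@example.invalid
To: victim@example.invalid
Subject: URGENT payment reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Second notice.
--b2
Content-Type: application/x-rar-compressed; name="URGENT-payment-reminder.rar"
Content-Disposition: attachment; filename="URGENT-payment-reminder.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b2--
""",
"""From: hr@example.invalid
To: victim@example.invalid
Subject: Reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

See attachments.
--b3
Content-Type: application/x-7z-compressed; name="Reminder_Sept.7z"
Content-Disposition: attachment; filename="Reminder_Sept.7z"
Content-Transfer-Encoding: base64

N3q8ryccAA==
--b3
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/4AA=
--b3--
""",
]


def attachment_names(raw_message: str) -> list:
    """Return the filenames of all attachment parts of a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename()
            if name:
                names.append(name)
    return names


def is_archive(name: str) -> bool:
    """True when the attachment's extension is in the archive list."""
    return PurePosixPath(name).suffix.lower() in ARCHIVE_EXTENSIONS


def lure_words(name: str) -> list:
    """Split the file stem into lowercase alphabetic tokens of three or more letters."""
    stem = PurePosixPath(name).stem
    return [tok for tok in re.findall(r"[a-z]+", stem.lower()) if len(tok) >= 3]


def lure_statistics(raw_messages) -> Counter:
    """Count lure words over the archive attachments of all messages."""
    counts = Counter()
    for raw in raw_messages:
        for name in attachment_names(raw):
            if is_archive(name):
                counts.update(lure_words(name))
    return counts


if __name__ == "__main__":
    for word, n in lure_statistics(SAMPLE_MESSAGES).most_common():
        print(f"{n:3d}  {word}")
```

Only the attachment names are inspected; the archive bodies are never decoded or opened, so the script can run over a quarantine folder without touching the malicious content.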

[The post [SANS ISC] Getting some intelligence from malspam has been first published on /dev/random]



from Xavier

"Infosecurity Conference - Hacking Humans: Dissecting a Social Engineering Attack"

Folks, friendly reminder I'll be presenting Wednesday, 4 October at the Infosecurity North American Keynote event on Hacking Humans: Dissecting a Social Engineering Attack. I'll demonstrate how targeted social engineering attacks work by walking you through a real, targeted attack and what we learned by interacting with the hacker. As I learned from … Continue reading Infosecurity Conference - Hacking Humans: Dissecting a Social Engineering Attack

from lspitzner

Friday, September 15, 2017

"Equifax Webcast Follow-up - Your Questions Answered"

On Wed, 13 September 2017 we hosted a webcast on the Equifax hack, which you can now find in the webcast archives. One of the things that surprised us was the amount of questions asked, well over 100 questions, a new record I believe for a SANS webcast! Even though we spent over … Continue reading Equifax Webcast Follow-up - Your Questions Answered

from lspitzner

"Measuring Your Security Culture - At the EU #SecAwareSummit"

Editor's Note: Lushin Premji manages the awareness program at Thomson Reuters. He is one of the speakers for the upcoming Security Awareness Summit 6/7 December in London. Below he gives an overview of his upcoming talk on Measuring Your Security Culture. Security culture in an organisation is priceless. A strong security culture will create an environment where employees … Continue reading Measuring Your Security Culture - At the EU #SecAwareSummit

from lspitzner

Thursday, September 14, 2017

[SANS ISC] Another webshell, another backdoor!

I published the following diary on isc.sans.org: “Another webshell, another backdoor!“.

I’m still busy following how webshells are evolving… I recently found another backdoor in another webshell called “cor0.id”. The best place to find webshells remains pastebin.com[1]. When I’m testing a webshell, I copy it to a VM located on a “wild Internet” VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can spot immediately if the VM is trying to “phone home” to some external hosts. This was the case this time! [Read more]

 

[The post [SANS ISC] Another webshell, another backdoor! has been first published on /dev/random]



from Xavier

3 key tenets to help with security management

 

This post is authored by Berk Veral, Director, Product Marketing, Enterprise Cybersecurity Group.

Across industries, as attack methods have become more sophisticated and complex, organizations have been responding by deploying more security solutions, which in turn has tremendously increased the complexity of security management.

Today, organizations must manage distributed resources across many environments, and given the constantly evolving threats, this means there are more attack surfaces that need to be protected.

In some cases, an organization may end up having multiple point solutions even within a single workload to address specific security concerns. However, managing a growing number of individual security controls becomes a true nightmare. You lose visibility into the security state of that workload, let alone the security of the entire organization.

Managing a high number of point solutions and vendors, coupled with the increasing ‘noise’ caused by diverse datasets with varying levels of fidelity, adds to the complexity of security management. It becomes harder to gain optimal insight into end points and results in even less visibility into the security posture of your entire network.

Often, these point solutions don’t share any information as they are not integrated, which leads to the most dangerous of your challenges: ineffective responses to threats that grow both in number and sophistication.

More solutions to deploy and more vendors to manage, with less insight and ineffective threat response, ultimately manifests in higher costs of security for CISOs as well.

How can CISOs efficiently manage security?

In today’s connected, technology-driven world, where digital transformation is the only way to survive for any organization, an efficient security management practice becomes the cornerstone of any long-term strategy of CISOs, regardless of their industry.

Whether your assets are deployed in the cloud, on-premises, or across a hybrid environment, your organization’s security has 4 core components for you to manage and secure:

  • Identity
  • Devices or end points
  • Apps and data
  • Infrastructure

And across these 4 core components, an effective security management solution should provide 3 key tenets – visibility, control, and guidance:

  • Full visibility that helps you understand the security state and risks across resources
  • Built-in security controls to help you define consistent security policies
  • Effective guidance to help elevate your security through actionable intelligence and recommendations

Vendor consolidation & intelligence is key

An effective security management solution is not about a single console. It is about integration where it counts, but with the freedom of specialized tools for different functions.

Microsoft helps you consolidate from a plethora of specialized functions and tools to just a few. Our offerings provide functionality to ensure specialized security teams have the flexibility and freedom to manage the unique needs of specific areas such as identity, devices, apps or infrastructure. However, the key that makes Microsoft security management consoles much more effective is the vast intelligence that is built into our solutions, which helps your organization maintain a consistent and robust security posture.

Microsoft has a unique perspective as we face the same adversaries our customers do, but because of the scale of technology we build and operate, we capture a massive amount of security-related signal:

  • Nearly 1 billion Windows devices updated worldwide each month, and we operate the largest anti-virus and anti-malware service in the world
  • Over 450 billion authentications processed monthly into our cloud services
  • Over 400 billion emails scanned monthly for spam and malware through Office 365 and Outlook.com
  • More than 18 billion Bing web page scans per month

We build this intelligence into our products and services – harnessing the power of machine learning, processing trillions of pieces of data, from billions of devices, we enable our customers to detect relevant threats faster and prioritize response. Our security management solutions are built to work for you. This shared intelligence is leveraged by management consoles across identity, devices, apps, data, and infrastructure – helping security admins and operation center teams to get important insights optimized for their workloads.

The key for a CISO’s success in managing security is not about a single console across everything, but consolidation wherever it makes sense. This gives CISOs the best of all capabilities and allows them the flexibility when they need it.

With single vendor management, built-in controls that come with Microsoft solutions, and unmatched intelligence, Microsoft becomes your trusted partner in achieving intelligent security management.



from Microsoft Secure Blog Staff

Friday, September 8, 2017

FSEC 2017 Wrap-Up Day #2

Here we go with a quick wrap-up of the second day. It started smoothly around 09:00 and was dedicated to more technical talks. After some refill of coffee, I was ready to follow all talks presented in the main track.

It started with LiveOverflow who presented “Play CTF“. CTF games (“Capture The Flag”) are present on the schedule of many infosec conferences but can also be independent events. The idea of the talk was original. It started with a short definition: they are security competitions with challenges that you must solve to find the “flag”. Sometimes, I’m playing CTF games but it’s always a dilemma. If you play, you don’t follow the tracks (and I can’t write my wrap-ups!). Playing CTF is a great way to learn to hack. That’s what Fabian demonstrated in his talk. CTFs are also a great way to learn new technologies because they are always changing (example: many developers switched from PHP to Node.js). Challenges are usually based on typical vulnerabilities but you must be creative to solve them. They are often weird and do not always reflect the real world. So be prepared to fail :). The second part of the talk was more technical with examples of challenges. I liked the one based on an issue present in Python 2 and how it compares objects. The second example was a format string vulnerability and finally a Python sandbox evasion. A very nice talk to start the day! If you’re interested, you can find many CTFs on a common agenda on ctftime.org.

The second slot was mine. I presented my overview of webshells from an HTTP protection perspective. Here are my slides:

Then, Ryan Lackey presented “The trouble with updates“. This is a fact: to be better protected against software vulnerabilities, patching is the key! Today, most operating systems and software have automatic update features but it’s not always for the good. Indeed, a few times a year, we read some bad news about a patch that broke a system or made it less stable. But automatic installation also means that some bad code can be automatically injected into a system. What if the patching process is compromised? There were already several papers released about Microsoft WSUS! Some people also recommend not installing patches automatically. Certainly not on production systems. In this case, a best practice is to deploy the patches on a test system first to ensure that everything runs smoothly.

 

The next presentation was about “The status of web browsers VS DOM fuzzing” by Ivan Fratric (from Google Project Zero). The DOM, or “Document Object Model”, used in web browsers has been an interesting target for a while. A classic technique to find bugs in software is fuzzing. Ivan’s presentation reviewed how modern browsers are protecting themselves against fuzzing. Ivan explained how he developed his fuzzer and successfully used it to discover a lot of vulnerabilities. And guess what? All major browsers suffered from vulnerabilities.

I really expected a lot from the next talk about AutoIT by Vanja Svajcer from Cisco/Talos: “Hiding malware payloads with AutoIT”. A few days ago, I wrote a diary about AutoIT based malware. Vanja started with a nice introduction about AutoIT. This tool has existed for years but seems to be back on stage. It’s a BASIC-like scripting language that can perform GUI automation and testing, can load external UDFs (“User Defined Functions”), etc. Of course, like with any other language, the code is never released as is; it is usually heavily obfuscated (variables and functions are renamed, junk code is inserted, strings split, etc.). It is even possible to inject the payload into an existing process. After the introduction, Vanja focused on a specific sample and explained how it infects the victim’s computer.

During the lunch break, I attended the lightning talk session. A lot of interesting stuff and, amongst others, a quick presentation of Taler was given by Sva. Taler is an alternative electronic payment system still under development. If you’re interested, check this website.

There was no talk foreseen in the afternoon, just the closing session and the results of the CTF. We spent the rest of the day chatting around some drinks in nice weather. Yes, networking is also important during security conferences. This wraps up my first visit to FSEC. This is a nice event and the country looks nice. You can put it on your wish-list of conferences to attend next year!

[The post FSEC 2017 Wrap-Up Day #2 has been first published on /dev/random]



from Xavier

"Awareness Officers - What to Communicate About the Equifax Hack"

Editor's Note: We will continue to update this blog post as new information is learned about the incident. As most of you have read by now, Equifax was hacked. Equifax is one of four credit rating services, called Credit Bureaus (the other three are Experian, Trans Union and Innovis). This means they harvest (and sell) the financial … Continue reading Awareness Officers - What to Communicate About the Equifax Hack

from lspitzner

Thursday, September 7, 2017

FSEC 2017 Wrap-Up Day #1

New IIS functionality to help identify weak TLS usage

This post is authored by Andrew Marshall, Principal Security Program Manager, TwC Security, Yanbing Shi, Software Engineer, Internet Information Services Team, and Sourabh Shirhatti, Program Manager, Internet Information Services Team.

As a follow-up to our announcement regarding TLS 1.2 support at Microsoft, we are announcing new functionality in Windows Server 2012R2 and Windows Server 2016 to increase your awareness of clients connecting to your services with weak security protocols or cipher suites.

IIS logs can already be used to correlate client IP address, user agent string, and service URI. With the addition of the new custom logging fields detailed below, you will be able to quantify the usage of outdated security protocols and ciphers by clients connecting to your services.

To enable this new functionality, these four server variables need to be configured as the sources of the custom fields in IIS applicationHost.config. The custom logging can be configured on either server level or site level. Here is a sample site-level configuration:

<site name="Default Web Site" id="1" serverAutoStart="true">
  <application path="/">
    <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
  </application>
  <bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings>
  <logFile>
    <customFields>
      <clear />
      <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
      <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
      <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
      <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
    </customFields>
  </logFile>
</site>

Each SSL info field is a hexadecimal number that maps to either a secure protocol version or a cipher suite algorithm.
For an HTTP plain-text request, all four fields will be logged as '-'.

A sample log and explanation of the new fields follows:

For more information visit Official Microsoft Documentation for Custom Logging Fields in IIS.
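As an added example (not part of the Microsoft post, and not IIS tooling), here is a small Python script that reads a W3C log carrying the four crypt-* custom fields configured above and reports which clients negotiated weak parameters. The hex-to-name tables are the schannel.h/wincrypt.h constants behind these server variables (SP_PROT_*_SERVER and CALG_* values); the log lines are constructed samples, and the weak/strong policy is an assumption you should adjust to your own baseline.

```python
"""Flag weak TLS usage from the crypt-* custom fields in IIS W3C logs (added example)."""
from collections import Counter, defaultdict

# schannel.h / wincrypt.h constants behind the four server variables.
# The *_SERVER protocol flags are what a server-side connection reports.
PROTOCOLS = {0x4: "SSL 2.0", 0x10: "SSL 3.0", 0x40: "TLS 1.0",
             0x100: "TLS 1.1", 0x400: "TLS 1.2", 0x1000: "TLS 1.3"}
CIPHERS = {0x6801: "RC4", 0x6603: "3DES", 0x660E: "AES-128", 0x6610: "AES-256"}
HASHES = {0x8003: "MD5", 0x8004: "SHA-1", 0x800C: "SHA-256", 0x800D: "SHA-384"}
KEYEX = {0xA400: "RSA", 0xAA02: "DHE", 0xAA05: "ECDH", 0xAE06: "ECDHE"}

TABLES = {"crypt-protocol": PROTOCOLS, "crypt-cipher": CIPHERS,
          "crypt-hash": HASHES, "crypt-keyexchange": KEYEX}

# Policy (assumption): what counts as weak. Static RSA key exchange has no forward secrecy.
WEAK = {
    "crypt-protocol": {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"},
    "crypt-cipher": {"RC4", "3DES"},
    "crypt-hash": {"MD5", "SHA-1"},
    "crypt-keyexchange": {"RSA"},
}

# Constructed sample log, not a real capture. IIS writes '+' for spaces in the User-Agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
2017-09-07 10:00:01 203.0.113.5 GET /login 200 Mozilla/5.0+(Windows+NT+10.0) 400 6610 800c ae06
2017-09-07 10:00:02 198.51.100.9 GET /api 200 LegacyClient/1.0 40 6801 8004 a400
2017-09-07 10:00:03 192.0.2.77 GET /index.html 200 curl/7.55.1 - - - -
2017-09-07 10:00:04 198.51.100.9 POST /api 200 LegacyClient/1.0 100 6603 8004 a400
"""


def parse_w3c(text):
    """Yield one dict per request line; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, values))


def decode(field, value):
    """Translate a logged hex value to a name; '-' (plain HTTP) becomes None."""
    if value == "-":
        return None
    try:
        num = int(value, 16)  # accepts both '400' and '0x400'
    except ValueError:
        return "unknown(%s)" % value
    return TABLES[field].get(num, "unknown(0x%x)" % num)


def weaknesses(record):
    """List the weak TLS parameters of one request (empty for strong TLS or plain HTTP)."""
    found = []
    for field in TABLES:
        name = decode(field, record.get(field, "-"))
        if name is not None and name in WEAK[field]:
            found.append("%s=%s" % (field, name))
    return found


def weak_clients(text):
    """Count weak parameters per (client IP, User-Agent) so legacy clients can be chased down."""
    summary = defaultdict(Counter)
    for rec in parse_w3c(text):
        for item in weaknesses(rec):
            summary[(rec["c-ip"], rec["cs(User-Agent)"])][item] += 1
    return dict(summary)


if __name__ == "__main__":
    for (ip, ua), counts in weak_clients(SAMPLE_LOG).items():
        print(ip, ua, dict(counts))
```

Point `weak_clients()` at the contents of a real log file (`weak_clients(open(path).read())`) once the custom fields are enabled; the `#Fields` header is read from the file, so the column order in your configuration does not matter. Plain-HTTP requests are skipped rather than counted as weak, matching the '-' convention described above.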


from Microsoft Secure Blog Staff

Wednesday, September 6, 2017

Interesting List of Windows Processes Killed by Malicious Software

Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity of a connected user, the presence of files on the desktop, etc. But they also search for interesting processes that could reveal that they are being monitored or debugged. This is achieved via the GetProcessesByName system call. Example:

' VB.NET fragment: Process.GetProcessesByName() returns an array of matching processes
Dim processName As String = "tool_executed_by_analyst"
Dim processList As Process() = Process.GetProcessesByName(processName)
If processList.Length > 0 Then
    ' Process is running, exit silently...
Else
    ' Process is not running, do our malicious stuff...
End If

This time, the sample did not search for running processes. Instead of a stealthy exit, it just executed a long list of taskkill.exe commands with process names like this:

taskkill.exe /IM <string> /T /F

“/IM” refers to the process image name, “/T” means to terminate all child processes and “/F” means to kill the process forcefully. This is a quite aggressive technique!

Some processes are well-known, others were more exotic. Here is the full list:

avpmapp.exe
econceal.exe
escanmon.exe
escanpro.exe
TRAYSSER.EXE
TRAYICOS.EXE
econser.exe
VIEWTCP.EXE
FSHDLL64.exe
fsgk32.exe
fshoster32.exe
FSMA32.EXE
fsorsp.exe
fssm32.exe
FSM32.EXE
trigger.exe
FProtTray.exe
FPWin.exe
FPAVServer.exe
AVK.exe
GdBgInx64.exe
AVKProxy.exe
GDScan.exe
AVKWCtlx64.exe
AVKService.exe
AVKTray.exe
GDKBFltExe32.exe
GDSC.exe
virusutilities.exe
guardxservice.exe
guardxkickoff_x64.exe
iptray.exe
freshclam.exe
freshclamwrap.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
nanosvc.exe
nanoav.exe
nnf.exe
nvcsvc.exe
nbrowser.exe
nseupdatesvc.exe
nfservice.exe
nwscmon.exe
njeeves2.exe
nvcod.exe
nvoy.exe
zlhh.exe
Zlh.exe
nprosec.exe
Zanda.exe
NS.exe
acs.exe
op_mon.exe
PSANHost.exe
PSUAMain.exe
PSUAService.exe
AgentSvc.exe
BDSSVC.EXE
EMLPROXY.EXE
OPSSVC.EXE
ONLINENT.EXE
QUHLPSVC.EXE
SAPISSVC.EXE
SCANNER.EXE
SCANWSCS.EXE
scproxysrv.exe
ScSecSvc.exe
SUPERAntiSpyware.exe
SASCore64.exe
SSUpdate64.exe
SUPERDelete.exe
SASTask.exe
K7RTScan.exe
K7FWSrvc.exe
K7PSSrvc.exe
K7EmlPxy.EXE
K7TSecurity.exe
K7AVScan.exe
K7CrvSvc.exe
K7SysMon.Exe
K7TSMain.exe
K7TSMngr.exe
uiWinMgr.exe
uiWatchDog.exe
uiSeAgnt.exe
PtWatchDog.exe
PtSvcHost.exe
PtSessionAgent.exe
coreFrameworkHost.exe
coreServiceShell.exe
uiUpdateTray.exe
VIPREUI.exe
SBAMSvc.exe
SBAMTray.exe
SBPIMSvc.exe
bavhm.exe
BavSvc.exe
BavTray.exe
Bav.exe
BavWebClient.exe
BavUpdater.exe
MCShieldCCC.exe
MCShieldRTM.exe
MCShieldDS.exe
MCS-Uninstall.exe
SDScan.exe
SDFSSvc.exe
SDWelcome.exe
SDTray.exe
UnThreat.exe
utsvc.exe
FortiClient.exe
fcappdb.exe
FCDBlog.exe
FCHelper64.exe
fmon.exe
FortiESNAC.exe
FortiProxy.exe
FortiSSLVPNdaemon.exe
FortiTray.exe
FortiFW.exe
FortiClient_Diagnostic_Tool.exe
av_task.exe
CertReg.exe
FilMsg.exe
FilUp.exe
filwscc.exe
filwscc.exe
psview.exe
quamgr.exe
quamgr.exe
schmgr.exe
schmgr.exe
twsscan.exe
twssrv.exe
UserReg.exe
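Turning the list into detection logic, as an added example that is not from the post: a Python snippet that parses constructed process-creation records (timestamp, parent image, command line, the shape a Sysmon Event ID 1 or Windows 4688 event gives you) and raises an alert when one parent force-kills several of the security-product images listed above. The watchlist is a subset of the page's list, the event format and the threshold of three distinct images are assumptions.

```python
"""Spot a burst of forced taskkill commands aimed at security products (added example)."""
import re
from collections import defaultdict

# Image names taken from the list in the post (subset); extend with your own AV/EDR processes.
SECURITY_PROCESSES = {name.lower() for name in [
    "avpmapp.exe", "fsgk32.exe", "FSMA32.EXE", "AVKService.exe", "GDScan.exe",
    "K7RTScan.exe", "K7TSecurity.exe", "nanoav.exe", "SUPERAntiSpyware.exe",
    "FortiClient.exe", "SBAMSvc.exe", "MCShieldRTM.exe", "twsscan.exe",
]}

# Matches 'taskkill', 'taskkill.exe', a quoted or full-path invocation, then its arguments.
TASKKILL_RE = re.compile(r'(?:^|[\\\s"])taskkill(?:\.exe)?"?\s+(?P<args>.*)', re.IGNORECASE)

# Constructed events (timestamp, parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2017-09-06 08:00:01", "invoice_2017.exe", "taskkill.exe /IM avpmapp.exe /T /F"),
    ("2017-09-06 08:00:01", "invoice_2017.exe", "taskkill.exe /IM fsgk32.exe /T /F"),
    ("2017-09-06 08:00:02", "invoice_2017.exe", "taskkill /IM K7RTScan.exe /T /F"),
    ("2017-09-06 08:00:02", "invoice_2017.exe",
     "C:\\Windows\\System32\\taskkill.exe /IM FortiClient.exe /T /F"),
    ("2017-09-06 09:15:00", "explorer.exe", "taskkill /IM notepad.exe /F"),
    ("2017-09-06 09:16:00", "cmd.exe", "ping 192.0.2.1"),
]


def parse_taskkill(cmdline):
    """Return (image_name, flags) for a 'taskkill /IM <name> ...' command line, else None."""
    m = TASKKILL_RE.search(cmdline)
    if not m:
        return None
    tokens = m.group("args").split()
    image, flags = None, set()
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            flag = tok.upper()
            flags.add(flag)
            if flag == "/IM" and i + 1 < len(tokens):
                image = tokens[i + 1].strip('"').lower()
    if image is None:
        return None  # PID-based or malformed taskkill; not what we are looking for here
    return image, flags


def detect_av_kill_bursts(events, threshold=3):
    """Alert per parent process that force-kills (/F) at least `threshold` distinct security images."""
    per_parent = defaultdict(set)
    for _ts, parent, cmdline in events:
        parsed = parse_taskkill(cmdline)
        if parsed is None:
            continue
        image, flags = parsed
        if "/F" in flags and image in SECURITY_PROCESSES:
            per_parent[parent].add(image)
    return [
        {"parent": parent, "count": len(images), "images": sorted(images)}
        for parent, images in per_parent.items()
        if len(images) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_av_kill_bursts(SAMPLE_EVENTS):
        print("ALERT: %(parent)s force-killed %(count)d security processes: %(images)s" % alert)
```

Keying on the parent image rather than on individual taskkill commands is what separates this sample from an administrator killing one hung tool: a single forced kill of a watched process is noise, a dozen in the same second from one freshly dropped executable is the behaviour the post describes. In a SIEM the same logic maps to a count-distinct of the /IM argument grouped by parent over a short window.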

[The post Interesting List of Windows Processes Killed by Malicious Software has been first published on /dev/random]



from Xavier

"Build a Security Awareness Escape Room - At the EU #SecAwareSummit"

Editor's Note: The FedEx Information Security team will be leading an interactive workshop on building Security Awareness Escape Rooms, based on the Escape Rooms they have deployed internally at FedEx. In addition, summit attendees will participate in and compete against each other in an actual Escape Room. The FedEx team is one of the events at the upcoming European Security Awareness … Continue reading Build a Security Awareness Escape Room - At the EU #SecAwareSummit

from lspitzner

"OUCH! Newsletter is Out - Password Managers"

The September edition of the OUCH! security awareness newsletter is out. For this month we cover Password Managers. Passwords continue to be one of the biggest challenges for people as they are expected to maintain a strong, unique password for every account. Yet many people can have well over one hundred passwords, not to mention having to … Continue reading OUCH! Newsletter is Out - Password Managers

from lspitzner

Tuesday, September 5, 2017

"Leverage SANS Expertise: Enhanced Phishing Training Available"

We're thrilled to release the enhanced SANS Phishing Training solution. Robust phishing training is one of many must-haves for security awareness training effectiveness. SANS Phishing Training is a simple and cost effective solution enabling you to effortlessly reach everyone in your organization. SANS world class instructors and experts designed SANS Phishing Training to deliver … Continue reading Leverage SANS Expertise: Enhanced Phishing Training Available

from SANS SA

Sunday, September 3, 2017

[SANS ISC] AutoIT based malware back in the wild

I published the following diary on isc.sans.org: “AutoIT based malware back in the wild“.

One week ago I wrote a diary with an analysis of a malicious RAR archive that contained an AutoIT script. The technique was not new but I was curious to see if this was a one-shot or not. To search for juicy samples, VirusTotal Intelligence or “VTI” is a nice source. Thanks to the “Retro Hunt” feature, it is possible to search for specific samples that were submitted. The search conditions are based on YARA rules… [Read more]

[The post [SANS ISC] AutoIT based malware back in the wild has been first published on /dev/random]



from Xavier