BLOG

This is a Great Article by the Knowbe4 Company

Knowbe4 is a great solution for companies to train user on Social Engineering issues.
Here a great example of the content that they deliver to their base.


Scam of the Week: Equifax Settlement Phishing

Well, that did not take long! The Equifax Data Breach resulted in a settlement and those affected have a choice between free credit monitoring or a $125 payment. Internet lowlifes are now targeting victims of the Equifax data breach with phishing attacks and are spoofing Equifax’s settlement page.

Your users should report these as malicious emails. If they fall for it and click on the link, they are likely winding up on a spoofed site that looks very similar to the existing Equifax settlement page.

There, they are going to be exposed to a social engineering scam, trying to steal as much data as possible.

I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:

 

ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and get a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax and when you click on the links, you wind up on a fake website that looks like it's Equifax, but will try to steal your personal information. Don't fall for it.

if you want to file a claim, go the legit FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim, not everyone's information was compromised.
 
Here is the link to the FTC site:
https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

Go to their blog at https://blog.knowbe4.com/ and also explore the free tools on their site https://www.knowbe4.com/free-it-security-tools

Tue, 06 Aug 2019 15:24:00 +0000

More examples of Speed to market not Secure First

    New technology often saturates a market before fully ripening to prime usefulness. The race to be first to market is often seen in the idea of recognized household names like Alexa, Blackberry, or even the Oculus Rift. While they might not always be the best at what they do, the familiarity can smooth over many of the kinks in the products they produce.

     The Hickory Smart Bluetooth Enabled Deadbolt allows its user to manage their home security remotely and to have the assurance that the door is locked in case they are concerned that they forgot to do so when they left the house. While this function seems to be useful to a potential customer, they have had 6 vulnerabilities uncovered by Rapid7 security researchers. One of the most concerning vulnerabilities is cleartext credential transmission from the Hickory Smart Ethernet Bridge device; it's something I would expect even the least security minded designer to avoid.

    The rest of the data is encrypted and it would be difficult to translate the credentials into actionable information regarding the deadbolt, but if the user were to change the credentials from the defaults and an adversary were able to obtain said credentials, they could be included in future credential stuffing attacks affecting the user. The Amcrest IP2M-841B IP camera is a rebranded Dahua camera; Dahua has had a history of security issues. It has a bug that exposes allows anyone to connect to the camera over http and decode the audio output for their listening pleasure.

    The camera wraps transmissions in a DHAV container, but it is trivial to decipher and play in a VLC player. In their haste to provide a product, they seem to be keeping these products at different patch levels, exposing users to security issues that may have been already patched. As Amcrest is one of many companies to sell rebranded Dahua products, it is unknown how many products are vulnerable to this bug.

    While the focus on being first to market with a technology may establish a foothold in the homes of consumers, it also makes the customers they seek to serve vulnerable to any cyber security risks that may have been left on the cutting room floor in the rush to get the product out the door. Testing and security is becoming ever more challenging by the day and each year we find our old standards insufficient. The effort to obtain access to an unlocked door or bugged camera might not be cost efficient to do for the average person at scale, but it easily puts higher value targets at risk, and simply not being a target is no excuse to support these practices.


Sources:




Tue, 06 Aug 2019 15:06:00 +0000

El Paso and Dayton Tragedy-Related Scams and Malware Campaigns


In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to these events.

To avoid becoming a victim of malicious activity, users and administrators should consider taking the following preventive measures:


Tue, 06 Aug 2019 14:52:00 +0000

NIST Publishes Multifactor Authentication Practice Guide


The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) has published NIST Cybersecurity Practice Guide: Multifactor Authentication for E-Commerce. The guide provides e-commerce organizations multifactor authentication (MFA) protection methods they can implement to reduce fraudulent purchases.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages e-commerce organizations to download the guide to learn how to prevent e-commerce fraud using MFA solutions.

Fri, 02 Aug 2019 18:30:00 +0000

Cylance Antivirus Vulnerability


Original release date: August 2, 2019

The CERT Coordination Center (CERT/CC) has released information on a vulnerability affecting Cylance Antivirus products. A remote attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU#489481 and the Cylance Resolution for BlackBerry Cylance Bypass webpage for patch information and additional recommended workarounds.
.

Fri, 02 Aug 2019 18:29:00 +0000

Steps to Safeguard Against Ransomware Attacks


Original release date: July 30, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

CISA encourages organizations to review the Joint Ransomware Statement and the following ransomware guidance:


Tue, 30 Jul 2019 19:18:00 +0000

Spearphone a attack for Andriod Phones

    A team of cybersecurity researchers - Abhishek Anand, Chen Wang, JIan Liu, Nitesh Saxena, and Yingying Chen - have discovered and demonstrated a new side -channel attack that could potentially allow apps to listen in on the voice coming through an Android phone’s loudspeakers without requiring any device permissions.

    This new attack has been named Spearphone.  It works by taking advantage of the accelerometer built into most Android phones. An accelerometer is a sensor that can detect and monitor the movement of a phone, like being shaken, tilted, or lifted up. The accelerometer can be accessed by any app with any permissions.

    According to The Hacker News, “Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.” The nature of sound is vibrations that travel through a medium transferring energy to our ear drums which then translate the mechanical vibrations into electric signals which our brains translate into sounds. This attack bypasses the need for a second microphone replacing the audio receiver with the accelerometer in the phone itself to translate the soundwaves into electrical messages.

    The researchers created and Android application that was designed to record speech reverberations using the accelerometer and send the captured data back to an attacker-controller server as a proof-of-concept. The researchers have shown that this attack can successfully be used to spy on phone calls, listen to voice notes or multimedia, and to spy on the use of an assistant such as Google Assistant or Bixby, as shown below.

 
Source of Article
 
    The research team believes the Spearphone attack is dangerous and has “significant value as it can be created by low-profile attackers.” The attack can also be used in gender classification with over 90% accuracy and speaker identification with over 80% accuracy. 
 
read the full article here



Fri, 19 Jul 2019 19:30:00 +0000

Linux users be aware


    In the world of malware, almost all malicious software is based around Windows desktop or Linux server systems. Part of this is due to the widespread use of these systems as well as the architecture of the Linux core operating system. This makes it even more surprising when researchers from Intezer recently discovered a desktop Linux spyware application dubbed EvilGnome that no security or antivirus scanners detect yet.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the Gnome GUI environment for Linux desktop.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are: • ShooterSound—records audio clips from the user’s microphone using PulseAudio. • ShooterImage—captures screenshots of the user’s desktop. • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date. • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running. • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools. 
To check if a Linux system is infected, look for an executable called gnome-shell -ext in the ~/.cache/gnome-software/gnome-shell-extensions  directory.


Sources:

https://thehackernews.com/2019/07/linux-gnome-spyware.html

https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/
Fri, 19 Jul 2019 19:24:00 +0000

A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data: NIST Publishes NISTIR 8221


Hardware/Server Virtualization is a foundational technology in a cloud computing environment and the hypervisor is the key software in that virtualized infrastructure. However, hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. Hence, a capability to perform forensic analysis to detect, reconstruct and prevent attacks based on vulnerabilities on an ongoing basis is a critical requirement in cloud environments.

To gain a better understanding of recent hypervisor vulnerabilities and attack trends, identify forensic information needed to reveal the presence of such attacks, and develop guidance on taking proactive steps to detect and prevent those attacks, NIST has published NIST Internal Report (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.” NISTIR 8221 outlines a methodology to enable this forensic analysis, and illustrates the methodology using two open-source hypervisors—Xen and Kernel-based Virtual Machine (KVM). The source for vulnerability data is NIST’s National Vulnerability Database (NVD).

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8221/final


CSRC Update:
https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221 


Thu, 18 Jul 2019 14:37:00 +0000

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems


NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft


CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms


Thu, 18 Jul 2019 14:35:00 +0000