#cybersecurity | #hackerspace | Four Important Steps to Secure the United States 2020 Election

Source: National Cyber Security – Produced By Gregory Evans

It’s an unfortunate reality that cyber attacks on the U.S. 2020 election are likely to happen. However, while this is a potent threat to democracy, an even greater threat is to not take the necessary actions to prevent these attacks until it is too late.

There are many different types of cyberattacks that the U.S. 2020 election could face.

  • Attacks on electronic poll books and registration systems to remove individuals from voter rolls, swap their polling location, or claim they’ve voted when they haven’t.
  • Hacking attacks against election websites that educate the public on voting times, polling locations, and the current status of registrations.
  • Disinformation campaigns that disseminate inaccurate results through election night reporting system attacks.

Preventing these attacks requires clever contingency planning and addressing key issues present in the current systems that voters and their states engage with. This article aims to address these issues.

Upgrade voting machines

The most important step in protecting American elections is securing its voting machines. This is hardly a surprise given that the easiest form of attack to comprehend (and by far the most frightening) is the stealthy introduction of malware into voting machines so that election results are changed without anyone noticing.

The first step (and most important) in this process is giving paperless systems a “paper backup” of every vote, one that is verified by each voter. Without this, there is no way to independently assess whether the digital totals provided by the voting machines are legitimate. While this may seem like a huge step, this is something that the United States has made sizable progress towards achieving, that is, halving the number of paperless machines used before 2017.

In a general sense, most American voting machines pose a security risk just by virtue of their age. At a (Read more…)


The post #cybersecurity | #hackerspace | Four Important Steps to Secure the United States 2020 Election appeared first on National Cyber Security.


#cybersecurity | #hackerspace | Coronavirus: The Unexpected Human Element at RSA Conference 2020


It was Sunday, February 23, 2020, and I was packing my bags for an early morning flight from Detroit to San Francisco for another week at an RSA Conference covering all things related to cybersecurity. The conference theme this year was “The Human Element,” which became an ironic choice of words.

While reading up on the best sessions, pre-conference news and other hot cyber headlines, I noticed that several large companies had pulled out of the conference because of coronavirus fears.

Here’s an excerpt from the Business Insider article that grabbed my attention: “Verizon pulled out of the RSA Conference on Friday, joining competitor AT&T and IBM as large sponsors with coronavirus concerns abandon the cybersecurity trade show that was expected to draw more than 40,000 to San Francisco next week. …”

The RSA Conference website offered this webpage with coronavirus updates; however, the information was sparse and seldom updated. No new updates were added after February 25, which started with this less than comforting news, “Today, the City of San Francisco declared a State of Emergency to begin preparations around any future coronavirus outbreaks. The City stated that residents and visitors remain at low risk for becoming infected with the coronavirus and that the number of cases within the City remains at zero. …”

My Delta flight was overbooked, and the airport seemed packed on Monday morning as I traversed through TSA security lines in Detroit. Several TSA officials wore face masks, and most of them were wearing plastic gloves, which I had not seen before.

Thankfully, my flight arrived early, and I was able to attend most of the RSA Public Sector Day at the San Francisco Hilton by Union Square. There was an excellent agenda of topics and federal, state and local government speakers on issues (Read more…)


#hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020


New web targets for the discerning hacker

Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.

That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.

The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.

“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.

Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.

Bounties awarded for high risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.

If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.

Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.

In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.

The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.

“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.

“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”

Read the full interview with Bugcrowd founder Casey Ellis.

The latest bug bounty programs for February 2020

February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Celo

Program provider: HackerOne

Program type: Private bug bounty

Max reward: $15,000

Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.

Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring Standard are among Celo’s promises.

Visit the Celo bug bounty page at HackerOne for more info

Evernote

Program provider: HackerOne

Program type: Private bug bounty

Max reward: Undisclosed

Outline: The task management app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.

Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.

Visit the Evernote bug bounty page at HackerOne for more info

Google API Security Rewards Program

Program provider: HackerOne

Program type: Public bug bounty

Minimum reward: $50

Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications accessing OAuth Restricted Scope.

Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.

Visit the Google API Security Rewards Program at HackerOne for more info

Kindred Group

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.

Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflective XSS or captcha bypass, generate a $150 reward.

Visit the Kindred Group bug bounty page at HackerOne for full program details

Microsoft Azure – enhanced

Program provider: Independent

Program type: Public bug bounty

Max reward: $40,000

Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere to run alongside the general release of the IoT security platform.

Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.

Visit the latest Microsoft blog post for full program details

Microsoft Xbox

Program provider: Independent

Program type: Public bug bounty

Max reward: $20,000

Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.

Notes: In-scope vulnerabilities include all the regular suspects with full PoC exploit: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by user), and exploits in third-party components.

Visit the Xbox bug bounty page for full program details

Monolith

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.

Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.

Visit the Monolith bug bounty page at HackerOne for full program details

imToken

Program provider: Independent

Program type: Public bug bounty

Max reward: $10,000

Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.

Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with critical vulnerabilities amounting to issues that result in an attacker stealing crypto-assets.

Visit the latest imToken blog post for more info

Visma

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Business software provider Visma wants security researchers to break their domains, with payouts ranging from $100 for low impact bugs to $2,500 for those defined as critical.

Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.

Visit the Visma bug bounty page at HackerOne for more info

Other bug bounty and VDP news

  • Katie Moussouris, quite possibly the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs.
  • The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that’s demonstrated significant growth over the past year.
  • Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
  • Hyatt expanded its public bug bounty program on its one-year anniversary last month with HackerOne, widening its scope with higher bounties.
  • Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking providers bunq, Canadian banking provider Koho, photo video editing app PicsArt, and Belgium-based REM-B Hydraulics.
  • Bugcrowd also saw the SoundCloud bug bounty program increase its rewards last month, now offering a maximum $4,500 for high priority bugs.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.



#nationalcybersecuritymonth | Hillicon Valley — Presented by Facebook — FCC fines mobile carriers $200M for selling user data | Twitter verified fake 2020 candidate | Dems press DHS to complete election security report | Reddit chief calls TikTok spyware


Welcome to Hillicon Valley, The Hill’s newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don’t already, be sure to sign up for our newsletter with this LINK.

Welcome! Follow the cyber team, Maggie Miller (@magmill95), and the tech team, Emily Birnbaum (@birnbaum_e) and Chris Mills Rodrigo (@chrisismills).


FCC FINES TOP MOBILE CARRIERS: The Federal Communications Commission (FCC) is proposing more than $200 million in fines against the country’s top mobile carriers after a lengthy investigation concluded T-Mobile, AT&T, Sprint and Verizon improperly sold access to their customers’ precise location information. 

The agency is alleging the companies broke the law by failing to protect information about the geolocation of their hundreds of millions of customers. 

“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” FCC Chairman Ajit Pai (R) said. “And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t.”

“Today, we do just that,” Pai said.

The proposed fines — which Verizon, AT&T, T-Mobile and Sprint are now allowed to contest — are some of the largest the FCC has proposed in decades. But since reports began emerging about the fines on Thursday night, consumer advocates and privacy hawks in Congress have accused the regulatory agency of holding back and letting the telecom companies off the hook with fines that amount to a “rounding error” compared to their significant bottom lines.

Sen. Ron Wyden (D-Ore.), who was one of the first to shed light on the companies’ unlawful information sharing, released a statement accusing Pai of going easy on the companies.

“It seems clear Chairman Pai has failed to protect American consumers at every stage of the game – this issue only came to light after my office and dedicated journalists discovered how wireless companies shared Americans’ locations willy nilly,” Wyden said. “He only investigated after public pressure mounted.”

“And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck,” Wyden said.

Verizon, for instance, boasted a total revenue of $31.4 billion in 2019 and is facing a fine of $48 million.

The FCC is proposing a fine of $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon and $12 million for Sprint.  

T-Mobile, which is facing the largest fine by far, said in a statement Friday that it intends to dispute the FCC’s conclusions.

“We take the privacy and security of our customers’ data very seriously,” T-Mobile said. “While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine.” 

Public Knowledge, a consumer rights group, said the FCC’s fines indicate the chairman is enforcing the law “to the barest degree possible.” 

Read more on the fines here.



Elections have changed and so has Facebook

Facebook has made large investments to protect elections, including tripling the size of the teams working on safety and security to more than 35,000. But the work doesn’t stop there.

See how Facebook has prepared for 2020.


TURN IT IN: House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) on Friday raised concerns around the Department of Homeland Security’s failure to submit a congressionally mandated election security report on time.

DHS was required under the 2020 National Defense Authorization Act to submit a report to Congress on successful and attempted cyberattacks on U.S. election infrastructure during the 2016 elections, along with any future cyberattacks on elections that DHS anticipates. 

The agency was required by the NDAA to submit the report within 60 days of the bill being signed into law. President Trump signed the NDAA on Dec. 20, with Feb. 18 marking the deadline for the report to be submitted to appropriate congressional committees.

Thompson, whose committee is among those that DHS is required to submit the report to, said Friday that the failure of DHS to submit the report “further obstructs Congress’ abilities to conduct proper oversight,” and noted this was “in direct violation of the law.”

“The threat to our democracy from foreign governments is real, and the Administration’s pattern of denial must stop,” Thompson added. “With President Trump in office, the American people cannot expect our elections to be secure and free from foreign interference or cyber-attacks with status quo measures in place.”

Read more here.


‘WALZ’-ING AROUND: Twitter earlier this month verified an account for a fake 2020 congressional candidate created by a teenager.

The account was for a fictional Republican congressional candidate from Rhode Island named Andrew Walz.

His Twitter bio claimed that Walz was a “proven business leader” and a “passionate advocate for students,” CNN Business first reported.

The owner of the account was a 17-year-old high schooler from upstate New York who, according to the network, made the account over the holidays because he was “bored.”

“During Christmas break I was kind of bored and I learned a lot from history class, but also on the news they were talking more about misinformation,” the high school student told CNN Business.

The teen said it took him about 20 minutes to make the website for his candidate and then another five minutes to create the Twitter account.

He got his profile picture from a website called This Person Does Not Exist, which computer generates realistic photos of fake people.

Then, he filled out a short survey with information about his fake candidate on Ballotpedia, the nonprofit “Encyclopedia for American Politics.” Twitter announced in December that it would be partnering with the nonprofit in an attempt to verify more congressional candidates. 

However, according to the student, neither Twitter nor Ballotpedia asked for any further kind of identification to confirm that Walz was, in fact, genuine.

The social media platform has received flak from candidates who say it has been slow to verify them.

Read more on the incident here.


REDDIT DINGS TIKTOK: TikTok is under scrutiny from Reddit CEO and co-founder Steve Huffman for practices he calls “fundamentally parasitic,” referring to serious privacy concerns surrounding the app.

The app is a video-sharing social networking service owned by ByteDance, a Beijing-based company established in 2012 by Zhang Yiming. TikTok launched in 2017 for iOS and Android in markets outside of China.

Huffman said one of the suspicious practices the company partakes in is fingerprinting, a method of tracking devices for each unique visitor, according to The Verge.

“Maybe I’m going to regret this, but I can’t even get to that level of thinking with [TikTok],” Huffman said at the Social 2030 venture capital conference. “I look at that app as so fundamentally parasitic, that it’s always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone.”

Research by data protection expert Matthias Eberl highlights the fingerprinting Huffman refers to as an aggregate of audio and browser tracking, allowing the company to know the types of content each user is following. TikTok parent company ByteDance claims the fingerprinting methods are for recognizing malicious browser behavior, but Eberl offers his skepticism, as the platform seemingly works fine without the scripts enabled.

“I actively tell people, ‘Don’t install that spyware on your phone,’ ” Huffman said of TikTok’s software.

Read more here.





SCHEMING: Advocates are sounding the alarm over online scams that leave senior citizens particularly vulnerable, urging lawmakers and administration officials to take more steps to protect unsuspecting Americans.

Experts say that threat is heightened during tax season as online options for filing have grown in popularity, opening the door to more scams aimed at obtaining sensitive information or money from victims.

“Consumers should be especially vigilant as we approach tax season,” said Bill Versen, chief product officer at Transaction Network Services, a data services provider.

While there are a slew of scams at tax filing season, experts say that the elderly face a higher risk of being ensnared and experiencing financial hardship.

The most common kinds of tax scams are phishing and calls where a scammer impersonates an IRS official, according to Monique Becenti, a product specialist at cybersecurity firm SiteLock.

Phishing is a tactic used by hackers to get access to private information using fake emails, text messages and social media posts.

These communications are designed to bait unaware users, often the elderly, into giving up their personal information or clicking on links that can download dangerous malware onto computers and phones alike.

But the most common scam between 2014 and 2018 was fraudulent IRS calls, according to a yearly report released by the Senate Committee on Aging.

In those calls, the scammer impersonates an IRS official, demanding payment or sensitive information. In some cases, scammers have been known to threaten to suspend licenses, close businesses or even arrest individuals if they fail to pay fake bills.

“The overall goal is cyber criminals trying to file taxes on behalf of that person,” Becenti told The Hill. And once an individual falls victim, scammers can run further schemes. “Ultimately, they have their Social Security number. … Now they have the ability to open up fraudulent accounts on behalf of that individual.”

Read more here.


CHANGE OF PACE: Facebook sued a marketing company Thursday, alleging in federal court that the firm “improperly” collected data from users of the social media platform.

The lawsuit, filed in the Northern District Court of California, claimed oneAudience paid developers to use a malicious software development kit, or SDK, in their apps.

SDKs are tools that let developers make apps more quickly.

OneAudience’s SDK collected data in an improper fashion from Facebook users who opted to log in to certain apps, the lawsuit alleged.

Facebook claimed the data included names, email addresses and gender, in limited cases.

Facebook said it sent a cease-and-desist letter to oneAudience in November, but claimed the company did not cooperate with a requested audit.

OneAudience did not immediately respond to a request for comment.

In a blog post, Jessica Romero, Facebook’s director of platform enforcement and litigation, wrote that the lawsuit was filed to protect the platform’s users.

“This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users,” she wrote. “Through these lawsuits, we will continue sending a message to people trying to abuse our services that Facebook is serious about enforcing our policies.”

Read more here.


CAMEO: Former Illinois Gov. Rod Blagojevich (D) joined an app where people can pay for personalized video messages after President Trump commuted his sentence on corruption charges earlier this month. 

Blagojevich is on the app Cameo offering personal messages for $100. 

“Hey it’s Rob Blagojevich. I’m very excited to connect with you on Cameo. If you want a birthday greeting, an anniversary greeting, motivation or any other kind of shoutout, I can’t wait to hear from you,” the former lawmaker said on his account. 

The app features a variety of celebrities and personalities that offer personalized messages for fans upon request. 

Former Trump White House press secretary Sean Spicer also has an account on the app, as does former Trump administration communications director Anthony Scaramucci, former Trump aide Omarosa Manigault and former Trump campaign manager Corey Lewandowski.

Trump commuted Blagojevich’s sentence earlier this month. He called Blagojevich’s 14-year sentence “ridiculous.”

“He served eight years in jail, a long time. He seems like a very nice person — don’t know him,” Trump said.

Read more here.


A LIGHTER CLICK: Hope y’all are happy


AN OP-ED TO CHEW ON: Indictment of Chinese hackers is wake-up call for better public-private cooperation



Vatican joins IBM, Microsoft to call for facial recognition regulation (Reuters / Philip Pullella, Jeffrey Dastin) 

The World Health Organization has joined TikTok to fight coronavirus misinformation (Verge / Makena Kelly)

Walmart is quietly working on an Amazon Prime competitor called Walmart+ (Recode / Jason Del Rey)


#cybersecurity | #hackerspace | March 2020 – Professional Services and the Media Industry


In today’s ever-shifting market, we recognize that you need to be constantly adapting, and Akamai provides a way to enhance your customers’ experiences through our unique expertise, helping you unlock the value of Akamai’s products and services.

Professional Services’ primary mission is to drive customer success and growth. In order to achieve that, Akamai’s Global Services and Support team rationalized the Web Performance and Media Services portfolio that bundles Advisory, Professional Services and Support to focus on value confirmation that is differentiated at each level of service.

As industry experts and trusted advisors, we can help our customers scale, meeting their needs by offering everything from break-fix support to implementation services, to maintaining and optimizing their Akamai products to assisting in addressing their specific business goals through the adoption of Akamai solutions.

The new Premium 3.0 Services and Support provides a high-touch engagement and access to aligned support professionals with extensive knowledge and understanding of all Akamai solutions. This service enables media configuration optimization through best-practices and regular validation of product value to improve viewer experience. As part of its capabilities, Premium 3.0 includes a catalog of Technical Business Assessment with tools such as Ingest Readiness, Reduced Rebuffering and Media Distribution Optimization, all this to ensure that the different aspects of media distribution are set up and configured correctly.

To learn more about professional services, please visit our website: https://www.akamai.com/us/en/services/


This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Nancy Carvajal. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/MEV-MF3Sx1M/march-2020—professional-services-and-the-media-industry.html


#cyberfraud | #cybercriminals | These Are The Most Rampant Windows And Mac Malware Threats For 2020: Here’s What That Means


Seven weeks into 2020, and we are deep into the season for cybersecurity reporting. You can expect a wide range of summaries of the threat landscape from 2019 and forecasts as to what to expect this year. As threat actors from China, Russia, Iran and North Korea continue to probe network and system security around the world, we also have the rising threat of ever more sophisticated malware hitting individuals and the companies they work for, all fuelled by the scourge of social engineering to make every malicious campaign more dangerous and more likely to hit its mark.

BlackBerry Cylance has published its “2020 Threat Report” today, February 19, and its theme is the blurring lines between state actors and the criminal networks that develop their own exploits or lease “malware as a service,” pushing threats out via email and messaging campaigns, targeting industries or territories. This year, 2020, will be seminal in the world of threat reporting and defense—IoT’s acceleration is a game changer in cyber, with the emergence of a vast array of endpoints and the adoption of faster networking and pervasive “always connected” services.

The challenge with IoT is the limited control of the security layers within those endpoints—it’s all very well having smart lightbulbs, smart toys and smart fridges. But if every connected technology you allow into your home is given your WiFi code and a connection to the internet, then it is near impossible to assure yourself of the security of those devices. Current best practice—however impractical that sounds—is to air-gap the networks in your home: trusted devices—your phones, computers and tablets, and then everything else. If one family of devices can’t see the other, then you are much better protected from malicious actors exploiting casual vulnerabilities.

I have warned on this before, and the market now needs the makers of networking equipment to develop simple one-click multiple networking options, so we can introduce the concept of a separated IoT network and core network into all our homes—something akin to the guest networks we now have but never use on our routers, but simpler, more of a default, and therefore better used.
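One way to check whether the separated IoT and core networks described above actually stay separated is to review the router's flow records. The script below is an added example, not code from the original article; it assumes a layout the article only sketches (trusted devices on one subnet, IoT devices on a second one) and uses constructed subnet addresses and flow lines. Any flow between the two subnets means one family of devices can see the other, which is exactly what the design is meant to prevent.

```python
"""Check home-network segmentation against flow records.

Added example for the separated IoT / core network idea; not code from the
original article. Subnets and flow records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed layout (not from the article): core devices on 192.168.1.0/24,
# IoT devices on a separate 192.168.20.0/24 network.
CORE_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone(addr: str) -> str:
    """Classify an address into the zone it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in CORE_NET:
        return "core"
    if ip in IOT_NET:
        return "iot"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "other-local"
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: '<src>:<sport> -> <dst>:<dport> <proto>'."""
    left, right = line.split("->")
    src, _sport = left.strip().rsplit(":", 1)
    dst_port, proto = right.strip().split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(dport), proto)


def segmentation_violations(lines):
    """Return every flow that crosses between the core and IoT zones, in either direction."""
    violations = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if {zone(flow.src), zone(flow.dst)} == {"core", "iot"}:
            violations.append(flow)
    return violations


# Constructed flow records, e.g. exported from a router's connection tracking.
SAMPLE_FLOWS = """
# smart TV talking to the internet: expected
192.168.20.14:49152 -> 93.184.216.34:443 tcp
# smart TV reaching a laptop's SMB share: segmentation failure
192.168.20.14:49153 -> 192.168.1.10:445 tcp
# laptop reaching the TV's web interface: also crosses the boundary
192.168.1.10:51000 -> 192.168.20.14:8080 tcp
# mDNS multicast from a smart plug: stays on its own segment
192.168.20.7:5353 -> 224.0.0.251:5353 udp
# smart plug probing SSH on the home server
192.168.20.7:40000 -> 192.168.1.2:22 tcp
"""

if __name__ == "__main__":
    for flow in segmentation_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{zone(flow.src)} {flow.src} -> {zone(flow.dst)} {flow.dst} "
              f"{flow.proto}/{flow.dport}")
```

Both directions are reported because the article's criterion is that neither family of devices can see the other; a household that deliberately allows core-to-IoT management traffic would relax the check to flag only IoT-originated flows.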

According to Cylance’s Eric Milam, the geopolitical climate will also “influence attacks” this year. There are two points behind this. First, mass market campaigns from state-sponsored threat actors in Iran and North Korea, from organized groups in Russia and China, and from criminal networks leveraging the same techniques, targeting individuals at “targeted scale.” And, second, as nation-states find ever more devious ways to exploit network defenses, those same tools and techniques ultimately find their way into the wider threat market.

The real threats haven’t changed much: Phishing attacks, ranging from the most basic spoofs to more sophisticated and socially engineered targeting; headline-grabbing ransomware and virus epidemics; the blurring between nation-state and criminal lines, accompanied by various flavors of government warnings. And then, of course, we have the online execution of crimes that would otherwise take place in the physical world—non-payment and non-delivery, romance scams, harassment, extortion, identity theft, all manner of financial and investment fraud.

But, we do also have a rising tide of malware. Some of that rising tide is prevalence, and some is sophistication. We also have criminal business models where malware is bought and sold or even rented on the web’s darker markets.

In the Cylance report, there is a useful summary of the “top malware threats” for Windows and Mac users. Cylance says that it compiled its most dangerous list by using an “in-house tooling framework to monitor the threat landscape for attacks across different operating systems.” Essentially that means detecting malware in the wild across the endpoints monitored by its software and systems. It’s a volume list.

For cyber-guru Ian Thornton-Trump, the real concerns for individuals and companies around the world remain Business Email Compromise, “the fastest growing and most lucrative cyber-criminal enterprise.” He also points out that doing the basics better goes a long way—“there is little if any mention of account compromises due to poor password hygiene or password reuse and the lack of identifying poorly or misconfigured cloud hosting platforms leading to some of the largest data breaches” in many of the reports now coming out.

So here are Cylance’s fifteen most rampant threats. This is their own volume-based list compiled from what their own endpoints detected. There are missing names—Trickbot, Sodinokibi/REvil, Ryuk, but they’re implied. Trickbot as a secondary Emotet payload, for example, or Cylance’s observation that “the threat actors behind Ryuk are teaming with Emotet and Trickbot groups to exfiltrate sensitive data prior to encryption and blackmail victims, with the threat of proprietary data leakage should they fail to pay the ransom in a timely manner.”

There are a lot of legacy malware variants listed—hardly a surprise, these have evolved and now act as droppers for more recent threats. We also now see multiple malware variants combine, each with a specific purpose. Ten of the malware variants target Windows and five target Macs—the day-to-day risks to Windows users remain more prevalent given the scale and variety of the user base, especially within industry.

Windows Threats

  • Emotet: This is the big one—a banking trojan that has been plaguing users in various guises since 2014. The malware has morphed from credential theft to acting as a “delivery mechanism” for other malware. The malware is viral—once it gets hold of your system, it will set about infecting your contacts with equally compelling, socially engineered subterfuges.
  • Kovter: This fileless malware targets the computer’s registry, which makes it more difficult to detect. The malware began life hiding behind spoofed warnings over illegal downloads or file sharing. Now it has joined the mass ad-fraud market, generating fraudulent clicks which quickly turn to revenue for the malware’s operators.
  • Poison Ivy: A malicious “build your own” remote access trojan toolkit, providing a client-server setup that can be tailored to enable different threat actors to compile various campaigns. The malware infects target machines for various types of espionage, data exfiltration and credential theft. Again, the malware is usually spread by emailed Microsoft Office attachments.
  • Qakbot: Another legacy malware, dating back a decade, but which has evolved with time into something more dangerous than its origins. The more recent variants are better adapted to avoiding detection and to spreading across networks from infected machines. The malware can lock user and administrator accounts, making removal more difficult.
  • Ramnit: A “parasitic virus” with “worming capabilities,” designed to infect removable storage media, aiding replication and the persistence of an attack. The malware can also infect HTML files, infecting machines where those files are opened. The malware will steal credentials and can also enable a remote system takeover.
  • Sakurel (aka Sakula and VIPER): Another remote access trojan, “typically used in targeted attacks.” The delivery mechanism is through malicious URLs, dropping code on the machine when the URL is accessed. The malware can also act as a monitor on user browsing behavior, enabling further targeted attacks as more malware is pulled onto the machine.
  • Upatre: A more niche, albeit still viable threat, according to Cylance. Infection usually results from emails which attach spoof voicemails or invoices, but Cylance warns that users can also be infected by visiting malicious websites. As is becoming much more prevalent now, this established legacy malware acts as a dropper for other threats.
  • Ursnif: This is another evolved banking trojan, which infects machines that visit malicious websites, planting code in the process. The malware can adapt web content to increase the chances of infection. The malware remains a banking trojan in the main, but also acts as a dropper and can pull screenshots and crypto wallets from infected machines.
  • Vercuse: This malware can be delivered by casual online downloads, but also through infected removable storage drives. The malware has adopted various methods of detection avoidance, including terminating processes if security tools are detected. The primary threat from this malware now is as a dropper for other threats.
  • Zegost: This malware is designed to identify useful information on infected machines and exfiltrate it back to its operators. That data can include activity logging, which includes credential theft. The malware can also be used for an offensive denial of service attack, essentially harnessing infected machines at scale to hit targets.

Mac Threats

  • CallMe: This is a legacy malware for the Mac world, opening a backdoor onto infected systems that can be exploited by its command and control server. Dropped through malicious Microsoft Office attachments, usually Word, the vulnerability has been patched for contemporary versions of MacOS and Office software. Users on those setups are protected.
  • KeRanger: One of the first ransomware families in the Mac world, the malware started life with a valid Mac Developer ID, since revoked. The malware will encrypt multiple file types and includes a process for pushing the ransom README file to the targeted user. Mitigation includes updated systems, but also offline backups, as for all ransomware defenses.
  • LaoShu: A remote access trojan that uses infected PDF files to spread its payload. The malware will look for specific file types, compressing those into an exfiltration zip file that can be pulled from the machine. As well as keeping systems updated, this malware also calls for good user training and email behavior, including avoidance of unknown attachments.
  • NetWiredRC: A favourite of the Iranian state-sponsored APT33, this malware is a remote access trojan that will operate across both Windows and Mac platforms. The malware focuses on exfiltrating “sensitive information” and credentials—the latter providing routes in for state attackers. Cylance advises administrators to block 212[.]7[.]208[.]65 in firewalls and monitor for “%home%/WIFIADAPT.app” on systems.
  • XcodeGhost: Targeting both Mac and iOS, this compiler malware is considered “the first large-scale attack on Apple’s App Store.” Again with espionage and wider attacks in mind, the malware targets, captures and pulls strategic information from an infected machine. Its infection of “secure apps” serves as a wider warning about taking care when pulling apps from relatively unknown sources.

In reality, the list itself is largely informational as mitigation is much the same: Some combination of AV tools, user training, email filtering, attachment/macro controls, perhaps some network monitoring—especially for known IP addresses. The use of accredited VPNs, avoiding public WiFi, backups. Cylance also advises Windows administrators to watch for unusual registry mods and system boot executions.
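The NetWiredRC entry above gives two concrete indicators (a C2 address and a path under the user's home directory), and the summary paragraph recommends watching for known IP addresses. The script below is an added example of putting those two indicators to work; it is not Cylance's tooling or the article's own code. The address and the path come from the article; the firewall log lines, home directories and file paths are constructed. The registry and boot-execution checks the paragraph also mentions are outside what this example covers.

```python
"""Hunt for the NetWiredRC indicators quoted in the article.

Added example, not Cylance's tooling or the article's code. The C2 address and
the WIFIADAPT.app path are the article's indicators; all sample data is
constructed.
"""
import re
from pathlib import PurePosixPath

# Indicators from the article (the IP appears there defanged as 212[.]7[.]208[.]65).
C2_ADDRESS = "212.7.208.65"
SUSPECT_APP_NAME = "WIFIADAPT.app"

# Whole-token IPv4 match, so 212.7.208.650 is not mistaken for the C2 address.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged IoC like 212[.]7[.]208[.]65 into a usable address."""
    return indicator.replace("[.]", ".")


def c2_hits(log_lines, c2=C2_ADDRESS):
    """Return (line_no, line) for each log line in which the C2 address appears as a whole IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if c2 in IP_RE.findall(line):
            hits.append((n, line.rstrip()))
    return hits


def suspect_app_paths(paths, home_dirs):
    """Flag WIFIADAPT.app sitting directly under any of the given home directories.

    The comparison is case-insensitive because the default macOS volume format
    is case-insensitive, so the bundle name may be recorded in any case.
    """
    homes = {PurePosixPath(h) for h in home_dirs}
    flagged = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.name.lower() == SUSPECT_APP_NAME.lower() and pp.parent in homes:
            flagged.append(p)
    return flagged


# Constructed firewall log lines (format is illustrative).
SAMPLE_FW_LOG = [
    "2020-02-19T10:01:02Z ALLOW 192.168.1.23:51234 -> 93.184.216.34:443 tcp",
    "2020-02-19T10:01:09Z ALLOW 192.168.1.23:51235 -> 212.7.208.65:443 tcp",
    "2020-02-19T10:02:41Z ALLOW 192.168.1.41:51300 -> 212.7.208.650:80 tcp",
    "2020-02-19T10:03:00Z DENY  212.7.208.65:4444 -> 192.168.1.23:4444 tcp",
]

# Constructed home directories and a constructed filesystem listing.
SAMPLE_HOMES = ["/Users/alice", "/Users/bob"]
SAMPLE_PATHS = [
    "/Users/alice/Applications/Slack.app",
    "/Users/alice/WIFIADAPT.app",
    "/Applications/WIFIADAPT.app",
    "/Users/bob/Downloads/wifiadapt.app",
    "/Users/bob/wifiadapt.app",
]

if __name__ == "__main__":
    for n, line in c2_hits(SAMPLE_FW_LOG):
        print(f"C2 contact in log line {n}: {line}")
    for p in suspect_app_paths(SAMPLE_PATHS, SAMPLE_HOMES):
        print(f"suspect bundle: {p}")
```

Matching the address as a whole token rather than with a substring search avoids false positives on addresses that merely start with the same digits, and restricting the path check to the home directory itself mirrors the article's “%home%/WIFIADAPT.app” wording; a broader hunt would look under every directory and add the registry and startup-item checks the summary recommends.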

Thornton-Trump warns that we need constant reminding that cyber security is about “people, process and technology.” Looking just at the technology side inevitably gives a skewed view. For him, any vendor reports inevitably “overstate the case for anti-malware defences in contrast to upgrade and improvement of other defensive mechanisms, including awareness training and vulnerability management.”

And so, ultimately, user training and keeping everything updated resolve a material proportion of these threats, along with some basic precautions around backups and the use of cloud or detached storage to provide some redundancy. Common sense, inevitably, also features highly—whatever platform you may be using.


#cybersecurity | #hackerspace | Top 3 Trends at Shmoocon 2020


On January 31, 2020, Shmoocon held their annual conference in Washington D.C. Each year, the event offers a glimpse into the upcoming trends of the year, defined by the needs of the federal industry. Outlined below are the top three trends observed by our ForAllSecure engineers.

Shmoocon is becoming more than just a Federal meetup.

Due to its close proximity to government HQs, Shmoocon is known as a conference popular with the Federal audience. This year, audience dynamics shifted and brought together a wider range of attendees across all industries. This may be an indicator that many government cybersecurity pain points are universal. Historically, Federal challenges and needs have been considered unique, often standing alone in their own market category.

Commonalities in cybersecurity pain points don’t come as a surprise for ForAllSecure. Having partnered with the Defense Innovation Unit, also known as DIU, Mayhem has an intimate understanding of the DoD’s appsec challenges. We’ve also learned that their needs are transferable and relevant to commercial industries, such as aerospace, automotive, critical infrastructure, and more. Read more about our learnings here: Top 5 Takeaways From The “ForAllSecure Makes Software Security Autonomous” Livestream

The crowd is loving mini-CTFs.

On top of the classic Capture the Packet and Hack Fortress competitions held annually at Shmoocon, there were smaller challenges at most vendor booths. Attendees were encouraged to solve security challenges to win attractive prizes, ranging from exploitation prizes to simply playing Smash Bros. with their security-passionate comrades. It’s a great place to get your hands dirty while exploring the con.

We love this trend! It also highlights the need to provide a community where security professionals can exchange ideas, challenge each other, and enjoy each other’s company. That’s one of the reasons why we decided to host the industry’s first FuzzCon in SF on February 25, 2020. Join us to meet fuzzing experts and connect with other passionate fuzzing enthusiasts. Register here!

Don’t know what fuzzing is? Here’s a quick read for your reference: What is Next-Generation Fuzzing

Yet again, Shmoocon delivers a rich range of topics.

Shmoocon is known for high-quality, in-depth talks on various cybersecurity topics. This year, there were various speaking sessions on cybersecurity policies and technologies. The 5G and fuzzing sessions were recognized as some of the best talks of the con.

5G has been highly anticipated. To meet consumer expectations, telecommunications companies have opted to host 5G Hackathons, where fuzzing was a common technique in several teams’ toolbags.

Among the fuzzing sessions was a talk from our very own Mark Griffin, ForAllSecure Engineer, on, “Knowing the Unfuzzed and Finding Bugs with Coverage Analysis.” Missed it? You can still catch it in April 2020 on the ForAllSecure BrightTalk channel. Stay tuned!

Are there any other big show takeaways that we missed? Let us know on Twitter.



#cybersecurity | #hackerspace | 10 Must-See Talks to Attend at RSA Conference 2020


RSA Conference USA is one of the most anticipated digital security events of the year. Last year, its 31 keynote presentations, more than 621 speaker sessions and 700 presenting companies on the exposition floor attracted over 42,000 attendees. Given such popularity, how could the State of Security not include this event in its list of the top information security conferences for 2020?

This year’s iteration of RSA Conference USA promises to be exciting (and potentially meditative, should you so choose). To help attendees get the most out of the event, we at the State of Security have assembled some of the most exciting talks listed on the schedule. Here are 10 in particular that are worth mentioning.

Speaker: Rohit Ghai | President of RSA

Location: Moscone West

Date and Time: February 25, 2020 8:10AM – 8:30AM

It’s our stories that make us human. All of us love a memorable narrative, and we often exaggerate characters and fudge reality to fit the narrative.

In the mind of RSA President Rohit Ghai, the cybersecurity industry has an incomplete and overly simplified view of the characters in our story: the human element. That’s why Ghai will use his time in this speaker session to review the facts and set the story straight. After all, we are only as great as the story we leave behind.

Speaker: Dr. Jessica Barker | Co-Founder and Co-Chief Executive Officer of Cygenta

Location: Moscone South

Date and Time: February 25, 2020 11:00AM – 11:50AM

For too long, the cybersecurity industry has attempted to use FUD to engage with the human element. In this engaging talk, Cygenta co-CEO Dr. Jessica Barker will draw on extensive (Read more…)


#hacking | Black Hat Asia 2020 postponed due to coronavirus epidemic


Security conference was due to open its doors in Singapore next month

The upcoming Black Hat Asia security conference has been postponed due to ongoing concerns surrounding the latest coronavirus outbreak, event organizer Informa has confirmed.

“After careful consideration of the health and safety of our attendees and partners, we have made the difficult decision to postpone Black Hat Asia 2020 due to the coronavirus outbreak,” read an announcement, issued via the official Black Hat Events Twitter account.

Black Hat Asia was due to take place at the Marina Bay Sands in Singapore from March 31 to April 3.

The Asian edition, one of three Black Hat security conferences that take place around the world each year, celebrated its 10th anniversary in 2019, with infosec luminary Mikko Hyppönen delivering the keynote.

Security expert Mikko Hyppönen delivering the keynote at Black Hat Asia last year

With its origins being traced to Wuhan, China, the coronavirus outbreak in question refers specifically to the novel strain of pathogen now known as COVID-19.

According to a situation report (PDF) from the World Health Organization yesterday (February 13), there have been nearly 47,000 confirmed cases of infection globally, with more than 1,300 deaths.

News of the Black Hat Asia postponement follows a similar announcement earlier this week that Mobile World Congress 2020 would not go ahead in Barcelona this month due to concerns surrounding the virus.

DEF CON China, a hacking event that was slated to take place in Beijing in April, was also postponed last month due to concerns surrounding COVID-19.

“Our sympathies are with those affected during this difficult time,” an announcement on the Black Hat Events website read.

“Please know we are planning to host Black Hat Asia 2020 in the fall this year. We hope you are able to join us and will provide an update with the new event dates as soon as possible.”

The announcement as it appears on the Black Hat Asia website



Microsoft Patch Tuesday, February 2020 Edition — Krebs on Security


Microsoft today released updates to plug nearly 100 security holes in various versions of its Windows operating system and related software, including a zero-day vulnerability in Internet Explorer (IE) that is actively being exploited. Also, Adobe has issued a bevy of security updates for its various products, including Flash Player and Adobe Reader/Acrobat.

A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned as CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

Another flaw fixed this month in Microsoft Exchange 2010 through 2019 may merit special attention. The bug could allow attackers to exploit the Exchange Server and execute arbitrary code just by sending a specially crafted email. This vulnerability (CVE-2020-0688) is rated “important” rather than “critical,” but Liska says it seems potentially dangerous, as Microsoft identifies this as a vulnerability that is likely to be exploited.

In addition, Redmond addressed a critical issue (CVE-2020-0618) in the way Microsoft SQL Server versions 2012-2016 handle page requests.

After a several-month respite from patches for its Flash Player browser plug-in, Adobe has once again blessed us with a security update for this program (fixes one critical flaw). Thankfully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year.

Other Adobe products for which the company shipped updates today include Experience Manager, Digital Editions, Framemaker and Acrobat/Reader (17 flaws). Security experts at Qualys note that on January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.

“While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed,” said Qualys’s Jimmy Graham.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

If you rely on Windows 7 for day-to-day use, it’s probably time to think about upgrading to something newer. That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer.

If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer (Ubuntu may be easiest for non-Linux natives). Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a close eye on buggy Microsoft updates each month.

Tags: Alan Liska, CVE-2019-1280, CVE-2020-0618, CVE-2020-0674, CVE-2020-0688, Jimmy Graham, Microsoft Patch Tuesday February 2020, Qualys, Recorded Future
