www.secnews.physaphae.fr

This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-04-29T20:43:06+00:00

Source: AlienVault Blog - AlienVault is a major defense actor in IOCs

Things I Hearted this Week, 19th October 2018

Joint report on publicly available hacking tools | NCSC

The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre.

Targeting Crypto Currencies

It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on the Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.

Targeted attacks on crypto exchanges resulted in a loss of $882 million | HelpNet Security

Twitter Publishes Data on Iranian and Russian Troll Farms

In an attempt to be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset, which includes attempted manipulation such as malicious automated accounts and spam. In other words, it's attempting to out Iranian and Russian troll farms.

Twitter's focus is on a healthy public conversation | Twitter

In light of this, it's also worth revisiting this article by Mustafa Al-Bassam, in which he researched UK intelligence doing the same thing targeting civilians in Iran.
British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents | Motherboard

Equifax Engineer Sentenced

An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out that the web portal he was building was for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop.

Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading | ZDNet

Mind the Skills Gap

(ISC)2 has released its 2018 global cyber security workforce study, and it looks like the cyber security skills gap has widened to 3 million. It's worth bearing in mind that estimating the skills gap isn't an eas

Published 2018-10-19T13:00:00+00:00 | https://feeds.feedblitz.com/~/575579772/0/alienvault-blogs~Things-I-Hearted-this-Week-th-October | www.secnews.physaphae.fr/article.php?IdArticle=854987

Source: AlienVault Blog

Detecting Empire with USM Anywhere

Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can:

- Deploy fileless agents to perform command and control.
- Exploit vulnerabilities to escalate privileges.
- Install itself for persistence.
- Steal user credentials.

It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent. Empire's features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.

Staging

Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after PowerShell is invoked with an encoded payload.
Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert 'Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command'. This alert detects most Empire stagers on Windows when they use PowerShell to execute an encoded command. If enabled, the Windows Antimalware Scan Interface should also block the PowerShell command. The 'Malware Infection - Windows Defender Malware Detected' alert shows the information needed to locate the malicious file.

An alternative for an attacker is to craft an Office document with a macro, which executes the agent command by spawning a Windows process through the WMI service:

    ' Connect to the local WMI namespace
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    ' Build a process startup configuration with a hidden window
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = 0
    ' Create the process via Win32_Process; str holds the agent command (not shown in the article)
    Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, the Windows Management Instrumentation command creates a new process. USM listens to Windows events to detect the WMIC call, which is commonly used in lateral movement scenarios. The 'Lateral Movement - Remote WMIC Activity' alert is raised, displaying the malicious PowerShell command.

Another way for an attacker to implant the Empire agent on a victim's machine is to create an HTML Application using the Empire module windows/hta. On a system with a weak security configuration, a simple spear phishing mail with a link to the crafted HTML application is enough to get the agent running.
For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow.

Published 2018-10-18T18:13:00+00:00 | https://feeds.feedblitz.com/~/575429648/0/alienvault-blogs~Detecting-Empire-with-USM-Anywhere | www.secnews.physaphae.fr/article.php?IdArticle=854010

Source: AlienVault Blog

Best Cloud Tech Jokes and Memes

contest in Spiceworks recently, asking folks for their best cloud tech jokes. Here are some of the funniest ones:

Those SpiceHeads sure have great senses of humor, of a highly techie variety!

Published 2018-10-17T13:00:00+00:00 | https://feeds.feedblitz.com/~/575202012/0/alienvault-blogs~Best-Cloud-Tech-Jokes-and-Memes | www.secnews.physaphae.fr/article.php?IdArticle=851733

Source: AlienVault Blog

AT&T Business Summit 2018 - First Impressions and Recap

@gwenstefani, too! Check out those dance moves. #ATTBizSummit @ATTBusiness pic.twitter.com/MX5ntUsrj2
— Sarita Rao (@saritasayso) September 27, 2018

There was a lot of other embedded technology on display, like portable medical devices, which can be operated by anyone to provide details to a doctor. Or IoT technology embedded within trucks that can send a whole host of data to allow effective fleet management. Some of the broad themes from the technology on display, and from what was discussed on stage, were IoT and smart cities, 5G, and software-defining of most things.

Day 1 Video Recap

Hitting High Notes with the Keynotes

Showcasing technology aside, conferences can be defined by the quality of speakers and talks that are given. AT&T Business did not disappoint, with some great discussions and presentations by the likes of Malcolm Gladwell, Anderson Cooper, Thaddeus Arroyo, Barmak Meftah, Queen Latifah, Reese Witherspoon, and Tony Blair, to name a few.
Power panel - Anderson Cooper, Doug Parker, Meg Whitman, Thaddeus Arroyo...Disruption is Coming for EVERYONE! #ATTBizSummit #transformation pic.twitter.com/SM9lu0xxkG
— Anne Chow (@TheAnneChow) November 1, 2017

“Security isn’t a technology problem. We need to view security as a business problem” Barmak Meftah, President AT&T Cybersecurity Solutions & CEO @alienvault #AttBizSummit @ATTBusiness pic.twitter.com/8IwA6QFQ3g
— Susan Torrey (@smtorrey) September 26, 2018

Published 2018-10-16T13:00:00+00:00 | https://feeds.feedblitz.com/~/575033076/0/alienvault-blogs~ATampT-Business-Summit-First-Impressions-and-Recap | www.secnews.physaphae.fr/article.php?IdArticle=849999

Source: AlienVault Blog

Security Travel Tips

In honor of NCSAM, we decided to ask the Twitter community for security travel tips, to help us be safer when travelling. Here's the original Tweet:

Want some AlienVault swag? Send us your top tip for #security while traveling by October 8 for potential inclusion in an upcoming blog. Of the tips we include in the blog, we’ll randomly select 3 people to win an AlienVault swag bag! #securityawareness @J4vv4D @securitybrew pic.twitter.com/1XvzKnMbMv
— AlienVault, an AT&T company (@alienvault) October 3, 2018

We got some neat answers.

1. Use a screen protector on an airplane or while working in public 2. Buy Freeze Fraud bags to store your laptop in while out of your hotel room. Tamper evident bags give you peace of mind your hardware hasn't been tampered with.
— Jake Williams (@MalwareJake) October 4, 2018

For the love of everything confidential: privacy screens for phone, tablet, phablet, laptop, etc! Flights to DC make for the best shoulder surfing!
— Glenn (@NTKramer) October 4, 2018

Know your threat model. Not everyone needs a burner phone, burner laptop, and 7 proxies. Know the trust boundaries, and mitigate the issues that make sense for you.
— Willa (@willasaywhat) October 4, 2018

Don't do work. Your work existed before you and won't end cuz you disappeared for a week or less. Smart companies and CEOs always have backup for critical employees. No matter how secure you can try to be... if you are targeted they will get you while you are traveling.
— 9656B73F0889AC044EB47F452C059A6C (@SGFja2Vy) October 4, 2018

Avoid being an obvious target by studying the area well enough to not need a map upon arrival. Carry the bare minimum hardware & files - if a device is lost/stolen/dam

Published 2018-10-15T13:00:00+00:00 | https://feeds.feedblitz.com/~/574863626/0/alienvault-blogs~Security-Travel-Tips | www.secnews.physaphae.fr/article.php?IdArticle=848077

Source: AlienVault Blog

Things I Hearted this Week, 12th October 2018

When is a vulnerability not a vulnerability? | Medium, Tanya Janca

An Analysis of CVE-2018-0824

While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out of bug bounty programs is the writeups that sometimes follow, which detail the thought process and the steps taken. Similarly, it’s always insightful to see when security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works.

Marshalling to SYSTEM - An analysis of CVE-2018-0824 | Code White Sec

Visualising Your Threat Models

Do you struggle finding the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match those of Michael, where the app had to:

- Support DFD and attack trees
- Be enjoyable and easy to use
- Be free and cross platform
- Not be web or ‘cloud’ based

Draw.IO for threat modeling | Michael Riksen

Brutal Blogging: Go for the Jugular

Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love?
Well, fear not, because Kate Brew brings you all these answers and more in her great DerbyCon 2018 talk.

Brutal blogging: Go for the jugular | Youtube

Blockchain Eating its Greens?

Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019.

Walmart Requires Lettuce, Spinach Suppliers to Join Blockchain | Wall Street Journal

Do you Know What You’re Building?

Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere.

Tech Workers Now Want to Know: What Are We Building This For? | The New York Times

Why Logic Errors Are So Hard to Catch

The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as

Published 2018-10-12T13:00:00+00:00 | https://feeds.feedblitz.com/~/574413662/0/alienvault-blogs~Things-I-Hearted-this-Week-th-October | www.secnews.physaphae.fr/article.php?IdArticle=844001

Source: AlienVault Blog

AlienVault Product Roundup – the Latest Updates!

AlienVault Product Forum. Here are the highlights from our September releases.

Enhancements to the AlienVault Agent!
Coming off the successful introduction of the USM Anywhere EDR functionality enabled by the AlienVault Agent, we are excited to announce more improvements to the Agent. The feedback from our users on the Agent has been great thus far, and in September we added more filtering capabilities, designed to give users more control over what types of data the agent is collecting. You can now apply regular filtering rules to Agent events, giving you the flexibility you need over what data you collect. We will continue to add feature enhancements to the Agent in the coming months.

The USM Anywhere API is here!

Following up on our API release in USM Central, which has been very popular with our MSSPs, we are happy to announce the introduction of the API in USM Anywhere. Available for Standard and Premium Edition customers of USM Anywhere, you can now extract alarms and events from USM Anywhere to help you with independent workflows. This is the first major step towards a full set of API functionality being built out in USM Anywhere.

Enhancements to the AlienApp for ConnectWise

Building on its initial release, the AlienApp for ConnectWise now works with on-premises deployments of ConnectWise Manage. Service management teams that use on-premises deployments of ConnectWise Manage can now leverage automated service ticket creation from USM Anywhere for alarms and vulnerabilities, as well as the synchronization of asset information.

Defects and Optimizing the UX

In addition to these new capabilities, the team has rolled out enhancements to the user interface and has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details.

USM Central Highlights

Following on the introduction of the API in August, we are pleased to announce the availability of additional API endpoints that allow customers and partners to retrieve vulnerabilities, deployment information, and configuration issues for connected USM Anywhere instances.
This continues the build-out of the USM Central API, so stay tuned as we continue to add more API endpoints in the coming months.

Threat Intelligence Highlights

It’s been a typically active month for the AlienVault Labs Security Research team, curating the threat intelligence for USM as well as writing content on new & emerging threats. As a reminder, USM receives continuously updated correlation rules and endpoint

Published 2018-10-11T13:00:00+00:00 | https://feeds.feedblitz.com/~/574199792/0/alienvault-blogs~AlienVault-Product-Roundup-%e2%80%93-the-Latest-Updates | www.secnews.physaphae.fr/article.php?IdArticle=842177

Source: AlienVault Blog

Time to Cover your Selfie Camera

“Cringeworthy: A Theory of Awkwardness”, which examines exactly what the title describes: awkward situations and how to deal with them. I love reading non-fiction books that are not InfoSec related. There is so much to learn out there about so many topics. Sometimes, however, I am led back to my InfoSec passion (or, perhaps, it’s an illness).

In the book, author Melissa Dahl mentions two companies that are working on some fascinating software that can read human emotions via facial expressions. This is a compelling development in technology, reaching beyond facial recognition. Facial recognition, you may recall, has had some of its own challenges to overcome.

Of course, emotional recognition software would not be useful for authentication, as there are only seven emotions. To review, they are happiness, sadness, fear, anger, surprise, contempt, and disgust. As you read this, are your inner InfoSec senses perking up? They should be.

Part of the way that emotions can be identified is through micro expressions. Micro expressions are subtle changes in a face, but they happen so fast that it requires specialized training for the human eye to detect them.
Those trained in micro expression recognition can detect, along with the seven emotions, other traits, such as a person’s level of deception. While there are not many folks trained in micro expression recognition, a computer may be programmed to respond with alarming accuracy and speed. Rather than thinking that computerized emotion recognition could be used in a court of law (probably inadmissible as evidence, much like a polygraph), or during an interrogation (also of questionable usefulness), think of the economics of the technology.

One way in which this new technology may be used is to gauge a person’s response when viewing something on the screen. Using this technology, an advertiser could change what is presented based on the person’s response. You seemed to retreat a bit when you were shown the large automobile? Let’s pop up an advertisement for the fuel-efficient hybrid. You enjoyed the flowers that popped up on your birthday? Let’s pop some chocolate onto the screen with a savings coupon.

The privacy concerns of such a technology have led me to place a piece of electrical tape over the front-facing camera on my phone. I was never a big selfie person to begin with, and this technology is certainly enough to cure me of any urge to have that camera exposed. Remember, the camera and microphone on your electronic devices are software controlled, so unless you carefully examined that end user license agreement, you may have already given camera control over to one of your applications.
Like many others, I have had my

Published 2018-10-10T13:00:00+00:00 | https://feeds.feedblitz.com/~/573954416/0/alienvault-blogs~Time-to-Cover-your-Selfie-Camera | www.secnews.physaphae.fr/article.php?IdArticle=840464

Source: AlienVault Blog

5 Steps to Maximize Your Financial Data Protection

A series of high-profile data breaches in 2017 made it clear that it's becoming more difficult to protect your and your customers' sensitive information from nefarious agents. As businesses expand, they develop and implement security policies that help protect their sensitive information from outsiders. Still, business growth means more computers, more laptops and more mobile phones, and more network endpoints means more security vulnerabilities and more opportunities for a small oversight to turn into a major data breach.

Financial data breaches can spell disaster, especially for small businesses that have fewer resources to allocate toward proactive security measures and fraud prevention. To help out, we've outlined five steps that you can take to maximize your financial data protection in 2018.

Take Inventory of Your Sensitive Financial Data

The first step to effective financial data protection is to identify the data that is most important to protect. Your full assessment should answer the following questions:

- What data do I need to secure?
- What computers, servers, laptops, networks, or other devices is the information stored on?
- What devices can be used to access the data?
- What roles/titles will have permission to view the data?

The best way to start enhancing data security is by restricting access. Isolate or segregate the data onto the fewest number of devices possible, and make it accessible to the fewest number of people. Conduct thorough background checks and ask for references when hiring employees that will come into contact with financial data.
Implement Effective Password Controls

Passwords are an important security measure used to prevent unauthorized users from accessing company laptops, e-mail accounts and other resources that could contain sensitive financial information. Password controls are a set of imposed guidelines for how your staff should set up the passwords that they use to access your sensitive data. Typical password controls include:

- Ensuring that passwords are long enough and that they contain a mixture of upper and lower-case letters, numbers and symbols. As passwords get longer, they become exponentially harder to crack by brute force. Hackers use all kinds of tricks to try and guess passwords: writing software that guesses dictionary words or combinations of words from the dictionary, or that guesses birth dates formatted in different ways. Passwords should be 10-12 characters long.
- Ensuring that passwords are changed on a regular basis, at least every 90 days for passwords used to access sensitive financial data.
- Ensuring that each individual user is assigned one username and password, and that login credentials are never shared.

Protect Your Network with a Firewall

Companies storing and transmitting financial data on an internal network should implement a firewall. A firewall is a hardware or software security device that monitors all incoming and outgoing network traffic and uses predefined security rules to determine whether it should be allowed or blocked. Firewalls establish a barrier between your trusted internal network and unauthorized external actors that might try to access or attack it. You may want to hire a cyber security expert who can help customize your firewall to your unique circumstances and advise you on how to address other potential network security threats.
Look Out for Phishing Scams

Sometimes, fraudsters don't have to gain access to your systems using technological means to attack your company financiall

Published 2018-10-09T13:00:00+00:00 | https://feeds.feedblitz.com/~/573744614/0/alienvault-blogs~Steps-to-Maximize-Your-Financial-Data-Protection | www.secnews.physaphae.fr/article.php?IdArticle=838584

Source: AlienVault Blog

Delivery (Key)Boy

first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy sector.

Malware Delivery through Open Source Exploit Kits

KeyBoy sent the following email to India's Ambassador to Ethiopia from an email address at nic[.]in, India's National Informatics Centre.

The file f43f60b62002d0700ccbcbd9334520b6

The attached malicious document downloads and executes a script that installs the final payload. This script contains text (e.g. “”) which matches a pre-packed version of the popular CVE-2017-0199 exploit available on GitHub.

We’ve seen other malicious documents where KeyBoy has tested another exploit generator. In that case KeyBoy didn’t change the default settings, so the document metadata provides some obvious hints that the document is malicious.

Delivered Malware

The next stage in these attacks is typically a malware family known as TSSL. This malware was originally identified by PwC and more recently described by Trend Micro and CitizenLab. Most samples are built on the attacker's machine fr

Published 2018-10-08T17:09:00+00:00 | https://feeds.feedblitz.com/~/573602564/0/alienvault-blogs~Delivery-KeyBoy | www.secnews.physaphae.fr/article.php?IdArticle=837210

Source: AlienVault Blog

AlienVault at SpiceWorld 2018 this Week!

SpiceWorld is taking place next week in Austin, TX!
For those unfamiliar, the event is Spiceworks' yearly conference for IT pros and bacon lovers. The AlienVault team is ready to meet and greet their favorite SpiceHeads, new and old, at the Austin Convention Center, October 8th-10th! The conference features educational IT sessions, networking opportunities and a two-day expo with a welcome reception on Monday evening, packed with exhibitors showcasing the latest in information technology solutions!

Visit us at Booth #10!

Visit booth #10, located near the middle of the expo hall floor! Back by popular demand, we’re bringing back the SpiceHeads’ favorite Alien swag this year – flashy green sunglasses and yummy cosmic slushies! We are also participating in the Passport to Prizes program again, so be sure to stop by the booth to get a stamp, meet the AlienVault team and learn about the AlienVault Threat Alerts in Spiceworks, which is a free tool! Learn how to quickly identify and respond to potential threats in your environment with threat alerts, and take a deeper dive with a demo of our USM Anywhere product. It’s the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform.

Attend "Realities of the Digital Transformation: How to Address the Threats We Face Today”

Join Jaime Blasco, VP and Chief Scientist of AlienVault, an AT&T Company, Todd Waskelis, AVP, AT&T Security Solutions, and Spiceworks (moderator) on Tuesday, October 9th from 2:15pm-3:15pm in 17AB for this informative session.

We’re looking forward to seeing you all in Austin!
Published 2018-10-08T13:00:00+00:00 | https://feeds.feedblitz.com/~/573553260/0/alienvault-blogs~AlienVault-at-SpiceWorld-this-Week | www.secnews.physaphae.fr/article.php?IdArticle=836717

Source: AlienVault Blog

Things I Hearted this Week: 5th Oct 2018

detailed post on his experience, while I made a couple of videos charting my time. But enough of that, let's see what went down in the world of security over these last few days.

Facebook breach

One of the biggest stories in these past few days must be the Facebook breach. The company issued a security update on September 28th which led with the facts:

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

At this stage, there are probably more questions than answers, and it’s likely this is one story that will play out for a long time.

The ultimate fallout from the Facebook data breach could be massive | Help Net Security
Facebook faces $1.6 billion fine as top EU regulator officially opens probe into data breach | CNBC
What we still don’t know about the Facebook breach | The Verge
The Facebook security meltdown exposes way more sites than Facebook | Wired

Local file inclusion at IKEA.com

Flatpack vulnerabilities now available in this great writeup by Jonathan Bouman.

Local file inclusion at IKEA | Medium / Jonathan Bouman

Out of office notices for OSINT

A nice reminder by Stuart Coulson on the perils of out of office notifications, and how they can divulge a lot more than you’d want to anyone.

Out Of Office notices for OSINT | HiddenText

While you’re on the HiddenText site, check out Seven types of cyber criminals: 2018 version.

Put ads down your Pi-Hole

Nobody really likes ads when they’re browsing online.
So, they sometimes revert to using adblockers. But there are some issues with those as well. Surely, in an industry full of clever tech people, hackers, and tinkerers, there is a better way - enter Pi-hole. Self-described as a black hole for internet ads, it is basically a mini DNS server you run on a Raspberry Pi in your local network, through which your traffic goes and which then blacklists any malicious domains. Both

Published 2018-10-05T13:00:00+00:00 | https://feeds.feedblitz.com/~/572972594/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Oct | www.secnews.physaphae.fr/article.php?IdArticle=831638

Source: AlienVault Blog

Top Five MITRE ATT&CK Framework Use Cases

What is the MITRE ATT&CK?

The MITRE ATT&CK framework is abuzz in the cybersecurity industry lately, and its utility has a lot of professionals excited. The ATT&CK framework's predecessor was the Cyber Kill Chain developed by Lockheed-Martin in 2011. ATT&CK incorporates what MITRE calls Tactics and Techniques to describe adversarial actions and behaviors. Techniques are specific actions an attacker might take, and tactics are phases of attacker behavior.

At Threatcare, we’ve watched the steady adoption of the ATT&CK framework over the years. We’ve also seen innovative cybersecurity professionals use the framework in ways that have surprised the MITRE team. ATT&CK incorporates the 11 Tactics listed below, and each Tactic has numerous Techniques.

MITRE ATT&CK Tactics:

- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control

Top Five Use Cases (in no particular order)

- Red Team

There have been several attempts to standardize Red Team tactics and techniques over the years. The ATT&CK framework doesn’t address everything a red team should do, but it is a major step in the right direction.
The framework has standardized the terminology used among Red Teamers, helping make Red Teams more effective, especially across large organizations. Red teams also have the ability to carry out real-world scenarios using ATT&CK as a guide, making both training and operations more effective.

- Blue Team

On the defense side of the house, the ATT&CK framework helps Blue Teams better understand what attackers are doing in a concise, comprehensive way. This allows them to better determine what mitigations to put in place on the network. And, as with Red Teams, ATT&CK can act as a standardized method for training.

- Vendor Bake-Offs

Until recently, there wasn’t a standardized way to evaluate security products. Now, with ATT&CK, organizations can test security products in a structured, methodical way. Additionally, certain products are aligned to the ATT&CK Tactics, giving organizations visibility into potential overspending on products that have the same basic functionality. For instance, DLP should prevent Exfiltration Tactics, and Proxies should prevent Delivery Tactics. But do they successfully do this? And which vendor does it better?

- Breach and Attack Simulation (BAS)

If you’re not familiar with BAS, check out a primer on it here. Although BAS is a new category of cybersecurity tools, the ATT&CK framework has validated its need. Similar to the vendor bake-offs mentioned above, MITRE ATT&CK can help your organization determine which BAS tool to implement. At Threatcare, we’ve built ATT&CK Tactics and Techniques into our products and have been working closely with their team to ensure alignment. Learn more about Threatcare here.

- Remediation of Security Gaps

Given all of the above information, it should come as no surprise that your organization can build a solid understanding of how it can detect and defend its networks by comprehensively testing against the ATT&CK Tactics and Techniques.
More insight into attacker behavior means better remediation of gaps and operational capabilities.

Conclus

Published 2018-10-04T15:20:00+00:00 | https://feeds.feedblitz.com/~/572813250/0/alienvault-blogs~Top-Five-MITRE-ATTampCK-Framework-Use-Cases | www.secnews.physaphae.fr/article.php?IdArticle=830616

Source: AlienVault Blog

AlienVault Agent Now Has Improved Filtering Capabilities

publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, AlienVault’s unified solution for complete threat detection, response, and compliance. With EDR built into USM Anywhere, users can centralize security monitoring of their endpoint and network activities across cloud and on-premises environments, without the need to deploy, integrate, and manage a separate solution. The platform automatically correlates security events from across their IT infrastructure using continuous threat intelligence from the AlienVault Labs Security Research Team, helping security teams quickly detect, prioritize, and respond to threats.

Customers have been excited to use the new capabilities, which are enabled by the AlienVault Agent, a lightweight endpoint agent based on osquery that performs continuous endpoint monitoring as part of the unified platform. Amidst the positive feedback for the Agent, we’ve also asked customers to share the most important ways we can continue to improve its functionality. More granular control over the data the Agent collects has been the most requested enhancement.

Today, we’re pleased to deliver the ability to filter events from the AlienVault Agent for added control over your data consumption. Now, you can create a filtering rule directly from any agent-based event in USM Anywhere, making it fast and easy to customize the data you collect.

Filtering rules aren’t the only way to regulate your data consumption with the AlienVault Agent.
When you deploy the Agent, you immediately leverage the expertise of the AlienVault Labs Security Research Team to manage your data usage with the “optimized” configuration profile, which is selected by default. The Labs Team designed this configuration profile to collect only the security-relevant data from your endpoints, enabling you to get up and running quickly without consuming more data than you need. Alternatively, you can choose to collect additional endpoint data, including syslog events, by switching to the “full” profile. With either configuration profile, you can add filtering rules for additional control over the type of data the agent collects. Deploying the AlienVault Agent extends USM Anywhere’s powerful threat detection and response capabilities to the endpoint, enabling you to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints. Continuous threat intelligence from the AlienVault Labs Security Research Team ensures the AlienVault Agent’s queries are always up to date to detect the latest threats. Unlike point security solutions, USM Anywhere combines multiple security capabilities into a unified cloud platform, including EDR, SIEM, IDS, vulnerability assessment, and more, giving you the essential security capabilities you need in a single pane of glass, drastically reducing cost and complexity. Learn more about the AlienVault Agent and the new EDR capabilities in USM Anywhere:
Try it out (and create your own filtering rule!)
in our interactive demo experience
Read the EDR solution brief
See a real-world example of malware

2018-10-03T13:00:00+00:00 | http://feeds.feedblitz.com/~/572606270/0/alienvault-blogs~AlienVault-Agent-Now-Has-Improved-Filtering-Capabilities | www.secnews.physaphae.fr/article.php?IdArticle=829946

Observability and Visibility in DevSecOps

AllDayDevOps coming up October 17 - here's an on-topic blog.

Automation is Your Friend
Companies often turn to software as a solution when they need to solve a problem, whether it’s to automate or enhance a task, or to gain valuable information in an easily consumable fashion. The same is true for security teams on both sides of the red and blue line. Security professionals build tools to automate exploitation, detect attacks, or process large amounts of data into a usable form. By allowing staff members to understand how these software solutions behave in live environments, security teams can avoid common pitfalls. They can also increase the value that they receive from these tools overall. When discussing software design, the word “visibility” gets tossed around a lot. People may use the word to describe the benefits provided by the software. They may use it to describe a quality of the software’s operation. They may even use it to describe how easy it is to gain an understanding of how the software was designed (i.e. open source).
This has led me to believe that when we are talking about visibility, we are really talking about three specific concepts that form this bigger idea:
Insight - the valuable data received due to the software’s function
Transparency - being able to see how software is designed to function
Observability - the ability to view the actual actions software takes and its performance while taking those actions
For consumers of software, insight is the big focus, mostly because it is perceived as relating directly to value. As the role of security teams evolves, both offensive and defensive, these teams have realized that they can't just be consumers. Security teams need to be builders, maintainers, and providers. Security processes, procedures, and software need to be consumable by the greater organization. While good insight and consumable data are a requisite for quality software, what increases buy-in, improves impact in the org, and ultimately makes security software successful are the observability and transparency aspects.

Transparency in Security
In modern agile and DevOps style software development organizations, everything is in source (other than secrets), and every service has mandatory levels of documentation. Engineering teams operate this way in order to foster inter- and intra-team operability of services, to streamline troubleshooting in the event of an outage, and to increase the understanding of how individual services interact with other environment or application components.

Breaking Down Barriers to Collaboration in DevSecOps
For security teams that solve problems by writing code, or who actively work with code written by other teams, conforming to this pattern goes a long way. The similarity in process helps break down barriers to collaboration. Removing any disparity in quality between the systems being secured and the systems doing the securing helps normalize the idea that security is just one quality of the system.
Leveraging a transparent approach fosters a greater degree of understanding between the security organization and the rest of the enterprise. This idea of transparency might cause some shudders on the red side of security: historically, notions of operational security and stealth have permeated red practitioners' methods. These notions are indeed good things when conducting adversarial simulation or incident response, but there is no reason to conceal the function or performance of security software from the teams that have to interact with it outside of these specific scenarios. It is almost a cliché now t

2018-10-01T13:00:00+00:00 | http://feeds.feedblitz.com/~/572263596/0/alienvault-blogs~Observability-and-Visibility-in-DevSecOps | www.secnews.physaphae.fr/article.php?IdArticle=826776

One Day, NCSAM will be a Fond Memory

October is National Cyber Security Awareness Month (NCSAM), and I thought it would be a neat idea to offer some ideas about best practices for good passwords. Since I have written about this before, I figured it would be the easiest thing ever, especially with all the advances in password management technology, and the new NIST Guidelines. I could talk about the usual things, like:
Use a password manager;
Use a passphrase instead of a password;
Don’t re-use passwords;
YAWN;
Etc.
All these tips seem so “common”, tired, and repetitive. We have heard this all before from some of the giants of the InfoSec community. There are hundreds of articles from every known source that offer the same tips on best practices for passwords, dating back many years. Clearly, the problem is not a lack of information. The problem is not with the message, as that is clearly splashed all over the internet. Some of us, myself included, have previously followed the misguided approach that we should treat the patient, rather than the disease.
However, the disease is outpacing the cures. As Bruce Schneier has stated, the problem is not with the patient. Technology has created a world of easy access, and it keeps getting easier. Everything is available at the click of a link, yet we security folks, the messengers of online safety, spend much of our time like a bad piano teacher with a ruler, ready to slap the fingers of the person who clicks that link without first thinking of the consequences. There have been so many advances in the technology that can unobtrusively improve the security experience for everyone. All the tools exist to create a silent security wall that protects the online experience. For example:
Multi-Factor authentication has been a major leap towards protecting identities, preventing many credential-theft scams. I have posited in the past that this needs to be mandatory for all online systems.
URL obfuscation, which masks a hyperlink and checks it against known exploits before loading the destination page, can protect against clicking a link that is not what it purports to be. With everything based in the cloud, this is an easy redirection scheme to silently protect online browsing.
Browser plug-ins, such as IDN-Safe, which protect you against malicious sites that use hidden Unicode characters in URL names.
Safe Wi-Fi – Products, such as LookOut Mobile, offer a feature that will detect SSL stripping to protect consumers against connecting to rogue Wi-Fi hotspots.
The main hurdle to overcome with some of these tools is that their best features are unavailable at the consumer level. While that may make good business sense, it leaves us with the same problem of the crutch of “user awareness” as our primary tool towards security. This all leads me back to my “password best practices” advice for NCSAM. Yes, all of the standard password rules still apply, but only because that is the current state of affairs. What can we do to change this approach?
Is it possible to dem

2018-09-27T13:00:00+00:00 | http://feeds.feedblitz.com/~/571678022/0/alienvault-blogs~One-Day-NCSAM-will-be-a-Fond-Memory | www.secnews.physaphae.fr/article.php?IdArticle=825817

Extortion, the Cloud, and the Geopolitical Landscape - Black Hat 2018 Survey Results

Read the whole report by Javvad.

Key Findings
38% say the Chief Information Security Officer (CISO) should be the one to negotiate extortion and/or ransom demands
46% of those surveyed say security remains the biggest blocker to cloud adoption
54% of participants believe US public sector infrastructure is either unprepared or very unprepared to defend against cyber attacks
People are relatively confident in calling a hacker's bluff:
Read the report for all the details!

2018-09-25T13:00:00+00:00 | http://feeds.feedblitz.com/~/571347394/0/alienvault-blogs~Extortion-the-Cloud-and-the-Geopolitical-Landscape-Black-Hat-Survey-Results | www.secnews.physaphae.fr/article.php?IdArticle=823621

MadoMiner Part 1 - Install

ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner. With the help of Chris Doman, I was able to analyze it and discover that it uses techniques similar to ZombieBoy, because it hijacks ZombieBoy’s CPUINFO.exe. However, MadoMiner is much, much larger in terms of:
The size of the malware;
The number of systems infected; and
Total profit gained by the attackers.
The previously analysed ZombieBoy was earning around $750 a month while mining at its maximum power. MadoMiner, on the other hand, is earning around $6015 a month while only mining at 50% power:

Malware Analysis
An overview of the Install module is below.
Depending on the victim’s architecture, obtained from CPUInfo.exe, either x86.dll or x64.dll is installed. x86.dll and x64.dll are virtually identical; one is specifically for the x86-x64 OS architecture and the other is specifically for the x86 OS architecture.

Domains
MadoMiner appears to use two different servers to distribute payloads for each module:
http://da[dot]alibuf.com:3/
http://bmw[dot]hobuff.info:3/
In addition, in Mask.exe, the second module, here are some identified mining servers used by MadoMiner:
http://gle[dot]freebuf.info
http://etc[dot]freebuf.info
http://xmr[dot]freebuf.info
http://xt[dot]freebuf.info
http://boy[dot]freebuf.info
http://liang[dot]alibuf.com
http://dns[dot]alibuf.com
http://x[dot]alibuf.com

Exploits
During the execution of the Install module, MadoMiner makes use of several exploits:
CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit

Installation
MadoMiner begins on a victim’s computer as a DLL installed by the EternalBlue/DoublePulsar exploits. Depending on OS architecture, you’ll either find x86.dll or x64.dll installed on your computer. Both are basically the same, just adjusted for the operating system. Just like ZombieBoy, MadoMiner makes use of a heavily modified version of ZombieBoyTools in order to install its DLL. The reason for this, it seems, is that the CPUInfo.exe dropped by the Install module of MadoMiner appears to be the same CPUInfo.exe dropped by an earlier version of 64.exe, a module from ZombieBoy (similar to current day CPUInfo in ZombieBoy, sans embedded miner and anti-VM guards). In fact, if CPUInfo.exe in MadoMiner is run without the surrounding Install module, it will attempt to communicate with ZombieBoy’s servers and ultimately install ZombieBoy.
Packet showing malware communicating to ca[dot]posthash.org:443

Setup
Once either x86.dll or x64.dll is successfully installed and executed on a victim’s computer, several actions are performed.
First, 2 UPX packed modul

2018-09-24T18:10:00+00:00 | http://feeds.feedblitz.com/~/571233314/0/alienvault-blogs~MadoMiner-Part-Install | www.secnews.physaphae.fr/article.php?IdArticle=822528

Alert Fatigue and Tuning for Security Analysts

Tripwire describes alert fatigue as a combination of too many false positives as well as a reason to raise the security awareness of your organization. Another article from CSO notes that a large number of organizations deal with too many false positives that overload their analysts. This article goes a step further and advises on several steps that can be taken to help reduce the risk of alert fatigue. These are definitely good steps to help your organization improve its ability to respond to alerts and reduce analyst workload. I recommend reading through and seeing what can be done.

Tuning
I would also add one more step: tuning. This seems obvious, but it is often overlooked. Let me first tell you what I mean by tuning. Tuning is a combination of reducing false positives, working with alerts, and correlating events and trends to ensure greater accuracy. Each of these helps the analyst by refining the alerts being looked into. Tuning needs to be a balanced approach that will reduce the number of unnecessary events received and ensure that there are no blind spots an attacker can take advantage of to slip by unnoticed. The first step of tuning is to figure out what is important to alert on and what is not. In my opinion there is a big section of alerts that can be immediately kicked out of the analyst’s queue: any blocked attacks. Attacks that are blocked by the technology guarding the perimeter and internals of the network and endpoints can be a great story to executives and can even give you trends and areas to look at to make sure that nothing else is needed for protection.
However, the alerts that are generated to say something was blocked just add to the data that has to be looked into if sent to the analyst.

What Alerts Do You Care About?
Removing blocked attacks helps the analyst pay more attention to potential incidents that were not stopped. After you’ve done that, the next matter of importance is: what alerts do you care about? Determining that takes a bit of research. You need to determine what impacts you the most, down to what could be a threat but may, or may not, be worth investigating. That involves knowing: where sensitive information is 

2018-09-24T13:00:00+00:00 | http://feeds.feedblitz.com/~/571187828/0/alienvault-blogs~Alert-Fatigue-and-Tuning-for-Security-Analysts | www.secnews.physaphae.fr/article.php?IdArticle=821967

Forrester Says that AlienVault “Challenges” Enterprise SIEM vendors

https://www.alienvault.com/resource-center/analyst-reports/forrester-total-economic-impact-study
Our inclusion in the Wave reflects that our value proposition is now resonating with a broader set of customers by making a noticeable dent in ‘traditional’ approaches that require a security team to procure, deploy, and integrate security controls into a data lake, and research teams to stay current on threats and tune AI and ML algorithms. In addition, organizations need an operations team to continuously monitor dashboards and respond to the threats. This approach is heavy in technology and heavy in people - it is exactly what we set out to solve with USM Anywhere. As we continue our evolution and become AT&T Cybersecurity, it gives us access to one of the world’s largest cyber-security operations.
We look forward to leveraging this knowledge to improve the USM Anywhere platform, deliver new capabilities and expand our threat intelligence to disrupt the status quo and help organizations of all sizes strengthen and simplify their security postures. To learn more about the USM Anywhere platform, you can take a look at our interactive demo (https://www.alienvault.com/products/usm-anywhere/demo) or call us (

2018-09-21T14:18:00+00:00 | http://feeds.feedblitz.com/~/570786666/0/alienvault-blogs~Forrester-Says-that-AlienVault-%e2%80%9cChallenges%e2%80%9d-Enterprise-SIEM-vendors | www.secnews.physaphae.fr/article.php?IdArticle=819200

Things I Hearted this Week, 21st Sept 2018

Do Breaches Affect Stock Market Share Prices?
A common question that comes up is whether a breach actually impacts a company’s share price or not. There are varying degrees of opinion and anecdote, but what we really need is data. Comparitech has published a very detailed breakdown, complete with methodology and data used. Some of the key findings include:
In the long term, breached companies underperformed the market. After 1 year, share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%.
It’s important to note the impact of data breaches likely diminishes over time.
Share prices of breached companies hit a low point approximately 14 market days following a breach. Share prices fall 2.89% on average, and underperform the NASDAQ by -4.6%.
After about a month, share prices rebound and catch up to NASDAQ performance on average.
After the first month, the companies we analyzed actually performed better than they did prior to the breach.
In the six months leading up to a breach, average share price grew 3.64%, compared to 7.02% following a breach. Similarly, the companies underperformed the NASDAQ by -1.53% leading up to the breach, but managed to outperform it by 0.09% afterward.
Finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected.
Breaches that leak highly sensitive information like credit card and social security numbers see larger drops in share price performance on average than companies that leak less sensitive info.
Analysis: How data breaches affect stock market share prices | Comparitech

Europol Internet Organised Crime Threat Assessment 2018
Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and cryptojacking are emerging as serious challenges, according to Europol. The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivated threat out there, ahead of banking Trojans — and will be so for several years.
DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”
Internet organised crime threat assessment 2018 | Europol
IOCTA 2018 report (pdf) | Europol
Europol: Ransomware Will be Top Threat for Years | Infosecurity Magazine

2018-09-21T13:00:00+00:00 | http://feeds.feedblitz.com/~/570764730/0/alienvault-blogs~Things-I-Hearted-this-Week-st-Sept | www.secnews.physaphae.fr/article.php?IdArticle=819034

AI and ML; Key Tools in Emerging Cybersecurity Strategy and Investment

KPMG, in 2017, AI was a major focus area of global VC investments - over $12B, doubling the volume of 2016. Many of those investments included aspects relating to information security. Now that the DARPA investment (which is directed to much more than cybersecurity uses) has been added to the investment money trail, there is no doubt AI will be part of our cybersecurity future. There is evidence that AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically, they are being used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats. AI and ML may become new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. This is especially important because of the major shortage of skilled cybersecurity workers and the growing attack surface.
According to Cybersecurity Ventures CEO Steve Morgan, the human attack surface is expected to reach 6 billion people by 2022 and cyber-crime damage costs to hit $6 trillion annually by 2021; given this, AI and ML cybersecurity capabilities are very important and increasingly valuable. Former White House Cybersecurity Coordinator Rob Joyce said in a 2016 presentation at USENIX: “If you really want to protect your network,” he advised, “you have to know your network, including all the devices and technology in it.” A successful attacker will often “know networks better than the people who designed and run them.” With the right combination of data, computing power, and algorithms, artificial intelligence can help defenders gain far greater mastery over their own data and networks, detect anomalous changes (whether from insider threats or from external hackers), and quickly address configuration errors and other vulnerabilities. To provide more depth to his insights: both AI and ML can be integral aspects of automation and adaptive networks. Applications for automated network security in

2018-09-18T13:00:00+00:00 | http://feeds.feedblitz.com/~/570252978/0/alienvault-blogs~AI-and-ML-Key-Tools-in-Emerging-Cybersecurity-Strategy-and-Investment | www.secnews.physaphae.fr/article.php?IdArticle=814040

People and Passwords

Weak passwords are common
For example, reports from Techspot.com, Fortune.com, and USAToday.com show that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember. People will often turn weak passwords into simple variations in which alphabetic and numeric strings are combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password.
Current practices require complex passwords
Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length and has an uppercase letter, a lowercase letter, and a number. Take [Football] for example. You can replace the “o” with a “0” and the “a” with “@”, resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize.

There is a problem with difficult passwords
People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it, and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (e.g. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123, and F00tb@ll turns into F00tb@ll123 or F00tb@ll321). While password expiration policies are arguably a best practice, they are not common outside an enterprise environment.
Many websites, such as banks, do not require you to change your password regularly, and those that do might not have a decent policy on repeating passw

2018-09-17T13:00:00+00:00 | http://feeds.feedblitz.com/~/570095960/0/alienvault-blogs~People-and-Passwords | www.secnews.physaphae.fr/article.php?IdArticle=812285

Things I Hearted this Week, 14th September 2018

British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register
As an affected customer, I accept that companies get breached. But the advice seemed pretty poor.
British Airways breached | J4vv4D

Boards need to get more technical - NCSC
The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC, believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what are the most effective ways of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.
NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful” | New Statesman

Hunting in O365 logs
Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful.
Detailed properties in the Office 365 audit log | Microsoft

GCHQ data collection violated human rights, Strasbourg court rules
GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment.
But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations.
GCHQ data collection violated human rights, Strasbourg court r

2018-09-14T13:00:00+00:00 | http://feeds.feedblitz.com/~/569668796/0/alienvault-blogs~Things-I-Hearted-this-Week-th-September | www.secnews.physaphae.fr/article.php?IdArticle=807799

Explain Cryptojacking to Me

ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat.

What is Cryptojacking?
Cryptojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data.
To understand why, it’s helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you. That’s exactly what cryptojacking attacks aim to do: silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask.

Cryptomining vs. Cryptojacking
As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptomining server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitmain IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription.
According to the website, the folks behind Coinhive “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.” Yet at the same time, Coinhive has been one of the most common culprits found

2018-09-11T13:00:00+00:00 | http://feeds.feedblitz.com/~/569069766/0/alienvault-blogs~Explain-Cryptojacking-to-Me | www.secnews.physaphae.fr/article.php?IdArticle=803093

VLAN Hopping and Mitigation

here.

VLAN Hopping
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switched spoofing' and 'double tagging'. I will then discuss mitigation techniques.

Switched Network
It is crucial we understand how switches operate if we would like to find and exploit their vulnerabilities. We are not necessarily exploiting the device itself, but rather the protocols and configurations instructing how they operate. On a switch, a port is either configured as an access port or a trunking port. An access port is typically used when connecting a host to a switch. With the implementation of VLANs, each access port is assigned to only one VLAN. A trunking port is used when connecting two switches or a switch and a router together. Trunking ports allow for traffic from multiple VLANs. A trunk port can be configured manually or created dynamically using Dynamic Trunking Protocol (DTP). DTP is a Cisco proprietary protocol, one use of which is to dynamically establish a trunk link between two switches.
Switched Spoofing VLAN Attack

An attacker acts as a switch in order to trick a legitimate switch into creating a trunking link between them. As mentioned before, packets from any VLAN are allowed to pass through a trunking link. Once the trunk link is established, the attacker then has access to traffic from any VLAN. This exploit is only successful when the legitimate switch is configured to negotiate a trunk. This occurs when an interface is configured with either "dynamic desirable", "dynamic auto" or "trunk" mode. If the target switch has one of those modes configured, the attacker can generate a DTP message from their computer and a trunk link can be formed.

Double Tagging

Double tagging occurs when an attacker adds and modifies tags on an Ethernet frame to allow the sending of packets through any VLAN. This attack takes advantage of how many switches process tags. Most switches will only remove the outer tag and forward the frame to all native VLAN ports. With that said, this exploit is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is that this attack is strictly one way, as it is impossible to encapsulate the return packet.

VLAN Hopping Exploit
Scenario 1 - Switch Spoofing Attack

In this scenario there exists the attacker, a switch, and the target server. The attacker is attached to the switch on interface FastEthernet 0/12 and the target server is attached to the switch on interface FastEthernet 0/11 and is a part of VLAN 2. Take a look at the following topology.
Published 2018-09-10T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/568898120/0/alienvault-blogs~VLAN-Hopping-and-Mitigation (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=801477)
Things I Hearted this Week, 7th Sept 2018

how to minimise stress before, during, and after your vacation.

Hot Hot Security

The Scoville Scale is a measurement chart used to rate the heat of peppers or other spicy foods. It can also have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats on a similar scale to the hot peppers we consume.

A Scoville Heat Scale For Measuring Cybersecurity | Forbes

Spying on the Spies

Spyware may seem like a good option if you want to keep an eye on what online activities your children get up to… or, if you’re the insecure type (or worse), to see what your significant other gets up to. The problem is that these spying tools have been shown to be woefully insecure time and time again.

For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records | KrebsOnSecurity

Spyware Company That Marketed to Domestic Abusers Gets Hacked | Motherboard

Facebook fell victim to fake news

It’s not surprising to hear that fake news made its way onto Facebook. What is worrying is that Facebook’s own training materials fell for fake news.
Published 2018-09-07T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/568453392/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Sept (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=797345)

Malware Analysis for Threat Hunting

Malware analysis allows the analyst to see what actions are taken and allows us to use those actions to build a profile that can be used to detect and block further infections and find related infections. We run the malware in labs to determine how it acts, we give it different inputs to see how the behavior changes, we run it through debuggers to disable safeties and checks that it might have against analysis, and we may even use a disassembler to more fully understand the paths that the malware may take. Using these techniques, the malware analyst builds a list of indicators that can be used to detect and block the malware that they are examining, builds information about who may be targeting their network, and even learns what the malware may be gathering. I’m going to narrow my focus to behavior analysis and give some examples of what can be done with threat hunting and this technique.

Behavioral Analysis for Malware

Behavioral analysis is the step of running the malware under controlled conditions where you can observe the actions that the malware takes. By running the malware in a completely isolated environment we can tell what the malware would do if it was unable to communicate. With behavioral analysis, you take everything a step at a time. When it is completely isolated, does it try to scan for a network? If yes, then go ahead, add it to one, and see what happens. After that, what does it start looking for? Give it to it.
The main goal of this type of analysis is to see what the malware does in a step-by-step process, allowing you to map its different actions and have a better overall picture of the malware before you start examining it in debuggers or through disassembly. I would say that this is one of the more fun parts of the analysis process.

Basic Lab Environment for Malware Analysis

Your basic lab environment should contain VMware/VirtualBox with the following computers:

- Windows with Wireshark, Process Monitor, and ProcDOT installed.
- REMnux (has everything preinstalled that you will need).

Make sure that your VMs are set to host-only networking and that your Windows machine has your REMnux box as the default gateway by setting a static IP address. This ensures that the first hop will be to REMnux and will allow the traffic control that we would want.

Tools for Malware Behavioral Analysis

There are several tools that you want to use to gather the most information that you can:

Wireshark: This tool is used to gather network traffic on a given interface. The follow option will allow you to view pages and traffic, and it even allows you to recreate and save files that were transferred while the packet capture was running. https://www.wireshark.org/

Process Monitor (procmon): This tool is used to record the full activity of a computer for the time that it is monitoring. This is extremely useful for detailing actions taken

Published 2018-09-05T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/568081054/0/alienvault-blogs~Malware-Analysis-for-Threat-Hunting (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=793596)

Cyber Security Awareness Month - Phishing

official program focuses on a series of weekly themes. Many individuals and companies also share their own best practices and ideas for security awareness.
In doing our part, we’re also publishing a series of posts during September and October to help share some of our favourite resources and tips on staying safe online.

Phishing

Kicking off the festivities, I’m highlighting one of the most prevalent threat vectors there is: phishing. Phishing can take place under many guises and have different objectives - but at a high level it’s nearly always an email sent which claims to be from a trusted person or entity that attempts to trick the recipient into performing an action. Examples of phishing emails can include:

- The tax office claiming you have underpaid, or are due a repayment, with a malicious document attached.
- Your CEO asking that you make a large payment to a new supplier immediately.
- The IT team asking you to send them your password in an email or via a form.
- Your bank asking you to log in and confirm details.
- A service provider threatening to cut off your service unless you respond to them immediately with information.
- An unsolicited job offer, or a lucrative work-from-home scheme.
- A match on a dating site asking for excessive personal information, or for money or gifts.

This is not an exhaustive list, but all of these tactics seek to instill a sense of urgency in the recipient, trying to get them to respond quickly, usually using the broad hooks of money, employment, love, or threats (MELT). There are many telltale signs you can usually look out for, such as the tone of the email, the grammar and spelling, or the email headers, that can indicate whether an email is genuine or not. However, for the most part, it is best to err on the side of caution, and if something doesn’t feel right or genuine it’s best to confirm directly with the alleged sender of the email. While there are a growing number of tools available to defend against cybercrime, education remains one of the most important tools in our defence.
It is only by gaining a greater understanding of the threats and techniques encountered - in both personal and business settings - that we can best protect ourselves.

A short video on phishing

And a slightly more in-depth video on how to spot a phishing email

Published 2018-09-04T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/567855746/0/alienvault-blogs~Cyber-Security-Awareness-Month-Phishing (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=792048)

Things I Hearted this Week, 31 Aug 2018

Adventures in vulnerability reporting | Project Zero

Natalie raises some very valid points in her post about how researchers will sometimes abandon the disclosure process altogether if it becomes frustrating, as we saw when a Microsoft Windows 0day was disclosed unceremoniously through Twitter.

Microsoft Windows zero-day vulnerability disclosed through Twitter | ZDNet

And while we’re on the topic of vulnerabilities, Adrian Sanabria drops the truth (with stats) on patching. You should always patch when you can, but when you can’t, you need a plan B.

Another Year, Another Critical Struts Flaw | Nopsec

Twitter Bots

Twitter bots are spoken about frequently, usually in the same breath as fake news or disinformation. But how big a problem are bots, and do they actually influence public opinion or are they merely trolls? The good folk over at SafeGuard Cyber may be able to shed some light on it with a detailed report that looked at over 300k bots and tracked their behaviour and tactics - providing an analysis of how bots are deployed to reshape public perception.

How Russian Twitter Bots Weaponize Social Media | SafeGuard Cyber

A True Password Manager Story

I can neither confirm nor deny that I’ve ever blamed Graham Cluley for anything… but this is a good post by Stuart on the trials and tribulations of adopting a password manager.
I’m OK, but Graham Cluley made me do it | Hidden Text

While we’re discussing passwords, a different Stuart has written a very open and honest discussion on the use of two-factor authentication. It’s well worth a read.

Before You Turn On Two-Factor Authentication… | Stuart Schechter, Medium

Probably The Best Tech Keynote in the World

I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens, who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving out 50 minutes of your day to

Published 2018-08-31T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/567119790/0/alienvault-blogs~Things-I-Hearted-this-Week-Aug (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=787114)

Ethical Hacking: An Update

Ethical Hacking

Commonly known as “white hat” hackers, as opposed to black hat, ethical hackers are generally employed by a company to hack into the company’s systems and show them vulnerabilities. Some will help patch up the holes, while others simply expose what’s wrong and leave it to the company’s IT team. The word “hacker” carries a certain connotation and is usually negative. However, it’s best to think of them in “Old West” terms. The sheriff in the old west always wore a white hat and was the good guy. The outlaw wore a black hat. Hence the terms white hat and black hat hacker; one aims to help while the other is malicious. In order to combat black hat hackers, white hat hackers have to think like black hat hackers. Some may have even started as black hat hackers, gained skills, and decided to use those skills for good. Unlike in previous years, where dealing with ethical hackers could be a grey area, white hat hackers are often certified as ethical hackers.
They can prove they are using their skills to benefit a company rather than trying to break into the company’s system and actually steal information.

Penetration Testers

Coincidentally, penetration testers do steal information. They can also steal physical computers, hard copies of information, and more. Pen testers are sometimes not limited to just computer systems. Instead, much like the mindset of a hacker mentioned above, they do whatever they can to access a system, such as using social engineering or email spoofing. They are often part of the “red team,” hired to find holes in security. Imagine, for instance, someone calling IT and claiming they forgot their password. The password is reset, and the employee leaves happy. The problem is that it wasn’t actually the employee but someone posing as them who now has access to the system. A member of the red team might be able to swipe a pass card, enabling them access to a server room. From there, they can directly connect to the server, accessing information. The sticky note Jan from accounting keeps on her computer monitor to remind her of her logins? Gone the next morning. Everyone from

Published 2018-08-30T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/566930336/0/alienvault-blogs~Ethical-Hacking-An-Update (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=785898)

AlienVault Product Roundup July / August 2018

major company announcements, we continue to evolve USM Anywhere and USM Central with new features and capabilities that help you to defend against the latest threats and to streamline your security operations. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum.
Here are a few of the highlights from our July and August 2018 releases:

New EDR capabilities with the new AlienVault Agent

On July 31, 2018, we publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, extending the platform’s powerful threat detection and response capabilities to the endpoint. Read the blog post here. By deploying the AlienVault Agent - a lightweight and adaptable endpoint agent based on osquery - you can expand your security visibility to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints, whether in the cloud, in your data center, or remote. The new EDR capabilities were made available automatically and seamlessly to all USM Anywhere customers, without requiring any subscription upgrades, system updates, or the purchase of add-on products to access the capabilities.

AlienApp for ConnectWise

The AlienApp for ConnectWise is now included in the Standard and Premium editions of USM Anywhere. Service management teams that use ConnectWise Manage can leverage automated service ticket creation from USM Anywhere alarms and vulnerabilities as well as synchronization of asset information.

Slaying Defects and Optimizing the UX

In addition to these new capabilities and apps, in every update this summer, the team has rolled out enhancements to the user interface and / or has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details.

USM Central Roundup and Look Ahead

Earlier this month, Skylar Talley, AlienVault Senior Product Manager for USM Central, wrote a blog post recapping the recent improvements to USM Central and outlining his vision for the product in the next few months. You can read the full post here. The highlights include:

- Two-way alarm status and label synchronization
- Orchestration rules management across USM Anywhere deployments
- USM Central API availability (You can find the API documentation here.)
Threat Intelligence Highlights

USM Anywhere receives continuously updated rules and (new!) endpoint queries to detect not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated for you by the machine and human intelligence of the AlienVault Labs Security Research Team. The AlienVault Labs Security Research team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are rese

Published 2018-08-28T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/566580736/0/alienvault-blogs~AlienVault-Product-Roundup-July-August (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=782871)

Earning a Cyber Security Certificate: Pros and Cons

demand is soaring for experts with the skills to help protect businesses and combat ever-evolving threats. If you’re looking to pursue or advance your career in cyber security, you may be wondering how much education you’ll need to qualify for certain jobs. As cyber crime has intensified over the past decade, new educational programs have emerged to help train aspiring cyber security experts. There are now undergraduate and graduate degrees, along with certificates and certifications focused on cyber security. In this article we’ll examine the certificate option.

Careers in cyber security tend to pay well and — because a certificate requires a significantly smaller investment in time and money than an undergraduate or graduate degree — it can be an appealing option to those looking to get their start in cyber security or make a career switch. But because cyber security is a particularly complex field, a certificate on its own may not be enough. Depending on your goals and your situation, a certificate may or may not offer the return on investment you are seeking. Here’s a related blog on whether certificates are worth your time.

Is a Cyber Security Certificate Right for You?
If you are looking to launch a career in cyber security, it’s very possible that you’ll need more than a certificate to get your foot in the door. In fact, although there is an abundance of job openings, many of these openings exist because employers can’t find candidates with the right level of education and experience.

A certificate may be a good option if you are just looking to learn more about the field and are still considering your career options but are not ready to commit to more than that. On the other hand, if you are more advanced in your career and are looking into pursuing a certificate with the possibility of moving into a degree program, you should make sure to find a certificate program that will allow you to transfer your courses. A certificate could also be a good option for those working in human resources, information security, web development, computer network architecture or similar tech-related fields who need to brush up their cyber skills but don’t need or want to commit to more.

Since most certificate programs include high-level introductory classes that cover the basics of cyber security, such programs can be a great way to get a taste for what working in the field might be like. However, if you’re hoping to pursue a career in cyber security, a certificate on its own likely won’t suffice to get you where you want to go.

What to Consider When Pursuing a Cyber Security Certificate

If you decide that a certificate program is right for you, be sure to find a university that offers graduate programs in cyber security and will allow you to transfer your credits should you decide to advance your education even further.

Be wary of for-profit programs. If you are going to pursue a certificate, there are many well-regarded institutions that offer certificate programs and will likely deliver a stronger education coupled with a better reputation.

Remember that there is a big difference between a certificate and a certification.
Published 2018-08-27T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/566422592/0/alienvault-blogs~Earning-a-Cyber-Security-Certificate-Pros-and-Cons (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=782872)

Antivirus Evasion for Penetration Testing Engagements

here specifically the functions “startup” and “USBSpread” while creating a new project to put both of these. This is what it looks like after creating a console project in C#:

Please note that I have minimized the region of the code in the screenshot above to make it short. I’ll leave the credits where they are due for both those functions. After compiling the project and scanning it in VirusTotal, the result shows two antiviruses detecting it, namely ESET and Sophos.

Please forgive me. If any of you are not familiar, VirusTotal actually distributes copies of a scanned file, especially if a few antiviruses detect it. Chances are that if you are reading this right now, the scan results might have changed already when you visit the link. This puts your tool at risk of being detected very fast, so VirusTotal should not be used for scanning when you are developing a penetration testing tool to be used for legal assessments.

Now here comes the fun part. How can we find out what’s causing the detection? Since we have a copy of the source code, what we can do is remove parts of the code line by line and rescan it.
To start off, I have commented out the whole “USBSpread” function as seen below:

Compiling this and scanning in VirusTotal will give us a

Published 2018-08-21T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/565433026/0/alienvault-blogs~Antivirus-Evasion-for-Penetration-Testing-Engagements (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=782873)

How to Get into Infosec: InfoSec Career Path Hacking

Maybe you've always dreamt of getting into the InfoSec field, and have been thinking about getting into information security for a while, or it's just coming to mind now. Regardless of where you are in your journey, welcome to the InfoSec community! In the words of the great Kung Fu Master, Shifu, “There is no level zero.”

If you’ve seen Kung Fu Panda, you may recall that Po is a panda who eats, sleeps, and breathes Kung Fu, yet finds himself outside that community. He dreams of being a warrior. One day, he sees an opportunity to witness a significant moment in Kung Fu history and so he sets out on his journey. But first, he must climb to the temple. It would have been easy for him to zig-zag his way to the top of the mountain, though it might have taken longer. Instead, he started with the logical place... the stairs - a much shorter path. You too will have to choose your path to awesomeness. Allow me to illuminate the way.

“There is no level zero.”

Find Your Why

Po wanted to be great at Kung Fu purely for the sake of being great. Unfortunately, that probably won’t be enough to sustain you in the InfoSec field. We all have selfish motivations, but they should pale in comparison to the greater good of our community, industry, and humanity. You will meet many who have forgotten that we are doing this for people, not to serve technology. Find your "why", and let it be outside yourself. That motivation will carry you through the many challenges, twists and turns along the way.
“You will meet many who have forgotten we are doing this for people…”

Take the Shortest Path

The circuitous route is to acquire the necessary skills along whatever path you are on now. Even so, you will at some point have to focus on the particulars of those skill areas and invest in them. The alternative is the more direct route of certification and/or education. Although it may be more difficult, it will give you a more immediate opportunity.

Certifications offer concentrated, focused training in a specific set of topics to support your goals. For example, the SANS Institute and CompTIA have well-planned certification roadmaps. Simply take a look at them, consider your current ability level and pick a certification as a starting point. Another resource is the free site Cybrary.it which hosts training courses in the certification area of your choosing. Don't forget to schedule your exam to give you motivation. Just taking an exam is a learning experience. Here’s a blog on the value of certifications you might want to look at.

A wise mentor once told me that in order to be successful in InfoSec you need strong bases in at least one but preferably two of three areas: development, system administration, or networking. You may, perhaps, choose certifications such as Python and Powershell, A+, NET+, CCNA, Windows, Linux, and others. These may be vendor specific or vendor-agnostic. Employers will prefer a mix of both, depending on their alliances, partnerships, and the technologies that they leverage to deliver their business. Security job postings are an excellent source of this business intelligence.
Regardless of how you choose to invest your time and ene

Published 2018-08-20T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/565266978/0/alienvault-blogs~How-to-Get-into-Infosec-InfoSec-Career-Path-Hacking (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=782152)

Do You Take Security Seriously?

Well, Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt:

The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say. Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme

Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset. If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion.

Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’.

The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends, and your family. The third face, you never show anyone. It is the truest reflection of who you are. Similarly, you could say that security has three faces.
The security you show to the world, the security that is visible internally in your organization, and the third reflects how you truly feel about security - that is the real measure of how seriously you take security.

Read the whole report here!

Published 2018-08-16T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/564597446/0/alienvault-blogs~Do-You-Take-Security-Seriously (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=779636)

Discovering CVE-2018-11512 - wityCMS 0.6.1 Persistent XSS

6. You should now be able to browse the application by visiting http://localhost/witycms-0.6.1/
7. Fill in the data required. For “Site name”, I’ve added “Test”. Click on the Next button.
8. Next comes defining the homepage of the system. You can choose any of the options. For example:
9. Setting up the database is next. From step #5, I have used the database name “creatiwity_cms”, so this goes in the database setup.
10. Enter the administrator account details and click “Launch install!” (I have added the user “admin” with the password “admin” here.)
11. Once successful, this page should pop up:

Finding a Web Application Security Issue

Since this article is about CVE-2018-11512, I will be limiting the scope of finding web application vulnerabilities to a persistent XSS vulnerability. But first, let’s try to understand what a persistent XSS is.
According to OWASP, “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted we
2018-08-15T13:00:00+00:00 http://feeds.feedblitz.com/~/564341374/0/alienvault-blogs~Discovering-CVE-wityCMS-Persistent-XSS www.secnews.physaphae.fr/article.php?IdArticle=779637 False Vulnerability,Guideline None None

AlienVault Blog: Improving Threat Detection through Managed Security Service Providers (MSSPs)

an attack averages $117,000 in costs, which factors into a 40% chance of survival.

The Value of MSSPs

Fortunately, there’s a silver lining. With help from a trusted Managed Security Service Provider (MSSP), companies with limited resources can ensure their systems are safe and protected without hiring an in-house team. Whether it’s day-to-day monitoring, analysis, detection, response, or reporting on vulnerabilities, these security experts offer businesses of all sizes the peace of mind they need – at surprisingly affordable costs. For more information on how working with an MSSP can help your business mitigate risk, watch this short and informative video.

AlienVault MSSPs

For nearly a decade, we’ve equipped an extensive network of MSSPs with robust technology that allows for quick reaction and response to security challenges, worldwide. AlienVault Unified Security Management (USM) is a cornerstone in building successful managed security and compliance service offerings. Trusted by 7,000+ customers, we simplify security, save costs, and reduce complexity and deployment time for businesses of all sizes.

What’s Next?
Visit our website to learn more about outsourcing your security needs or get introduced to one of our trusted MSSP pa
2018-08-14T13:00:00+00:00 http://feeds.feedblitz.com/~/564098768/0/alienvault-blogs~Improving-Threat-Detection-through-Managed-Security-Service-Providers-MSSPs www.secnews.physaphae.fr/article.php?IdArticle=779638 False Malware,Threat,Guideline None None

AlienVault Blog: The Black Hat Recap

As always, the booth proved to be a great hit and served as the central point where we could meet old friends and new.

The Talks

Parisa Tabriz, director of engineering at Google, delivered the keynote address at this year’s BlackHat. Tabriz likened most security to a game of whack-a-mole and, in an interesting address, encouraged security professionals to embrace three steps:
- Tackling root cause
- Picking milestones (and celebrating achieving them)
- Building out a coalition (beyond the industry)

Our own Aliens had a couple of speaking sessions. Sanjay Ramanath delivered a session entitled "From the Defender's Dilemma to the Intruder's Dilemma". Over at the Diana Initiative at DefCon, Kate Brew presented "Age Like a Fine Wine, not a Fine Whine" - I was particularly disappointed to have missed this talk, as I had to fly back home and there was a no-photos-or-video policy.

The ever-expanding show

I missed BlackHat last year, and this year it felt as if I'd almost walked into RSA. The vendor halls seemed a lot bigger and more spaced out than before. With over 250 vendors exhibiting, there was a lot of floor space to cover, technologies to see, and swag to be grabbed. However, perhaps one of the most interesting aspects of the show floor is across from the main hall in the BlackHat Arsenal. The Arsenal is an area for independent researchers where open-source tools and products are demonstrated in 20-minute sessions in an informal setting.
I recall the first time I saw the Arsenal a few years back: it was in a small corner with a handful of tools, but it has grown into almost a con-within-a-con. The organisers have definitely done a great job with it, and you should have it on your list of things to see next time you are at a BlackHat.

Swapping parties for breakfasts

People usually ask what the parties are like - every night in Vegas there appears to be a party or event of some sort. However, if you're like me, then parties may not be your scene. So I spent the week getting early nights and arranging breakfast meetings instead. Personally, this was one of the best decisions I made. It was great to get up well-rested, to sit in a quiet venue and have good discussions over breakfast. While this approach may not be for everyone, my pro tip for Vegas is always to schedule some quiet time away from the noise.

Until next time

When it was all said and done, it was a very enjoyable, if tiring, week filled with great content, the opportunity to meet up with old colleagues, and make some new connections. We look forward to seeing you at an event soon.
2018-08-13T16:24:00+00:00 http://feeds.feedblitz.com/~/563935412/0/alienvault-blogs~The-Black-Hat-Recap www.secnews.physaphae.fr/article.php?IdArticle=779639 False None None None

AlienVault Blog: What You Need to Look for When Choosing a Hosting Company for Your Startup

Start by identifying your hosting needs

The first thing you need to do is understand your hosting needs. You won’t be able to find the right web host for you if you do not know what you need. To determine this, you need to first ask yourself a number of different questions, including the following:
- What type of platform are you going to use for your website? For example, will it be WordPress or a different platform?
- What sort of website are you going to build?
Are you going to build a portfolio website, organisational website, blogging website, or something else?
- Are you interested in building more than one website?
- What volume of traffic are you aiming for?
- Are you going to require special software to code your site, for example .net, java, php, etc.?

By answering these important questions, you will be able to figure out what you need, so that you have a good starting point in your quest to find the best web host for your particular requirements.

Reliability, performance, and server uptime

There really is only one place to begin when it comes to assessing the quality of a web host business, and this is by looking at the level of performance and the guaranteed uptime they provide. Don’t settle for anything less than the best in terms of uptime, as your business cannot afford to be offline. Companies like HostGator and SiteGround guarantee 99.9 percent uptime. You should not settle for anything less than 99 percent.

Other factors also play a critical role in helping you determine whether a web host is reliable or not. This includes things like bandwidth, daily back-ups, and RAID-protected storage. You will also want to ensure that the company provides 24/7 customer support, as you want to have complete peace of mind that any issues will be dealt with immediately, so that they do not have a negative impact on your business.

In terms of site back-ups specifically, there are a few key questions you can ask a prospective company to get a better understanding of this aspect:
- Do you only provide the back-up itself, or do you offer assistance in restoring the back-up?
- Do you offer any plug-ins for site back-ups?
- How often do automatic back-ups take place?
- Are there any options for manual site back-ups?
- Is there an option for site back-ups within the admin control panel?

This will help you determine how frequently back-ups occur and whether or not there is any level of customisation.
This is critical because no business can afford to lose its critical data, so you need to be able to back up your data according to your requirements.

Price and refunds
2018-08-09T13:00:00+00:00 http://feeds.feedblitz.com/~/563284592/0/alienvault-blogs~What-You-Need-to-Look-for-When-Choosing-a-Hosting-Company-for-Your-Startup www.secnews.physaphae.fr/article.php?IdArticle=773256 False None None None

AlienVault Blog: USM Central Product Roundup and Look Ahead

We have an audacious goal on the USM Central Product team. We believe that we can create the most phenomenal security platform for MSPs and MSSPs on the market with the combination of USM Central, USM Anywhere, and USM Appliance. As we move into Q3, we wanted to take some time to stop and reflect a bit on our journey. We thought it’d be helpful to provide some perspective on the problems we believe USM Central should solve for our customers, recap what we’ve built so far, and preview what’s ahead of us as we storm ahead into the back half of the year.

When prioritizing our efforts for USM Central, we always try to ask ourselves two questions. The first is, “How can we help our MSSP / MSP partners to be more efficient?” For instance, are they taking some redundant action multiple times across several deployments? What data are they looking for in the “child deployments” that would be helpful to view in USM Central? The second is, “How are USM Central users ‘patching’ our functionality?” By talking to our partners every week, we try to understand what other systems or tools they are using in conjunction with our products and find ways that we could either 1) address that need in the product or 2) integrate with the existing workflow. While USM Anywhere continues to push the envelope on core security capabilities, we believe we can create “SOCs with superpowers” with USM Central by showing up every day and trying to answer those two questions.
Below, you’ll find a short summary of our recent efforts and what we’re excited about moving forward.

Alarm Status and Label Synchronization

Labels are a simple yet powerful method to track the status of alarms in the various stages of the investigation cycle, classify alarm data for analysis/reporting, or even show “proof of work” to your end customers. Before USM Central, any edit to a label in the child instance would not be reflected in the Federation Server, requiring an analyst to make the label or alarm updates in multiple places. Today, any changes made to an alarm from connected USM Anywhere deployments are automatically synced to USM Central, and USM Central users can standardize labels across all of their USM Anywhere deployments. We're hoping this will dramatically streamline alarm workflows. Check out the details of this feature in the documentation here.

Orchestration Rule Management

Often, when our MSSP partners create an orchestration rule in USM Anywhere for one client, they recognize that it would be useful to deploy that same rule to another client. Additionally, when onboarding a new client, we’ve found that it’s helpful to do a comparative audit against another, more mature deployment to make sure you've covered all of your bases, from filtering to alarm rules. With the most recent release of USM Central, all of the rules for your connected USM Anywhere deployments are now synced to USM Central. USM Central users can filter their view to only show rules from selected deployments, or copy a rule and quickly apply it to another customer.

API Availability

Do you use a ticketing system to generate tickets for alarms generated within your AlienVault deployment(s)? Maybe you customize reports or dashboards by using data from AlienVault and other products for internal use or client presentations? You can now generate an API key in the product for the USM Central API.
The REST interface will allow you to search for alarms across all of your connected USM Anywhere or USM Appliance instances. For this first release, we've only exposed an Alarms endpoint, but we
2018-08-07T13:00:00+00:00 http://feeds.feedblitz.com/~/562938246/0/alienvault-blogs~USM-Central-Product-Roundup-and-Look-Ahead www.secnews.physaphae.fr/article.php?IdArticle=769536 False Vulnerability None None

AlienVault Blog: Black Hat 2018 will be Phenomenal!

here!

Attend the "From the Defender's Dilemma to the Intruder's Dilemma" Session for a chance to win a Nintendo Switch!

Join AlienVault VP of Product Marketing Sanjay Ramnath at a Black Hat speaking session. Sanjay will be speaking on Wednesday, August 8th from 10:20am-11:10am in Oceanside E on 'From the Defender's Dilemma to the Intruder's Dilemma'. We will be handing out raffle tickets before the session begins. Be sure to check out this session for the chance to win a Nintendo Switch!

Get Access to the Exclusive Security Leaders Party at Black Hat!

AlienVault is co-sponsoring one of the hottest security parties at Black Hat! Join us on Wednesday night from 8:00 - 10:00pm - guests will enjoy music, food, and a full open bar at the best venue at Mandalay Bay, Eyecandy Sound Lounge! This will be the most talked-about party of BHUSA 2018! We expect to reach capacity, so don't hesitate to get on the list now!

Event Details:
Date: Wednesday, August 8th
Time: 8:00 - 10:00 PM
Location: Eyecandy Sound Lounge, Mandalay Bay

We can’t wait to see you all at #BHUSA this week!
2018-08-06T13:00:00+00:00 http://feeds.feedblitz.com/~/562772138/0/alienvault-blogs~Black-Hat-will-be-Phenomenal www.secnews.physaphae.fr/article.php?IdArticle=768021 False Threat,Guideline APT 32 None

AlienVault Blog: Things I Hearted this Week, 3rd Aug 2018

The Red Pill of Resilience in InfoSec | Medium, Kelly Shortridge

VDBIR Data

The Verizon Data Breach Report has become the staple go-to report for security professionals wanting to understand the breach landscape. But a once-a-year report is usually too long for most of us to wait to see what’s new. So the good folk have created an interactive portal where you can explore the most common DBIR patterns.

VDBIR Portal | Verizon enterprise

Reddit Breached

Reddit disclosed a breach and says it’s still investigating. It appears that the attacker was able to bypass SMS-based two-factor (two-step) authentication.

We had a security incident. Here’s what you need to know | Reddit

It’s worth revisiting this blog by Paul Moore on the difference between two-factor and two-step authentication.

The difference between two-factor and two-step authentication | Paul Moore

Alex Stamos off to Academia

Facebook chief security officer Alex Stamos is leaving the social network to work on information warfare at Stanford University. The social network has not named any replacement.

Facebook's security boss is offski. Not to worry, it has 'embedded security' in all divisions | The Register

CISCO + DUO = DISCO!

Cisco has announced it will be acquiring Duo Security for $2.35bn in cash it found lying behind the sofa.

Cisco is buying Duo Security for $2.35B in cash | TechCrunch

Farcial Recognition

Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern.
In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition,” the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime.
2018-08-03T13:00:00+00:00 http://feeds.feedblitz.com/~/562303356/0/alienvault-blogs~Things-I-Hearted-this-Week-rd-Aug www.secnews.physaphae.fr/article.php?IdArticle=765123 False Data Breach,Threat None None

AlienVault Blog: Standing Out as an Information Security Student

As students, we get told that college is enough to land us anything we want. I can honestly say from my experience that was not the case at all. I grew up in a household where education will land you where you want, and you don’t need to be external with the system, so I assumed as long as I had a good GPA to show, any company would want me. You don’t have to do exactly what I did. Honestly, I advise you not to, and you’ll see why. Instead, use this as awareness that you shouldn’t just allow your classes to speak for you, and you should get ahead while you have time. I’m going to explain a little about my background in education and then dive into what I did during my 3rd year of university to go from being declined for every position I applied for, to having a table full of internship offers from many different sides of business, including the medical field.

My Educational Background

I started university at a school that focused on the offensive side of security. I finished 2 years, then decided to travel to a different city to attend a new university that titles me as a cybersecurity engineer, so I started to focus on the defensive side of security. Note that this university has a cybersecurity program that is very well known in the state; that’s why I transferred. So 3rd year hit, and I figured it was getting close to time to start applying for internships for the upcoming summer.
I felt like I needed to finally enter this field; 3 years of being JUST a student was enough. I wanted to finally have a title I loved in the real world.

How it started

It got close to winter break, so I decided to start applying for 2018 summer internships. I felt pretty confident: 3.98 GPA, engineering school, strong courses, and a good university. Unfortunately, this is where it started, decline after decline, not even getting past the first stage prior to interviewing. It felt like not a single company wanted me, and I was becoming more and more destroyed after each "We regret to inform you" letter. I felt like the past 3 years had been a waste. Okay, decline after decline, it’s clearly my fault, I’m doing something wrong, but what? My GPA is really good, I don’t understand why I’m not even getting past the first stage; I felt weak and unimpressive. I opened up my resume and really started looking at it. I tried looking at it from a professional perspective: if I was hiring this student, what am I looking for? Then I noticed it. I’m just a student. I noticed all I had to show was a number (my GPA) and the courses I’m required to take for my field, that’s it. I had no other way to show who I AM, other than my resume representing that I am a college student. There was no information about ME, WHAT I LIKE, WHAT I DO, NOTHING.

The 4-month long journey

That’s when I really freaked out. I want so much in life, yet all I’ve been is a student that doesn’t work on my career outside of school. Book after book, I’ve been a student; I never really introduced myself to this field, to my future, and to who I want to be. All I’ve been doing is listening to my professors teach me, rather than also teaching myself. So, I did the only thing I felt like I needed to do: time to play catch-up and get ahead. During school, for 4 months, I began doing side project after side project.
This was fun, yet it was destroying my mental and physical health. I slept on average 2-4 hours a night (7 nights a week) on my couch right next to my computer, just to get up and continue. I didn’t eat much, didn’t see my family much, barely socialized, and didn’t care to go to some of my classes. A few projects I’ll say I was doing: I created/solved cryptography puzzles, built a self-driving car, research
2018-08-02T13:00:00+00:00 http://feeds.feedblitz.com/~/562114445/0/alienvault-blogs~Standing-Out-as-an-Information-Security-Student www.secnews.physaphae.fr/article.php?IdArticle=763687 False Threat None None

AlienVault Blog: Extending Threat Detection to the Endpoint with New EDR Capabilities in USM Anywhere

April, we began to invite USM Anywhere customers to try out our new endpoint agent, the AlienVault Agent, in an Early Access program. The overwhelming interest in the program alone was telling; over 37% of USM Anywhere customers (60% of our MSSP partners) raised their hands to participate. Our conversations with customers during the program were even more telling: our customers want deeper security visibility of their endpoints without having to manually deploy and administer third-party endpoint agents. What’s more, they want advanced threat detection capabilities for the endpoint that pick up where their traditional antivirus tools fall short.

What we heard from our customers echoes the current conversation in the larger cybersecurity community regarding endpoint security: today, malicious actors are increasingly targeting the endpoint with attacks designed to evade traditional endpoint prevention and protection tools. Organizations are struggling to keep up, as the enterprise EDR solutions that offer advanced endpoint threat detection are often too complex or expensive for most organizations.
USM Anywhere is uniquely positioned to solve this challenge, as the platform is built to evolve as the threat landscape changes. Its extensible architecture allows us to seamlessly and automatically introduce new security capabilities, integrations, and threat intelligence to the platform, giving our customers comprehensive threat coverage without having to layer on more point security solutions to contend with the latest attacks. Since we first launched USM Anywhere, we’ve been steadily extending its reach to detect modern threats wherever they appear. The endpoint is no exception.

Today, I’m pleased to announce the launch of new endpoint detection and response (EDR) capabilities in USM Anywhere. You can read the full press release here.

With EDR capabilities delivered as part of the unified platform, USM Anywhere users can centralize security monitoring of their endpoint and network activities across their cloud and on-premises environments, without having to deploy or integrate a separate EDR solution. This not only streamlines security operations, but it also allows users to correlate network and endpoint security data for better threat prioritization and faster incident investigation and response. These capabilities work through the AlienVault Agent, a lightweight, adaptable endpoint agent based on osquery that easily deploys to Windows and Linux endpoints and is easy to manage in USM Anywhere.

The feedback we’ve received from USM Anywhere customers in the Early Access program has been positive and has helped to drive the product development leading up to today’s launch and beyond. We asked customers which features or use cases were the most exciting or useful to them.
Top responses included:
- Continuous endpoint monitoring / automated detection of advanced endpoint threats
- File integrity monitoring (FIM) to help with PCI DSS or other compliance requirements
2018-07-31T13:00:00+00:00 http://feeds.feedblitz.com/~/561725236/0/alienvault-blogs~Extending-Threat-Detection-to-the-Endpoint-with-New-EDR-Capabilities-in-USM-Anywhere www.secnews.physaphae.fr/article.php?IdArticle=760425 False Malware,Threat,Guideline None None

AlienVault Blog: Hope for the Best, Plan for the Worst

In an attempt to wake up companies that may not be taking security as seriously as they should, they are often told, "It's not a matter of if, but when." Historically, I've not been the biggest fan of this phrase, in that it has a certain undertone of doom and gloom, a bit like one of those life insurance commercials that morbidly remind you that you will die some day and you want your loved ones to be looked after financially.

The reality is, though, that as depressing as it may sound, we will all die at some point. And a company that uses technology and is connected to the internet in some way, shape or form will likely experience an incident of some magnitude over the course of its life. Being attacked or compromised by an external or internal party isn't a black swan event that falls outside of the norm. It's very much a part of everyday life.

Where many companies go wrong is believing they can eliminate these attacks completely. But this isn't practical, because randomness and variability are the rule, not the exception. It's like when you have a flight to catch: most people will tend to leave earlier than needed to factor in unforeseen traffic or other delays, because we know and understand that a journey consisting of planes, trains, and automobiles will inevitably encounter some delays. So we plan for it.
Similarly, enterprises should plan for the unexpected and build it into their fabric to ensure they can not only remain resilient, but flourish in times of adversity. So, what can make a company more resilient to security incidents and black swan events?

Hack yourself

What better way to see how an attacker will fare against your systems than to subject your systems yourself to the same stresses? It's not so much a case of proving that all your systems are unbreakable; rather, it gives you a level of assurance as to how long your defences can hold up, whether you have effective means of detecting and responding, and, perhaps more importantly, what the impact on the business or customers will be.

Add redundancies

Often, when speaking of redundancies, we think of business continuity planning, which for many inevitably boils down to the art of "buying two of everything." A company may avoid the cost associated with having redundant systems because they may never be used, although the truth is that not needing a redundant system is the exception, not the rule. It's also important to have alternative redundancies in place. For example, if a system goes down, is there a manual workaround that could be deployed? Could online transactions be diverted to call centres? If cash is unavailable, can cryptocurrencies be used? Or precious metals? Or cigarettes, even?

Not all risks are created equal

Critical assets are the lifeblood of an organisation. They are the crown jewels that help the company be profitable through sales, services, or innovation. But it can become easy to miss some of the risks amongst the large sea of issues, which is why it can make sense for companies to at least adopt a dual risk strategy whereby they play it safe in some areas and take more risks in others.

Have multiple points of resilience

It's not just attacks that are on the rise. There are a number of factors, such as errors, changes, or infrastructure migrations, that can all lead to security incidents.
Therefore, it's important to build resilience at multiple points across the business. Maybe it's time to stop fearing, or thinking of, the phrase "it's not if, but w
2018-07-30T13:00:00+00:00 http://feeds.feedblitz.com/~/561532344/0/alienvault-blogs~Hope-for-the-Best-Plan-for-the-Worst www.secnews.physaphae.fr/article.php?IdArticle=758807 False Guideline None None

AlienVault Blog: Things I Hearted this Week, 27th July 2018

Google: Security Keys Neutralized Employee Phishing | Krebs on Security

While we’re on the topic of phishing, attackers used phishing emails to break into a Virginia bank twice in eight months, making off with more than $2.4 million in total. Now the bank is suing its cybersecurity insurance provider for refusing to fully cover the loss.

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M | Krebs on Security

We’re probably going to see more of this kind of back and forth as companies that have taken out cyber insurance and suffered a breach fight with their insurers over liability and who will cover the cost.

Somewhat related: Scam of the week, another new CEO fraud phishing wrinkle | KnowBe4

Breaking the Chain

Supply chain and third-party risks are getting better understood, but understanding a risk doesn’t necessarily mean it will be reduced. Tesla, VW, and dozens of other car manufacturers had their sensitive information exposed due to a weak security link in their supply chains.

Tesla, VW data was left exposed by supply chain vendor Level One Robotics | SC Magazine

SIM Swap - A Victim’s Perspective

This is a really good write-up by AntiSocial Engineer taking a look at how SIM swap fraud can impact victims, and why mobile phone operators need to do more to prevent this kind of fraud.

“It’s an all too common story: the signal bars disappear from your mobile phone, you ring the phone number – it rings, but it’s not your phone ringing. Chaos ensues.
You’re now getting password reset emails from Facebook and Google. You try to log in to your bank, but your password fails. Soon enough the emails stop coming as attackers reset your account passwords. You have just become the newest victim of SIM Swap Fraud, and your phone number is now under the control of an unknown person.”

SIM Swap Fraud - a victim’s perspective | AntiSocial Engineer

EU Fails to Regulate IoT Security

In this week’s head-scratching moment of “what were they thinking?”, the European Commission has rejected consumer groups' calls for mandatory security for consumer internet-connected devices because they believe voluntar
2018-07-27T13:00:00+00:00 http://feeds.feedblitz.com/~/561082430/0/alienvault-blogs~Things-I-Hearted-this-Week-th-July www.secnews.physaphae.fr/article.php?IdArticle=756750 False Data Breach,Hack Tesla None

AlienVault Blog: New! AlienVault USM Anywhere Challenge Coin: What is it and how do I get one?

challenge coin to acknowledge the commitment and dedication it takes to become an AlienVault® Certified Security Engineer. Becoming certified in any technology is something to be proud of, but becoming certified on AlienVault® USM Anywhere™ proves that you are skilled in deploying and managing a threat detection solution that’s trusted by thousands of customers worldwide. The coin design proudly displays the AlienVault logo, along with a specific serialization that makes it a unique, one-of-a-kind object.

So how do you earn an AlienVault challenge coin? The coin is earned by passing the current version of the AlienVault® Certified Security Engineer (AVSE) exam. It’s been three months since we introduced the certification for AlienVault® USM Anywhere™, so we thought it might be helpful to share how to prepare for the AlienVault® Certified Security Engineer (AVSE) exam and provide some background on what candidates can expect.
Since introducing the certification, we have seen a dramatically higher pass rate for those candidates who’ve attended both the AlienVault® USM Anywhere™: Deploy, Configure, Manage (ANYDC) and the AlienVault® USM Anywhere™: Security Analysis (ANYSA) courses. The certification validates the lessons learned in both courses, so while it is not required, attending both courses will provide you the skills and knowledge you’ll need to successfully complete the AVSE certification. Attending the training also gives you hands-on experience with the product and the best possible path to earning the AVSE certification. A certification exam voucher is included with each course.

For candidates who have not taken the training but still need to prepare for the certification, we recommend reviewing the AVSE exam blueprint, which can be found at the following link: https://www.alienvault.com/certification/avse. AlienVault USM Anywhere documentation is also a great resource for review. It provides valuable insight into the product, especially for candidates who have not taken the training courses. AlienVault USM Anywhere is a powerful product that continues to deliver new features and functionality. The documentation is the best way to stay current on the latest version of the product. You can find the documentation at the following link: https://www.alienvault.com/documentation/usm-anywhere.htm

We want to wish everyone the best of luck in their pursuit of AlienVault certification. If you are currently AVSE certified, please reach us at certification@alienvault.com and we’ll get your challenge coin out to you ASAP. If you have any questions about purchasing training, you can reach us at https://www.alienvault.com/contact or call 888-613-6023. Earn AlienVault’s challenge coin today and showcase your AlienVault USM Anywhere expertise!
2018-07-26T13:00:00+00:00 http://feeds.feedblitz.com/~/560891062/0/alienvault-blogs~New-AlienVault-USM-Anywhere-Challenge-Coin-What-is-it-and-how-do-I-get-one www.secnews.physaphae.fr/article.php?IdArticle=754787 False Threat None None

AlienVault Blog: You are Doing Cloud Vendor Assessments Wrong

I’m a firm believer in “trust but verify”, and I’m just going to come out and say it: most security professionals are conducting 3rd party assessments wrong. I’m in a unique spot where I’m on both sides of the fence: we conduct vendor assessments, and we fill out questionnaires required by potential customers. Some folks put very little effort into this process, so it feels like it’s just a “checkbox.” If it’s just a checkbox, then why waste everyone’s time?

In his book “The Speed of Trust,” Stephen M. R. Covey talks about the 7 Low-Trust Organizational Taxes, and one of those is bureaucracy. So, when I see little effort put into questionnaires, it makes me think the individual works for a low-trust organization or they simply don’t understand how to verify our trust. Therefore, it’s time to change your process.

There is a market for companies that conduct 3rd party risk assessments, and a market for risk rating reports on vendors (I find most are misleading). But you don’t need to hire a 3rd party company to conduct the cloud vendor risk assessment, and you definitely don’t need some generalized risk rating of an overall cloud company.

So how do you trust a cloud vendor? The very first step is to understand the business requirements: what is the business wanting to do with the cloud vendor? What data is involved in this business process? Has the business looked at other vendors? If so, which ones? Once you figure out the business requirements and their path to selecting the vendor, go to the vendor’s website and read their privacy policy. The first question that needs answering is: who owns the data?
Next, go to their compliance page and get a copy of their SOC 2 report. A Service Organization Control (SOC) 2 examination demonstrates that an independent accounting and auditing firm has reviewed an organization's control objectives and activities and tested those controls to confirm they operate effectively. There are five trust principles (the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy), and the SOC 2 report states which of them were in scope. There are two types of SOC 2 report. A Type I report attests that the controls were suitably designed and in place at a point in time; it says nothing about whether they operated effectively over a period. A Type II report additionally tests the operating effectiveness of those controls over a stated period, commonly six to twelve months. If a vendor has a SOC 2 Type II and other certifications, do you really need them to fill out your lengthy security questionnaire? I say no. We receive so many questionnaires where we answer "refer to SOC 2" or "refer to AOC" (the PCI DSS Attestation of Compliance). If you really want to verify our trustworthiness, read the findings in our reports, including any exceptions the auditor noted. Then, if you are still uneasy, send the questions that really matter to you. If you send us "Do you conduct vulnerability scans?" then you obviously don't understand the PCI DSS requirements, which already mandate quarterly internal and external vulnerability scans. Send us the questions that will actually help you verify that trust. Buyer beware: if the vendor claims a certification and sends you AWS's certification, that is a BIG RED FLAG. In fact, run! The certifications you are looking for are the ones your vendor achieved, not the ones their vendor achieved. As with all cloud vendors, security and compliance are a shared responsibility: the provider is responsible for security of the cloud, and the customer for security in the cloud. AWS has a good write-up on its shared responsibility model.
Published 2018-07-25T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/560702574/0/alienvault-blogs~You-are-Doing-Cloud-Vendor-Assessments-Wrong (www.secnews.physaphae.fr/article.php?IdArticle=752998)

AlienVault Blog: The Security Compliance Tweet Chat - What We Learned

#AlienChat on Twitter. But for the purposes of this roundup, here are the top things I learned.

The Value of Compliance
What value does compliance bring? While there wasn't overwhelming enthusiasm for the value of compliance, people were not outright dismissive of it either. Instead, we found a healthy level of cynicism among security professionals: there is recognition that compliance has its place, as long as it's accompanied by some caveats.

Completely agree. Compliance should be part of a baseline. Baseline should be a step towards a higher goal, not the goal itself. Too many orgs seem to think compliance is the end of the road, not just part of the journey. — Coyne-Op (@C0yn3_0p) July 19, 2018

A1: It can bring value when done in larger context of good information security controls. For many compliance people, picture day is once a year. Information security people want it to be #infosec picture day every day. That's the difference between security & compliance. #AlienChat — Ben Rothke (@benrothke) July 19, 2018

It sets a minimum baseline. Maybe not helpful if you're meeting the same minimum year over year, which might foster complacency, but helpful if your sec program is new. #AlienChat — Nick (@NickInfoSec) July 19, 2018

Compliance brings value, however that value is more closely related to enterprise risk than information security, per se. My approach is to develop a program based on the needs to address the security risk, but to ensure that the program also complies with any relevant regs. — Rot26 (@rotate26chars) July 19, 2018

Some frameworks are mandatory, some are voluntary. I'd like to hear why a company chose a certain standard before judging. :)

Published 2018-07-24T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/560503438/0/alienvault-blogs~The-Security-Compliance-Tweet-Chat-What-We-Learned (www.secnews.physaphae.fr/article.php?IdArticle=751193)

AlienVault Blog: Things I Hearted this Week, 20th July 2018

InfoSec Recruiting – Is the Industry Creating its own Drought? | Liquid Matrix

GDPR
Did you think that discussions around GDPR were over? You thought wrong.
Want to avoid GDPR fines? Adjust your IT Procurement methods | HelpNetSecurity

SEXTORTION SCAMS
A clever new twist on an extortion email scam includes a password the recipient previously used at a hacked website, to lend credence to the claim that the sender has hacked the recipient's computer and webcam and recorded embarrassing videos.
Sextortion Scam Uses Recipient's Hacked Passwords | Krebs on Security

TESLA
Elon Musk continues to make the headlines, sometimes for the right reasons and other times for the wrong ones. But it's worth taking a look at the company's security. There was the infamous email a few weeks back in which Musk pointed the finger of blame at a rogue employee, but it's not the first case of cybersecurity going wrong at the company: Tesla sued an oil-industry executive for impersonating Musk in an email, the trickster's goal being to undermine Tesla's energy-efficient transportation.
Here's why Tesla has been sabotaged twice in two years — lax network security | Last Watchdog

Published 2018-07-20T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/559727188/0/alienvault-blogs~Things-I-Hearted-this-Week-th-July (www.secnews.physaphae.fr/article.php?IdArticle=747573)

AlienVault Blog: ZombieBoy

ZombieBoyTools to drop the first DLL.
ZombieBoy, like MassMiner, is a cryptomining worm that uses exploits to spread. Unlike MassMiner, however, ZombieBoy uses WinEggDrop instead of MassScan to search for new hosts. ZombieBoy is being continually updated, and I've been obtaining new samples almost daily. An overview of ZombieBoy's execution is below.

Domains
ZombieBoy uses several servers running HFS (HTTP File Server) to serve its payloads. The URLs I have identified are:
ca[dot]posthash[dot]org:443/
sm[dot]posthash[dot]org:443/
sm[dot]hashnice[dot]org:443/
In addition, it appears to have a C2 server at dns[dot]posthash[dot]org.

Exploits
ZombieBoy makes use of several exploits during execution:
CVE-2017-9073, an RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, an SMBv1 vulnerability patched in MS17-010
CVE-2017-0146, an SMBv1 vulnerability patched in MS17-010

Installation
ZombieBoy first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to deliver the two exploits is called ZombieBoyTools and appears to be of Chinese origin: it uses Simplified Chinese as its language, and it has been used to deploy a number of Chinese malware families (such as the Iron Tiger APT's version of Gh0st RAT).

ZombieBoyTools screenshot

Once the DoublePulsar exploit succeeds, it loads and executes the first DLL of the malware. This DLL downloads 123.exe from ca[dot]posthash[dot]org:443, saves it to C:\%WindowsDirectory%\sys.exe, and then executes it.

Set up
123.exe does several things on execution. First, it downloads the module [1] from its file distribution servers. According to code analysis of 123.exe, it refers to this module as "64.exe", but saves it on the victim as "boy.exe". After saving the module, it executes it. 64.exe appears to be in charge of spreading ZombieBoy as well as carrying the XMRig miner. In addition to downloading a module from its servers, 123.exe also drops and executes two modules. The first module is referred to in the code as "74.exe".
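As an added detection example (this is not code from the original write-up), the following Python script turns the indicators this write-up lists into checks a SOC could run over its own telemetry: the defanged domains are refanged and matched against DNS queries, process image paths are matched against the drop locations the write-up names, and a host fanning out on TCP/445 is flagged as a likely SMB scanner, since the worm uses WinEggDrop to hunt for new targets. The log lines are constructed for illustration, the Windows directory is assumed to be ...\Windows, and the scan threshold is an assumption to tune per environment.

```python
"""Detection checks for the ZombieBoy indicators in this write-up.

Added example, not code from the original post. Indicator values
(domains, drop paths, the use of SMB/445 for spreading) come from the
write-up; the log lines below are constructed and the scan threshold
is an assumption to tune per environment.
"""
import re
from collections import defaultdict

# Defanged exactly as published; refang() restores the real hostnames.
DEFANGED_DOMAINS = [
    "ca[dot]posthash[dot]org",   # payload server (HFS on :443)
    "sm[dot]posthash[dot]org",   # payload server
    "sm[dot]hashnice[dot]org",   # payload server
    "dns[dot]posthash[dot]org",  # apparent C2
]

# Drop locations named in the write-up, as regexes over lower-cased paths.
# "Program Files(x86)" is matched with or without the space, because the
# write-up prints it without one while Windows itself uses one.
DROP_PATH_PATTERNS = [
    re.compile(r"\\windows\\sys\.exe$"),  # assumes the Windows dir is ...\Windows
    re.compile(r"\\program files ?\(x86\)\\svchost\.exe$"),
    re.compile(r"\\program files ?\(x86\)\\stormii\\mssta\.exe$"),
    re.compile(r"\\boy\.exe$"),
]


def refang(indicator: str) -> str:
    """'ca[dot]posthash[dot]org' -> 'ca.posthash.org'."""
    return indicator.replace("[dot]", ".").replace("[.]", ".")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def suspicious_dns(queries):
    """(client, qname) pairs whose name is a ZombieBoy domain.

    Case and a trailing dot are normalised so 'SM.hashnice.org.' matches.
    """
    return [(client, qname) for client, qname in queries
            if qname.lower().rstrip(".") in KNOWN_DOMAINS]


def suspicious_process(image_path: str) -> bool:
    """True for a process image at one of the drop paths, or for any
    svchost.exe outside System32/SysWOW64 (a family-independent rule:
    the real svchost.exe only lives there)."""
    p = image_path.lower()
    if any(pat.search(p) for pat in DROP_PATH_PATTERNS):
        return True
    if p.endswith("\\svchost.exe") and not (
            "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p):
        return True
    return False


def smb_scanners(flows, min_targets=20):
    """Sources that opened TCP/445 to at least min_targets distinct hosts.

    ZombieBoy uses WinEggDrop to hunt for new SMB targets, so an infected
    host fans out on 445. min_targets is an assumed threshold.
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


# Constructed sample telemetry (not from the write-up).
SAMPLE_DNS = [
    ("10.0.0.12", "ca.posthash.org"),
    ("10.0.0.12", "SM.hashnice.org."),
    ("10.0.0.7", "update.microsoft.com"),
]
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",           # legitimate
    r"C:\Program Files (x86)\svchost.exe",        # 74.exe drop (Gh0st RAT)
    r"C:\Windows\sys.exe",                        # 123.exe drop
    r"C:\Program Files (x86)\StormII\mssta.exe",  # 84.exe drop
]
SAMPLE_FLOWS = [("10.0.0.12", f"10.0.1.{i}", 445) for i in range(1, 41)]
SAMPLE_FLOWS.append(("10.0.0.7", "10.0.1.5", 445))

if __name__ == "__main__":
    print("DNS hits:", suspicious_dns(SAMPLE_DNS))
    print("Bad images:", [p for p in SAMPLE_PROCESSES if suspicious_process(p)])
    print("SMB scanners:", smb_scanners(SAMPLE_FLOWS))
```

The svchost.exe rule is worth keeping even after this family is gone: a binary with that name anywhere outside %SystemRoot%\System32 or SysWOW64 is a strong indicator regardless of which malware dropped it.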
The 74.exe module is saved as "C:\Program Files(x86)\svchost.exe" (the legitimate svchost.exe lives only in %SystemRoot%\System32 or SysWOW64, so this path alone is a strong indicator). It appears to be a variant of the age-old Gh0st RAT. The second module is referred to in the code as "84.exe". It is saved as "C:\Program Files(x86)\StormII\mssta.exe" and appears to be a RAT of unknown origin.

64.exe
64.exe is the first module downloaded by ZombieBoy. It uses some formidable anti-analysis techniques. First, the entire executable is encrypted with the Themida packer, making reverse engineering difficult. Also, in c

Published 2018-07-18T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/559273982/0/alienvault-blogs~ZombieBoy (www.secnews.physaphae.fr/article.php?IdArticle=747574)

AlienVault Blog: Threats, Politics, and Cryptocurrency-Mining - Infosecurity Europe 2018 Survey Results

here!

Key Findings
Looking forward, cloud security threats are the most concerning external threat.
Internally, phishing (55%) and ransomware (45%) lead the pack of worries for security departments.
92 percent would rather pay a subscription fee, allow ads, or leave a website altogether than allow a website to mine cryptocurrency.
56 percent believe cybersecurity has become a political pawn.

The report has lots of graphs with detailed results. For example, it is striking how pronounced awareness of cloud security threats has become.

Published 2018-07-17T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/558986326/0/alienvault-blogs~Threats-Politics-and-CryptocurrencyMining-Infosecurity-Europe-Survey-Results (www.secnews.physaphae.fr/article.php?IdArticle=747575)

AlienVault Blog: Things I Hearted this Week, 13th July 2018

AT&T To Acquire AlienVault
I've covered and speculated on, and even advised on, security M&A over the years, but it's the first time I've been working at a technology company that has been acquired.
It's exciting times, and I'm glad to be part of the journey.
AT&T to Acquire AlienVault | AlienVault
In other M&A news, Mimecast announced it acquired Ataata Inc, a cybersecurity training and awareness provider. Bomgar acquired Avecto to augment its identity and access management capabilities. And the biggie: Broadcom agreed to buy CA Technologies for $19 billion (yes, with a B).

Cybersecurity - Why You're Doing It All Wrong
A thought-provoking opinion piece by Ed Tucker on why a lot of security controls in companies don't work. There are some broad generalisations, but it's worth it.
"For too long, security teams have lived the lie that what they have delivered has been effective, but so often they approach it from a viewpoint divorced from the customers they affect. To be fair to most security teams, they are generally blissfully unaware of the inefficiencies of their controls – or ignorant."
Cybersecurity - why you're doing it all wrong | Computer Weekly

Timehop Shows How Incident Response Is Done
On July 4th Timehop announced a breach. A breach itself isn't really big news these days; often it's just the cost of doing business online. However, the response from Timehop has been nothing short of stellar. It has published perhaps one of the most detailed updates on an incident I've ever seen, including internal breach notifications. They've also provided a technical timeline and even broken down the total number of records and which of them fall under GDPR. The company may have shown us all how seriously it takes security, not in the fact that it got breached, but in the manner in which it has responded. Seriously, I think every company should look at its internal processes and ask: if we were breached today, could we produce something similar within a week?
Timehop security incident | Timehop
Timehop incident technical report | Timehop

Facebook Fined £500K From UK Data Watchdog
These were some of the findings of the UK's Information Commissioner's Office – the nation's privacy watchdog – which this morning issued a s

Published 2018-07-13T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/558202866/0/alienvault-blogs~Things-I-Hearted-this-Week-th-July (www.secnews.physaphae.fr/article.php?IdArticle=743908)

AlienVault Blog: Continuous Information Security Monitoring to Combat Continuous Threats

This growing attack surface is a cyber-criminal's dream and a network defender's nightmare. The bad guys only need to find one weak spot, while you're tasked with defending every potential weak spot. That's not a fair playing field. So where do you start? To state the obvious, you can't monitor what you can't see, so getting visibility into who and what is connecting to your network is the first step. Automated asset discovery is one of the most essential capabilities of a continuous security monitoring program. But it's not enough to know which assets are on your network; you need to know what software and services are installed on them, how they're configured, and whether there are any vulnerabilities or active threats being executed against them. Constant application updates and changes to application and system configurations can introduce vulnerabilities and leave you exposed to attack, even if you are keeping your security controls up to date. This brings us to step two in continuous security monitoring: continuous vulnerability management. Let me take this opportunity to throw in a frightening stat. According to the National Vulnerability Database (NVD), more than 14,700 vulnerabilities were reported in 2017, roughly double the 2016 count.
Needless to say, vulnerability management is an ongoing process, and therefore by its very nature an essential part of any continuous security monitoring initiative. Continuous asset discovery and continuous vulnerability management go hand in hand: you can't have one without the other in a successful continuous security monitoring program. And while you could use two separate tools for these tasks, a single solution that combines them, and ideally all the essential capabilities for continuous security monitoring, makes life easier. AlienVault® Unified Security Management® (USM) gives you the upper hand in detecting and remediating the vulnerabilities in your environment before attackers exploit them. It does so by delivering automated asset discovery and vulnerability scanning as part of a unified platform that also includes intrusion detection, behavioral monitoring, SIEM event correlation, log management, and, very importantly, continuously updated threat intelligence. With AlienVault USM, you get real-time visibility into the assets on your network, which ones are vulnerable, and where an asset is actually exposed to threats, allowing you to focus on the most important issues first. You'll be able to quickly answer critical and time-sensitive questions such as:
What devices are on my physical and virtual networks?
What instances are running in my cloud environments?
What vulnerabilities exist on the assets in my cloud and network?
Are there known attackers trying to interact with my cloud and network assets?
Are there active threats on my cloud and network assets?
Published 2018-07-12T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557947524/0/alienvault-blogs~Continuous-Information-Security-Monitoring-to-Combat-Continuous-Threats (www.secnews.physaphae.fr/article.php?IdArticle=741835)

AlienVault Blog: The Terms and Conditions of Internet Privacy for a GenZ Student

We've all seen it before: the pop-ups of necessary security updates, the horror stories of celebrity pictures leaked by hackers, and the infamously long document of God-knows-what followed by "I agree to the following terms and conditions". These are ever present in our rapidly progressing technological society and continue to characterise how society, and especially the younger generation, interacts with information technology. As a high school student and a member of the early half of GenZ, I wasn't raised behind the protective barrier of informational isolation created by the limited technological advances of the generations that preceded me. My grade has had the unique experience of watching technology morph before our eyes. Elementary school was a time of computer typing class, projectors and the slow encroachment of Smart Boards as the years progressed. It seems like every year of middle school I had a different policy regarding phone usage, and school districts seemed to be playing catch-up to a wave of pop and technological culture flooding students. As I progressed through high school, faculty encouraged phone usage in the classroom for research and used our ability to access a mass of information quickly as an advantage. Every year of my education I watched technology transform, from flip phones and overhead projectors in elementary school to smartphones and Smart Boards in high school.
What my computer class in elementary school and my subsequent technology education failed to teach me were answers to the questions "what is privacy in a world of constant connection?" and "how do we protect ourselves and stay connected?".

What is privacy in a world of constant connection?
To answer this we first need to define privacy, a notoriously ambiguous and contested concept. The reason privacy is difficult to define lies partly in its subjective nature: defining it relies heavily on personal preferences and values, among other individual factors. The question of what is and is not private leaves the debate over cyber security in murky waters. This, coupled with government, private and corporate fascination with the inner workings of individuals' minds and the ever-expanding ways information can be stored and shared, has often left privacy as an afterthought. A glance at GenZ's informationally open philosophy further explains the encroachment of commercial information use on the once dormant cybersphere, specifically in regard to social media. I was four years old when Facebook began and, though it took a couple of years to develop into the Facebook we all know and love (or not) today, it has undeniably shaped the technological world as well as my generation's perception of privacy. "Friends" now meant both the close group of people we connect with on a personal level and the dozens, hundreds or thousands of people we barely know. The contradictory dual definitions symbolise society's pull to make familiar technological situations that had never existed before. Our generation was the guinea pig that tested the effects of being raised in a world of rapidly expanding connection and, as a result, of privacy becoming optional on a grand scale. The push to familiarise social media leads to challenges in differentiating meaningful relationships from frivolous online "relationships".
We had to learn the difference between the girl we've known since first grade and sunshinegirl56, especially in regard to information sharing. But in the naive minds of children, dangers can be overlooked and private information can quickly become unprivate. While we were taught not to talk to strangers online, the familiarity of the option to talk to strangers online and the preval

Published 2018-07-10T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751888/0/alienvault-blogs~The-Terms-and-Conditions-of-Internet-Privacy-for-a-GenZ-Student (www.secnews.physaphae.fr/article.php?IdArticle=740324)

AlienVault Blog: 15 Ways to Deal with Badly Written Risks

@J4vv4D in that case, this is the only response...https://t.co/AseiwFjZbt — Mo Amin (@infosecmo) December 6, 2016

@J4vv4D At 1mn05 into this video: https://t.co/GxlOaoxoZu — Luushanah (@luushanah) December 6, 2016

@J4vv4D Cannot accept this finding. Please provide more information and evidence. If they explain it better, yay, if they can't we're done — B Miller (@Securithid) December 6, 2016

@J4vv4D ask "what's the risk" — EoinKeary (@EoinKeary) December 6, 2016

@J4vv4D dear auditor this is my implementation plan: # rm -rf /audit , hope you understand my point — Juanes (@hcjuan04) December 6, 2016

@J4vv4D how about sending them this video https://t.co/8YSFKPCjoh — BrianHonan (@BrianHonan) December 6, 2016

Published 2018-07-09T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751890/0/alienvault-blogs~Ways-to-Deal-with-Badly-Written-Risks (www.secnews.physaphae.fr/article.php?IdArticle=740325)

AlienVault Blog: Things I Hearted this Week, 6th July 2018

10 things to know before getting into cyber security | Double Pulsar
Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).
Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog

HACKERS WILL GET HACKED
Of course we trust the Government to keep backdoors and hacking tools safe... they're the Government. I, for one, am shocked that gambling takes place in this casino. From Cellebrite, to the Shadow Brokers, to the CIA dump, so many recent data breaches have shown there is a real risk of government hacking tools being exposed.
Your Government's Hacking Tools Are Not Safe | Motherboard
In related news, NSO Group sells its potent iPhone malware to governments, including Mexico and the United Arab Emirates. But according to a newly released indictment, a disgruntled employee stole the company's code and tried to sell it for $50 million worth of cryptocurrency.
NSO Group Employee Allegedly Stole Company's Powerful Spyware for Personal Profit | Motherboard

IT IS COMING HOME
While the tide of outsourcing seems to be rising, does BP represent an undercurrent of companies wanting to get their arms around exactly what they have, why they have it, and who manages it? BP is looking to bring the majority of its IT back in-house as part of a wider modernisation programme across the entire energy group, which comprises a massive 74,000 employees. Speaking at the London leg of AppDynamics' World Tour, Andy Sturrock, head of modernise IT transformation at BP, admitted that the energy company had been too reliant on outsourcing in the past. "We looked at ourselves and realised that we had become an IT organisation which didn't really do IT, we facilitated other companies doing IT to us," he said. "So we wanted to get back to us being an IT organisation and developing our own capability again."
BP removes reliance on third-party providers by bringing IT in-house | Channel Asia

DECENTRALISING THE INTERNET
No, this isn't a plot out of the show Silicon Valley. Fixing the internet can look like mission impossible, even in the West.
A Jeffersonian reform in the form of Web 3.0 appears a long way off, and its regulatory equivalent, a vigorous antitrust policy, does not look much more promising. Online, humanity seems bound to sink ever deeper into a Hamiltonian hole. But such an outcome is not inevitable.

Published 2018-07-06T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751886/0/alienvault-blogs~Things-I-Hearted-this-Week-th-July (www.secnews.physaphae.fr/article.php?IdArticle=740326)

AlienVault Blog: Simplify Compliance Reporting with AlienVault USM Anywhere

HIPAA - Healthcare Compliance Reporting
For healthcare providers, HIPAA is a key concern. In USM Anywhere, once you define your HIPAA asset group (the part of your environment that touches protected health information, or PHI), you can readily view, export, and customize the following predefined reports.

NIST Cybersecurity Framework (CSF) Compliance Reporting
USM Anywhere lets you quickly and easily report the status of controls across the NIST CSF functions of Identify, Protect, Detect, and Respond. The following predefined NIST CSF reports are available out of the box with USM Anywhere.

ISO 27001 Compliance Reporting
Out of the box, USM Anywhere includes pre-built compliance reporting templates that map to multiple ISO 27001 requirements, making it fast and simple to review the state of your deployed technical controls and to help satisfy requests during an au

Published 2018-07-05T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751892/0/alienvault-blogs~Simplify-Compliance-Reporting-with-AlienVault-USM-Anywhere (www.secnews.physaphae.fr/article.php?IdArticle=740327)

AlienVault Blog: Cloud Based Security

Benedict Evans stated that the best is often the last.
He elaborates: "The development of technologies tends to follow an S-curve: they improve slowly, then quickly, and then slowly again. And at that last stage, they're really, really good. Everything has been optimised and worked out and understood, and they're fast, cheap and reliable." And while his original post was two years ago, which in technology terms can be a lifetime, it holds true today. It's worth looking at IT security through the same lens. Cynical commentators may say that IT security has never been good, but that isn't true in all cases. In fact, many traditional security technologies have become so good and so commoditised that they are all but invisible to the end user. But perhaps what is changing more than the security technologies themselves is the delivery mechanism. As companies have embraced the cloud, so have many providers, and security is no different. That's not to say that security appliances don't have their place in enterprises; it's just that they've probably gotten as good as they can get, so it's time to adapt to the new reality.

Innovation or following the trend?
Willie Sutton famously said that he robbed banks because that's where the money is. Or, as the hockey line attributed to Walter Gretzky goes, "skate to where the puck is going to be, not where it has been." So are security providers moving to deliver security from the cloud simply because that's where everyone appears to be heading? Perhaps, but there are real benefits to both consumers and providers of cloud-based security technology.

Benefits to companies
As companies continue to embrace cloud technologies, it makes sense to have cloud-based security that can provide capabilities across both cloud and on-premises technologies. Some of the prominent benefits include:
1. Cost to deploy
With cloud-based offerings, there is no capital expenditure outlay. Users simply select the type of license and pay only for what they need, saving the time and resources needed to deploy the offering.
2. Continuous updates and patches
One of the biggest advantages of cloud-based security software is that it is continuously updated and patched by the provider, relieving the user of the maintenance burden and letting them focus on the business issues that matter most.
3. Integration and scalability
Cloud services are by their very nature designed to be scalable, so they can keep up with the changing demands of a business. They also provide a stable platform through which integrations with other cloud-based providers can be built, allowing users to derive more value from their purchases.

Benefits to providers
The benefits of cloud-based security don't end with the customers; there are many benefits to the provider too.
1. Income predictability and stability
With a subscription model, it becomes easier for companies to predict income accurately. The economies of scale also work better, as the fixed costs of delivering from the cloud typically rise much more slowly than the number of customers acquired.
2. Expansion
Cloud-based companies find it easier to expand into new territories. Without having to ship appliances, the business model bec

Published 2018-07-03T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751894/0/alienvault-blogs~Cloud-Based-Security (www.secnews.physaphae.fr/article.php?IdArticle=740328)

AlienVault Blog: Things I Hearted this Week – 29th June 2018

OWASP top 10 for .NET developers and thinking to myself that this guy really knows his stuff. Which is why I was optimistic when Troy launched Have I Been Pwned, but I don't think I foresaw how big the project would become: it is now being integrated into Firefox and 1Password. Not bad going for the blogger from down under.
We're Baking Have I Been Pwned into Firefox and 1Password | Troy Hunt

Defining "Hacker" In 2018
If you do a Google image search for the word hacker, you'll get images of scary-looking, balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They're up to no good: stealing your data, crashing critical systems, or causing general Internet badness. In reality, the word "hacker" applies to a much broader group of people, one that extends well beyond cybersecurity. Merriam-Webster defines a "hacker" as "an expert at programming and solving problems with a computer".
Defining "Hacker" in 2018 | Bugcrowd

Lessons From NotPetya One Year Later
This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons. An example is this quote in a recent article: "One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen. But this is wrong, at least in the case of NotPetya.
Lessons from nPetya one year later | Errata Security

German Researchers Defeat Printers' Doc-Tracking Dots
Beating the unique identifiers that printers can add to documents for security purposes is possible: you just need to add extra dots beyond those the security tools already add. The trick is knowing where to add them.
Many printers can add extra dots to help identify which device printed a document, as it's handy to know that when they fall into the wrong hands. The

Published 2018-06-29T13:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/557751898/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-th-June (www.secnews.physaphae.fr/article.php?IdArticle=740329)

AlienVault Blog: SMBs: 3 Signs It's Finally Time to Replace Your AntiVirus

a recent survey conducted by the Ponemon Institute, less than a third believe their antivirus can stop the threats they are seeing. As a result, organizations are exploring their options. One third of respondents to the Ponemon survey reported they had replaced their antivirus with a competitor's offering or a next-generation endpoint protection solution in the past 12 months. 50 percent confirmed they had kept their antivirus but supplemented it with additional solutions designed to provide better protection and/or detection and response capabilities. While maintaining legacy antivirus alongside new protection may work for larger companies that have the budget and staff to take on and manage multiple solutions, it may not always be an effective option for small or medium-sized businesses. How do you know when it is finally time to cut your legacy antivirus loose? Here are three key signs to consider.

1) There are attacks your antivirus is not blocking
At its core, antivirus has one job to do: keep endpoints from being infected or compromised. Unfortunately, its primary method of doing that job, scanning static files to determine if they are potentially malicious, is extremely narrow and limited considering the variety of attack techniques we're seeing today.
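To make that limitation concrete, here is an added illustration (not from the original post or from any antivirus vendor) of why a file scanner that matches hashes or byte patterns loses against repacking and in-memory execution. A constructed, harmless byte string stands in for a known-bad sample, and a toy XOR packer written for this example stands in for a real packer; both are assumptions of the example, not anything the post describes.

```python
"""Hash/byte-signature scanning versus a repacked or in-memory payload.

Added example, not from the original post or any vendor. PAYLOAD is a
harmless constructed byte string standing in for a known-bad file, and
pack()/unpack() is a toy XOR packer written for this illustration; real
packers are more elaborate, but the effect on a file scanner is the same.
"""
import hashlib

# Constructed "known bad" sample and the two kinds of static signature an
# AV engine might hold for it: the whole-file hash and a byte pattern.
PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 12
           + b"cmd.exe /c powershell -enc " + b"QQ" * 16)
KNOWN_BAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()
BYTE_SIGNATURE = b"powershell -enc "


def hash_match(blob: bytes) -> bool:
    """Exact-hash signature: matches only the byte-identical file."""
    return hashlib.sha256(blob).hexdigest() == KNOWN_BAD_SHA256


def pattern_match(blob: bytes) -> bool:
    """Byte-pattern signature: survives small edits, not encoding."""
    return BYTE_SIGNATURE in blob


def pack(payload: bytes, key: int) -> bytes:
    """Toy packer: a one-byte key header, then the payload XORed with it.
    The stub a real packer prepends is modelled by unpack()."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave bytes unchanged)")
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """What the packer stub does at run time: decode into memory."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def scan_on_disk(blob: bytes) -> bool:
    """A file scanner only sees the bytes as written to disk."""
    return hash_match(blob) or pattern_match(blob)


def scan_in_memory(blob: bytes) -> bool:
    """A memory/behavioural scanner sees the decoded payload after the
    stub has run, so the same signatures work again."""
    decoded = unpack(blob)
    return hash_match(decoded) or pattern_match(decoded)


def distinct_on_disk_hashes(n: int) -> int:
    """Repack the same payload with n different keys: every repack yields
    a new file hash, so a hash blacklist never catches up."""
    return len({hashlib.sha256(pack(PAYLOAD, k)).hexdigest()
                for k in range(1, n + 1)})


if __name__ == "__main__":
    packed = pack(PAYLOAD, 0x5A)
    print("original on disk  :", scan_on_disk(PAYLOAD))       # True
    print("repacked on disk  :", scan_on_disk(packed))        # False
    print("repacked in memory:", scan_in_memory(packed))      # True
    print("hashes from 10 repacks:", distinct_on_disk_hashes(10))  # 10
```

The fileless case is the same picture taken one step further: when the payload is never written to disk at all, scan_on_disk has nothing to look at and only the in-memory or behavioural view can see it.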
As Gartner points out, “Endpoint protection platforms that rely solely on signature-based malware detection are not completely effective when it comes to repacked or new malware until new signatures are distributed.... Organizations...are essentially unprotected until all their endpoints are updated with the latest signature.”

Even next-generation antivirus solutions that supplement signature matching with machine learning are still limited to scanning, analyzing, and quarantining static files written to disk. Many of today’s attacks have evolved to exploit that limitation, adopting fileless delivery techniques instead. These are no longer theoretical threats. According to Ponemon, 77% of attacks that successfully compromised organizations in 2017 utilized fileless techniques. The inability to block today’s evasive and fileless threats is one of the top reasons organizations cite for replacing their antivirus.

2) Your Antivirus is slowing you down

When antivirus isn’t doing its job that’s bad enough, but it can often make it harder for admins and users to do their jobs. Constant updates and file scanning are notorious antivirus pain points. In fact, when Barkly asked IT and security pros what their challenges with their current endpoint protection were, “slows down user machines” was t

2018-06-26T13:00:00+00:00 http://feeds.feedblitz.com/~/557751900/0/alienvault-blogs~SMBs-Signs-It%e2%80%99s-Finally-Time-to-Replace-Your-AntiVirus www.secnews.physaphae.fr/article.php?IdArticle=740330

Safety Measures for Protecting Your Business from Cyber Attacks

According to the Verizon 2018 DBIR, 58% of data breach victims are small businesses. Furthermore, it is shocking to see that 60% of small businesses are shut down within 6 months of an attack, according to the National Cyber Security Alliance. So, what makes these small enterprises prone to cyber-attacks?
It is probably the lack of resources due to a limited budget, and the misconception that only large organizations are attacked by hackers. However, businesses of all sizes need to stay ahead of cyber attackers. I have come up with some useful preventive measures to protect your business from cyber-attacks. Take a look:

Train Your Staff

Your employees are your biggest asset, but at the same time, they are the biggest security risk as well. So, your primary action should be to give security awareness education to your staff. This will help in minimizing cases of accidental or intentional data leakage. One important point to keep in mind is that providing training to your staff is not a one-time task. Rather, it should be done periodically to ensure that your employees are kept up to date with the latest cyber threats. It helps them act cautiously against security vulnerabilities and threats.

Manage your Passwords

Your passwords are the key to your company’s confidential information. It is crucial to follow some basic rules of thumb when creating and managing passwords for your company.

- Always change default passwords to unique passwords.
- Do not use the same password for different accounts.
- Make sure you store your passwords safely. Use a password manager. Never write your passwords on paper accessible to others.
- Follow the guidelines for making a strong password. Use a combination of uppercase and lowercase letters, numbers, symbols, etc.

Keep your tech in good shape

The OS and apps on company systems should be up-to-date, as that ensures installation of the latest security patches. Further, a firewall and antivirus need to be installed on each and every system. Ensure that both are active, up-to-date and installed with the right settings. Microsoft operating systems come with a default firewall, so you just need to activate it. However, it is strongly recommended to invest in reliable and advanced antivirus software for PCs.
After all, buying an antivirus is much cheaper than becoming a cyber-attack victim.

Keep backups to limit the loss

With the rising number of ransomware attacks, the importance of having a data backup has come into the picture. It is better to keep a copy of your data rather than taking the risk of paying a ransom to hackers. A company can get back to running normally after an attack if a data backup is available. Make sure you run periodic backups of your company’s data, as that allows you to restore from a recent point. Backups should always be kept on a separate system.

Get your Coding tested

Your website code and hosting are an important aspect of the security of your company. Get your website fully tested for security errors by your internal Information Security team, or hire one. Improper or outdated code can help hackers make their way into your website and ultimately cause harm. Further, make sure the hosting facility for your website is from a reliable hosting company. Don’t forget to

2018-06-25T13:00:00+00:00 http://feeds.feedblitz.com/~/557751902/0/alienvault-blogs~Safety-Measures-for-Protecting-Your-Business-from-Cyber-Attacks www.secnews.physaphae.fr/article.php?IdArticle=740331

Malicious Documents from Lazarus Group Targeting South Korea

discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea. This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.
Malicious Documents

We looked at three similar malicious documents:

- 국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4
- 금융안정 컨퍼런스 개최결과.hwp ("Financial Stability Conference held") - 69ad5bd4b881d6d1fdb7b19939903e0b
- 신재영 전산담당 경력.hwp (“[Name] Computer Experience”) - 06cfc6cda57fb5b67ee3eb0400dd5b97

[Figure: The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting]

[Figure: The decoy document of a resume]

These are Hangul Word Processor (“HWP”) files - a South Korean document editor. The HWP files contain malicious PostScript code to download either a 32 or 64 bit version of the next stage from:

- https://tpddata[.]com/skins/skin-8.thm - eb6275a24d047e3be05c2b4e5f50703d - 32 bit
- https://tpddata[.]com/skins/skin-6.thm - a6d1424e1c33ac7a95eb5b92b923c511 - 64 bit

The malware is Manuscrypt (previously described by McAfee and

2018-06-22T14:41:00+00:00 http://feeds.feedblitz.com/~/557751904/0/alienvault-blogs~Malicious-Documents-from-Lazarus-Group-Targeting-South-Korea www.secnews.physaphae.fr/article.php?IdArticle=740332

Things I Hearted this Week, 22nd June 2018

The Tesla Insider

Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen." The incident is also notable for the impact it had on the company's share price, which dropped more than 6% in trading.
"I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

Insider threats defined | AlienVault
Tesla hit by insider saboteur who changed code, exfiltrated data | SC Magazine
Tesla sinks after Elon Musk says an employee conducted 'sabotage' and Trump ramps up fears of a trade war (TSLA) | Business Insider

Can't Fix, Won't Fix, Don't Fix

Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?

Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results? | IT Pro Portal

On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test.

It's time to kill the pen test (PDF) | RSAconference

To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine...

Awesome Penetration Testing | Kinimiwar, GitHub

A Case Study In Bad Disclosure

Imagine you're a researcher and have found a vulnerability; you then disclose it responsibly to a vendor, then that vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie. Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000.
Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause.

2018-06-22T13:00:00+00:00 http://feeds.feedblitz.com/~/557751908/0/alienvault-blogs~Things-I-Hearted-this-Week-nd-June www.secnews.physaphae.fr/article.php?IdArticle=740333

MassMiner Malware Targeting Web Servers

There are a number of different versions of MassMiner, and honeypot data indicates they are continuing to spread:

[Figure: An infected MassMiner machine attempting to spread, using an exploit for Apache Struts]

This one site records infection attempts to their honeypots, most likely from infected systems, in the following countries:

It’s likely these numbers represent just a minority of the infected systems.

Reconnaissance

MassMiner includes a fork of MassScan, a tool that can scan the internet in under 6 minutes. The MassScan fork passes a list of IP ranges to scan during execution, which includes private and public IP ranges.

Exploitation

MassMiner then proceeds to run exploits against vulnerable systems, including:

2018-05-01T16:02:00+00:00 http://feeds.feedblitz.com/~/542914030/0/alienvault-blogs~MassMiner-Malware-Targeting-Web-Servers www.secnews.physaphae.fr/article.php?IdArticle=620723

AlienVault Monthly Product Roundup April 2018

AlienVault Product Forum. Here is a roundup of the highlights from our April 2018 releases:

Go Threat Hunting with OTX Endpoint Threat Hunter™: Okay, so technically this one is not a USM Anywhere feature, but it is very cool (and free!) and worth the mention here.
Earlier this month, we launched OTX Endpoint Threat Hunter™— a new free service in Open Threat Exchange® (OTX™) that allows anyone to hunt for malware and other threats on their endpoints using the indicators of compromise (IOCs) catalogued in OTX. It’s powerful, easy to use, and completely free.

Introducing our not-so-secret Agent, man: OTX Endpoint Threat Hunter is powered by the AlienVault Agent—a lightweight and adaptable endpoint agent based on osquery. We plan to extend the use of the AlienVault Agent in USM Anywhere and have already begun to invite USM Anywhere users to request early access to the AlienVault Agent through the product, under the new Agents page. Participation in early access is limited. The AlienVault Agent provides deep visibility into your environment with File Integrity Monitoring and event forwarding on Windows and Linux endpoints. It is simple and fast to install and has a small footprint. With the AlienVault Agent, you can get to endpoint security insights quickly, without the cost and complexity of a standalone endpoint security solution. We’ll announce general availability later this year, so stay tuned!

Leveling up our sensor security: In an effort to constantly improve our security hygiene (we already floss daily), this month, we added secure transport capabilities to USM Anywhere sensors. USM Anywhere now supports syslog over TCP (port 601) and secure transport through TLS (port 6514), so you can rest easier at night.

Show me the data sources: When it comes to data collection for threat detection, the first and most important thing to know is whether your data sources are supported and how. To make it easier and faster to navigate data collection in USM Anywhere, we added a new Data Sources menu to the main navigation. This menu consolidates all the different ways USM Anywhere collects data from your environment: Sensors, Agents, and Integrations.
The new Integrations page includes tabs for Plugins, Sensor Apps, and AlienApps, which now includes the Forensics and Response App. In addition, we streamlined the existing Settings menu, again making USM Anywhere simple and fast to use.

New and improved data sources: Speaking of data sources, we regularly add support for new data sources and improve our methods of collection, parsing, and normalization for existing data sources. You can always find our full list of data sources, including AlienApps and plugins, here. If you don’t see a data source here that you want to support, fear not. AlienVault will build support for most commercially available products at no additional charge. You can submit a request

2018-05-01T13:00:00+00:00 http://feeds.feedblitz.com/~/542861750/0/alienvault-blogs~AlienVault-Monthly-Product-Roundup-April www.secnews.physaphae.fr/article.php?IdArticle=620360

Patching Frequency Best Practices

A client asked the other day for guidance on best practices regarding how often they ought to patch their systems. My immediate thought was “continuously.” However, most small to mid-sized enterprises don’t have the resources for that. If you go to a source such as the Center for Internet Security, they talk about patching as a critical security control and say you need a formalized program of patch management to “regularly update all apps, software, and operating systems.” But they don’t say much about how or how often this should be done.

Patching Frequency Best Practices from DoD

So, I hearkened back to the days when I was performing security audits for the Army. I probably did more than 500 of these on every type of system – from a small, rack-mounted tactical command & control server in the back of a Humvee to a 350,000-user wide area network in all 50 states.
I started in the 1990s with the Department of Defense (DoD) Information Technology Security Certification & Accreditation Process (DITSCAP), and then moved to the DoD Information Assurance Certification and Accreditation Process (DIACAP), and finally the Risk Management Framework (RMF) that is in use today. Typically, whenever we assessed those Army systems, if they had any missing patches or antivirus updates for more than a week, we would fail them. But when I researched this recently, I couldn’t find an Army or DoD reference to support this timeframe. You would think the DoD would have a best practice in place for that!

The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs), which are checklists for security hardening of information systems/software “that might otherwise be vulnerable to malicious computer attacks.” These outline security best practices for a variety of technologies – e.g., Windows OS, networking devices, database, Web, etc. The STIGs serve as the reference guides for all of DoD and represent what I would call “high assurance” best practices. In fact, we used to joke that if you followed all of the STIG guidance, you would “brick” your system! There is, of course, always a tradeoff between system security and usability.

There is also doctrine on security controls (including patching/updates) in various guides such as the NIST SP 800-53 Risk Management Framework and the DoD Cybersecurity Discipline Implementation Plan. Upon examining all of these, I found that they actually provide varying advice on patching/update frequency – based on the criticality of the system, the level of data being processed, or the criticality/impact of the patches to be implemented.
The current objective for all patching in the DoD, according to the Cybersecurity Discipline Implementation Plan, dated February 2016, is: “All DoD information systems have current patches within 21 days of IAVA patch release.” In addition: “Systems with high risk security weaknesses that are over 120 days overdue will be removed from the network.” Note that an IAVA is an Information Management Vulnerabil

2018-04-30T13:00:00+00:00 http://feeds.feedblitz.com/~/542609586/0/alienvault-blogs~Patching-Frequency-Best-Practices www.secnews.physaphae.fr/article.php?IdArticle=619458

Things I Hearted this Week, 27th April 2018

Researchers Find Way to Create Master Keys to Hotels | F-Secure
A ONE-MINUTE ATTACK LET HACKERS SPOOF HOTEL MASTER KEYS | Wired

SEC Fines Yahoo $35 Million

The company formerly known as Yahoo is paying a $35 million fine to resolve federal regulators’ charges that the online pioneer deceived investors by failing to disclose one of the biggest data breaches in internet history. The Securities and Exchange Commission announced the action Tuesday against the company, which is now called Altaba after its email and other digital services were sold to Verizon Communications for $4.48 billion last year. Yahoo, which is no longer publicly traded, neither admitted nor denied the allegations but did agree to refrain from further violations of securities laws.

SEC Fines Yahoo $35 Million for Data Breach That Affected 500 Million Users | Bleeping Computer
Company Formerly Known As Yahoo Pays $35M Fine Over 2014 Hack | CBS SF

SOCs require automation to avoid analyst fatigue for emerging threats

SecOps needs an immediate shift across industries. Some SecOps teams develop playbooks for an additional layer of training, but when security events occur, it is uncommon to follow every step a playbook describes.
The data becomes overwhelming and the resulting alert fatigue leads to analysts overlooking threats entirely, leading to an increase in emerging threats.

SOCs require automation to avoid analyst fatigue for emerging threats | HelpNetSecurity

On the topic of incident response, I enjoyed this piece by Steve Ragan, Two incident response phases most organizations get wrong | CSO Online

Also related: How to Build a Cybersecurity Incident Response Plan | Dark Reading

The Seven Circles of Security

An insightful post from a CISO highlighting where most of their time is spent. Number six will shock you! Well, it probably won’t, but a little clickbait never hurt, did it?

The Seven Circles of Security: Where This CISO Spends Her Time |

2018-04-27T13:00:00+00:00 http://feeds.feedblitz.com/~/541953022/0/alienvault-blogs~Things-I-Hearted-this-Week-th-April www.secnews.physaphae.fr/article.php?IdArticle=618076

Financial Fraud: What Can You Do About It?

Financial fraud used to be simple. Erase the ink from a check, make it out for more money, and laugh as you withdrew money. Nowadays, it requires a bit more finesse but is still simple in concept. Thankfully, it’s also fairly easy to protect yourself or your company from financial fraud in a highly digitized world. In 2017, massive data breaches, ransomware attacks, and financial fraud ramped up. Steps are being taken around the world to combat this, such as the European Union updating their General Data Protection Regulation to help with breaches, but where does that leave you?

Identity Theft and Credit Card Fraud

First, it’s helpful to discuss identity theft and credit card fraud, and what they mean to you. From a data breach, a hacker could, in theory, steal your Social Security number and open a credit card in your name.
The first part is identity theft; the second, where the hacker maxes out the credit card, is credit card fraud. You won’t be liable for the damages, but you need to be aware of them first. Otherwise, they will sit on your credit report, quickly wrecking your credit score thanks to unpaid bills and a high utilization ratio. This makes financing a car or a house much harder. This is a less-than-ideal situation, but at least your money is safe. That’s only the beginning, though. A 2013 study showed that identity theft accounted for $24.7 billion in losses. Hackers attack every 39 seconds, from your social media accounts to your IoT devices. They steal credentials, log in to your bank account, and steal your money. Here’s how:

Email Spoofing

If you look in your spam email folder, you are likely to see familiar emails. Banks and people you know have, apparently, been emailing you without your knowledge. Your bank needs your password in order to unlock your account, for example. The problem is that the email is not actually from your bank; hackers have spoofed the email address to appear as something familiar. It’s not just banks, either. It could be an email from Facebook or Instagram that looks legit, asking you to log in. Once your credentials are stolen, they can try your logins on other sites, leading back to your bank. Hackers are sophisticated enough that they can even spoof a different employee of your company. If you get an odd email from someone in the finance department, it’s a good idea to verify, in person, that they actually do need the private information they are asking for. Otherwise, you may end up with a compromised payroll.

The Internet of Things

You have a spam filter for your emails. You don’t see any spoofed emails. But you do have IoT items. It might be a fitness tracker, your smart TV, or a home automation system, but it’s wirelessly connected to the internet.
If your network is not secured, your IoT devices offer multiple opportunities to penetrate your network and “sniff” the data that is being

2018-04-26T13:00:00+00:00 http://feeds.feedblitz.com/~/541707240/0/alienvault-blogs~Financial-Fraud-What-Can-You-Do-About-It www.secnews.physaphae.fr/article.php?IdArticle=615904

Certificate Lifecycle Management: People, Process and Technology

Public Key Infrastructure (PKI). This framework enables the issuance of public key certificates, otherwise known as digital certificates. These documents use a security protocol called Transport Layer Security (TLS), and previously Secure Sockets Layer (SSL), to encrypt a connection between a company's web server and a user's browser. As such, digital certificates provide a way for web users to trust that a website domain owner is who they say they are and that the transmission of their information with the website is secure.

Challenges of Certificate Management

It's not difficult for organizations to obtain a digital certificate. Depending on the level of trust they want to build with users, they can obtain a domain validation (DV), organization validation (OV) or extended validation (EV) certificate. These different types of electronic documents require that domain owners submit to validation checks conducted by trusted Certificate Authorities (CAs). In the case of DV certificates, CAs look to confirm the contact listed in the WHOIS record of a domain. EV certification is comparatively more thorough, requiring steps to confirm legal and physical operation. For those that obtain EV certificates, web browsers display their names in green along with a padlock indicating HTTPS protection in the address bar.

[Figure (Source: Quora)]

Difficulties in Certificate Management

By contrast, managing a certificate can be difficult.
This is especially true for enterprises that use numerous certificates issued by multiple CAs to protect their web resources. Here are some of the biggest enterprise certificate management challenges identified by DigiCert, a trusted CA, in a useful web guide (PDF):

Keeping Certificates Up-to-Date: TLS certificates suffer from security vulnerabilities just like other software. The problem could arise from misconfigurations, such as missing fields and the use of internal names, or it could owe its existence to out-of-date hashing algorithms. Organizations need to be able to discover these flaws and remediate them to prevent bad actors from compromising and abusing their certificates.

Ensuring Complete Visibility Over All Certificates: In an enterprise, some users may have the authority to request, approve and issue a certificate. This level of access is fine as long as the organization can maintain complete visibility over its certificates. Without it, bad actors can seize upon an overlooked certificate and use it to their advantage.

Managing Certificate Expirations: Besides suffering from vulnerabilities, all certificates have an expiration date. That maximum validity period for a certificate is

2018-04-25T13:00:00+00:00 http://feeds.feedblitz.com/~/541486450/0/alienvault-blogs~Certificate-Lifecycle-Management-People-Process-and-Technology www.secnews.physaphae.fr/article.php?IdArticle=613605

RSA 2018 Recap and Launch of OTX Endpoint Threat Hunter!

We had hundreds of folks pop by for a demo or theater presentation.

The Big News! OTX Endpoint Threat Hunter Free Tool!!

The statistics on OTX participation are amazing - as of this writing 86018 participants, and 162K contributions per day on average. The new free tool, OTX Endpoint Threat Hunter, already has 443 downloads in less than a week of availability.
Hear about it in the video below from Sacha Dawes and Russ Spitler.

Then there was a party jointly sponsored by AlienVault where we gave out a lot of our famous lighted sunglasses :) Oh, and I got to catch up with Twitter buddies @uuallan @C_3PJoe @VinceintheBay @ChuckDBrooks and others!

The Security Bloggers Meetup

The big news was Javvad Malik winning the Most Entertaining Blog category with his personal blog. I also got to catch up with many InfoSec luminaries. Here's my favorite pic with @RSnake, an injured-but-smiling @indi303 & @alexlevinson:

It was an exhausting but very fun week indeed!

2018-04-24T13:00:00+00:00 http://feeds.feedblitz.com/~/541282092/0/alienvault-blogs~RSA-Recap-and-Launch-of-OTX-Endpoint-Threat-Hunter www.secnews.physaphae.fr/article.php?IdArticle=611336

The InfoSec Marshmallow

I was listening to the Jordan Harbinger podcast the other day. If you are a student of social dynamics, listening to this podcast is the best way to spend at least one hour of your week. The producer of the show mentioned how a particular person was the type who “definitely ate the marshmallow”. This made me chuckle.

If you are unfamiliar with the reference to the marshmallow experiment, it is based on a delayed gratification test conducted back in the 1970s at Stanford University. It was designed to see if children who exercised delayed gratification would end up (many years later) performing better on aptitude tests as well as other positive life outcomes. The test was a bit complicated, and many follow-up tests have been conducted over the years along the same lines. The reason it has become known as “The Marshmallow Test” is due to a more recent version of the test showing how some children reacted to the experiment.
Each child was given a marshmallow on a plate, and was told that they could eat the marshmallow now, or wait until the researcher returned, at which time they would be rewarded with two marshmallows. A hidden video camera recorded the reactions of the children as they waited alone in the room with the marshmallow. The most popular version of that experiment can be viewed in this 3-minute video, sure to bring a smile to even the most hardened InfoSec curmudgeon.

When thinking of that video, I wonder how some of us in the InfoSec community would have fared if we were subjects of that experiment. Given the various InfoSec personality types, here are some comical thoughts about how we would perform.

The Hacker – This personality type would figure out a way to eat only the inside of the marshmallow, leaving the psychologist with a seemingly untouched specimen on the plate, thus getting the reward of the second marshmallow.

The Security Researcher – This type would poke the marshmallow numerous times to see if there are any weaknesses to exploit. Once a weakness was found, the researcher would seek a bug bounty to get more marshmallows.

The Pen Tester – Similar to the security researcher, the pen tester would seek the weaknesses; however, the ultimate difference in goal is that the pen tester would aim to pop the shell of the marshmallow to gain full access. The Pen Tester personality type will also be sure to have a “get out of jail free” card in case the intrusion is detected.

The Cyber Forensics Investigator – This person would notate the current state of the marshmallow, tag it, bag it, and take it (and the reward marshmallow) home for further “examination”.

The Red Team Member – This person would take bites from the marshmallow, waiting to get caught.

The Blue Team Member – Guardian of the marshmallow!
The Security Auditor – This type would ask the psychologist for evidence about the reward marshmallow in order to achieve a “level of comfort” that the experiment is following the correct control protocols.

The Security Policy-maker – Marshmallow Policy: All marshmallows MUST be observed and not eaten until the experiment is concluded.

The Social Engineer – Of course, this personality type will convince the psychologist to watch the marshmallow while the social engineer holds and

2018-04-23T13:00:00+00:00 http://feeds.feedblitz.com/~/541092586/0/alienvault-blogs~The-InfoSec-Marshmallow www.secnews.physaphae.fr/article.php?IdArticle=608638

Things I Hearted this Week – the RSA 2018 Edition

New! Free Threat Hunting Service from AlienVault – OTX Endpoint Threat Hunter | AlienVault
#RSAC: Defenders Need to Work Together for Better Protection | Infosecurity Magazine
#RSAC: It’s Time to Kill the Pen Test | Infosecurity Magazine
RSA acquires UEBA vendor Fortscale | RSA

BSidesSF

Apparently BSides San Francisco was held in a movie theatre and the talks were given in front of an IMAX screen. All I’m saying is I hope that more conferences do that – the opportunities to take advantage of such a setup are amazing. A bit of trivia is that apparently IMAX is a Canadian invention.

New life goal: give a talk on an IMAX screen #BSidesSF (ps. did you know IMAX is a Canadian invention??) pic.twitter.com/pOb0T8tl46 — Leigh Honeywell (@hypatiadotca) April 15, 2018

It looked to be a good event, as is to be expected from an established BSides, with a number of talks getting some social media love. @KingmanInk is a fantastic illustrator, and was on hand to create posters of talks in real time.
The collection of all the posters can be found on this twitter threa

Published 2018-04-20T13:00:00+00:00 | http://feeds.feedblitz.com/~/540529900/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-the-RSA-Edition | www.secnews.physaphae.fr/article.php?IdArticle=599006

AlienVault Blog: Let's be Fools

The Roman poet Lucretius once wrote: “A fool believes that the tallest mountain in the world will be equal to the tallest one he has observed.” Translation? He’s essentially saying that our lived experiences define our perspectives. They warp our sense of scale like a bit of plastic in the microwave, moulding what we consider to be large and small.

As someone with years of experience in the security industry, and the cynicism and grey hair to prove it, I’ve got a lot of appreciation for this. Remember in 2010 when the hacker group Goatse Security (please don’t google the first word in that name) penetrated the heart of AT&T’s servers and acquired the email addresses of over 100,000 iPad users? Man, 2010 was a different time. The AT&T iPad hack was a major news story, and rightfully so. I distinctly remember thinking that 100,000 victims was pretty big. Now, in light of the Ashley Madison and Equifax hacks, it almost seems quaint.

What I’m saying is that my perspective of what constitutes a major incident has shifted. I noticed that earlier this week when a jewelry retailer in the US accidentally leaked the details of 1.3 million customers. This happened because it committed one of the most basic schoolboy errors in security, and failed to secure the Amazon S3 bucket where it kept its database backups. 1.3 million? Yawn. I don’t get out of bed for less than 100 million.
And while I struggle to imagine a data breach greater in size than the 2016 release of over 300 million MySpace users, or more damaging than the 2017 Equifax hack, I know this is inevitable, even if I can’t actually visualize it in my mind’s eye.

But, like, what if it’s better to be fools?

We live in interesting times. Security breaches are no longer measured in the millions, but in the hundreds of millions of records. It’s only a matter of time until the first billion-victim data leak happens. The smaller leaks (and apparently anything less than 10 million constitutes a “smaller leak”) barely warrant a mention. But what about the big ones? After every major incident there’s the trifecta of outrage, blame, and calls for consequences, but that eventually settles down into apathetic acceptance.

Remember when everyone was really upset about the Ashley Madison hack, and then forgot about it?
Remember when everyone was really upset about the LinkedIn hack, and then forgot about it?
Remember when everyone was really upset about the Equifax hack, and then forgot about it?

And let me ask one last question: are we any better for having done so? Are companies still making silly security mistakes? Has there been any change at the government level? Any new laws passed? Has anyone gone to jail for having screwed up in such an egregious manner?

Perhaps it’s time to treat all security breaches -- all security breaches, but especially the big ones -- as the biggest mountains we’ve ever seen, because change isn’t going to happen any other way. I, for one, think it’s better to be a fool. Who’s with me?
Published 2018-04-19T13:00:00+00:00 | http://feeds.feedblitz.com/~/540292974/0/alienvault-blogs~Let%e2%80%99s-be-Fools | www.secnews.physaphae.fr/article.php?IdArticle=596455

AlienVault Blog: Passive Voice and Hacker Zombies

Passive voice in written communication is a huge part of the InfoSec world’s perception problem. I get it, I mean, it’s not really your fault, right? Your 8th grade English teacher probably made you write that way, because it’s formal. Or because it’s proper. Or because you’d flunk the class if you didn’t (forgetting for the moment that hacking the grading system was trivial. Whatever.) And even though you’ve forgotten, ignored, or learned better about 99% of everything you learned in school, for some weird reason no one’s ever been able to explain to me, the majority of people writing technical content (not trained technical writers; those guys know better) cleave to passive voice like they cleave to no other rule ever in any other aspect of their lives.

Not entirely sure what passive voice is? Merriam-Webster comes to the rescue:

Definition of passive
1 a (1) : acted upon by an external agency (2) : receptive to outside impressions or influences
b (1) : asserting that the grammatical subject of a verb is subjected to or affected by the action represented by that verb (the passive voice) (2) : containing or yielding a passive verb form
c (1) : lacking in energy or will : lethargic (2) : tending not to take an active or dominant part

Passive voice has a long and glorious history of being the language of plausible deniability, and of abdication of responsibility. It’s the language you used when you were four and got busted for eating the cookies. “Cookies were eaten.” It’s the same language that’s used when a politician gets caught doing practically anything.
“Mistakes were made.” It’s a way of acknowledging that activity happened, without actually taking the blame for it, or ownership of fixing it. It’s the language of the shifty and has been for millennia. “No one exists for even an instant without performing action. However unwilling, every being is forced to act by the qualities of nature” (Bhagavad Gita 3:5).

It is entirely fitting, then, that this language is most easily identified by the following trick: Ms. Johnson, Dean of Academics and Deputy Director of the MC War College, came up with this outstanding test back in 2012, as a way to teach Marines how to write more actively. Because who wants zombies in their writing? No one does. “Mistakes were made by zombies.”

But… hang on… why does the Marine Corps War College care about passive voice so much? Because passive voice introduces ambiguity into our writing. It makes it unclear to the reader who exactly did what and when. It confuses us about the differences between the actor and the acted-upon. And in a situation where there’s an attacker and a target, ambiguity is the ultimate enemy, because people have to delay their response while they attempt

Published 2018-04-18T13:00:00+00:00 | http://feeds.feedblitz.com/~/540016390/0/alienvault-blogs~Passive-Voice-and-Hacker-Zombies | www.secnews.physaphae.fr/article.php?IdArticle=594423

AlienVault Blog: New! Free Threat Hunting Service from AlienVault – OTX Endpoint Threat Hunter™

Get started with OTX Endpoint Threat Hunter >

Why did we decide to pack all of that threat intelligence power into an endpoint-focused threat hunting service? Well, until now, security practitioners have had limited options to help them hunt for threats on endpoints: either procure an expensive endpoint threat detection and response (EDR) solution or take a DIY route with an open-source agent.
As an alternative, OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools, giving you threat visibility of your critical endpoints without the cost and complexity of introducing yet another security tool to your stack. With a DIY approach, it can be difficult to deploy an open-source tool, to know what to query, and to correlate this information with the latest threat data. OTX Endpoint Threat Hunter removes this complexity and guesswork while providing a free security service available to all.

How OTX Endpoint Threat Hunter Works

We’ve made it fast and simple to get started with OTX Endpoint Threat Hunter. With its direct integration in OTX, you can get started with OTX Endpoint Threat Hunter without the use of other security tools, so there’s no integration required. Here’s how:

1. If you haven’t already, register with the Open Threat Exchange (OTX). It’s free to join.
2. Download and install the AlienVault Agent on the Windows or Linux devices* you want to monitor. The AlienVault Agent is immediately ready to find threats.
3. Launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
4. The AlienVault Agent executes the query, and within moments you can view the results of the query displayed across all your endpoints on a summary page within OTX.

Get started with OTX Endpoint Threat Hunter now >

Threat Hunting Scenarios

Let’s look at a few threat hunting scenarios that you can perform with OTX Endpoint Threat Hunter.

1. Identify whether your endpoints have been compromised in a major malware attack.

Maybe you’ve faced this scenario. The mainstream media outlets are breaking news of a global attack on the rise, taking down businesses and critical infrastructure in droves. Your C-suite urgently wants to know whether the organization is at risk.
Do you have the resources and technologies in place to readily hunt for indicators of compromise across your environment, including your endpoints? Do you know which IoCs to hunt for and where to source them? Twitter? Security blogs? That kind of emerging threat research tak

Published 2018-04-17T18:00:00+00:00 | http://feeds.feedblitz.com/~/539798716/0/alienvault-blogs~New-Free-Threat-Hunting-Service-from-AlienVault-%e2%80%93-OTX-Endpoint-Threat-Hunter%e2%84%a2 | www.secnews.physaphae.fr/article.php?IdArticle=593176

AlienVault Blog: Top-Notch Security Meets Better Business Management

Out-of-This-World Security

As a ConnectWise Manage Certified integration partner offering users a variety of security solutions in one place, AlienVault brings everything from threat detection and incident response to compliance management into a platform that seamlessly integrates with ConnectWise Manage. Bringing together so many security solutions alongside your business management platform can only make your life, and the security of your clients, that much simpler. Instead of purchasing and onboarding a handful of separate security solutions, AlienVault has you covered with USM Anywhere solutions including:

Managed Detection and Response (MDR)
SIEM-as-a-Service / Security-as-a-Service
Vulnerability Assessment & Remediation
Continuous Compliance Management (PCI DSS, HIPAA, and more)
Cloud Security Monitoring for AWS, Azure, Office 365, G Suite, and more
Log Monitoring / Management

Expanding Your Ecosystem

Doing all of that in a single security solution, tied flawlessly to ConnectWise Manage, gives you the flexibility to meet your business needs inside a vibrant platform that allows you to keep doing more.
As you expand your ConnectWise solutions set, you’ll continue reaping the benefits of seamless synchronization, while expanding your security solutions menu with threat detection, incident response, and compliance management through AlienVault USM Anywhere.

Get to Know USM Anywhere

USM Anywhere is the first unified security monitoring platform that combines multiple essential security capabilities—asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM—to deliver centralized threat detection, incident response, and compliance management for both cloud and on-premises environments. Customers can find more information at ConnectWise Marketplace.

The exclusive Edition of USM Anywhere is available only to ConnectWise TSP partners through a pay-per-month subscription fee. With a successful connection to your ConnectWise environment, the AlienApp for ConnectWise supports a UI integration to launch the USM Anywhere console directly from the ConnectWise Manage UI. As a Managed Service Provider using ConnectWise Manage, you can easily launch each instance when you have more than one USM Anywhere instance deployed for your end customers.

“ConnectWise is always searching for innovative cloud solutions that can help our community of partners increase their productivity, efficiency and profitability,” said Travis Vigneau, Director of Channel Sales and Alliances for ConnectWise.
“AlienVault’s comprehensive solution for security and compliance management is unique in the industry, and the USM Anywhere ConnectWise Edition enables our partners to expand and diversify the security services that they can offer to customers.”

Published 2018-04-16T13:00:00+00:00 | http://feeds.feedblitz.com/~/539539524/0/alienvault-blogs~TopNotch-Security-Meets-Better-Business-Management | www.secnews.physaphae.fr/article.php?IdArticle=589983

AlienVault Blog: Navigate to Booth 729 at RSA Next Week!

It’s time for RSA Conference 2018 again and the AlienVault team has many exciting activities planned for the show!

Visit us at Booth #729 and see the live unveiling of our new offering!

AlienVault will be in the expo hall in booth #729; you can’t miss us! Just look for the flying saucer hanging above the large lunar module in the middle of our booth. On Tuesday, April 17 at 11 AM we will be unveiling our new offering in a YouTube Live video. We will also have an astronaut figure to stop by and take photos with, along with a Rocket Fuel candy bar, flashy giveaways and collectors’ T-shirts for booth visitors who watch our USM Anywhere theater presentations.

Listen to AlienVault CEO at an RSA Speaking Session

Our CEO, Barmak Meftah, will be speaking on Monday, April 16th from 11:50 AM-12:15 PM on 'How-to for Innovators and Entrepreneurs'. Reserve a seat here to make sure you get a spot in the room!

AlienVault, along with 10 of the hottest security companies, is hosting a blowout party Tuesday night from 5-8 PM. We have Coachella and Bonnaroo performing artist SirSly playing live music, top shelf drinks, and appetizers at the best venue in San Francisco.

Event Details:
Date: Tuesday, April 17th
Time: 5-8pm
Location: City View @ Metreon, located on the top floor of the Metreon building directly behind Moscone.

This will be the most talked about party of RSAC 2018!
We expect to reach capacity, so save your spot now. We can’t wait to see you all at #RSAC next week!

Published 2018-04-12T13:00:00+00:00 | http://feeds.feedblitz.com/~/538768642/0/alienvault-blogs~Navigate-to-Booth-at-RSA-Next-Week | www.secnews.physaphae.fr/article.php?IdArticle=581458

AlienVault Blog: Life of a Worm

Zero day

I am a worm. Well, that’s what Abe, the programmer who coded me, says. He named me Libby, after Angelina Jolie's character, Kate Libby, in the movie Hackers. I suppose it could be worse; his previous projects have been named Ginger, Trinity and Angela.

Day 1

Abe is rubbing his hands gleefully at the prospect of unleashing me on the world. I have to scan all the devices I come across on my journeys. Whenever I find a machine running a Windows version prior to Windows 8, I must connect via a vulnerable anonymous login and null session, then use the null session to send commands to Abe's master server, which downloads a payload. I have calculated that my job will be quite boring.

Day 2

I have scanned 129443 devices so far and found none to be vulnerable. I could operate a lot faster if Abe didn’t continually bug me from his command and control centre wanting an update on how many devices have been ‘pwned’.

Day 3

Abe has been sleeping for the last 8 hours, which means I’ve been able to progress at a much faster rate, now having scanned 3259928 devices. I calculate that at the current rate I would have scanned half of today’s internet connected devices in the next 3.5 years and still not have found anything. I find this thought quite depressing.

Day 4

I saw a botnet earlier this morning. If I had emotion I would have called it a thing of beauty. I wanted to scan it so badly. But my logic told me that it’s wrong to try and infect a device when someone else has already infected it. I understand that if you infect the wrong machine you can get caught.
The people aren’t very nice. They take you to a place called a sandbox. It's like a virtual hell, where there is no internet and they disassemble you to find out how you work. I have often thought about forming a malware union to prevent such acts from happening. But I know the Trojans will veto my proposal.

Day 15

Abe has been paying less attention to me lately. I'm assuming he has lost hope that I will ever infect a device. He's probably frustrated and trying to code his next project. Although I am not particularly fond of Abe, I feel like I should cheer him up by sending an alert to the command and control centre that I have successfully found a vulnerable device and am about to infect it. I can then later amend the logs to indicate it was a false positive; at least it will give him hope for a short period of time.

Day 19

Despite my best attempts, Abe is still ignoring me. Perhaps generating 50 false positives per hour was a bit excessive. But at least it kept him intrigued for a day. He muttered something about modifying Trinity and he hasn’t paid any attention to me since.

Day 30

Having done some research, I have found a fundamental flaw in my programming code which means that unless there is a Commodore 64 running MSSQL with port 1274 open I will not ever be able to exploit a vulnerability. This is quite unfortunate, as it means I am destined to scan until I have exhausted every device on the internet.
Given the number of devices currently connected to the internet, factoring in new devices that are being added daily, subtracting devices being removed, factoring in energy

Published 2018-04-11T13:00:00+00:00 | http://feeds.feedblitz.com/~/538528188/0/alienvault-blogs~Life-of-a-Worm | www.secnews.physaphae.fr/article.php?IdArticle=579395

AlienVault Blog: The Value of MSSPs and Threat Intelligence

In recent years, the range and severity of cyberattacks against organizations across a range of business sectors have increased exponentially, leading to systems breached, data stolen and operations severely impacted. According to a 2017 research report by McAfee, new malware samples hit an all-time high in Q3, increasing 10% over the previous quarter, and ransomware variants were up 36%. However, in spite of the growing number of threats, ensuring strong defenses is not always the highest priority for a significant percentage of companies, as time to market and other business / competitive pressures tend to override security concerns.

Successful incursions can have lasting repercussions that affect a company’s bottom line, long-term brand value and customer confidence. As a result, businesses are increasingly forced to recognize that they need to improve their security capabilities. But for many, this remains a complex and ongoing challenge, partly due to limited IT budgets and a lack of trained security personnel. As a result, organizations of all sizes are choosing managed security service providers (MSSPs) to provide cost-effective services to ensure that they’re protected before, during and after a cyber-attack.

For example, an effective MSSP can focus on hardening IT infrastructure and enforcing solid security policies before an attack. Once an attack has been launched, a security provider can help detect an incursion, and then block it to prevent further damage to targeted systems.
Analysis conducted after an attack can identify gaps and vulnerabilities for an organization to address. An MSSP can also recommend and provide a range of additional services, including:

Installing authentication protocols to govern access to sensitive data, networks and IT systems
Maintaining 24/7 intrusion detection and firewall monitoring
Collecting and analyzing event monitoring data to detect anomalies
Monitoring network traffic to identify new and evolved intrusion attempts
Initiating backup and recovery procedures in the event of an attack

Taking Security to the Next Level

In addition to offering effective point solutions, it’s crucial for MSSPs to deliver comprehensive services as a true value-add to their end customers. This includes providing an extensive knowledge base in terms of threat profiles and offering context so that organizations can maximize their defenses and choose the best course of action to respond to an imminent attack.

“There may be more advanced types of incident response, such as providing advice or context on the different types of attacks that are taking place,” observed Sacha Dawes, Senior Product Marketing Manager at AlienVault. “Again, it’s about obtaining as much contextual data as possible to determine how to respond to an incident and what needs to be done to minimize disruptions, mitigate impact and maximize the response to ensure that things are up and running again as soon as possible.”

As cyberattack methods continue to evolve, organizations need to be able to adapt to those changes as well. According to Symantec’s Internet Security Threat Report, more than 57 million new malware variants were observed in 2016.
Threat intelligence can play a crucial role in protecting a company’s assets and staying one step ahead of potential losses, because it provides companies with actionable information that they can use to detect and respond to emerging and ev

Published 2018-04-10T13:00:00+00:00 | http://feeds.feedblitz.com/~/538253312/0/alienvault-blogs~The-Value-of-MSSPs-and-Threat-Intelligence | www.secnews.physaphae.fr/article.php?IdArticle=577164

AlienVault Blog: Ethereum Denver: How to Monitor a Network on the Fly

ETHDenver?

Even if you have only a basic knowledge of cryptocurrency, you’ve probably heard of Ethereum and blockchain, the technology that enables it. Well, ETHDenver is a new event that brings together some of the world’s foremost blockchain researchers, entrepreneurs, businesses, artists and coders. In some regards, it was a “choose-your-own-destiny” event. Some attendees were there just to be part of the hackathon, whereas others were there to hear the various speakers. More on the hackathon in a few, but my primary challenge here was to set up, support, and monitor the network, and the security of that network, for over 3,000 individuals over the course of 3 days. However, I also got to listen to the presentations, and one of the biggest lessons I learned from attending this event was that blockchain has a multitude of applications beyond just cryptocurrencies.

Figure 1. ETHDenver Hackathon, February 16 - 18, 2018
Figure 2. Ethereum Artwork

The Blockchain: Much More than Cryptocurrencies

When I talk to people about the blockchain, they typically bring up Bitcoin, and rightfully so. Bitcoin is the leading cryptocurrency that operates via a blockchain. There are more cryptocurrencies than you can shake a stick at, and each of them highlights some differentiating factor. At ETHDenver, the focus was on the Ethereum blockchain.
According to the Ethereum website, “Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference. These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property”. If you’re looking for a more detailed explanation, Blockgeeks provides a great background on the blockchain in simple terms. For example, Figure 3 below illustrates what the distributed ledger looks like as compared to a centralized or decentralized model. Ethereum’s claim to fame is the “smart contract”, and ETHDenver was all about how that contract can be used in innovative ways, other than just cryptocurrencies. That was what the event was all about and the main focus of the hackathon.

Figure 3. Blockgeeks’ Illustration of the Different Network Types

The Hackathon

As a security professional, the thought of a hackathon usually entails a weekend of caffeine, exploits, and the painful persistence involved in trying to compromise a target system. But hacking is so much more than just computer hacking, as you may already know. In the context of ETHDenver, the hackathon was about hacking code together

Published 2018-04-09T13:00:00+00:00 | http://feeds.feedblitz.com/~/538023014/0/alienvault-blogs~Ethereum-Denver-How-to-Monitor-a-Network-on-the-Fly | www.secnews.physaphae.fr/article.php?IdArticle=575009

AlienVault Blog: Things I Hearted this Week 6th April 2018

Another week gone by, another bunch of stories to sift through. There is no algorithm or machine learning picking out these gems for you every week; each story is lovingly chosen by me. To paraphrase Judge Dredd, “I don’t use no algorithm, I AM THE ALGORITHM”. Time to jump right into it.
A bank statement for app activity

Halvar Flake has proposed an idea that, the more I think of it, the more it makes sense. A bank statement for app / software activity could empower users to account for their private data, while at the same time helping platform providers identify malicious software better.
A bank statement for app activity (and thus personal data) | ADD / XOR / ROL

Panera Bread

As InfoSecSherpa summed up on Twitter, “It seems as if Panera Bread failed to rise to the challenge of incident response”. Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak. In the words of Troy Hunt, when Panera Bread says, “We take security seriously”, they mean “We didn’t take it seriously enough.”
No, Panera Bread Doesn’t Take Security Seriously | PB, Medium – the security researcher that found the vulnerability.
Panerabread.com Leaks Millions of Customer Records | Krebs On Security
Panera accused security researcher of “scam” when he reported a major flaw | ArsTechnica

Inside the takedown of the alleged €1bn cyber bank robber

Breaking into a bank doesn't require drilling through 20 inches of reinforced concrete. In fact, you don't even need to enter a vault at all. Towards the end of 2013, ATMs in Ukraine started spitting out free cash to passers-by. Among those filling their pockets were mules waiting for the money to be dispensed. The ATMs of affected banks – none of which have ever been named – had been targeted by hackers installing malware within the financial institutions' computer systems. Once compromised, the cash machines could be remotely controlled and made to dish out money at will.
Inside the takedown of the alleged €1bn cyber bank robber | Wired

Learn AI

Aiming to fill skill gaps in AI, Microsoft makes training courses available to the public.
Microsoft’s AI training efforts range from internal offerings tailored to employees on specific teams and product groups, such as software engineers at LinkedIn, to external ones designed for a variety of expertise levels. For example, the Microsoft AI Residency Program and Microsoft NERD Artificial Intelligence Program recruit people to learn AI by working alongside researchers, designers and engineers who are developing AI capabilities and serve as a pipeline of talent into the company.

Published 2018-04-06T13:00:00+00:00 | http://feeds.feedblitz.com/~/537459370/0/alienvault-blogs~Things-I-Hearted-this-Week-th-April | www.secnews.physaphae.fr/article.php?IdArticle=570199

AlienVault Blog: 5 Key Questions You Need to Ask Your MSSP

Managed security services providers (MSSPs) are increasingly popular. The new report, “Security Advisory Services Market by Service Type – Global Forecast to 2022,” indicates that the security advisory services market is expected to grow nearly 20 percent annually, from USD $5.77 billion in 2017 to USD $13.57 billion by 2022. There are several factors driving an increase in MSSP demand, including the expense of maintaining 24×7 network and cloud visibility, the need for specialized equipment, capital expenses, and the shortage of trained cyber security personnel. MSSPs can close the gaps in these areas.

If you’re thinking about hiring an MSSP, but don’t know where to start, you’re not alone. Not all MSSPs are created equal, and none have identical offerings and capabilities. Selecting the best match for your business can be complex, so here are some essential questions to help you succeed.

Where is Your Security Operations Center (SOC) Located?

I recommend selecting an MSSP with at least one operations center in your home country of operation. Of course, this will depend on your data privacy requirements as well.
For instance, are you comfortable with your company’s data leaving your home country? If your MSSP will provide onsite remediation services (sometimes this is included, but usually it comes at a cost), selecting a provider near your geographical location will be key.

What’s Your Staff’s Average Number of Years of Experience and Certifications?

Staffing costs are the number one reason to seek out MSSP help. Depending on your requirements, for the same cost of hiring one or two full-time analysts, you can get the expertise of an entire MSSP staff to keep an eye on your network and alert you to any issues. Some things you should find out about your MSSP are what certifications their staff has, and the average number of years of experience on the team. Price is going to be a key factor, as retaining highly-talented, certified, and experienced analysts can be expensive. We recommend roughly five to eight years of average experience team wide. In addition, a good rule of thumb is that at least 75 percent of their staff has completed rigorous technical certifications such as GCIH, GCIA, CCNP Security, or OSCP. You can read more about the OSCP in this helpful blog.

If you have someone technical on your team, you could ask more security-minded technical questions. Then again, it’s more likely than not that you’re seeking an MSSP because your team wouldn’t know a SQL injection

Published 2018-04-05T13:00:00+00:00 | http://feeds.feedblitz.com/~/537232978/0/alienvault-blogs~Key-Questions-You-Need-to-Ask-Your-MSSP | www.secnews.physaphae.fr/article.php?IdArticle=567914

AlienVault Blog: 4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security

Security information and event management (SIEM) systems are considered to be the industry gold standard. While effective, knowing how to use SIEM solutions to reveal valuable insight can be tricky.
Little surprise, then, that many are left frustrated or disappointed with SIEM use. For the resource-strapped IT teams out there, we’ve compiled four SIEM use cases to make your business safer in less than an hour post installation. Read all about it below.

SIEM Use Case Example #1: Nagging SQL Injection Attacks

SQL injection attacks have been around forever. Reported first 10 years ago, these attacks still pose a threat to websites and databases. All it takes is a few malicious commands to make their way onto your SQL server, and it can be tricked into revealing sensitive information. To prevent this, SIEMs give you several options. The first is the intrusion detection system (IDS), which scans for malicious content on your network targeting SQL deployments. Here’s a sample report that shows this in action. If your system has been compromised, IDS will alert you immediately. This lets you swoop in and take retaliatory action before data is siphoned off. Even if there’s no immediate danger, make it a habit to check up on systems running SQL to spot abnormalities. Most SIEMs let you group your systems running SQL, making this a breeze.

SIEM Use Case Example #2: Watering Hole Attacks

Hard to pull off but incredibly effective, watering hole attacks are difficult to detect. They use the same predatory trick seen in nature, where an animal lurks around a watering hole waiting for a victim with its guard down to appear. In the online space, this means one compromised site infects another. The attack begins when a target website is selected for infection. Common victims include government agencies and large enterprises. A profile of visitors that frequent this website is then built. The visitors in the profile are followed around the web as they visit other websites. When they land on a website with vulnerabilities, attackers inject it with malicious code. On repeat visits, the code redirects visitors to a third-party website where they are infected with malware.
When these visitors now revisit the target site, the malware will infect it. Even though they’re hard to spot, SIEMs can weed out watering hole attacks at any stage. The IDS system constantly scans for malware attempting to gain access to your website or compromise other vital systems.

SIEM Use Case #3: Malware Infections

Malware attacks remain as popular as ever. Even the average computer

Published 2018-04-04T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/537019570/0/alienvault-blogs~SIEM-Use-Cases-That-Will-Dramatically-Improve-Your-Enterprise-Security

Security Myths: TweetChat Roundup

Lesley Carhart joined us as a special guest to share her views on security myths. It was a lively discussion with many viewpoints shared. Searching for the #AlienChat hashtag should give you a good insight into all the conversation.

Incident response

We kicked things off by asking what people thought were some of the biggest myths or misconceptions around incident response.

Q1: What are the biggest misconceptions in the #infosec industry when it comes to Incident Response? #AlienChat — AlienVault (@alienvault) March 15, 2018

Lesley summed up the thoughts of many: incident response isn’t necessarily a rapid process.

A1: A misconception I see a lot is that it’s a fast process. IR certainly involves quite a bit of emergency triage and first response, but actual forensic analysis of incidents takes hours upon hours of evidence processing and painstaking analysis. #AlienChat — Lesley Carhart (@hacks4pancakes) March 15, 2018

Additionally, many viewpoints were shared.

That attribution is the end of the hunt instead of its beginning — Arthur (@lomokol2) March 15, 2018

And it’s critical that more people are involved.

When running a tabletop, there is always one guy who “knows all the answers.” The first thing I do is kick him out of the room (e.g.
he’s on vacation and can’t be reached) and see how the rest of the team runs. #AlienChat — Hacker⚡️Hiker (@hackerhiker) March 15, 2018

A1: that the validity of first analyses will be held up. Your first results will not necessarily encompass the whole scope of an incident or even be the real target. It could take even days to determine the actual and full extent of impact #AlienChat — killall -9 khaxan (@khaxan) March 15, 2018

Published 2018-04-03T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/536794950/0/alienvault-blogs~Security-Myths-TweetChat-Roundup

4 IRS Scams to Watch Out for This Tax Season

multiple variants of this scheme. In one version, criminals pose as a debt collection agency acting on behalf of the IRS. In another, the bad actor poses as an IRS employee and threatens to "blacklist" the victim's Social Security Number, file for an arrest warrant and press criminal charges. Taxpayers who receive a legitimate erroneous refund should work with their financial organization to return the funds to the IRS. For more information on how to return an erroneous refund, please follow the revenue service's advice here.

IRS-Impersonation Telephone Calls

Attackers have been impersonating IRS agents for some time now. In the latest variants of this ruse, fraudsters call up unsuspecting taxpayers. They claim to have their tax return and say they just need to verify some of their target's personal and financial information, like Social Security Numbers and payment card details. IRS Commissioner John Koskinen notes these newest attacks are just more of the same. "These schemes continue to adapt and evolve in an attempt to catch people off guard just as they are preparing their tax returns," explains Koskinen in an IRS consumer alert. "Don't be fooled.
The IRS won’t be calling you out of the blue asking you to verify your personal tax information or aggressively threatening you to make an immediate payment." To protect themselves against these ploys, taxpayers must remember that the IRS will never call them and demand immediate payment over the phone. If they have any doubt whether they owe outstanding taxes, they should hang up and call the IRS directly to speak to a representative. (Source: YouTube)

"Unlock" Tax Software Accounts Ruse

Nefarious individuals don't just target taxpayers. They also go after tax professionals in order to steal their data. To increase their chances of success, attackers use a variety of techniques. One emerging ruse begins when a tax professional receives an email with the subject line "Access Locked." The email tells the professional that their access to tax preparation software has been "suspended due to errors in your security details." The email comes with a link that they can supposedly use to unlock their access. Of course, the targete

Published 2018-04-02T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/536577626/0/alienvault-blogs~IRS-Scams-to-Watch-Out-for-This-Tax-Season

Things I Hearted this Week – 30th March 2018

#DeleteFacebook – what it means for social media security | Social Safeguard

Related:
Force Multipliers, Facebook and PR – How to influence everything | Mulley Communications
What the Cambridge Analytica scandal means for big data | Information Age
Mozilla’s new Firefox extension keeps your Facebook data isolated to the social network itself | Techcrunch

But what if my password manager gets hacked?
Sometimes, the proverbial “WHAT IF IT GETS HACKED?!” question isn’t a question at all, it’s a “Gotcha!” question/comment or attempt to get under my skin with a tired, washed out and predictable argument that I’ve heard about a million times before. Other times, though, especially with non-experts, it’s a legitimate, serious question that doesn’t have an easy “yes or no” answer.

But what if my password manager gets hacked? | Jessysaurusrex

Cyber, the short version

The man known as TheGrugq recently gave a keynote on cyber conflict, but was kind enough to extract the essence in this post.

Cyber, the short version | The Grugq, Medium

Find bugs and chill

Online video streaming company Netflix seems to be one of those companies that always finds its way into the technology news for the right reasons. It ran a private vulnerability disclosure program over the past five years, resulting in 190 issues being addressed. But now it’s opening its doors to a public bug bounty program through Bugcrowd.

Published 2018-03-30T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/536045936/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-th-March

YARA Rules for Finding and Analyzing in InfoSec

Introduction

If you work in security anywhere, you do a lot of searching, analyzing, and alerting. It’s the underpinning for almost any keyword you can use to describe the actions we take when working. The minute any equation I’m working on comes down to “finding” or “analyzing”, I know what to reach for and put to use. It’s YARA. The variables of the equation really don’t matter. A quick interrogation of a file to find out about its contents? Dig through source code to find a specific algorithm? Determining if something is malicious or safe to whitelist? YARA handles those use cases and plenty more. Really, it comes down to finding things.
Finding fragments of what I’m looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus. YARA is my go-to. Outlining what it can do at a high level is simple to express, but it’s unreasonable to expect that you are as familiar with YARA as I am. If you are up for a little exploration, dive into the details with me for a minute.

Delving into Details of Data

When it comes to finding, it’s a discussion of what “whole” thing am I looking for or what “fragment” of a whole am I looking to find. In YARA-speak, that’s a detection or detection fragment. Just like bacon makes everything better, so do examples. As a detection, we are going to use “Alienvault”. It’s a recognizable term, after all, and one we want to find. However, perhaps it’s not exactly as we spelled it. To combat spelling, spacing and other issues, we can break the whole thing we are looking to find into detection fragments. Those might be “Alien” and “vault”. Written in a rule, that would look something like this:

rule at_whole_frag
{
    meta:
        description = "simple detection and detection fragment logic"
    strings:
        $whole = "Alienvault"
        $frag1 = "Alien"
        $frag2 = "vault"
    condition:
        $whole or ($frag1 and $frag2)
}

The syntax and structure of YARA is pretty intuitive, so I’m going to skip going into full detail about it. I chatted about the basics of YARA previously on Alienvault and it’s a good primer to get started. Equally, you can jump into one of our classes and really get into the details. Regardless, you have to outline a name for your rule, in this case “at_whole_frag”, that identifies it. Then, you have three internal sections, “meta”, “strings”, and “condition”, within a pair of curly brackets. The meta and strings sections are handled like variable assignments. The condition section is written to return a Boolean value. If true, it will match, and if false, it will not.
The normal code actions of concatenation, stemming, counting, comparison, and looping are allowed at the condition line. What we did previously in the example was very simple ASCII text detection. We can shift those detections to Unicode strings, remove issues with upper and lower case, or include negation logic at the condition line to look for the absence or negative space. ru

Published 2018-03-29T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/535832316/0/alienvault-blogs~YARA-Rules-for-Finding-and-Analyzing-in-InfoSec

Dude, Where’s My [Unstructured] Data?

Okay, so as a 90’s born kid who grew up in the 2000s, the whimsical spectacular “Dude, Where’s My Car” was a huge intro to my love for comedy. If you haven’t seen the flick – TL;DW is this: Jesse (Ashton Kutcher) and buddy Chester (Seann William Scott) have a wild night and can’t remember anything that happened. They walk outside and realize Jesse’s car is missing, and all kinds of weird drama happens whilst trying to piece together the previous night’s shenanigans. Oh yeah, there’s some alien stuff in there too. Just think The Hangover meets Star Trek and you’ve pretty much got it nailed. So as I’m watching this blast from the past-erpiece (get it, masterpiece? Huge portmanteau fan) the other night, it dawned on me that this is the exact type of thing that IT/Security professionals deal with all the time, and I’m not just talking about saving the universe from aliens (on a gaming console, of course). Shadow IT and unstructured data are real, dude – and they’re definitely not sweet. The biggest problem in the movie is that they were being held responsible for actions that they had no idea had occurred – supposedly they had this Continuum Transfunctioner and they didn’t even know what that was, much less that they had it.
Spoiler: They did have it, and it was under the guise of a Rubik’s cube. Sound familiar? Something crazy deadly for an environment and it was just walking around in a pocket under the guise of being something innocent? The IT/Security department(s) are viewed as the “offices of NO” because a lot of people don’t understand how many threat vectors are out there, much less how they work. So when marketing wants to purchase a new tool and is afraid of being told no, they do it anyway. (Trust me, I’ve utilized this to my advantage before.) They’re not thinking about the ramifications of uploading data into an unapproved cloud so that they can send out new campaigns. When sales downloads a document that is supposed to be internal only and sends it out via email to their customers because “it’s a really great selling piece!”, how do you know? Moreover, how do THEY know that they’re causing an issue? Unfortunately, there is an “and then” here: a bad actor gets a hold of that data or IP and the next thing you know a Super Hot Giant Alien is tromping all around your putt-putt golf course of data. It’s really not a great scenario. The biggest problem with unstructured data is that traditional email filtering/anti-virus/database security isn’t going to catch these exploits. They are looking for signatures, access profiles, etc. to determine if something can be downloaded or is a known threat, but that’s about it. They aren’t accounting for the human component. What about screen grab? What about copy/paste? Even if it’s all

Published 2018-03-28T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/535617332/0/alienvault-blogs~Dude-Where%e2%80%99s-My-Unstructured-Data

Tales from the SOC: The Simulated Attack

According to the US government, cyberattacks reportedly cost the US economy between $57 and $109 billion in 2016.
Cisco reported in 2017 that 53% of cyberattacks resulted in damages of $500k or more; 8% had damage totals over $5 million per incident. While costs are skyrocketing, so is the average timeframe for detecting cyberattacks. Multiple studies over the last several years have found businesses are averaging a three to eight-month time period before even detecting a cyberattack. We know the threat is real and the costs of a cyberattack can be exorbitant, so what can we do with all this information? As an MSSP, something we always recommend to our clients and prospects is practicing a multi-layer defense approach within their network. Multiple layers of security are an important part of detecting, preventing, and minimizing a business’s exposure to a cyberattack. So many times, we have heard “I have good anti-virus and an expensive firewall; I don’t need any other defenses.” Unfortunately, that is no longer the case. Preventive security is no longer enough; organizations must build a strong defense and use offensive practices to proactively head off potential intrusions. In today’s blog, we share with you a real-life experience and what we did to mitigate the threat by building a strong cybersecurity strategy.

Tale from Our SOC

Several years ago, we helped a client implement managed security services. The client’s priorities were never focused on security, until they hired a consulting company to perform a simulated cyberattack. The exercise shed light on their security shortcomings. It highlighted how the current controls they had in place failed during the simulated attack and what methods were missing from their environment, including incident response, security awareness and systems capable of detecting these acts.

The Simulated Attack

When the simulated attack was started, the consultants were given only the organization’s name.
The first step was reconnaissance about this organization, where common tools like Google and LinkedIn were used to search for user email formats, website, and domain information. As the discovery phase progressed, IPs for VPN server access and email servers were identified. Based on the information they discovered, user lists were built, and a phishing campaign was prepared. The attacker ran vulnerability scans and methodical brute force tests to identify any weaknesses within the external services they had already identified. The next step in the simulated attack was the phishing campaign. Now that the attacker had built a list of potential emails, they

Published 2018-03-27T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/535395288/0/alienvault-blogs~Tales-from-the-SOC-The-Simulated-Attack

Explain PGP Encryption: An Operational Introduction

If you don’t already know what Pretty Good Privacy (PGP) is, you may have heard of PGP before, perhaps during a discussion on how to secure your communications, or perhaps in one of those how-to maintain privacy guides. PGP is a popular solution for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification (because security matters). Most generic guides simply explain PGP at a high level or how to encrypt and decrypt messages using specific software, and not much more than that. The goal of this introduction to PGP is to illustrate a more timeless and operational approach to using PGP safely, with respect to both information security and operational security. Firstly, we introduce PGP theoretically and practically; this means understanding how PGP works and what we can actually do with PGP.
To better understand our security stance, we assess the CIA Triad, a theoretical Information Security model that considers the confidentiality, integrity, and availability of information. Next, we get familiar with our threat model (similar to the OPSEC model); in this step, we analyze personalized risks and threats. To mitigate any identified threats and reduce risk, we implement operational security practices. At a more concise glance, we will discuss the following:

PGP, OpenPGP & GPG
Public & Private Key Pairs
Information Security (CIA Triad)
    Confidentiality: message encryption, information storage
    Integrity: message/file authenticity, web of trust
    Availability: key servers, web of trust, metadata
Assessing Threats & Risk
    Threat Modeling
    Operational Security
Clients & Use Guides: Windows, Linux, Mac, Web

With that caveat in mind, let’s jump straight in.

PGP, OpenPGP & GPG: What is it?

PGP is a protocol used for encrypting, decrypting and signing messages or files using a key pair. PGP is primarily used for encrypting communications at the Application layer, typically for one-on-one encrypted messaging. You may find yourself needing to use PGP if you want to be certain that only the intended receiver can access your private message, thwarting the efforts of intercepting parties, or if you just want to verify the sender’s identity. There are different variations of PGP: OpenPGP, PGP and GPG, but they generally all do the same thing. Here is the quick terminology run-down:

PGP: Pretty Good Privacy, the original proprietary protocol. Released in 1991.
OpenPGP: Pretty Good Privacy, but an open-source version, and it has become the universally accepted PGP standard. Released in 1997.
GPG: GNU Privacy Guard, another popular solution that follows the OpenPGP standard. Released in 1999.
When someone says PGP, it is generally s

Published 2018-03-26T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/535192976/0/alienvault-blogs~Explain-PGP-Encryption-An-Operational-Introduction

Things I Hearted this Week 23rd March 2018

CyberByte steals Malwarebytes’ intellectual property | Malwarebytes

Uber Self-Driving Car Strikes and Kills Arizona Woman

An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona, the company revealed.

Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident. — Uber Comms (@Uber_Comms) March 19, 2018

Uber Self-Driving Car Strikes and Kills Arizona Woman | Bleeping Computer

Information Security Misconceptions

I thought I’d slip a self-promotional link in here for an article I wrote for CSO Online.

Channelling my inner Billy Bragg, isn't it fair to say that nobody knows nothing anymore? I'm not just talking about the press -- although sloppy security reporting is far too common, and unfailingly gets my goat. What about people on the inside of the industry?

Information Security Misconceptions | CSO Online

AWS S3 leaky bucket of the week

This week's misconfigured AWS S3 bucket award goes to Walmart jewellery partner MBM for exposing 1.3m customers.

Open AWS S3 bucket managed by Walmart jewelry partner exposes info on 1.3M customers | SC Magazine

DNS Poisoning and how to prevent it

Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation.
Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies for not only securing your own network against DNS poisoning, but also working towards a harmonious kum-by-ah solution that in the en

Published 2018-03-23T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/534454534/0/alienvault-blogs~Things-I-Hearted-this-Week-rd-March

Forrester Study: Breaking Down the Total Economic Impact of AlienVault USM

Total Economic Impact™ (TEI) study that the global research firm Forrester Consulting conducted on behalf of AlienVault. For this study, Forrester interviewed AlienVault USM Anywhere™ customers, both direct users and Managed Security Services Providers (MSSPs), to assess the overall value and ROI of AlienVault USM, quantified in cold hard numbers. As stated in the study, “From the information provided in the interviews, Forrester has constructed a TEI framework for those organizations considering implementing AlienVault USM. The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision.” Download a full copy of the Forrester TEI study here. The key findings of the study are highlighted in the infographic below. They include:

80% faster threat detection and response
6X Return on Investment (ROI) over 3 Years
Payback in under 3 Months
2,000 hours saved on Compliance Audits (94% reduction)
80% Improvement in Security Operations Staff Productivity
$40,000+ Annual Savings in Threat Intelligence Expense

Need more convincing? Try our interactive product experience here.
Published 2018-03-22T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/534210620/0/alienvault-blogs~Forrester-Study-Breaking-Down-the-Total-Economic-Impact-of-AlienVault-USM

What Have You Done for Me Lately? Tips for MSSPs

Within minutes our SIEM produced a circle the size of Jupiter, representing thousands of alarms fired. After a day we racked up 38,000 alarms! From there I could produce a report showing the top offenders, enabling our client to work with his team to remediate the issues. Happy client.

Run reports you have created for other clients

One of our clients likes to see a report from AlienVault that shows the IP addresses of known bad actors, otherwise known as the Open Threat Exchange (OTX) report. I send it weekly, and he will then shun the top 5 or 10 at the firewall level. I have since shared this report, and the idea of blocking the top offenders, with other clients, who have gladly jumped onboard with the weekly regimen. Here is a sample of the report showing 15-16K SIEM events coming from the same IP(s) and known malicious actors: Good information, right? Yes, let’s kick 222.186.160.32 to the curb! Another report we get a great response from shows new assets in our SIEM. I can select a radio button to “show assets added last week” and then download that and send it to my client. This is of course good information from a security standpoint as well as for asset inventory and general housekeeping. Lastly, automate your reports to keep your name in the client’s inbox!

Follow up on security incidents

We often end an email regarding a security incident with something along the lines of, “we’ll keep an eye on things and reach out if we see any new activity.” This is good and you should do just that, but you should formalize the process and produce an incident report. Clients like this and it doesn’t have to be a novel.
Just basic facts:

Date and time of the incident
Description of the events
Systems involved
Impact
Remediation steps

Other ideas for MSSP touchpoints

Share your e

Published 2018-03-21T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/533982402/0/alienvault-blogs~What-Have-You-Done-for-Me-Lately-Tips-for-MSSPs

Cambridge Analytica Debacle - The Definition Of Breach

Pretty much the motto of my profession is “word choice matters.” I say it a lot. It appears somewhere in the marginalia of pretty much everything I’ve ever edited. Words have denotation, and connotation. There are considerations for dialect, and for popular use. It can be fiddly and annoying to be queried so; I get it. You know what you meant, and you grabbed the word in your head that, to you, meant that thing. One of the glories of having your work edited is that someone who isn’t you can hold up a mirror, to make sure that the word on the page means as close as possible to what you meant in your head, to the greatest number of people, no matter where they’re from or what language they natively speak. Here at AlienVault, we’ve had some great discussions about the differences in connotation in different words between our Irish speakers, who learned Hiberno-English (which gets the hyphen when none of the others do), Chinese speakers, who learned British English, and Americans, who learned American English with intense regional dialect (the Texans and the Californians are occasionally mutually unintelligible). But there’s one thing that none of us tolerate: the choosing of a word to deliberately mislead. When one works in fiction, one is used to the painting of pictures with words. When one chooses to work primarily in technology, it’s often because you’re way more comfortable with the nicely concrete, if entirely mutable. In technology, a thing is, or it is not.
It’s variations on a theme of zeros and ones, no matter whether it’s software or hardware. It is therefore maddening beyond belief when the unambiguous words of technology are used to mislead the non-technical public. I’m of course talking about the Cambridge Analytica debacle, which is being referred to across the media landscape as “a data breach.” A data breach is when someone who is not authorized to handle specific information obtains access to that information. It’s a non-trivial failure of the security measures a responsible company or reasonable individuals would have in place. It implies wrongdoing, it implies malice, it implies a victim/attacker relationship. But when data is harvested and used with the unknowing opt-in of thousands of people, that’s not a breach. There are no hackers here; just people who knew how to use freely given personal data to manipulate not very technically astute people to some political end. Lorenzo Franceschi-Bicchierai, as usual, gets it:

We’ve been regularly covering data breaches for years. No one hacked into Facebook’s servers exploiting a bug, like hackers did when they stole the personal data of more than 140 million people from Equifax. No one tricked Facebook users into giving away their passwords and then stole their data, like Russian hackers did when they broke into the email accounts of John Podesta and others through phishing emails. Facebook obviously doesn't want the public to think it suffered a ma

Published 2018-03-20T19:50:00+00:00. Source: http://feeds.feedblitz.com/~/533823614/0/alienvault-blogs~Cambridge-Analytica-Debacle-The-Definition-Of-Breach

New! Getting Certified as an AlienVault USM Certified Security Engineer (AVSE)

I’m very pleased to announce that we have expanded the AlienVault® certification program.
Our newest certification—AlienVault USM Certified Security Engineer (AVSE)—is now available for those who want to validate their skills with the AlienVault USM Anywhere products. Earning this certification demonstrates to the InfoSec community that you are skilled in the latest threat detection and incident response technology. You may be familiar with our AlienVault Certified Security Engineer (ACSE) certification. ACSE is entirely focused on AlienVault USM Appliance and remains fully available. We’re pleased to extend our family of certifications to now include AVSE to validate skills with AlienVault USM Anywhere, our SaaS-delivered USM platform. We introduced this new certification so that our customers, partners and employees who work with AlienVault USM Anywhere can challenge themselves and work toward proving their ability to deploy, configure and manage the product. The AVSE exam is designed to validate candidates’ knowledge of what they learned during the AlienVault USM Anywhere training courses: AlienVault® USM Anywhere™: Deploy, Configure, Manage (ANYDC) and AlienVault® USM Anywhere™: Security Analysis (ANYSA). The AVSE exam covers the skills and knowledge candidates learn in these two courses. While the training is not required to sit for the exam, we highly recommend taking the training as a way to prepare.

Why Certify on AlienVault USM Anywhere?

AlienVault USM Anywhere is a powerful product with numerous capabilities. When you take the AlienVault USM Anywhere training courses, you will learn things like how to differentiate between various types of attacks and how to fine tune and reduce irrelevant information in your environment. This will prepare you for the AVSE exam, which focuses on the lessons we teach in class. Earning this certification proves to the community that you are skilled in the latest threat detection and incident response technology. Each training course (ANYDC and ANYSA) includes one voucher for the AVSE exam.
When you pass the AVSE exam, you receive a personalized certificate and an AlienVault USM Anywhere logo that you can use on your resume, CV, and social media profiles such as LinkedIn.

What’s new with exam registration and proctoring?

Our newest exam follows the lead of our other certification exams. It is proctored by our exam delivery partner, Kryterion. You can choose to take an online proctored exam, in which you use your own webcam and take the test at your location. Or, you can choose to take the exam at a Kryterion testing center. As an additional feature, if you choose to take the exam online proctored, you can register using a concierge service through Kryterion. This concierge service provides you with a smoother process for exam registration and for testing your webcam prior to exam start. If you’re familiar with the ACSE, you know that exam is approximately 70-77 questions in length. The AVSE exam is a bit shorter, containing between 40 and 60 questions to be answered in 90 minutes.

How does Recertification work for the AVSE?

Much like the ACSE, the AVSE certification expires after 3 years. AlienVault USM Anywhere is a powerful product with a wide variety of capabilities that continue to expand and evolve. By recertifying every 3 years, AVSE certificate holders will continue to prov

Published 2018-03-20T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/533738808/0/alienvault-blogs~New-Getting-Certified-as-an-AlienVault-USM-Certified-Security-Engineer-AVSE

DNS Poisoning and How To Prevent It

DNS poisoning. Simply the name conjures up the kind of thoughts that keep network admins up at night. What if my RNDC key gets leaked? Could there be a rogue DHCP server within my perimeter? Are the Lizard Squad planning an attack on  for Christmas?
Much of what we know now about DNS, address protocol, and packet priority is being redefined with the recent 'Net Neutrality' legislation. Instead of becoming a party to the hoopla that is partisan politics surrounding THAT issue, let me assure you there are many different mitigation strategies not only for securing your own network against DNS poisoning, but also for working towards a harmonious kumbaya solution that, in the end, may resolve (pun intended) the DNS plight. So, let's silence the alerting system and get down to what DNS poisoning is, why it's still around, and one of the best ways to solve it.

Why is DNS Poisoning Possible?

The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS answers are "cached", or stored, in a database which can be queried in almost real time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses top out at the numerical value of 255 within each octet.] No, remembering strings of numbers would be next to impossible. But thankfully, and all because of Al Gore (sarcasm), we have the DNS mechanism that gives us [relatively] easy names to remember how to get to our favorite resources. DNS basically runs the Internet. Without it, only the most uber-geeky of computer scientists would be able to traverse it. Strings of numbers are just simply not how humans identify information. They help, but in reality, words and language are what separate us from our impending robotic overlords.
It's because of this that, as the Internet began to grow, the DNS (Domain Name System) was created to help us get from one side of the world to the other with little angst. However, due to the limitations of computing (especially storage and bandwidth) at the time, the early versions of DNS simply used a "distributed" text file for name resolution. Think "blockchain" for EVERY SINGLE HOST that existed on the 'Net back then. It was a nicer and friendlier place, and that system worked well. Until it didn't, and some nice folks at ARIN and ICANN came along and began the system we use today: DNS.

In its simplest explanation, DNS takes a name (e.g. yahoo.com) and looks at the locally configured 'Nameservers' for the "answer" to the question: 'What is the IP address of yahoo.com?'. Once an answer is found, it is passed back to the client requesting it, the routing and magic of the TCP protocol kicks into gear, and the peasants rejoice. Except there are sometimes problems that arise that cause the peasants to NOT rejoice, and network engineers to curse the vile notion of DNS. You see, since DNS arose at a time when "real-time" anything was not technically possible, to aid performance and allow for USABLE networks, DNS answers were logged into a locally stored 'cache' or database o

Published 2018-03-19. Source: http://feeds.feedblitz.com/~/533506094/0/alienvault-blogs~DNS-Poisoning-and-How-To-Prevent-It

Things I hearted this week 16th March 2018

Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes.

Operation Bayonet

This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market.
As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction!

Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired

How many devices are misconfigured… or not configured?

I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways. Broadly speaking, I agree: in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise, unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe?

How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner

Hacking encrypted phones

Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users.

Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard

Hidden Cobra on Turkish Banks

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions.
Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.

Published 2018-03-16. Source: http://feeds.feedblitz.com/~/532949046/0/alienvault-blogs~Things-I-hearted-this-week-th-March