www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-04-28T03:34:38+00:00 www.secnews.physaphae.fr

AlienVault Blog - AlienVault is a major defense actor in IOCs
AlienVault Achieves Compliance for PCI DSS, HIPAA, SOC 2
There’s a phrase we’ve been using a lot lately at AlienVault about eating your own dog food. Kind of weird, I know. But what that means in the world of a product company is to use your own product to test and prove its value. Six months ago, when AlienVault decided to pursue compliance for PCI DSS, HIPAA, and SOC 2, we decided to eat our own dog food and fully demonstrate our compliance using our own USM Anywhere product. Today, I’m pleased to announce that AlienVault’s USM Anywhere product has achieved certifications for PCI DSS and SOC 2 Type I and third-party validation for HIPAA compliance. Additionally, certifications for SOC 2 Type 2 and ISO 27001 are coming very soon. Lastly, a third-party validation of GDPR compliance is complete. How did we achieve certification so quickly? I’m a strong believer in lessons learned. Therefore, our director of security and I started the process by calling peers who had already achieved compliance certifications. We listened and learned about their path to success, and we used that knowledge to create our own plan. Then our engineering and product teams “rolled up their sleeves” and executed the plan. Compliance is one of the top reasons why our customers turn to AlienVault, and our achieving compliance certification against widely accepted regulatory standards carries significant and ongoing benefits for AlienVault customers. Here’s how:
1. AlienVault customers have verified assurance in our ability to securely handle their data.
We built USM Anywhere, our cloud-based security monitoring solution, because we recognized the enormous value that a SaaS model could deliver to today’s resource-limited IT security teams: significant cost savings in hardware and maintenance, a much faster deployment time, and easier scalability and log retention, among many other benefits. Yet we also knew that even our most credulous users would need assurance that AlienVault was able to securely process, transmit, and store their security-related data in our cloud. Despite the fact that we are a 100% security-centric organization with a renowned security research team, sometimes it’s not enough to tell our users, “Hey, trust us. We know what we’re doing with your data.” As President Ronald Reagan famously said, “trust but verify”: we want our customers to trust in us and to have a path to verify that trust. Having successfully completed a third-party audit and earned compliance certifications lets AlienVault customers know that we are doing exactly what we say we are doing: we have the security controls in place to continuously protect your data and ours. While it’s not a substitute for your own compliance certifications, it does mean that you can rely on our technology to assist in your own compliance efforts.
2. We’ve built a better product for compliance management.
As I mentioned above, our internal security and compliance team here at AlienVault used USM Anywhere to demonstrate compliance for certifications and continues to use USM Anywhere for “continuous compliance,” making them a tenacious internal customer with a direct line to our engineering and product management teams. Throughout our compliance journey, these teams have worked side by side to address any shortcomings or challenges in USM Anywhere that could impact our own compliance.
As a result, our product team continues to make enhancements to USM Anywhere and roll out new features to our customers, including making it easier to organize log data and security events in an auditor-friendly way and more robust out-of-the-box compliance reports. Going through the compliance journey ourselves gives us a deeper un
2017-09-19T13:00:00+00:00 http://feeds.feedblitz.com/~/459931598/0/alienvault-blogs~AlienVault-Achieves-Compliance-for-PCI-DSS-HIPAA-SOC www.secnews.physaphae.fr/article.php?IdArticle=409907

AlienVault Blog - AlienVault is a major defense actor in IOCs
Machine Learning Myths
Myth #1: Machine learning is a form of protection
Perhaps the biggest misunderstanding around machine learning, perpetuated by vendors with vague marketing claims, is that it’s some kind of new product or feature vendors can offer that can keep companies safe. The fact is that machine learning doesn’t provide protection; it helps inform how existing protection operates. It does that by enabling more in-depth and accurate analysis.
Myth #2: Machine learning is only being used by next generation antivirus solutions
Currently, the most common application of machine learning in endpoint security is analyzing file attributes to predict whether a file on disk is malicious before it has the chance to execute (in other words, the same job antivirus has been doing for years). But machine learning isn’t limited to building a better AV or next-gen AV mousetrap. New solutions are also using machine learning to move endpoint security forward in a different direction. Rather than simply analyzing static file attributes and predicting what a program will do before it’s executed, Barkly, for example, analyzes program behaviors during runtime in an effort to identify and block executing malware in the act.
Myth #3: Machine learning is only being applied to analyzing files
While solutions that rely on file scanning (e.g. next generation antivirus) have obvious trouble detecting fileless attacks — with no file, there’s nothing to scan — other solutions (such as Barkly) are using machine learning to help them analyze system activity and predict whether any particular combination of system calls and commands is indicative of an attempted attack in progress.
Myth #4: Machine learning models don’t need to be re-evaluated for months
The fact is that machine learning is not “set it and forget it.” Models are only as good as the data they analyze. Improvements to protection depend on frequent, rigorous re-training of the model with data that has high fidelity to the real world. The more limited the data — in terms of q
2017-09-18T13:00:00+00:00 http://feeds.feedblitz.com/~/459728214/0/alienvault-blogs~Machine-Learning-Myths www.secnews.physaphae.fr/article.php?IdArticle=409411

AlienVault Blog - AlienVault is a major defense actor in IOCs
Things I Hearted this Week
Equifax breached, no eyebrows raised. To Brian Krebs providing his characteristic in-depth review, The Equifax Breach: What you should know. All the way to articles exposing the poor manner in which the company has decided to respond: We tested Equifax's data breach checker — and it's basically useless. There have been many large breaches; what makes Equifax different is that the details stolen weren’t things like usernames or passwords that could be easily changed. Rather, they were users’ names, dates of birth, and social security numbers, which are almost impossible to change. Then there’s the fact that a lot of the impacted individuals weren’t even customers of Equifax. They merely had their data held by the credit bureau. So it’s unlike, say, the Yahoo breach, where users can simply shut down their account and take their business elsewhere.
All eyes will be on the regulators to see if they can get to the bottom of the mess and levy appropriate penalties. Maybe it’s time for the US to crystallise data protection, much like GDPR is seeking to achieve across Europe.
Chatbot to sue Equifax
It turns out that if you want to sue Equifax, you can do so without involving a lawyer. The creator, Joshua Browder, originally developed the chatbot to help people appeal against parking enforcement tickets. But now it’s looking to take on the big one and sue Equifax for its colossal breach.
Chatbot lets you sue Equifax for up to $25,000 without a lawyer | The Verge
Legal technology: the rise of the chatbots | Law Gazette
Artificial intelligence developed its own non-human language | The Atlantic
Phishers targeting LinkedIn users via hijacked accounts
As users, we’re often aware of the dangers that could arise from a poorly secured bank account, but we don’t often give as much thought to other accounts we own, such as email or social media. While an individual may not find LinkedIn particularly interesting beyond maintaining a professional presence, attackers look at such accounts differently and will leverage them to their advantage wherever possible. Therefore it is important that users take the right steps to protect all of their accounts and social media profiles as best as possible by using stro
2017-09-15T13:00:00+00:00 http://feeds.feedblitz.com/~/459150074/0/alienvault-blogs~Things-I-Hearted-this-Week www.secnews.physaphae.fr/article.php?IdArticle=408904

AlienVault Blog - AlienVault is a major defense actor in IOCs
Security Orchestration with the AlienApp for Palo Alto Networks Next-Generation Firewall
We recently released a new AlienApp for Palo Alto Networks® Next-Generation Firewalls.
The app collects raw logs from Palo Alto Networks next-generation firewalls, which are designed to safely enable applications and prevent modern threats by identifying all network traffic based on applications, users, content and devices. The AlienApp for Palo Alto Networks Next-Generation Firewalls provides the data to USM Anywhere for analysis, delivering additional threat detection and visibility to reduce the mean time to detect threats. The AlienApp also includes automated response actions so that metadata of threats detected by USM Anywhere, such as the IP address of the attacking system, can be manually or automatically forwarded to the next-generation firewall for enforcement. Let’s take a closer look at the capabilities of the AlienApp for Palo Alto Networks Next-Generation Firewalls and see how it can help you close the loop faster between threat detection and response.
Make Firewall Data Actionable
Firewalls provide a wealth of data on both inbound and outbound network traffic that can help security analysts understand communication trends as well as uncover threats as they occur. As a result, collecting log data from firewalls has become a cornerstone of any robust security monitoring program. Additionally, compliance can be a driver for firewall log collection, with regulations like PCI DSS outlining specific requirements in this area. Palo Alto Networks next-generation firewalls allow for the creation of comprehensive, precise security policies, allowing organizations to safely enable applications while preventing modern threats. Data from the next-generation firewall is collected via syslog, parsed and normalized, and then correlated with data from your network and assets, as well as with AlienVault’s best-in-class threat intelligence. By adding more context to the data, USM Anywhere can help identify additional threats and empower the analyst to take action.
As an example, USM Anywhere can use the next-generation firewall log data to help you identify a possible brute force attack. Here’s an example of a USM Anywhere alarm generated after repeated login attempts are followed by a successful login:
This may be an indicator of a real attack, or the activity may prove to be benign; but with USM Anywhere, there’s no need to connect to the next-generation firewall or the targeted system to view log files. Instead, you can use the USM Anywhere console to view both relevant and actionable alarms, and drill into more detailed information.
Close the Loop Between Threat Detection and Response
Let’s presume that, upon inspection, you determine it’s not simply a forgetful user trying different passwords, but rather a bad actor trying to authenticate into your network. The first step in the response is likely blocking the source IP address at the firewall. The AlienApp for Palo Alto Networks Next-Generation Firewalls includes integrated orchestration actions that streamline and acce
2017-09-14T13:00:00+00:00 http://feeds.feedblitz.com/~/458882748/0/alienvault-blogs~Security-Orchestration-with-the-AlienApp-for-Palo-Alto-Networks-NextGeneration-Firewall www.secnews.physaphae.fr/article.php?IdArticle=408440

AlienVault Blog - AlienVault is a major defense actor in IOCs
How Does The Equifax Incident Compare to Other Data Breaches?
said Wayne Jackson, CEO of Sonatype. “As a larger company, Equifax most likely spent a lot of money, time and resources securing their customer data, and yet they still fell victim to a massive attack. Everyone should pause and ask themselves: is my enterprise doing enough? Organizations must evolve their cybersecurity programs at a faster pace, and employing security service providers (where necessary) can be one way of doing so.
Security programs must also be continuously tested, so an annual red team assessment with qualified, ethical hackers can be critical in understanding how strong your cybersecurity really is,” said Steve Groom, director of cyberdefense at Proficio. To make matters even worse, Equifax probably also mismanaged its initial response somewhat from a public relations standpoint. “Equifax adds insult to injury by requiring consumers to waive their rights to a day in court and accept mandatory binding arbitration in order to take advantage of the company’s free year of credit monitoring. Cybersecurity experts estimate that the effects of this breach may be felt by consumers for decades. Consumers who choose to take advantage of Equifax’s credit monitoring in response to this breach should be sure to read the fine print carefully to find out how to opt out of these outrageous arbitration clauses,” said John Breyault of the National Consumers League. Considering how much huge data breaches can damage a company's reputation, companies should be a lot more careful in how they present themselves to the general public during their incident response. Any perception of trying to waive a consumer's right to sue will have negative consequences. At least Equifax has responded to public outrage regarding the “you cannot sue us” clause. On September 8th,
2017-09-13T13:00:00+00:00 http://feeds.feedblitz.com/~/458628461/0/alienvault-blogs~How-Does-The-Equifax-Incident-Compare-to-Other-Data-Breaches www.secnews.physaphae.fr/article.php?IdArticle=407722

AlienVault Blog - AlienVault is a major defense actor in IOCs
Explain Bitcoin to Me
(Educational picture from Harborx)
Firstly, what is the purpose of Bitcoin? Why does it exist? In the words of Satoshi Nakamoto, the anonymous inventor of Bitcoin: “Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments.
While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party. What is needed is an electronic payment system based on cryptographic proof instead of trust...” I like to say that each new person in Bitcoin adds a new use case. Some people believe Bitcoin is less a new technology and more a paradigm shift. This paradigm shift will continue to grow, fueled by the global development underway, but ultimately the fundamental goal is to transmit the properties of cash onto the Internet. This enables censorship resistance, irrevocability, fast confirmation, and pseudonymity, while paving the way for Internet-bound asset classes. Think of a Bitcoin as a unit of currency. There are a few characteristics that we need to address when thinking about currency. Some important characteristics are total supply, divisibility, and deflation. When it comes to Bitcoin, there will never be more than twenty-one million Bitcoins. Presently there are around 16.5 million Bitcoins, and this will slowly rise until there are twenty-one million.
This is due to the process known as "the halving", which essentially means the reward for mining a block is divided in half. This creates an algorithmic decline until all Bitcoins have been mined. Once there is no longer a mining reward (coinbase), miners will only profit from fees included in transactions. This means Bitcoin is deflationary, or that its supply slowly reduces. If twenty-one million Bitcoins seems like a small number, don't worry. A Bitcoin can be divided down to the eighth decimal, the smallest unit being a 'satoshi'. These Bitcoins are, ultimately, just private keys. Cryptography is the blood and veins of the Bitcoin protocol (like many protocols), and this allows us to interact with our money from a purely digital standpoint. The entire foundation of Bitcoin poss
2017-09-12T13:00:00+00:00 http://feeds.feedblitz.com/~/458407808/0/alienvault-blogs~Explain-Bitcoin-to-Me www.secnews.physaphae.fr/article.php?IdArticle=407010

AlienVault Blog - AlienVault is a major defense actor in IOCs
Cyber Security Duties of Corporate Directors - Part I
CYBER SECURITY FIDUCIARY DUTY
The corporate board of directors has the ultimate responsibility for cyber security. Cyber security is not just an IT issue — it is a core, enterprise risk issue, which falls under your fiduciary duties as a board member. In your duty of care, you must use good business judgement in all aspects of business operations. This means acting in good faith, in the best interests of the corporation, on an informed basis and not wastefully or in your own self-interest. This sets the stage for the Business Judgement Rule. The Business Judgement Rule works in favor of corporate board directors when they come under legal attack for decisions that result in harm to the corporation.
As long as these business decisions do not involve “direct self-interest or self-dealing, corporate directors act on an informed basis, in good faith, and in the honest belief that their actions are in the corporation’s best interest (Wikipedia link),” the Business Judgement Rule applies. Cyber risk management must be given a proper allocation of your time, attention and corporate resources. It is your job to ensure management is setting the cultural tone for the organization, which includes cyber security awareness. Cyber risk must be integrated into your organization’s Enterprise Risk Management Framework. As with each category of Enterprise Risk (Operational Risk, Environmental Risk, Health & Safety Risk, Project Risk, Strategic Risk etc.), clear communication and reporting is critical to maximize leadership’s line of sight into the subject. The board, senior management, business unit leaders, IT, HR, committee leaders and third-party service providers must all be on the same page concerning the level of detail, the frequency and the format of the cyber security reports you require. Concerning third-party vendors and partners, the importance of understanding their security posture cannot be overstated. Smaller companies are a gateway into mid-sized and larger companies for cyber criminals — a pattern we have seen repeated in multiple high-profile cyber-attacks in recent years. When it comes to handling critical, sensitive digital assets, a director must show reasonableness in protecting sensitive data in their care. Directors must proactively ensure that an effective cyber security program is in place and that they are prepared to handle a data breach, should one occur.
Taking these critical precautions demonstrates that the boar
2017-09-11T13:00:00+00:00 http://feeds.feedblitz.com/~/458211458/0/alienvault-blogs~Cyber-Security-Duties-of-Corporate-Directors%e2%80%8a%e2%80%94%e2%80%8aPart-I www.secnews.physaphae.fr/article.php?IdArticle=406541

AlienVault Blog - AlienVault is a major defense actor in IOCs
Week in Review – 8th September 2017
The blog is here. Or go directly to the full report here.
Google wanting to index the real world
Google is looking to improve its already impressive maps with newer cameras and the algorithms it used to index the web, applied to the real world. Google’s huge investment in machine learning and AI provides a natural way to get that information. Thanks to recent research inside the maps division, when a Street View car captures photos of a stretch of road, algorithms can now automatically create new addresses in the company’s maps database by locating and transcribing any street names and numbers. Street View was the first of Google's product groups to use the company's powerful custom AI chips, dubbed TPUs.
GOOGLE'S NEW STREET VIEW CAMERAS WILL HELP ALGORITHMS INDEX THE REAL WORLD (Wired)
Demand for cloud skills continues to rise
According to research by Akamai, the number of cloud engineering roles has increased by 18% over the past year, while roles for senior cloud engineers have risen by 34%. In particular, the skills needed for successful cloud migration, and more nuanced skills across a range of areas including cloud management, cyber security and application development, have all seen a rise in demand. One would hope this vital skill gap gets plugged soon, as the number of breaches in the cloud resulting from misconfigured servers continues to grow.
Demand for cloud skills (Information Age)
Leaky S3 bucket sloshes deets of thousands with US security clearance (The Register)
In somewhat related news, according to a study by 451 Research, almost two-thirds of organizations surveyed say recruiting for jobs in data center and server management is becoming increasingly difficult because of the skills needed, both in traditional servers and converged infrastructure.
Demand for server specialists increases, but talent pool is small
Phishing scams
Phishing scams aren’t really new, nor are they very not
2017-09-08T13:00:00+00:00 http://feeds.feedblitz.com/~/457690312/0/alienvault-blogs~Week-in-Review-%e2%80%93-th-September www.secnews.physaphae.fr/article.php?IdArticle=406079

AlienVault Blog - AlienVault is a major defense actor in IOCs
Why is Asset Discovery Crucial for Any Business?
Main Functions Asset Discovery Tools Perform for Your Business:
It is important to know which software modules are installed in your network. Interestingly, most employers and security professionals are unaware of the tools being used on their network, so an asset discovery tool is required. The main services an asset discovery tool provides are:
Diagnosis of problems / faults and resolving them
Device management
Asset maintenance
Configuration management
Mitigation of security risks
Avoidance of unlicensed software packages (and hence avoidance of malware and threats)
Eliminating commercial risks arising from the exposure of the organization’s sensitive data to unauthorized people/tools
How the Implementation of Asset Discovery Safeguards Businesses
Asset discovery not only maximizes the value of existing assets, but also optimizes the network in many ways. The benefits that make it crucial for your business are:
Enhances the level of security
A likely path for malware to enter your network is undoubtedly through unlicensed software.
An asset discovery tool will capture these unlicensed software modules immediately, and half of your problems are solved.
Prevents penalties by confirming your licenses
You should know that software vendors use multiple ways to check whether the commercial implementation of their software is licensed or not. If someone is caught using unauthorized versions, they might have to face penalties. But when you have deployed asset discovery for your business, the authenticity of software licenses is checked regularly.
Lets you learn about your network’s hardware and software assets
IT managers can use asset discovery as a method to understand network architecture. It uncovers many aspects of your network, allowing IT/security professionals to safeguard the set-up more efficiently. A sample of the questions it answers:
What’s going on in your cloud environment?
Which assets are present in your physical and virtual network?
Which vulnerabilities are present in your on-premises or cloud networks?
What are the possible holes which attackers may use to harm you?
What are the active threats which need immediate resolution?
Reminds you to keep your network updated
Efficient asset discovery tools will let you know about installed assets, retired assets, license status, and more. So you will be aware of the overall situation of your business network, and maintenance and optimization become better as a result.
Allows you to assess where you are wasting money
Extra software, the lifespan of devices, unused licenses and future asset requirements will be available to you if you
2017-09-07T13:00:00+00:00 http://feeds.feedblitz.com/~/457500806/0/alienvault-blogs~Why-is-Asset-Discovery-Crucial-for-Any-Business www.secnews.physaphae.fr/article.php?IdArticle=405460

AlienVault Blog - AlienVault is a major defense actor in IOCs
Ransomware & Threat Intel in Las Vegas
Fear and Loathing in Las Vegas.
Read the report for useful insights that are representative of the larger information security community.
Key Findings
Ransomware is the biggest concern among security professionals (42%)
Sharing of threat intelligence continues to grow among the different channels
56% of respondents use open source/public threat intelligence feeds
For 50% of respondents, the shortage of security workforce is the biggest challenge that has increased over the last year
64% of participants state that they are either “confident” or “very confident” in their organization’s ability to detect and respond quickly to a data breach
Speaking of Black Hat, we love to come up with new and innovative designs for our booth as well as cool swag; see below our spaceman in our 2017 Black Hat booth and the fidget spinners we were giving out in the booth. Don’t forget to check out the whole report from Javvad!
2017-09-06T13:00:00+00:00 http://feeds.feedblitz.com/~/457309054/0/alienvault-blogs~Ransomware-amp-Threat-Intel-in-Las-Vegas www.secnews.physaphae.fr/article.php?IdArticle=404820

AlienVault Blog - AlienVault is a major defense actor in IOCs
Introducing our Newest Certification - The AlienVault USM Appliance Technician
Our newest certification, AlienVault USM Appliance Technician, is now the first level of certification in our program. The AlienVault Certified Security Engineer (ACSE), introduced in 2015, remains the capstone certification in our lineup. Today, I thought I’d discuss why we introduced this new certification, how it works (which is a little different from many tech certifications), and why this matters for those who already hold our ACSE certification.
Learning About Security: The Certification Connection
Security and IT professionals have varying reasons for choosing to pursue an industry certification. Gaining recognition among peers, building credentials when seeking employment, and advancing in one’s career are all mentioned frequently.
However, there’s another reason to pursue a certification, one that’s often overlooked. There’s plenty of evidence showing that testing helps you to learn, and the deeper you learn USM Appliance, the more use you’ll get out of its powerful capabilities! When you take our comprehensive, five-day AlienVault USM Appliance for Security Engineers course, you’ll learn the core skills to design, implement, and operate AlienVault USM Appliance in your environment. This will prepare you for the AlienVault USM Appliance Technician certification, which was designed to focus entirely on testing the skills and knowledge that we teach in the class. By preparing for the exam and passing it, you can have confidence that you have a strong foundation to start using USM Appliance and growing your understanding of the security visibility that it offers.
What’s Different About AlienVault USM Appliance Technician
Our newest certification works a bit differently from the current ACSE, and differently from many other tech certifications. It’s entirely based on the skills and knowledge that we teach in our five-day AlienVault USM Appliance for Security Engineers course. All of the questions on the AlienVault USM Appliance Technician exam are derived from knowledge and skills acquired during the class. Therefore, it serves as the ideal way to validate learning immediately after completing our comprehensive training class. In contrast, the ACSE certification tests knowledge and skills that typically require months of hands-on product experience to acquire. The AlienVault USM Appliance Technician certification is only available to those who complete the AlienVault USM Appliance for Security Engineers course. For a certification based entirely on the class, we believe it’s most appropriate to require two things, completing the class and passing the exam, in order to earn the certification.
The AlienVault USM Appliance Technician certification that you earn never expires or requires recertification. Some other aspects of the AlienVault USM Appliance Technician will seem more familiar. The exam is delivered in a proctored environment. For this exam, all testing is via online proctoring, which provides a secure environment as you take the exam from your own computer. If you pass, you’ll receive a personalized certificate and an AlienVault USM Appliance Technician logo that you can use on your resume, CV, or business card.
A New Recertification Option for ACSE Holders
The capstone certification in our lineup, ACSE, is valid for three years from the date earned. Until now, the only
2017-09-05T13:00:00+00:00 http://feeds.feedblitz.com/~/457121492/0/alienvault-blogs~Introducing-our-Newest-Certification-The-AlienVault-USM-Appliance-Technician www.secnews.physaphae.fr/article.php?IdArticle=404370

AlienVault Blog - AlienVault is a major defense actor in IOCs
Week in Review 1st Sept 2017
Facebook-owned Instagram was the target of unknown attackers that leveraged a flaw in its API to obtain the contact details of some high-profile stars. Instagram has apparently notified some users and warned its verified users to be “extra vigilant” about unexpected phone calls, texts, and emails.
Instagram hack: Celebrity contact details revealed (BBC)
Social media is a weird game. If you participate, it will probably share far more data about you than you ever wanted. But not playing the game is also not an option, as information security veteran Bruce Schneier discovered recently. Someone noticed that Schneier doesn’t use LinkedIn, so they created a profile on his behalf. Schneier was able to get the fake account deleted, but then signed up for LinkedIn in order to prevent a recurrence.
One can imagine that while Schneier was able to quickly identify the fake profile and have it deleted, not everyone with a fake profile would be able to identify or remove it so efficiently.

Patch your heart
An estimated half a million people in the US are getting notices that they should update the firmware on their pacemakers. St. Jude pacemakers produced by Abbott Laboratories contain critical flaws that allow an attacker within radio range to seize control of the pacemaker. Unlike updating the software on your phone, though, patients will have to visit a clinic so that doctors can safely upgrade the firmware.
465k patients told to visit doctor to patch critical pacemaker vulnerability (Ars Technica)
Pacemaker patch passes probe by US watchdog (The Register)
Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch (RAPS)

Essential shared customer driver's licences over email
Last night, some customers who had preordered an Essential phone received an email asking for a copy of their driver's license, ostensibly to verify their address in an attempt to prevent fraud. Dozens of customers replied with their personal information, but those emails didn't just go to Essential; they went out to everybody who had received the original email. That means an unknown number of Essential customers are now in possession of each other's driver's license, birth date, and address information.
In colossal screw up, Essential shared c
2017-09-01T13:00:00+00:00 http://feeds.feedblitz.com/~/455685424/0/alienvault-blogs~Week-in-Review-st-Sept

One Man Cyber Attacked 4,000 Companies; Don't Let It Happen to You
In fact, it was not difficult for researchers to discover the culprit's identity: "Following extensive research into the campaign, researchers have revealed the identity of the criminal behind it.
He is a Nigerian national, working on his own. On his social media accounts, he uses the motto: 'get rich or die trying.'" The attacker sent crudely written phishing emails with improper punctuation, which would have made me immediately suspicious if one had ended up in my inbox. Here's what was sent in the body of his emails:
"Dear Sir/Ms,... Please confirm the receipt of this mail as we have sent several emails to your esteemed company. Find attach 2 pages of our purchase order request for the month of May, kindly send us PI signed and stamped also do advice bank details for LC processing. Thanks and Regards Nurafi -- Saudi Aramco P.O. Box 5000 Dhahran 31311, Saudi Arabia"
The email attachment's file name was "Saudi Aramco Oil And Gas.rar," and the 591.1 KB file had NetWire, a remote access Trojan, and HawkEye, a commercial keylogger, bound to it. NetWire is considered to be the first multi-platform RAT. It is primarily designed to exploit weaknesses in point-of-sale systems, but it can also acquire sensitive financial data from client machines that aren't part of a POS system. It is built to spread as an email-attachment Trojan, and it can linger for months undetected. HawkEye is another piece of malware sold on the Dark Web to be distributed as an email-attachment Trojan. Its payload is a DOCX file, which can then acquire email and web browser passwords and perform keylogger spyware functions. The only thing the attacker did to obscure his location was to put "Saudi Arabia" in his emails. He used two free Yahoo webmail addresses, which made it easy for the researchers to trace him. Plus, the fact that he only used two email addresses meant that the companies he targeted could easily have blocked those addresses to avoid receiving email from that attacker again. Given the simplistic nature of this operation, it's really concerning that his victims were large companies, not small or medium-sized businesses.
It's often assumed that large companies are more likely to have CISOs and better security monitoring, with technologies such as SIEM in their server rooms. It's surprising to hear about so many large organizations falling for such a pedestrian, script-kiddie sort of attack. Here are lessons that can be learned from its success, which can help you be better prepared and avoid falling victim to similar attacks:
Train all your employees and contractors who have business email accounts. Teach them about phishing. Tell them never to open email attachments from senders who aren't known to the company, and never to share financial details except with specific people.
Avoid sharing sensitive data o
2017-08-29T13:00:00+00:00 http://feeds.feedblitz.com/~/451946600/0/alienvault-blogs~One-Man-Cyber-Attacked-Companies-Dont-Let-It-Happen-to-You

Explain YARA Rules to Me
provided freely via Github, it's tough to beat its price. What does it do? Well, that's easy to describe. YARA contains a smorgasbord of pattern matching capabilities. It can be a sniper, zeroing in on a single target, or a legion of soldiers linking shields and moving across a battlefield. Both are accurate depictions of its ability to detect, either with extreme precision or in broad strokes. We used to joke that YARA ate artillery shells and drank napalm, a testament to how powerful it was when it came to finding things. It's also as smart as you make it, with the logic coming from the user. YARA is not just for binaries.

More YARA love
You might still be wondering what it is. On one hand, YARA is a lightweight, flexible tool, usable across just about any operating system. With its source code available, it's easy to tailor or extend to fit a specific use case.
YARA is an easy fit for a trusted toolset for digital forensics, incident response or reverse engineering. On the other hand, YARA is your bloodhound. It lives to find, to detect, and to puzzle out twists and turns of logic. Its targets are files, the ones you commonly think of (binaries, documents, drivers, and so on), but it also scans the ones you might not think of, like network traffic and data stores. It has been quietly woven into the fabric of a lot of tools, and you might be surprised that your SIEM, triage tool, phishing tool, sandbox or IDS can employ it. It's usually something you find out after the fact, once you learn of YARA's existence. YARA runs from a command line on both Linux and Windows, which is handy when you are working locally for reverse engineering or incident response. You can bring it online fast by opening it in a terminal, and just as easily put it to work by handing it logic and a target. Graphically, it wins no awards and frankly makes no attempt to change that; it's better served by the numerous Python, Ruby, Go and other bindings that plug it into something graphical or wrap it in an API. The logic that forms YARA's brain is just as streamlined and simple. YARA takes input at the terminal, or you can provide it a simple text file of logic. It thinks in patterns that you fashion from rules, and its yin and yang is pure true or false. The rules are sleek: you provide the name, the elements to match, and the pattern to match on. You can create the rule from a target, by sleuthing its insides and building matches, or do the opposite: derive a pattern and find targets that correspond to the logic. There was a related blog on YARA support in OTX last week.

Writing YARA Rules
At its simplest, the elements to match can be something readable in ASCII, Unicode, or hex. Declarative assignment is easy: the element is either there or it's not, and the presence or absence of the element in a target takes on meaning in the logical pattern.
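As an added example, not code from the original post: the string kinds this section names (ASCII, wide Unicode, hex with wildcards, and a regex) written as an ordinary YARA rule, followed by a small pure-Python re-implementation of how those strings and the condition are evaluated, so the logic can be run without yara-python installed. The rule name, its strings and the byte samples are constructed for illustration and are not indicators from any real campaign.

```python
# Added example (not from the original post): the four kinds of YARA
# string the section describes (ASCII, wide/Unicode, hex with wildcards,
# regex), first as an ordinary YARA rule and then as a pure-Python
# re-implementation of how those strings match, run against constructed
# byte samples. Rule name, strings and samples are illustrative only.
import re

# Ordinary YARA syntax; save as demo.yar and run `yara demo.yar <file>`.
RULE_TEXT = r"""
rule Demo_String_Kinds
{
    meta:
        note = "added illustration, not a real indicator"
    strings:
        $a = "NetWire"                                     // plain ASCII
        $w = "Saudi Aramco" wide                           // UTF-16LE, as Windows stores text
        $h = { 4D 5A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF }  // MZ header, e_maxalloc == 0xFFFF
        $r = /Receipt[_#-]?[0-9]{3,6}/                     // regex
    condition:
        $h at 0 and 2 of ($a, $w, $r)
}
"""


def compile_hex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string ('4D 5A ?? FF') into a bytes regex.
    '??' is a one-byte wildcard; every other token is a literal byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# The same four strings as compiled byte patterns.
STRINGS = {
    "$a": re.compile(re.escape(b"NetWire")),
    "$w": re.compile(re.escape("Saudi Aramco".encode("utf-16-le"))),
    "$h": compile_hex("4D 5A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF"),
    "$r": re.compile(rb"Receipt[_#-]?[0-9]{3,6}"),
}


def scan(data: bytes) -> dict:
    """Offsets of every string hit, shaped like yara's match.strings."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in STRINGS.items()}


def condition(hits: dict) -> bool:
    """Evaluate `$h at 0 and 2 of ($a, $w, $r)`."""
    header_at_zero = 0 in hits["$h"]
    content_hits = sum(1 for s in ("$a", "$w", "$r") if hits[s])
    return header_at_zero and content_hits >= 2


def matches(data: bytes) -> bool:
    return condition(scan(data))


# Constructed samples (not real malware): a fake DOS header followed by text.
# e_maxalloc lives at offset 12-13 of the MZ header and is usually 0xFFFF.
DOS_HEADER = b"MZ" + bytes(10) + b"\xff\xff" + b"\x90" * 48
SAMPLE_HIT = (DOS_HEADER + b"NetWire config "
              + "Saudi Aramco".encode("utf-16-le") + b" Receipt#83396")
SAMPLE_ONE_STRING = DOS_HEADER + b"README mentions NetWire once"
SAMPLE_TEXT_ONLY = b"NetWire Receipt#83396 but no executable header"

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("one string", SAMPLE_ONE_STRING),
                        ("text only", SAMPLE_TEXT_ONLY)]:
        print(f"{label:>11}: {matches(blob)}  {scan(blob)}")
```

Save RULE_TEXT as demo.yar and run `yara demo.yar <file>` to get the same verdict from YARA itself. The `wide` modifier is the one people forget: Windows binaries hold their text as UTF-16LE, so an ASCII-only string silently misses it, and the hex wildcards let one pattern cover header fields that legitimately vary from file to file.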
It also speaks regex, and very intricate patterns can be built as elements to incorporate into the logic. This level of declarative discovery via YAR
2017-08-28T13:00:00+00:00 http://feeds.feedblitz.com/~/450743606/0/alienvault-blogs~Explain-YARA-Rules-to-Me

Week in Review, 25th August 2017
last week while I was out topping up my tan on holiday. So without further ado, let's dive right in.

Buckets of insecurity
I think this is the week that unsecured Amazon S3 bucket leaks have officially jumped the shark. It's an almost weekly occurrence, and it continues to shine a spotlight on how many organisations simply lack the skills to properly secure their cloud environments, or to obtain any form of assurance.
Groupsize customer information found in publicly accessible buckets

Enigma Compromised
Enigma, a decentralized platform that's preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised, with the perpetrators netting nearly $500,000 in digital coin by sending out spam. Having worked over a decade in banking, I'm not the biggest fan of the layers of regulation required in financial services. But as we're seeing with cryptocurrency, a little additional security can go a long way.
Hackers nab $500,000 as Enigma is compromised weeks before its ICO
Somewhat related: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency

Boarding passes and stolen accounts
This isn't a new attack vector. I remember reading about similar attacks not too long ago, but it bears repeating that if you post photos of barcodes, particularly the ones on your airline boarding passes, it's likely someone can gain access to your account.
Post a boarding pass on Facebook, get your account stolen
Dangerous airline boarding pass hacking trend puts travellers at risk
Your Boarding Pass Barcode Can Reveal Your Future Flight Schedule

Bad guys probably work as much as you do
It's not easy putting in a dishonest day's work. According to a recent study, most criminal hackers put in just as many hours in their daily grind as legitimate workers do. It's a shame, really; you'd think a lot of them would have made great colleagues in an alternate reality.
Day in the life of a modern spam kingpin: Why hackers work similar hours to everyone else

Ransomware changed the rules
Another good and insightful post by the Grugq, in which he elaborates on a statement (which received some push back on Twitter) that ransomware authors and criminals are doing more to advance the state of cyber security readiness than the last 10 RSA conferences. A controversial statement for sure, but the article makes some valid points that are worth pondering.
Ransomware changed the rules

Accept Ts & Cs or be left with a brick
2017-08-25T13:00:00+00:00 http://feeds.feedblitz.com/~/447140208/0/alienvault-blogs~Week-in-Review-th-August

Why Is There Lockpicking at Practically All InfoSec Conferences?
Every year thousands of eager minds flock to the many InfoSec conferences or meet-ups across the globe, only to stumble across a lockpicking station. This raises the question, "Why are they facilitating lockpicking at information security events?" The answer is actually quite simple. InfoSec practitioners and hobbyists share an extremely deep bond in that they are constantly forcing themselves to learn how technology works and what vulnerabilities may exist within an implementation.
This drive to fully understand every angle of a particular piece of technology results in a breakdown of its purpose, functions, and limitations. As locks were, and still are, at the forefront of security technologies, they can be found everywhere from the home to the office and often out in public. This presents an easily accessible platform to satisfy all of the aforementioned needs of any security-driven mind.

Now that the link between lockpicking and information security has been established, we can approach another factor that turns lockpickers into full-blown picking wizards: the challenge. Locks are unique and offer multiple levels of difficulty in picking. There is a great sense of pride and satisfaction when you hear the slight click as the cylinder turns after a successful attempt. Having a task in front of you with an irrefutable indication of completion gamifies the hobby. As a result, many challenge locks have been created and groups have formed to share resources, tools, and their love of picking. This elevates the community as a whole and brings into the fold some people who might otherwise have passed on an InfoSec event.

As the InfoSec community grows, there is an extreme need for more hands-on and fully immersive elements at conferences to engage attendees. Lockpicking stations offer a simple and scalable solution to this, while also offering an escape from the blue light of a screen. Lockpicking can also cater to entry-level pickers thanks to the availability of training supplies and caring people to help them learn. Several shops now offer picks, instruction videos, and clear practice locks to allow for a gradual introduction to the hobby.
By using available materials, a fully comprehensive environment can be set up in a matter of minutes and provide hours of entertainment.

On a personal note, I cannot stress enough the need for us, as a community, to facilitate these stations and provide a welcoming environment for attendees. More often than not, people trying to break into the InfoSec community can become discouraged, but an extended hand can make all the difference. We need to make sure we are always respectful and share our knowledge freely. Help someone pick their first lock and see how you can make a difference. Elevate your peers by sharing with one another the tips and tricks that make these meet-ups such a great resource. The key to the success and continuation of this field may not be a key at all, but a set of picks being held for the first time.

In closing, lockpicking has become a much-needed part of InfoSec because it allows a firsthand view into security. Security professionals have access to an abundance of resources to study particular topics these days, but to truly understand the risk we are attempting to thwart, we need first-hand experience. We need to practice what we preach and force ourselves to take a deep dive into how a threat could compromise our security. Lockpicking is one of the easiest ways to drill this into our minds, as we can see in real time how human intervention can throw a stick in the spokes of progress and send us back to the drawing board.
Without the ability to understand how an attacker could potentially bypass our defenses, we will never be able to improve upon existing
2017-08-24T13:00:00+00:00 http://feeds.feedblitz.com/~/445956668/0/alienvault-blogs~Why-Is-There-Lockpicking-at-Practically-All-InfoSec-Conferences

Your All-Access Pass to Incident Response
Are you new to InfoSec? Perhaps you are not a newcomer, yet you find yourself wanting a greater role in your organization's security functions. Too often, security operations are based on a need-to-know model, which shuts out many people who would love to know more so they can grow as security professionals. The path into the need-to-know group is not an easy one, as it requires developing trust and showing that you have certain skills. Some organizations are very hesitant to let you show off your skills, especially while you are on their network. Others do not want the slightest hint that you have any hacker skills, worrying more about their liability in such matters than about how those skills could protect their interests. This is the odd line we walk as security professionals.

Have you considered other ways to break into the circle of trust? Consider the incident response process as an avenue. Many organizations either have, or are in the process of developing, an incident response plan. The plan will contain the usual steps for addressing the many events that can result in its invocation. If you are not familiar with incident response, now is a good time to learn about it from the many available resources. Each incident response plan relies on a team of first responders: the folks who identify an event and determine whether it rises to the level of a true incident.
Once that is determined, various roles and responsibilities activate. This is where the folks who have to take action are set in motion to contain and eradicate the problem. Part of the incident response process requires good note keeping. This is not the most glamorous of the incident response tasks, but it may be one of the most important, particularly in the later stages of the recovery process and most notably when the event needs to be explained to people outside the security team and in the post-mortem. Are you up to the task of faithfully recording events, noting just the facts in an emotionally neutral way? This is the perfect opportunity to live out all of your Vulcan dreams, thinking purely logically to capture events. If ever there was a time to volunteer your untapped talent, it may be now.

How are your writing skills? Much of what you will do in this field will require good written and verbal communication. You don't have to be a scholar; you just have to keep the thoughts clear, focused and consistent. Don't be afraid to seek assistance from others on the team. They have a strong interest in the proper recording of any incident. The person recording the incident response is offered the equivalent of an all-access pass to the best show in town. It may not be the most fun show in town, as tensions can run very high when a security incident is unfolding. This is all the more reason to show off your ability to remain calm and take accurate account of the events. This could also be your ticket to a broader role on the security team in your organization.
2017-08-23T13:00:00+00:00 http://feeds.feedblitz.com/~/444776730/0/alienvault-blogs~Your-AllAccess-Pass-to-Incident-Response

YARA Support and Other Recent Additions to OTX
YARA rules are a great way of detecting, classifying and hunting for malware.
We are happy to announce that you can now develop, test and share YARA rules on AlienVault OTX. If you'd like to deploy these rules on your own network, the original post links to a script that downloads the rules, and to a big sample set of rules. But YARA isn't the only addition to OTX since our last update.

More HTTP data
We have data on malicious and suspicious URLs going back a number of years. Now you can also see the analysis and relationships with links within the HTML, Whois or SSL certificate fields.

More users
The value in a platform like OTX is in its users, with each added user an exponential gain for the other users of the community. We now have over 65,000 registered users, and the number of visitors browsing the site has more than doubled since the beginning of the year. In addition, there are hundreds of groups, including 70 public groups where you can collaborate and share information about specific topics or threat actors.

More AlienVault-generated reports
Users that subscribe to the AlienVault user on OTX, and particularly those that have the AlienVault threat intelligence subscription, may have noticed we're starting to add a lot more of our own reports on attacks to OTX. Our analysts create this content by tracking and analyzing multiple threat actors. They are able to do this with the help of a system (internally referred to as SkyChip) that identifies clusters of malware we haven't encountered before.

Integrations and API users
We had another blog discussing all the extensions to the API.
It's great to see integrations in several places, and this week Hybrid-Analysis.com has built some awesome integrations utilizing the OTX API.

What's coming
We're hard at wo
2017-08-21T13:06:00+00:00 http://feeds.feedblitz.com/~/442432238/0/alienvault-blogs~YARA-Support-and-Other-Recent-Additions-to-OTX

Week in Review 18th August 2017
Vaccine discovered for Cerber ransomware - based on its own evasion, from @SCMagazineUK
There is a lovely quote from Chris Doman in the article: "If the technique became popular, then the attackers would change this check. And there are thousands of variants of ransomware - it's not scalable to apply local tricks to stop each one," he said. "When 'vaccines' for Locky ransomware became public, the malware authors quickly changed their code so the vaccine no longer worked." "That said, it's great that Cybereason and other companies are releasing ransomware specific security applications for free."

On premises = a false sense of security
On-premise workloads less secure than cloud, from @cloudpro
As if "normal" DDoS is not annoying enough, here's a new "smarter" DDoS technique
Pulse Wave - New DDoS Assault Pattern Discovered, from @BleepinComputer
Making me pine for good old cash...
UK Retail Data Breach Incidents Double in a Year, from @InfosecurityMag
InfoSec spending rising; fastest in security services
Worldwide information security spending will grow 7% in 2017, from @Helpnetsecurity
At least the week is over...
We can only hope next week InfoSec has more news, and it would be awfully nice if some of it were good news :)
2017-08-18T13:00:00+00:00 http://feeds.feedblitz.com/~/438912064/0/alienvault-blogs~Week-in-Review-th-August

The Upgraded AlienVault OTX API & Ways to Score Swag!
improvements to the depth of data in OTX recently, which are now available via the free API. Some of the API functions now include:
Malware anti-virus and sandbox reports
A Whois API, including reverse Whois and reverse SSL
IP addresses on which our telemetry indicates a specific network signature has fired
The HTTP contents of a domain or URL, as well as all pages that link to it
Passive DNS history
Malware samples that talk to a domain or IP
Malware samples retrieved by anti-virus detection
Lists of malicious URLs on domains
All indicators from users that you subscribe to
Pulses found by the adversary, industry or keywords that interest you

What could you build?
This depth of data could be used for countless things, but here are a couple of examples of what the API could be used for:

Actor Tracking
Let's say you want to get daily updates on an attacker that has targeted your sector before. With the new API, you can get a daily email on name servers they use, domain registration emails they use, and servers that have fired network alerts for their malware.

Malicious File Alerting
Another common task is wanting to know whether files that pass through your network or mail gateway (either at the MX or the inbox) are malicious. You can easily extract these files, then check them against OTX to see if they are malicious.
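The malicious-file alerting flow just described, as an added example that is not code from the post or from the OTX SDK: hash the extracted attachment and ask OTX how many community pulses list that hash. It assumes the OTX v1 endpoint `/api/v1/indicators/file/<sha256>/general`, the `X-OTX-API-KEY` request header, and a `pulse_info.count` field in the response; the sample response is constructed so the decision logic runs offline, and a real lookup is only attempted when an `OTX_API_KEY` environment variable is set.

```python
# Added example (not from the original post or the OTX SDK): the
# "Malicious File Alerting" flow, a hash lookup against OTX.
# Assumptions, because the post does not spell them out: the OTX v1 endpoint
# /api/v1/indicators/file/<sha256>/general, the X-OTX-API-KEY header, and a
# pulse_info.count field counting the pulses that list the hash. The sample
# responses below are constructed so the logic runs offline.
import hashlib
import json
import os
import urllib.request

OTX_BASE = "https://otx.alienvault.com/api/v1"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def otx_lookup(sha256: str, api_key: str) -> dict:
    """GET the 'general' section for a file hash (network; needs an API key)."""
    req = urllib.request.Request(
        f"{OTX_BASE}/indicators/file/{sha256}/general",
        headers={"X-OTX-API-KEY": api_key, "User-Agent": "otx-attachment-check"},
    )
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def verdict(general: dict, min_pulses: int = 1) -> dict:
    """Turn a /general response into an alert decision.
    The hash counts as malicious once at least min_pulses pulses list it; the
    pulse names are kept so the alert says why, not just that."""
    pulse_info = general.get("pulse_info") or {}
    count = int(pulse_info.get("count") or 0)
    names = [p.get("name", "") for p in pulse_info.get("pulses") or []]
    return {"malicious": count >= min_pulses, "pulse_count": count, "pulses": names[:5]}


def check_attachment(data: bytes, lookup, min_pulses: int = 1) -> dict:
    """Hash an extracted attachment and ask lookup(sha256) for OTX's view of it.
    lookup is injected so the same code runs against the API or a fixture."""
    digest = sha256_of(data)
    result = verdict(lookup(digest), min_pulses)
    result["sha256"] = digest
    return result


# Constructed OTX-style responses (no real pulse or hash is referenced).
SAMPLE_LISTED = {
    "type": "FileHash-SHA256",
    "pulse_info": {"count": 2, "pulses": [{"name": "Constructed pulse A"},
                                          {"name": "Constructed pulse B"}]},
}
SAMPLE_UNLISTED = {"type": "FileHash-SHA256", "pulse_info": {"count": 0, "pulses": []}}

if __name__ == "__main__":
    attachment = b"constructed attachment bytes"   # what the gateway extracted
    key = os.environ.get("OTX_API_KEY")
    lookup = (lambda h: otx_lookup(h, key)) if key else (lambda h: SAMPLE_LISTED)
    print(json.dumps(check_attachment(attachment, lookup), indent=2))
```

Raise `min_pulses` if a single community pulse is too noisy a bar for paging someone; keeping the pulse names in the alert is what lets the analyst judge that quickly.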
Examples
Our Python SDK page includes some simple examples of using the API, such as:
Storing a feed of malicious indicators from OTX
Telling whether a domain, IP, file hash or URL is malicious
2017-08-17T13:00:00+00:00 http://feeds.feedblitz.com/~/437689044/0/alienvault-blogs~The-Upgraded-AlienVault-OTX-API-amp-Ways-to-Score-Swag

GlobeImposter Ransomware on the Rise
Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it's the Beach Boys' "I Get Around" (1964), Springsteen's "Dancing in the Dark" (1984), or Pearl Jam's "Last Kiss" (1999), the summer anthem is transcendent, yet perfectly emblematic of its time. If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn't that be catchy? That's because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now there's a new ransomware remix topping the charts—GlobeImposter 2.0. Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we've seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it's important to understand how the ransomware initiates, spreads, and evades detection.

GlobeImposter Ransomware at a Glance
Distribution Method: Malicious email attachment (MalSpam)
Type: Trojan
Target: Windows systems
Variants: many (see below)

How GlobeImposter Works
The recent GlobeImposter attacks have largely been traced to MalSpam campaigns—emails carrying malicious attachments.
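Added example, not from the original post: gateway-side detection of the delivery chain this article describes, a receipt or payment-themed subject with a .zip attachment that actually holds a .js or .vbs downloader, using only the Python standard library. The subject pattern is built from the subject lines this article lists; the messages and zip contents are constructed for the example, and no GlobeImposter sample or downloader is embedded.

```python
# Added example (not from the original post): mail-gateway detection of the
# GlobeImposter MalSpam chain, a receipt/payment-themed subject plus a .zip
# that carries a .js/.vbs downloader. Messages, subjects and zip contents
# are constructed; no real sample is embedded.
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects in the campaign look like "Receipt#83396", "Payment-421",
# "Payment Receipt_03950": an optional "Payment", "Receipt", a separator, digits.
SUBJECT_RE = re.compile(r"^\s*(?:Payment(?:\s*Receipt)?|Receipt)[\s_#-]*\d{3,6}\s*$", re.I)
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}


def script_names_in_zip(blob: bytes) -> list:
    """Names of script files inside a zip; [] if the blob is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n.lower())[1] in SCRIPT_EXT]
    except zipfile.BadZipFile:
        return []


def assess(raw: bytes) -> dict:
    """Score one RFC 822 message. A zipped script is the decisive signal;
    the receipt-style subject is kept as supporting context for the analyst."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("receipt/payment subject with trailing number")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the bytes, not just the name: a renamed zip still opens as a zip.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            scripts = script_names_in_zip(payload)
            if scripts:
                reasons.append("zip attachment carries script: " + ", ".join(scripts))
    decisive = any(r.startswith("zip attachment") for r in reasons)
    return {"subject": subject, "suspicious": decisive, "reasons": reasons}


# Helpers that build the constructed test messages.
def make_zip(inner_name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def build_message(subject: str, attachment_name: str, attachment: bytes) -> bytes:
    m = EmailMessage()
    m["From"] = "billing@sender.invalid"
    m["To"] = "ap@victim.invalid"
    m["Subject"] = subject
    m.set_content("Please find the receipt attached.")
    m.add_attachment(attachment, maintype="application", subtype="zip",
                     filename=attachment_name)
    return m.as_bytes()


MALSPAM = build_message("Payment Receipt#97481", "Receipt_97481.zip",
                        make_zip("Receipt_97481.js", b"// constructed placeholder, not a downloader"))
BENIGN = build_message("Q3 report", "report.zip",
                       make_zip("report.pdf", b"%PDF-1.4 constructed"))

if __name__ == "__main__":
    for raw in (MALSPAM, BENIGN):
        print(assess(raw))
```

The subject pattern alone is a weak signal (real receipts look like this too), which is why the verdict hinges on opening the archive and checking what is inside it rather than on the file name the sender chose.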
In this case, the email messages appear to contain a .zip attachment of a payment receipt which, in reality, contains a .vbs or .js malware downloader. Sample email subject lines include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950
Once the attachment is downloaded and opened, the downloader fetches and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse. Note that some of the known malicious domains are legitimate websites that have been compromised. Like other ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time. You can read a detailed analysis of a GlobeImposter sample at the Fortinet blog and at Malware Traffic Analysis.

GlobeImposter Variants on the Rise
What's striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file e
2017-08-16T13:00:00+00:00 http://feeds.feedblitz.com/~/435614526/0/alienvault-blogs~GlobeImposter-Ransomware-on-the-Rise

Stackhackr: Build Your Own Mock Malware, Then Test Your Own Security
stackhackr, a new way to surface possible vulnerabilities and gaps in their current security stacks and present leadership with data points that support the need to do more.
Since security and IT teams are among the most cynical evaluators, and since they typically like to do things themselves, we figured they'd be most interested in a tool that lets them assemble mock malware to test the resilience of their systems. This gives them additional confidence in the test, and it doesn't hurt that they are trying it out for themselves in a hands-on manner.

What is stackhackr, and how does it work?
Stackhackr lets you create and customize your own mock malware. It simulates real malicious behavior on your machine without actually doing any harm. There are currently two mock attack payloads to choose from, and three ways to see them delivered:
A fileless ransomware attack: This scenario simulates deleting shadow volume copies, a common ransomware behavior designed to prevent victims from recovering encrypted files.
A fileless credential theft attack: This scenario simulates exfiltrating passwords stored on Windows machines in Local Security Authority Subsystem Service (LSASS.exe) memory.
In addition to picking your payload, you can also choose how you'd like to simulate its delivery (via phishing, malvertising, or drive-by download), and customize elements such as what the ransom screen looks like.

Why did we create stackhackr?
There aren't many good tests out there for behavioral protection. It's easy to check whether your antivirus is up to date or to run some file scans, but few tests let you see how your security will actually respond to malicious behavior. This matters because we know that the majority of today's malware is, or can be, modified to evade traditional antivirus file-scanning tools. Many attacks go "fileless" by using exploits, abusing legitimate scripting tools like PowerShell, or streaming malicious code directly into other processes or memory. Blocking these malicious behaviors is the only way to stop these attacks before they result in damage.
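Added example, not from the post and not part of stackhackr: what the behavioral detection the post argues for looks like in code, for the two behaviors its mock payloads simulate (shadow copy deletion and reading lsass.exe memory) plus the encoded PowerShell launch it mentions. The events are constructed dicts that borrow Sysmon field names (EventID 1 process create, EventID 10 process access); nothing here is a captured log, and the allowlist of processes expected to open lsass.exe is an assumption to tune per environment.

```python
# Added example (not from the original post or from stackhackr): behavioral
# detection logic for the behaviors the mock payloads simulate, shadow copy
# deletion and reading LSASS memory, plus encoded-PowerShell delivery.
# Events are constructed dicts shaped like Sysmon process-create (ID 1) and
# process-access (ID 10) records; field names follow Sysmon's.
import base64
import re

SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|vssadmin(\.exe)?\s+resize\s+shadowstorage"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no)", re.I)
# -e, -ec, -en, -enc, -EncodedCommand ... followed by a base64 blob
ENCODED_PS_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)

PROCESS_VM_READ = 0x0010   # the access right credential dumpers need on lsass.exe
LSASS_READERS_OK = {       # assumption: processes expected to open lsass; tune per fleet
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process_create(ev: dict) -> list:
    cmd = ev.get("CommandLine", "")
    alerts = []
    if SHADOW_DELETE_RE.search(cmd):
        alerts.append({"rule": "shadow_copy_tamper", "image": ev.get("Image"), "cmd": cmd})
    m = ENCODED_PS_RE.search(cmd)
    if m and "powershell" in ev.get("Image", "").lower():
        alerts.append({"rule": "encoded_powershell", "image": ev.get("Image"),
                       "decoded": decode_encoded_command(m.group(1))})
    return alerts


def check_process_access(ev: dict) -> list:
    """Flag a handle to lsass.exe with VM_READ from a process not expected to hold one."""
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if (target.endswith(r"\lsass.exe") and granted & PROCESS_VM_READ
            and source not in LSASS_READERS_OK):
        return [{"rule": "lsass_memory_read", "source": source, "granted": hex(granted)}]
    return []


def evaluate(events: list) -> list:
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 10:
            alerts.extend(check_process_access(ev))
    return alerts


# Constructed events. "QQBBAEEA" is base64 of UTF-16LE "AAA", a harmless placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

None of these rules looks at a file hash, which is the point of the post: a mock payload run from memory trips them exactly as a real one would, so they are what stackhackr-style testing actually exercises. The lsass allowlist is the part that needs local tuning; security agents and backup tools legitimately read that process too.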
B
2017-08-15T13:00:00+00:00 http://feeds.feedblitz.com/~/435260982/0/alienvault-blogs~Stackhackr-Build-Your-Own-Mock-Malware-Then-Test-Your-Own-Security

Security Tips for Parents with Kids Going Back to School
Cybersecurity is just as important for ordinary people—both adults and children—as it is for companies and professional organizations. I first went online in 1995, when I was eleven years old. Back then, only a very small percentage of households had internet access. My parents had no idea what to expect as I explored the World Wide Web and Usenet freely, and I learned a lot of things about online safety the hard way. As was typical for my generation, I didn't get my first cellphone until I was 20. It's a whole different world now. I see fifth graders with iPhones and toddlers with iPads. Now more than ever, it's crucial that parents watch over and protect their children's cybersecurity. Back-to-school time is the perfect occasion to review how you should allow your kids to use PCs, mobile devices, and the internet. Lucky kids will get new smartphones to help them keep in touch with their families and other children, and laptops to help them do research for their homework. Here are some tips that all parents will find useful to help their kids stay safe in a 21st-century world.

Online is Forever
Remind your children that anything they post online will likely be discoverable forever, even when they're really, really old, like 33. This applies to social media posts on Facebook and Twitter, comments on Tumblr and other blogging platforms, YouTube comments, discussions on gaming networks like PlayStation Network and Steam, and even what they write on social networks and online services that haven't been invented yet. What's posted online may remain online, even if you think you've deleted it.
For example, if you dig really deep into the Deep Web, all the way back to 1997, you'll find a fan site for Clueless that I made on Angelfire while pretending to be Cher Horowitz. I'd be a bit embarrassed if you saw it, but at least it's nothing that jeopardizes my adult life and career as a cybersecurity journalist. I've seen kids born in the 90s post photos on Facebook of their drunken antics. They obviously weren't considering what future employers might think. It's difficult to get kids to think about how their actions now will affect them possibly decades into the future, but it's important to keep reminding them of this with persistence and patience.

Behave Online Like You Would In Person
It's time to stop pretending that what you and your kids do on the internet isn't "real." So much of our lives are online these days that it's as real as anything else. It's a good idea to remind your kids to be polite on the internet, and to avoid harassing or trolling, as there are real human beings on the other side of the monitors and touchscreens. But online behavior is also something to keep in mind because it can affect your children's information security as well. Would you tell strangers your deepest secrets, or ask them to meet you in a secluded location? Would you leave your front door open, making the contents of your house vulnerable to thieves? If the answer in the "real world" to such questions is no, then the same standards should apply to online communications and actions. While this might seem obvious, reminding your children about it never hurts. Private information isn't only communicated with words, but also with images and video. For example, a YouTube video shot in your driveway might inadvertently reveal your physical address, while screenshots of your text messages and emails might reveal people's private phone numbers and email addresses. So you should also reinforce to your children the need to be aware of the content they post online.
Make Friends With All of Your Kids' Friends

Not only should you fo
Published 2017-08-14T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/434000932/0/alienvault-blogs~Security-Tips-for-Parents-with-Kids-Going-Back-to-School (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=396427)

Week in Review 11th August 2017

report accusing Carbon Black products of leaking customer data. With levels of click-bait usually reserved for BuzzFeed, it managed to get some coverage referring to Carbon Black as running a pay-for-play exfiltration botnet. Apparently Direct Defense didn't care to contact Carbon Black prior to releasing its report, according to Carbon Black in a rapid rebuttal.

In my younger years, I spent many an hour watching wrestling (rasslin'). And if there's one thing I learnt from all the body slams, pile drivers, and promos, it's that if you're a mid- to low-level jobber, trying to climb up the rungs to a title shot can be a long and thankless process. So the best way to get a quick title match is to generate some heat by taking a cheap shot at the champ or any other fan favourite. Adrian Sanabria examines the whole fiasco in a well-written post, "words have meaning".

Gimme (UK critical infrastructure) Shelter

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4% of global turnover for failing to have effective security measures in place. I blame GDPR for popularising the penalty of x% of global turnover. Maybe this is the regulators' version of speaking softly and carrying a big stick.

NotBeingPetya: UK critical infrastructure firms face huge fines for lax security
UK Gov: Firms could face £17M fine if cyber security is not up to scratch
£17 million fines for CNI companies under proposed EU SNIS plans

Satisfaction

There's something quite satisfying when you stumble upon a nice repository of data.
Which is exactly what happened when I followed a tweet from Hack with GitHub to the appropriately named "awesome hacking" GitHub repository. I found some nice tools, and clearly a lot of effort has gone into organising them all. Have a browse.

All Sold Out
Published 2017-08-11T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/430390470/0/alienvault-blogs~Week-in-Review-th-August (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=395876)

Starwood Waypoint and CeloPay Use AlienVault USM Anywhere to Secure Their AWS Cloud Environments

USM Anywhere to help ease these headaches and reduce the complexity of realizing security and compliance in their Amazon Web Services (AWS) cloud environments. As an AWS Advanced Technology Partner, AlienVault provides AWS users with centralized and easy-to-manage threat detection, incident response, and compliance management for their cloud, on-premises, and hybrid IT environments. AlienVault USM Anywhere combines a continuous stream of threat intelligence updates from AlienVault's Security Research Team with the five most essential security capabilities, enabling organizations to more quickly detect threats and better secure their AWS environment. USM Anywhere is a unified SaaS solution purpose-built for the AWS shared responsibility model, where AWS secures the infrastructure and the customer is responsible for the security of their applications, content, and systems.

Starwood Waypoint Combats Phishing Attacks (01/20/2017)

Starwood Waypoint (formerly known as Colony Starwood) is the third-largest single residential home rental organization in the country. The company cannot afford a security breach, especially with 800 employees managing tens of thousands of properties. No one knows this better than the Security Engineer (SE) who runs Starwood Waypoint's security team. At first, the SE had to juggle volumes of security data from multiple systems. It was too much.
He decided his team needed an all-in-one solution that could provide easy-to-view insights into the company's security posture.

"I wanted something I could put into an all-in-one solution"

After evaluating numerous SIEMs, the SE chose AlienVault USM Anywhere, a solution that simplifies and centralizes threat detection and incident response across cloud and on-premises environments. The SE deployed USM Anywhere's AWS cloud sensor to natively monitor the Starwood Waypoint network. Using USM Anywhere's purpose-built sensors for cloud and on-premises, the SE now monitors his cloud environment and local environment together while incorporating features, like reporting and security capabilities, in one unified system. USM Anywhere's consolidated approach combines asset discovery, vulnerability management, intrusion detection, SIEM and behavioral monitoring in one cost-effective, centralized SaaS solution. This breadth of security capabilities under one banner, coupled with the benefits offered by AWS, gives organizations a purpose-built solution for securing an ever-changing AWS environment. Now, the SE and his team can spend less time on hardware administration and number crunching for security preparation and more time focusing on actually protecting the IT infrastructure against threats. With "everything under one roof," the SE and his small security team can focus on what matters most: threat mitigation.

Starwood Waypoint relies on USM Anywhere integrations with AWS CloudTrail, CloudWatch and S3, using USM Anywhere to flag AWS configuration changes, for instance whenever an S3 bucket is made public. They also use USM Anywhere to detect vulnerabilities and system permission changes, as well as to generate alerts on emerging threats based on the latest threat intelligence.
"Everything is under one roof"

The SE combats m
Published 2017-08-10T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/429194652/0/alienvault-blogs~Starwood-Waypoint-and-CeloPay-Use-AlienVault-USM-Anywhere-to-Secure-Their-AWS-Cloud-Environments (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=395270)

Basic Best Practices for Secure Internal Software as a Service (SaaS) Applications

Security Controls

Your SaaS infrastructure should have built-in controls to manage user access and data in a secure way. Data and application controls help to keep your data secure. There are different mechanisms you can employ:

Data encryption is a mechanism all SaaS systems should have. Whichever ciphers you use, the encryption keys should be managed and stored securely within a key management system (KMS), which can be as simple as a secure server that operates on your premises, with a trusted third party, or in some other physical or logical proprietary or open source solution. As much as possible, data should be encrypted both at rest (such as when it's stored on a disk) and in transit.

Data loss prevention (DLP) mechanisms and policies should also be employed. There are two aspects to DLP: detection and action. DLP detection systems can look for certain keywords and phrases in transmitted text to determine if your corporation's sensitive data is being leaked to an unauthorized party or entity. There are also SaaS APIs you may implement in your development that can determine events such as when a file is opened, and by whom. All such events can be configured to appear in DLP logging. Then an administrator or SIEM solution can receive an alert and decide if it's a false positive or a true positive. If a true positive incident is reported, the next step is action. Company security policy determines how to respond to incidents such as a sensitive file being emailed to an unauthorized party.
Never assume that just because your application runs through the cloud you don't need to have your own backups. You can never have too many backups. What if something terrible happens to your web servers? Make sure the metadata of your files is included in your backups. Metadata plays a vital role in determining who created your files, how, and various permission and usage rights. To simplify your operations, there are third-party backup services such as Spanning, Barracuda, and Backupify. Comparison shop carefully.

Identity and access management is just as important in your SaaS environment as it is in any of your other traditional applications hosted on your on-premises and corporate networks. Make sure that each employee, user, or authorized contractor who is allowed to use your SaaS application has authentication cred
Published 2017-08-09T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/427998974/0/alienvault-blogs~Basic-Best-Practices-for-Secure-Internal-Software-as-a-Service-SaaS-Applications (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=394590)

Shine a Light on the Dark Web with USM Anywhere

Verizon Data Breach Investigations Report, a whopping 81% of hacking-related breaches leveraged either stolen or weak passwords. Establishing and communicating a policy to promote good password hygiene for your company is an obvious and necessary first step. However, the risk of compromised credentials extends well beyond the immediate control of your organization. Employees are adopting more and more cloud-based services, which are only sometimes sanctioned by IT, and using their corporate e-mail addresses when signing up. To add to the risk, password reuse continues to be an all too common practice, with many using the same credentials across multiple accounts and services.
Given these trends, it's a safe bet to assume that you don't have full control over what happens to your users' credentials or visibility into all the places where these could be stored. So, what happens when one of these cloud services gets hacked? Well, let's just say it's not good, as it could be months, or even years, before that breach is discovered and disclosed. Meanwhile, these stolen credentials could have been bought and sold on the "dark web", a haven for cybercriminals that, due to its illicit nature, is exceedingly difficult for most organizations to monitor.

Introducing the AlienApp for Dark Web Monitoring

AlienVault USM Anywhere addresses the compromised user credential problem with its new AlienApp for Dark Web Monitoring. Taking advantage of the extensibility of USM Anywhere, the AlienApp for Dark Web Monitoring is powered by technology from SpyCloud, a pioneer in breach discovery. By extending the USM Anywhere platform with the expert human and machine intelligence provided by SpyCloud, you can quickly identify when your users' credentials have been compromised, and immediately take action to mitigate risk. The AlienApp for Dark Web Monitoring provides monitoring for all e-mail addresses related to a domain, along with monitoring for up to 10 individual email addresses, such as those of executives and other high-risk targets in your organization.

Now, let's take a closer look at how it works. As with all AlienApps, USM Anywhere customers do not need to purchase or download anything additional to leverage this functionality; the AlienApp for Dark Web Monitoring is available immediately within USM Anywhere. To begin monitoring the dark web for compromised credentials, navigate to the AlienApp for Dark Web Monitoring configuration screen (under Settings | AlienApps). Enter your company's domain name to monitor all email addresses related to that domain, along with up to 10 individual e-mail addresses that you wish to monitor for compromise.
For both domains and e-mail addresses, you will need to verify ownership before monitoring will be enabled. Once you have set up your watchlists and confirmed ownership of the domain and/or e-mail addresses, USM Anywhere will automatically query the SpyCloud breach database every 24 hours. If any of your employees' credentials have been newly exposed in a breach, USM Anywhere will raise an alarm with the following information:

- The e-mail address of the exposed credentials
- Whether the breach has been publicly disclosed
- Whether the exposed password is hashed or stored in cleartext
- Whether the credentials have been seen in a prior breach
- Whether the credentials were obtained through an infecte
Published 2017-08-08T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/426748278/0/alienvault-blogs~Shine-a-Light-on-the-Dark-Web-with-USM-Anywhere (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=394039)

Software Defined Networks and their Implications on Security

In the inaugural session of the AlienVault experts' opinions and ideas, Roger Thornton, CTO at AlienVault, interviews Dr. Ed Amoroso, former Chief Security Officer for AT&T and currently the CEO and Founder of Tag Cyber. Click here to watch the entire version. The topic is SDN (software-defined networks) and the implications on security, both good and bad.

Roger leads off by recounting, "7 or 8 years ago an employee of mine was in my office, banging on the table and banging on the doors that SDNs were going to change everything, and the world was going to be a completely different place. And I've got to admit I didn't get it. I didn't get it technically. I think I have an idea now, but I also didn't understand how quickly it would be upon us".

Ed Amoroso explains more in the video, "So, if you think about software-defined, it's a way of using software to virtualize something that previously was tangible.
For example, when was the last time you bought a calculator? Never, right? I mean, if you go back, you and I would go buy a calculator. We would buy a TI calculator. It was a piece of equipment we held in our hands. Eventually, that became virtualized as an application that ran on another platform. So, we all use calculator apps on other things—software-defined calculators. When was the last time you bought a flashlight, right? Now we use our phones. A piece of software has actually virtualized something that you would never have dreamed in a million years could be virtualized. A flashlight? What are you talking about? I need something that's going to emanate light, and the idea that now flashlights are apps on some other platform is also kind of natural, but we don't always think about that. When you take a moment to think, 'Hey, you're right! I do use my phone as a flashlight. I do use my phone as a calculator,' so the question becomes 'Can you use infrastructure—a vanilla, baseline computer infrastructure—to implement other types of hardware components that you never would have dreamed could be virtualized'".

The video also addresses the pros and cons of security with SDN. According to Ed Amoroso, "SDN is software - but it still has the same concepts - I think you'll see patching and provisioning are simpler because we can build clean images off in some laboratory, make sure it's right, and then just deploy those images, and that's a simpler kind of thing. Forensics is made simpler because we can basically grab an entire image, drop it into a forensics lab, do what we need to do".

The video is great, have a look!
Published 2017-08-07T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/425618330/0/alienvault-blogs~Software-Defined-Networks-and-their-Implications-on-Security (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=393416)

Week In Review – 4th August 2017

Motherboard has an interesting podcast with Kevin on the topic of creating fake identities. Listening to this, I was reminded of the Defcon talk a couple of years ago by Chris Rock (the security professional, not the comedian / actor) entitled "I will kill you".

Abusing GDI Objects for ring0 Primitives Revolution

Speaking of Defcon, Saif El-Sherei, an analyst at SensePost, gave a talk in which he released two exploits and a new GDI object abuse technique. The slides and white paper exploits are available here. Associated Github and blogpost.

Is Amazon's Cloud Service Too Big To Fail?

Microsoft's Peers says concentration risk is a "genuine issue". "I don't think you can have the world's financial systems in the hands of one bank or on one cloud provider. It seems completely incomprehensible to think that a Microsoft or Amazon would ever disappear but you can't allow for that possibility." I thought this write-up on Amazon Web Services regarding the size and influence it is rapidly gaining was very well-researched and put together.

Azure security boss tells sysadmins to harden up and properly harden Windows server.

Vanity, My Favourite Sin

The first organization that Jahanrakhshan targeted was Leagle.com, a website that offers copies of court opinions and decisions. In the beginning, Jahanrakhshan contacted the site's team from his personal email address, asking them nicely to remove copies of past court decisions mentioning his name on the premise that it was tarnishing his reputation and violating his privacy. When the Leagle team refused, the suspect even offered to pay a $100 fee to have the documents removed.
When Leagle refused again, Jahanrakhshan — who also used the name "Andrew Rakhshan" — sent them a threatening email saying that he had made friends with dangerous hackers and that they should heed his final warning.
Published 2017-08-04T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/421995426/0/alienvault-blogs~Week-In-Review-%e2%80%93-th-August (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=392927)

How the Vote Hacking Was Done at DefCon25

vote hacking village at DefCon25 was an eye-opening experience in the world of what-ifs, worst-case scenarios, and the results of utter carelessness.

How We Worked

As the village opened on Friday, I sat down at a Diebold ExpressPoll 5000, along with another teammate. For the next five hours we worked together to figure out how to compromise the device, but the first step was making the thing work. The ExpressPoll 5000 is a voter registry lookup device that is supposed to allow election workers to verify voters in a precinct and print voting cards at the polling station. Optional peripheral devices for the ExpressPoll include a printer and a barcode scanner. The ExpressPoll has two slots in the top - one for a PCMCIA card and one for a Compact Flash card - as well as two USB ports and a Cat5 networking port in the back.

The physical security of the Diebold ExpressPoll 5000 is weak, to say the least. The PCMCIA and Compact Flash cards are covered by a small plastic case, with a very small loop to which one could attach tamper-evident tape or a very thin zip tie. Tamper-evident tape and zip ties, however, are very easily breached, as demonstrated in the DEF CON Tamper Evident village next door. The USB ports and networking cable, on the other hand, are completely open to the world and very easy to access.
We removed the PCMCIA card from the ExpressPoll and put it into a reader to see just what was on there. To our delight, there was a file called PollData.db3 - a great place to start. The PollData.db3 file was empty, but not encrypted, so writing to it was a simple matter. The main login screen for the ExpressPoll 5000 has fields for a Poll Number, User Name and Password. A quick trip to Google for some documentation for the device showed a hard-coded admin user name of 1, and a password of 1111. Surely this couldn't be the case, we thought. We were wrong, and 1 and 1111 got us into the device.

Upon typing in the password, we were greeted by a SQLite error stating that a required data table was missing. Well, how convenient! We could create the table and fields ourselves, in the PollData.db3 file, and see where that would lead us. We popped the PCMCIA card out, and into a reader, and within seconds had that SQLite error resolved, and were on to another one.

Note: for those who know a little about databases, the use of SQLite as a production (never mind election) database is a questionable one. SQLite does not allow for multiple levels of privileged access, meaning that anybody with access to the database can read and write to it.

After a couple of hours of shuttling the card between the device and the reader, and solving the SQLite errors that popped up, we were finished. We had a working Diebold ExpressPoll 5000 that let us cycle through screens and open polls for voting. The next step was to load some fake data, including a precinct, a polling place, and a voter, Votey McVoteface. This was an easy enough matter, and already we had exposed a vulnerability in the machine - the ability to simply write to the database using a card reader, without having to deal with encryption or write protection. Using this method, one could add or delete voters.
We could also change the defined boundaries of a voting precinct, in order to add or drop voters from th
Published 2017-08-01T23:31:00+00:00. Source: http://feeds.feedblitz.com/~/418998468/0/alienvault-blogs~How-the-Vote-Hacking-Was-Done-at-DefCon (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=391453)

Week in review 28th July 2017

Ruby script, which helps brute force AWS S3 bucket names using different permutations, caught my eye. However, is such a tool really needed when there are so many misconfigured AWS storage servers out there leaking data publicly? It's like shooting fish in a barrel. It's not Amazon's fault that people assume, "secure because it's Amazon", because they do have a well-published shared responsibility model. CSO Online has a good video discussing cloud security responsibility.

Experts warn too often AWS S3 buckets are misconfigured, leak data
Yet another misconfigured Amazon S3 bucket exposes Dow Jones Customer Data

Densely Connected Convolutional Networks

I won't even pretend to say I fully understand this research paper, but it looks interesting.

Recent work has shown that convolutional networks can be substantially deeper, more accurate, and efficient to train if they contain shorter connections between layers close to the input and those close to the output. In this paper, we embrace this observation and introduce the Dense Convolutional Network (DenseNet), which connects each layer to every other layer in a feed-forward fashion. Whereas traditional convolutional networks with L layers have L connections—one between each layer and its subsequent layer—our network has L(L+1)/2 direct connections. For each layer, the feature-maps of all preceding layers are used as inputs, and its own feature-maps are used as inputs into all subsequent layers.
DenseNets have several compelling advantages: they alleviate the vanishing-gradient problem, strengthen feature propagation, encourage feature reuse, and substantially reduce the number of parameters. We evaluate our proposed architecture on four highly competitive object recognition benchmark tasks (CIFAR-10, CIFAR-100, SVHN, and ImageNet). DenseNets obtain significant improvements over the state-of-the-art on most of them, whilst requiring less computation to achieve high performance.

Full paper. Code and pre-trained models.

Be a Fake Cop to Get Real Weapons

Apparently there's a surplus of military weapons that the Pentagon is trying to offload to local law enforcement. But weapons are dangerous things, so you'd hope there would be plenty of checks and balances in place to prevent them falling into the wrong hands. Unfortunately, this is actually not the case. The Government Accountability Office (GAO) created a fake law enforcement agency, a fake website, and a bogus address that traced back to an empty lot and applied for military-grade equipment
Published 2017-07-28T15:05:00+00:00. Source: http://feeds.feedblitz.com/~/413991926/0/alienvault-blogs~Week-in-review-th-July (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=390390)

Revealing the Power of Cyber Threat Intelligence

In today's cyber world, decision makers continuously question the value of their security investments, asking whether each dollar is serving to secure the business. In the meantime, cyber attackers are continually growing smarter and more proficient. Today's security teams frequently find themselves falling behind, left to analyze artifacts from the past and try to decide on future actions. As organizations work to bridge this gap, cyber threat intelligence (CTI) is growing in popularity, effectiveness and applicability.
Technically, threat intelligence is the process of understanding the threats to an organization based on available information. It combines various data and information in order to determine relevant threats to the organization. To address the security concerns that easily bypass our traditional cyber security solutions, security professionals have to be ever-attentive and observant. That's where threat intelligence comes into action. Cyber threat intelligence helps you identify security threats and make informed decisions. Threat intelligence can help you solve the following problems:

- How do I keep up to date on the overwhelming amount of information on security threats, including bad actors, methods, vulnerabilities, targets, and so on?
- How do I get more proactive about future security threats?
- How do I inform my business leaders about the dangers and repercussions of specific security threats?

Sources of Threat Intelligence:

Threats to organizations come from internal as well as external sources. Because of this, organizations are under tremendous pressure to control threats. Although information in the form of raw data is available in abundance, it is difficult and time-consuming to get actionable information. The first step for an organization to improve its information security capabilities with threat intelligence is to choose appropriate sources of intelligence. Sources are:

- Internal Threat Intelligence: Information that is gathered from within the organization itself is considered internal threat intelligence.
- External Threat Intelligence: Information that is gathered from outside the organization, from the internet, newspapers, books and other external sources, such as Open Threat Exchange (OTX), is considered external threat intelligence.

Threat Intelligence Capabilities:

Cyber threats to organizations generally include SQL injection, DDoS, web application attacks and phishing.
It is essential to have an IT security solution that offers threat intelligence capabilities to manage these attacks by being both proactive and responsive. Here are some examples that show how cyber threat intelligence is being used to aid in addressing different threats:

Improved Patch Management Process: True CTI can help governance, risk management, and compliance (GRC) teams with patch management. Using actionable weakness and exploitation data, these teams can prioritize when to patch which vulnerability.

More Effective "Attack Surface" Protection Systems: CTI plays a significant role in enhancing the effectiveness of security tools. Many security protection tools are blind to today's threats. Additionally, even when tools can be configured to automatically block on the basis of data in raw threat feeds, network operations teams may leave this feature off for fear of false blocks impacting business operations.

Situational Awareness & Event Prioritization: Hig
Published 2017-07-26T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/411512256/0/alienvault-blogs~Revealing-the-Power-of-Cyber-Threat-Intelligence (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=389304)

Managing Pseudonyms with Compartmentalization: Identity Management of Personas

OPSEC model
2. Identity compartmentalization
3. Mental health & psychological vulnerability

The First Factor: OPSEC Model

An OPSEC model – a set of standard procedures to ensure operational success – should be established for maintaining each individual persona. The goal of our OPSEC model is to mitigate the risk of the operation being jeopardized while maintaining operational capabilities; it is the bridge that allows us to rationally execute operations with success.
This OPSEC model will describe the rules and conditions to be followed while using that persona; this protocol will also outline how a persona will react to various situations. The established protocols of our OPSEC model should always be followed.

Retrieved from: https://goo.gl/xKjjr4

So, Who Needs an OPSEC Model?

Everyone needs to follow rules of some sort to perform their daily operations safely, but the need for an OPSEC model depends on the operational circumstances. There is a limitless number of possibilities for the various models that could be created, again, respective to the operational circumstances.

Ross Ulbricht, better known as Dread Pirate Roberts, is an ex-darknet marketplace operator convicted of founding and running the Silk Road. Determining the OPSEC model for a darknet marketplace operator is difficult since there is a vast variety of metrics that must be considered: law enforcement investigators, state-level adversaries, targeted blackmail and extortion, and even assassination attempts. A darknet marketplace operator would require dedicated compartmentalization, the capability of plausible deniability, regular anti-forensic action, a cover-up career, effective money laundering, and strong self-discipline to avoid sharing stories in real life. Additionally, they would require a strong understanding of how to maintain cyber anonymity through cryptocurrency, secure messaging, an understanding of metadata, cryptography, and much more. This is an example of an extremely delicate OPSEC model, to say the least.

Corporate OPSEC Models in InfoSec

Realistically, not everyone is a darknet marketplace operator, but we often see OPSEC models used in our very own workplaces; we can think of defensive security policies, rules and guidelines as pieces of a greater corporate OPSEC model. InfoSec professionals often say that the human factor is the weakest link in security.
By developing rules and defensive security policies in the workplace, various types of social engineering attacks can be prevente
Published 2017-07-24T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/409218162/0/alienvault-blogs~Managing-Pseudonyms-with-Compartmentalization-Identity-Management-of-Personas (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=388382)

Week in Review, 21st July 2017

https://bartblaze.blogspot.co.uk/2017/07/the-purpose-of-ransomware.html

On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt

When Troy Hunt tackles an issue, you're pretty much guaranteed an in-depth view, and he doesn't disappoint with his post on Extended Validation (EV) certs, commercial certificate authorities, and Let's Encrypt.
https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/

Life is about to get a whole lot harder for websites without HTTPS
Let's Encrypt with DNS Round Robin
How to revoke a Let's Encrypt certificate

Securing an Amazon S3 Bucket

There have been several so-called breaches involving AWS S3 servers. However, the common element in all of these stories has been user error. It's been the users that have been making the data public, then scratching their heads wondering what went wrong when millions of records were viewable by anyone with an internet connection. Mark Nunnikhoven has written a great, easy guide on how to secure an Amazon S3 bucket.

11 simple, yet important steps to secure AWS

Steal millions in ether with one simple trick

Someone tricked would-be investors during an Ethereum ICO into sending their cryptocurrency to the wrong address. Ether is a popular cryptocurrency alternative to Bitcoin. It's not entirely surprising though; given the rapid rise in popularity of cryptocurrency, companies are jumping on the bandwagon, prioritising speed over security.
With an estimated market value of $100bn in a completely unregulated environment, we’ll likely see more of these occurrences.
Hacker allegedly steals Ethereum with incredibly simple trick
These hackers stole $85, in Ether to save it from the real crooks (or so they say)
Parity Wallet Hacker Cashes out $90,000 in Stolen Ether

Burglary in mind? Easy, just pwn th

Published 2017-07-21.

Countdown to One Giant Security Event: Black Hat!

It’s that time of year again! The Aliens are in full motion, gearing up for Black Hat 2017, July 24-27th at Mandalay Bay in Las Vegas. If you’re planning to attend Black Hat, please stop by booth #923. Look for the lunar module complete with a life-size astronaut, where you can take a photo and share it with your InfoSec community on social media!

At our booth you can:
- Get a live demo of our USM platform: USM Anywhere, USM Appliance, new AlienApps and the latest version of Open Threat Exchange (OTX).
- Catch a product presentation every 30 minutes. If you ask a question, our Lunar Rover may deliver a t-shirt to you!
- Fill out a short survey to get a light-up fidget spinner.
- Stop by the Rocket Fuel station where we will be serving up out-of-this-world candy!
- Looking for a new job opportunity? Check out our careers page or stop by and chat with our Chief People Officer.

Also, be sure to catch Sacha Dawes, Product Marketing Manager at AlienVault, speaking on Wednesday, July 26th, 4:00-5:00 pm in Theater A of the Business Hall on “Strength in Numbers: Threat Intelligence for the 99%.” We’ll have some fun t-shirts to give away at this session as well! See you in Vegas!
Published 2017-07-20.

Tweetchat Roundup: GDPR Commentary

Quentyn Taylor, Director of Information Security, Canon EMEA, and data protection and privacy expert Rowenna Fielding of Protecture.

Concerns

We didn’t waste time in trying to understand the challenges and main concerns of participants. Rowenna pointed out that organisations treating GDPR as a compliance, legal or IT matter is a challenge, and one that will likely cause them problems. That sentiment was echoed by Sarah Clarke, who added that companies tend not to factor in issues like contracts and due diligence. Carl “The GDPR guy” Gottlieb also weighed in on the lack of clarity around the ePrivacy regulation.

72 hours to comply

The 72-hour breach notification rule seems to be a hot topic for many organisations. Rowenna clarified that breach notification is applicable only where there is an impact on individuals’ rights or freedoms, the scope of which extends far beyond financial data. But as Kate Brew pointed out, in many large organisations it can take 72 hours just to schedule a meeting.

Dead or alive?

The scope of GDPR is still a bit uncertain for some, so we sought to determine in what context GDPR applies. Apparently, the dead are exempt from it, so funeral directors losing a list of the deceased would be exempt. It is also worth bearing in mind that GDPR applies to EU citizens and residents, no matter where the controller or processor is based.
Published 2017-07-19.

Detecting Identity-Based Threats with the AlienApp for Okta

The AlienApp for Okta enables you to monitor user activities and detect threats against your Okta account directly from USM Anywhere. Okta is an enterprise-class identity management service that features provisioning, single sign-on (SSO), Active Directory (AD) and LDAP integration, multifactor authentication (MFA), mobile identity management, and more for cloud and on-premises applications. Recognized by Gartner Inc. as a leader in the “Magic Quadrant for Access Management, Worldwide 2017,” Okta connects and protects employees of many of the world’s largest enterprises and provides deep integrations to over 5,000 applications. The AlienApp for Okta, automatically made available today in USM Anywhere at no additional cost to users, collects and analyzes data directly from the Okta API to detect user credential theft, abuse, policy violations, and other threats. The AlienApp for Okta joins a growing collection of AlienApps that extend the threat detection and security orchestration capabilities of USM Anywhere. Let’s take a look at how you can leverage identity data from Okta to improve your overall security posture.

Connect USM Anywhere and Okta in Minutes

The AlienApp for Okta is available out of the box in USM Anywhere, with nothing to download or install. All it takes to enable the connection is the URL of your Okta instance and an API key, which can be generated from the Okta administration interface. Once connected, USM Anywhere begins to collect data from Okta.
USM Anywhere enriches this data and summarizes it in an interactive dashboard, allowing you to easily monitor your Okta activities and drill down on any data for deeper investigation.

Correlate Identity Data to Detect Potential Threats

Collecting event log information from Okta is a necessary first step, but if you’re like most security professionals with limited resources, you don’t have a lot of time for data exploration and threat hunting. This is where the power of combining Okta and USM Anywhere really shines. With AlienVault’s best-in-class threat intelligence built into USM Anywhere, you can take advantage of continuously updated correlation rules that the AlienVault Labs Security Research Team researches and writes for you, so that you can focus your attention on the events that, in context with other event data flowing into USM Anywhere, represent likely threats. Let’s take a look at a few examples.

Certain activities within Okta may appear innocuous but can also be an indicator that a user account has been compromised. A user permission modification may be a normal part of your operating procedure, but it can also represent the first step of a malicious actor. These types of events are classified as environmental awareness alarms in USM Anywhere, alerting you to the need to validate that the update was expected and performed by an appropriate user. Other activity related to identity and access is more overtly suspicious, and in these cases USM Anywhere will generate alarms with higher severity to focus immediate attention on the issue.
For example

Published 2017-07-18.

Your E-Signature Matters

How often do you receive a message from friends or family that indicates, at the end of the message, the type of phone they are using? Message tags such as “Sent using the Galaxy Note 8” or “Sent from my iPhone” can tell a person a few things about you. Or how about the messages that “suggest” that you use the same messaging application as the sender, such as “Get Outlook for iOS”? Think about what your e-mail signature is broadcasting about you. First, if you send messages from your work computer, and that computer does not append the same identifying postscript, then it is easy to know when you are most likely in your office or away from it. Next, if you advertise different signatures on your various devices, you may be projecting an image of yourself that you do not necessarily want to be your “final word” on any matter. For example, imagine if you ended each conversation with an advertisement for your favorite mouthwash. It is funny when placed into the context of a conversation, but when you consider that you probably send many more e-mails than you have actual conversations, you can see the point. Perhaps you believe that people will “tune out” the signature line of your message. That is as bad as writing a message that you wouldn’t mind people not reading. On the other hand, what if people simply do not read the last line of all your messages? That doesn’t seem great either.
When you think about the constant flow of information, coupled with all the advertising to which we are subjected during our online activities, it is easy to see that it is perhaps best to declutter your messages of any advertisements. Your signature need not be an elaborate display; it should just be uniform across all your communication media. If you use two different messaging applications, you can go so far as to have one signature for your personal messages and one for your professional messages. My personal messages are signed with a simple “-Bob” at the end. It doesn’t take much effort to adjust your signatures to be identical across all your messaging devices. It also shows that you consciously took the time to make that choice, to be just a bit more thoughtful and “present” in your communication stream. And isn’t that the best reason to communicate?

Published 2017-07-17.

Week in Review, 14th July 2017

A license to hack

The Singapore government may soon require hackers to get a license. As part of a draft bill that will make sweeping changes to Singapore’s national cybersecurity regime, already rated the world’s best by the International Telecommunication Union (ITU), hackers who conduct investigative work such as penetration testing (probing systems for holes in their security) will be required to obtain a license. The same goes for specialists conducting forensics work. Anyone caught hacking without a license could face 2 years’ jail time and a hefty fine. In theory it may be a good idea… actually, I’m struggling to think of any good reason why this is a good idea. The definition of hacking is very woolly at best.
Changing a character in a URL could be perceived as parameter tampering, or it could be a genuine mistake. And would tools need to be licensed too? Of course, rules never hurt the bad guys; they will presumably carry on doing what they’ve always been doing.
Singapore is planning a new law to license hackers
Draft Bill
5 Key proposals from Singapore’s new cyber security bill

Visualising The Information Tracking Superhighway

Remember when the internet was often referred to as the information superhighway? Well, it probably still is, except the real juicy information is heading in the opposite direction. But just how much information is being tracked? Whatever your guess is, you should probably double it. This visualisation does a great job of showing just how much tracking is going on, and who the biggest culprits are. The future of privacy looks pretty bleak.

When Cyber crime hits the books

What is the real cost of a cyber security attack? Many guesses and estimates have been thrown out. Some believe each breach costs companies multi-million dollars, while others believe it is almost negligible, with no immediate impact on share price. But Reckitt Benckiser Group, in its last annual report, ranked cyber security eighth among the top 12 biggest specific risks it faces. That danger became real when the consumer goods giant was hit by the Petya attack last month. Reckitt said this will probably cost it 2pc of second-quarter sales, some of which will never be recovered. It’s tempting to see this as an unlucky one-off. That would be too kind.
At last, the true cost of cyber crime turns up on the books

The Uber of Umbrellas

I imagine that investors must be sick to their back teeth of pitches that start off with, “We’re like the Uber of x…” But why not? Crowdsourcing and sharing seem to be fashionable at the moment, so it isn’t necessarily surprising to see all manner of companies looking to pursue this route.
What is surprising is when a Chinese-based company was able

Published 2017-07-14.

Infosecurity Europe 2017 Survey: GDPR, the Cloud, and Government Spying

Javvad Malik prepared a survey for the Infosecurity Europe 2017 conference, was in the AlienVault booth where the survey was completed by 918 attendees, and has written up a delightful summary of the results.

InfoSecurity 2017 took place against a backdrop of change; so much change, in fact, that some might call it chaos. The deadline for the GDPR moves ever closer, but the British government is in a state of disarray at a time when negotiations to leave the EU are underway, all while it’s trying to increase its surveillance capabilities as well. Enterprises are feeling the brunt of these changes. While cloud, in all its various guises, continues to shape digital strategies, we were curious to find out how security professionals were adapting not just to cloud technologies, but also to the increased focus on privacy that the GDPR will bring, within the overall context of a government that’s eager to increase its powers.

There were some interesting findings, like some trepidation about cloud security expertise:

Key Findings

50 percent of participants think the GDPR’s 72-hour rule of breach notification could do more harm than good, and 42.6 percent reported that they were unsure if they could identify and report a data breach within 72 hours.

49 percent don’t have, or are unsure if they have, data processing agreements with cloud providers, and 28 percent say that the level of cloud security expertise in their organization is either ‘novice’ or ‘not very competent’.
A significant section of respondents (37.5 percent) said that their organization would refuse to put a backdoor in their product if asked to do so by the government.

The cybersecurity industry has a dim view of Theresa May’s policies, which seek to undermine information security fundamentals like encryption and threat intelligence sharing.

So many tasty bits! You can read the full report here.

Published 2017-07-12.

Basic Best Practices for Configuring Email Servers

A significant percentage of online cyberattacks are email related. Enterprises are often required to host their own email servers for the sake of compliance and practicality, instead of using one of the many third-party email services often offered by ISPs. But if an email server that your business operates is attacked, not only can your business experience lost productivity, you can also be subject to litigation for leaking sensitive data. Fortunately, there are some basic best practices for configuring your email server in a more secure way, which should significantly reduce your risk. This isn’t a comprehensive guide to secure email configuration, and your business may be subject to compliance standards that aren’t covered here, depending on your industry. But it is an excellent starting point. Sometimes, even the most experienced IT professionals forget about the basics. For the sake of this piece, I use the phrase “email server” to refer to backend programs that are mail transfer/transport agents (SMTP) or mail delivery agents (e.g. POP3, IMAP).
There are many popular mail transfer agents and mail delivery agents that businesses use, such as sendmail, Postfix, Microsoft Exchange Server, Apache James, MDaemon, and Citadel. These best practices can be applied to the configuration of most commonly used email server applications, regardless of your OS platform.

Basic steps

Here are the usual steps for setting up a mail transfer agent:

1. Install the application of your choice. Generally, you can only have one application using SMTP per email server. For instance, if you want to use Postfix, you may have to uninstall sendmail packages first. Whether your MTA application is open source or proprietary, installed via repository or removable media, choose carefully. Consider any requirements that compliance and company policy may have. If you can use an application that has added security features, that’s probably a better choice. Also make sure that your application will be well supported in the coming years, with frequent patches as necessary.

2. Configure carefully. It’s always more secure to make sure you’re running no default settings. Also make sure that you change administrative usernames and use only complex passwords. Change all passwords according to a set schedule; once every three months is usually good. Some of the settings specific to SMTP include the total number of connections, the number of simultaneous connections, and the maximum connection rate. Those will need to be tweaked for a while during operation until you find what works.

3. Test, test, test! Have some test emails sent through your SMTP application, and commence full operation only when that’s successful. But testing for incidents like DoS attacks will probably require the work of penetration testers. If you can arrange it, having a red team work on your SMTP server before you launch it may be a good idea.

4. Review the functionality and security of your SMTP server on a regular basis, to a set schedule that works for your organization.
And here are the usual steps for setting up a mail delivery agent:

1. Install the application of your choice. As with mail transfer, you should only have one application installed as a mail delivery agent per email server, so first uninstall any existing packages for mail delivery agents that you don’t want to use. Everything else that applies to choosing a mail transfer agent also applies to installing a mail delivery agent, except for one thing: there’s more than one commonly used TCP/IP protocol

Published 2017-07-11.

Incident Response Automation Challenges (and How USM Anywhere Can Help)

According to the SANS 2017 Incident Response Capabilities Survey, 47% of organizations reported taking more than 24 hours to move from detecting an incident to containing it. Given that every minute between compromise and containment represents potential data exposure and damage, these results reveal a serious need to shorten incident response times. At the same time, security teams face significant obstacles to swift incident response. The threat landscape changes constantly, bombarding analysts with new threats to contend with every day. Detecting and responding to these threats often requires a wide variety of security products, adding the workload of buying, maintaining, and managing a set of tools that aren’t typically designed to interact or work together. With disconnected tools, incident response activities can include a lot of time-consuming manual tasks that take away from more strategic response efforts and slow down the incident response process. To cut down the time between detection and response, organizations should consider how orchestration and automation can help.
With a solution like USM Anywhere, security teams can eliminate their biggest incident response challenges and dramatically reduce their time to response.

This is Part Three of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. The series covers the following topics:
Part 1: Incident Response Orchestration: What Is It and How Can It Help?
Part 2: Automated Incident Response in Action: 7 Killer Use Cases
Part 3: Incident Response Automation Challenges (and How USM Anywhere Can Help)

In Part One, we covered what security orchestration is and how it can help you speed up your incident response (IR) processes. In Part Two, we looked at examples of incident response automation in action to give you a taste of what’s possible for your organization. In this installment, we’ll examine how USM Anywhere addresses the most pressing IR automation challenges facing security teams.

Unlike solutions built to solve one security problem at a time, USM Anywhere provides a unified platform for security monitoring and compliance on-premises and in the cloud. The platform integrates asset discovery, vulnerability assessment, intrusion detection (IDS), behavioral monitoring, SIEM, and log management, all within a single pane of glass. With advanced security orchestration capabilities built directly into this unified platform, USM Anywhere is uniquely equipped to help resource-constrained teams save time and money by easing and automating these common IR challenges.

Problem: With Siloed Security Products, Emerging Threats May Go Unnoticed
Solution: Accelerate Time to Detection with Unified Security Essentials

Rapid detection is key to effective incident response. The longer it takes to detect an intrusion, the more time a malicious actor has to steal data and cause damage.
However, when your security plan involves managing information from a variety of point solutions that weren’t built to work together, it’s challenging to form a complete picture of what’s

Published 2017-07-10.

Week in Review, 7th July 2017

Car breakdown service provider the AA apparently suffered an issue whereby it was publicly disclosing customer data. Except it wasn’t. But it was. The short version is that the AA published 13GB worth of customer data to the internet, including partial credit card details. However, in a masterclass on how not to handle a data breach, the AA proceeded to deny any such leak had occurred, despite there being clear evidence to the contrary. Then, when Graham Cluley pointed out that the AA may be fibbing, he was warned (threatened?) that he was in breach of the Computer Misuse Act. Note that this was for posting a redacted screenshot of leaked data, from a leak that apparently didn’t occur in the first place.
Troy Hunt breaks down the five stages of data breach grief
The AA Exposed Emails, Credit Card Data, and Didn’t Inform Customers
AA Shop investigating 13 gigabyte data breach

On the flip side, DaFont had a pretty reasonable response to being breached.

A self-destructing PC

I remember watching the Mission Impossible TV series where, at the end of the mission briefing, the director would say, “This message will self destruct in 30 seconds,” and I always found it to be so cool. When my first MP3 player was stolen, I sorely wished that it had similar functionality whereby I could remotely ‘detonate’ it so that the internals would go up in a puff of smoke. It appears as if such a device is no longer in the realm of fantasy, as Orwl takes physical security to the next level.
Not only do you need a password and wireless fob to turn it on; if the fob moves out of range, the system goes to sleep and the USB and HDMI ports shut off. If an attacker is persistent, the device will wipe data on the encrypted drive.
This $1,699 “secure PC” will self-destruct if tampered with

It will be interesting to see how law enforcement view this and, if such devices become favoured by those looking to do no good, whether a master fob is requested.

Certificate revocation is broken

A nice piece by Scott Helme (why does autocorrect insist on referring to him as Helmet?) in which he illustrates the challenge that, as more and more sites use certificates, there isn’t a good way to revoke them if someone obtains our private key.

Kaspersky agrees to turn over source code to US government

In a story that will likely continue to take twists and turns along the way, Kaspersky has worryingly agreed to share its source code with the US government in order to continue conducting business with them. CEO Eugene Kaspersky has stated that h

Published 2017-07-07.

Sneak Peek of BSides Chicago Keynote - Garrett Gross

BSides Chicago July 15. If you haven’t yet, register to attend! Follow Garrett on Twitter.

Question: You work with a lot of different customers on a daily basis. How would you describe the consensus of how people are feeling about InfoSec in business right now? Are you seeing any signs of battle fatigue, with all this recent ransomware activity?

Much like fashion and pop culture, InfoSec goes in cycles. We’ve seen trends like this before, with viruses, worms, and RATs. Ransomware and Ransomware-as-a-Service are just the next new trend. Veteran InfoSec pros are accustomed to this pressure to learn and adapt quickly.
Now, IT generalists are a different story. Especially in mid-size businesses and businesses that have very limited or no dedicated InfoSec staff, IT generalists are having a terrible time dealing with the stress of ransomware prevention and incident response. It is becoming overwhelming.

Question: The defender does have some disadvantages against the attacker in most situations, including companies defending their infrastructure and business. What advice would you give to Blue Teamers?

This is a huge hurdle. The defender must be successful 1000/1000 times and the attacker only must be successful 1/1000 times. I urge Blue Team defenders to be constantly vigilant in their jobs and to focus on the basics: use the right technology for prevention, detection and incident response, focus on process, embrace security advocacy, and leverage the InfoSec community for help and support.

Question: How critical is emerging technology, such as Machine Learning, for the typical business trying to maintain a robust security posture?

ML/AI is definitely compelling and, in the right hands, can be a very powerful tool for correlating data. However, for the ‘typical business’ (small IT/security team), it usually ends up being a distraction. What’s important for most IT teams are the basics: threat detection, endpoint protection, user training, and security advocacy.

Question: The InfoSec community is pretty helpful to new folks. What advice would you give to InfoSec newbies?

Don’t be afraid to ask questions. Most tenured security pros love nothing more than empowering and educating the next generation. There is a robust InfoSec community that includes Twitter, LinkedIn groups, Open Threat Exchange (OTX), various vendor forums and even Reddit as resources. There are also inexpensive regional conferences like BSides, as well as the bigger cons like RSA, DefCon and Black Hat. Get out there and engage with the community!
Question: Tell me a little about information sharing methods and strategies in InfoSec.

Historically in InfoSec, especially in the financial and defense industries, there’s been an extreme reluctance to share telemetry on attacks; some folks would even see this as an “admission of guilt”. However, we now feel that the pros outweigh the cons in sharing threat information, as the value of the shared information coupled with a unified front of defenders is a game-changer. In addition, open source offerings and technologies like TAXII, STIX and CybOX are opening the door for more effective threat information sharing by standardizing the data.

Question: What are the most significant problems you are seeing in the customers you work with on implementing and upgrading their security posture?

So many problems… First, there’s the proclivity to

Published 2017-07-06.

Identity Theft, the Not So Hidden Scourge

Per a recent study released by Javelin Strategy & Research, identity fraud hit a record high in 2016, targeting 15.4 million U.S. victims, with hackers and fraudsters netting around $16 billion. Those findings are not so shocking, as breaches of companies, government, and untold individual accounts are becoming an unfortunate norm. The reason for the increased rate of identity fraud is clear: the more connected we become, the more visible and vulnerable we are to those who want to hack our accounts and steal our identities. The threat surface has expanded exponentially with smartphones, wearables, and the Internet of Things. Moreover, those mobile devices, social media applications, laptops and notebooks are not easy to secure. With all the targets available, it is truly a hacker’s world.
A Clark School study at the University of Maryland quantified the near-constant rate of hacker attacks on computers with Internet access: every 39 seconds on average. This means that identities are perpetually at risk. The means available to hackers and fraudsters vary in sophistication depending on the actors. But identity theft does not have to be rocket science, particularly with all the low-hanging fruit available to criminals. Phishing is one preferred way of gaining access to personal data. It is usually done by employing a fake website designed to look almost like the actual website. The idea of this attack is to trick the user into entering their username and password into the fake login form, which serves the purpose of stealing the identity of the victim. Hackers can easily mimic known brand websites, banks, and even people you may know. The old days of foreign emails crammed with misspellings saying that you have inherited money are mostly by the wayside.

Another growing method of reaping financial gain has been ransomware, which hackers use to hold computers and even entire networks hostage for electronic cash payments. Ransomware has been around for more than a decade, but attacks have exploded in the past few years. Hospitals, businesses, and educational institutions have been seeing a rise in cyber-attacks with ransomware, botnets and malware because of their more distributed and less protected networks. Individuals are also easy targets. Microsoft estimates that by 2020 over 4 billion people will be online, many in remote work environments. That is a large array of targets, and digital currencies such as bitcoin make it easier for hackers to extort payments for the return of individuals’ and companies’ computer operations.

Another contributing factor in identity theft has been the growing use of social media. Our work histories, friends, locations, and interests are public.
It is an avenue to gather information for phishing or placing malware. Personally, I have had my Facebook, LinkedIn and Twitter accounts copied and used by others pretending to be me. Luckily, I caught the fraud early. The fact is that no one is invulnerable if they are on the internet. The Javelin Study found that “Social Networkers share their social life in digital platforms (like Facebook, Instagram, Snapchat and other netwo

2017-07-05T13:00:00+00:00 http://feeds.feedblitz.com/~/386886920/0/alienvault-blogs~Identity-Theft-the-Not-So-Hidden-Scourge www.secnews.physaphae.fr/article.php?IdArticle=381503 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Week in Review 30th June 2017

Our own AlienVault Labs team broke down what they saw
Microsoft has a nice technical post on how the attack works
Lesley Carhart has written a very accessible post explaining the attack and the surrounding issues.
Perhaps the biggest victim this time round was Cadbury’s, as it had to shut down its famous chocolate factory in Hobart.

How I obtained direct publish access to 13% of npm packages

This is a great post on how ChALkeR was able to obtain direct publish access to 13% of npm packages, with an estimated reach of up to 52% once you factor in dependency chains. It’s interesting because it was relatively straightforward, using three basic techniques: bruteforcing, reusing passwords from leaks, and npm credentials found on GitHub. The issue has been addressed in an npm blog post.
Just in case you need to check your credentials

You are not Google

Neither are you Amazon, or LinkedIn, or Facebook, or Netflix etc. A great post, especially for engineers. This line of thinking can be expanded into security too. Just because a large, well-funded, and highly targeted company is using the latest bleeding-edge, next-generation security products and tools, it doesn’t mean every company needs to adopt the same toolset.
Rather, it’s about looking at what matters most, and getting security controls that are appropriate. I really need to find better ways of explaining my thoughts; the paragraph I just wrote throws me back to my days of being a consultant.

Legal boundaries and privacy

The long-running case between the US Department of Justice and Microsoft has taken another turn, as the DoJ has petitioned the US Supreme Court to get involved in allowing the US government access to Microsoft emails stored at its Dublin data centre. As Microsoft president and chief counsel Brad Smith argued in a blog post, if the US government has the right to directly seize internationally held data, then other countries will of course expect the same right. This in effect would allow international digital raids for American or other nations’ data, in the US or around the worl

2017-06-30T13:00:00+00:00 http://feeds.feedblitz.com/~/381207770/0/alienvault-blogs~Week-in-Review-th-June www.secnews.physaphae.fr/article.php?IdArticle=380340 False Guideline NotPetya,Wannacry None

AlienVault Blog - AlienVault is a major defense player in IOCs
Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics

I started my career with only basic fundamental knowledge of information security. However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled in both online and in-person training. I took a UNIX and Linux class in person, and that itself has taken me far. I use Linux or a UNIX variant often in my current role and have used it in my past two roles as well. I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space).
I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'." As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground zero for technology. I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience. Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta.

Background: 2013 to Mid-2017

When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. It felt like a knowledge explosion to have a chance to learn so many new things. As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies, as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner. As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position.
There was no more opportunity for development or upward mobility, and things were beginning to feel toxic. I felt like I was losing my passion for InfoSec. Luckily, Sword & Shield came to my rescue. I began my

2017-06-29T13:00:00+00:00 http://feeds.feedblitz.com/~/379960878/0/alienvault-blogs~Data-Carving-in-Incident-Response-Steps-Toward-Learning-More-Advanced-DFIR-Topics www.secnews.physaphae.fr/article.php?IdArticle=379939 False None APT 32,Wannacry None

AlienVault Blog - AlienVault is a major defense player in IOCs
What’s New in AlienVault USM Appliance 5.4

release notes for more details, update your systems, and let us know what you think by posting your questions and comments on the product forums!

Streamlining your Threat Detection and Response

We’ve made a number of enhancements in USM Appliance 5.4 focused on giving you time back in your day. Let’s dig into these.

Moving Threat Intelligence Forward

Don’t worry about staying up to date with our frequent Threat Intelligence and Plugins feed updates anymore: schedule auto-updates! Once configured, USM Appliance will check to see if an update is available every day at a time of your choosing. After each update attempt, you’ll get a message in the Message Center confirming its success or failure. We’re hoping this eliminates one more thing from your “To Do” list and makes keeping your USM Appliance software up to date as simple as possible.

Optimized Network IDS (NIDS) rulesets

With the new optimized NIDS rulesets in the USM Appliance 5.4 update, USM Appliance users should experience better NIDS performance and better event matching. Ultimately, this means fewer false positives and more indicators identified for most environments.

Easy Open Threat Exchange (OTX) Lookups

Ever wondered if OTX has anything to say about that IP address associated with an event or an alarm in USM Appliance?
Now, you can right-click on any IP address in the Alarms or Events views to quickly search for additional details in OTX, or even to create your own pulse associated with that IP address.

Behavioral Monitoring in USM Appliance Just Got More Advanced

There are many anomalies that can be detected by monitoring NetFlow, such as an unusual amount of bandwidth used by a host or a large number of flows generated. These cases often reveal successful exfiltration attempts, given that the host is now behaving differently from normal on the network. With USM Appliance v5.4, you can now use USM Appliance to generate alarms and get alerted when your NetFlow goes above or below certain thresholds. And setting up alerts is super simple! Just set your thresholds, and if any asset in your network exceeds a threshold, USM Appliance will generate an alarm.

*NOTE: this feature is only available for "All in One" and “Standard” deployments.

The World of Plugins Just Got Bigger...

Plugin Builder (previously called Smart Event Collector or ASEC) is back. We now have an intuitive way for users to easily create their own custom plugins. After uploading a sample log file, USM Appliance will guide you through a set-up flow to add properties to the plugin and map parts of the log file to specific event types. With this tool at your disposal, monitoring logs from any non-commercial software that you have running in your environment within USM Appliance will be easier than ever. Give it a shot and let us know what you think! We do, of course, understand that you may not have the time to build a plugin yourself. No problem!
We still encourage you to

2017-06-28T13:00:00+00:00 http://feeds.feedblitz.com/~/378953078/0/alienvault-blogs~What%e2%80%99s-New-in-AlienVault-USM-Appliance.4 www.secnews.physaphae.fr/article.php?IdArticle=379401 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Automated Incident Response in Action: 7 Killer Use Cases

Picture this: It’s 2AM on Saturday and you’re startled awake by an alert on your phone. Indicators of a new variant of WannaCry ransomware have been detected in your network. But your home network provider is having an outage (again!) and you can’t remote in. You get dressed and race to the office, maybe breezing through a few stop lights on the way, all while new alerts arrive on your phone indicating more systems have been compromised. As you arrive and start investigating the alarms and logs, the attack continues to spread rapidly. Desperate to stop it, you run to the server room and rip all the cables out of the routers and servers. In the stillness of your dead network, you sigh. You head to the break room to brew a pot of coffee and settle in for a long weekend.

Now imagine how vastly different that experience would be with automated incident response capabilities. As soon as the ransomware is detected and an alarm is raised, your system automatically responds by isolating the infected machines, and you hit the snooze button. With the right automated incident response tools, IT security teams can stay in control of their incident response (IR) activities and respond to threats and intrusions swiftly and effectively, with less manual work—no wire-ripping required.

This is Part Two of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. The blog series covers the following topics:

Part 1: Incident Response Orchestration: What Is It and How Can It Help?
Part 2: Automated Incident Response in Action: 7 Killer Use Cases
Part 3: Incident Response Automation and Orchestration in USM Anywhere

In Part One, we looked at what incident response orchestration is and how the right automation tools can help security teams respond to intrusions more quickly. While automation can’t replace human security analysts, it can help analysts conserve time for higher priorities and make the incident response process run as swiftly as possible. In this installment, we’ll take a look at examples of incident response automation in action, comparing them to what it would take to handle them manually. As you read through these examples, consider what kinds of automated IR capabilities would have the greatest impact on your own organization’s incident response processes and timelines.

1. One of your users interacts with a malicious IP address. You need to update your firewall to block the IP.

Firewalls help protect you from bad actors by filtering network traffic. Still, they have limits. Most firewalls aren’t connected to your other security tools, and their rules are infrequently updated, meaning they may not be current enough to address the latest threats. Addressing this situation might entail detecting the problem using other security software, prioritizing the event, and manually updating a firewall with a new rule to block the malicious IP. At some organizations, you might even need to open a ticket to have another team or team member take action, further slowing down the response process.

With automated incident response, you can automatically update your firewall to block malicious IPs as they are detected. For example, USM Anywhere detects traffic to and from an external IP address that, through its integrated threat intelligence, it knows is malicious. USM Anywhere can instruct your Palo Alto Networks next-generation firewalls to block or isolate the IP address, using an automatic or manual incident response action.

2. One of your systems has been infected with malware. You need to limit the damage and find out how many systems are vulnerable before it spreads.

Relying on

2017-06-26T13:00:00+00:00 http://feeds.feedblitz.com/~/376390882/0/alienvault-blogs~Automated-Incident-Response-in-Action-Killer-Use-Cases www.secnews.physaphae.fr/article.php?IdArticle=378520 False None Wannacry None

AlienVault Blog - AlienVault is a major defense player in IOCs
Week in Review 23rd June 2017

Geolocating Miriam Steimer
Please stop posting your X-rays to social media

The role of automated data discovery in a GDPR programme

A great piece by Sarah Clarke on the automation of data discovery in GDPR. Data is not a religion. It is not a panacea. Data isn’t going to tell you what data you need to listen to. Humans are going to tell you what data you need to listen to.
Opinion: The role of automated data discovery in a GDPR programme

Open-sourcing abandoned code

There’s an argument that old, abandoned code should be made open source. Think of it like upcycling someone’s old, discarded sofa. The theory sounds good, but Rob Graham puts forward a strong argument as to why it’s a really bad idea.
Notes on open-sourcing abandoned code
A matchmaking site for abandoned open source projects

Free software is suffering because coders don’t know how to write documentation

Documentation, the bane of everyone’s existence. Ask pen testers the worst part of their job, or developers, or risk managers: nearly everyone despises documentation. But according to GitHub’s 2017 open source survey, 93% of people reported being frustrated with incomplete or confusing documentation. It’s a shame, because documentation shouldn’t be viewed as a chore. Documentation is the opportunity to tell a story, to get your message across. It’s where the developer is the marketer and can control the narrative. If they don’t take advantage of it, then someone else will… or won’t.
Free software is suffering because coders don’t know how to write documentation
Open source survey

Migrating to BeyondCorp: Maintaining productivity while improving security

The newest Google BeyondCorp paper is fascinating. Just try to count all the “Major projects” and stakeholders.
Migrating to BeyondCorp: Maintaining productivity while improving security

Microsoft faces antitrust suit

Earlier this month, Kaspersky Lab filed an antitrust complaint against Microsoft over allega

2017-06-23T13:00:00+00:00 http://feeds.feedblitz.com/~/372583328/0/alienvault-blogs~Week-in-Review-rd-June www.secnews.physaphae.fr/article.php?IdArticle=378288 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Amazon S3 Security and File Integrity Monitoring

Today, 76% of organizations have adopted or are planning to adopt cloud services, including cloud storage. Amazon Web Services (AWS) is the public cloud market leader with 40% cloud market share. Its Simple Storage Service (Amazon S3) is one of its most popular services, used by nearly 195,000 unique domains. Amazon S3 is probably one of the most popular services, especially among those companies that are already leveraging technologies from AWS.

By default, when you create an Amazon S3 bucket, the bucket is private and only accessible by users or credentials belonging to that user account. To control who has access to data stored within the S3 bucket, users can apply an Access Control List (ACL) to the entire bucket, or different ACLs to specific objects stored within the bucket or to the bucket itself. Every S3 bucket has a unique name, for example, “myinsecurebucket”. And buckets are always private by default.
Since the bucket is private, even if an attacker can guess the name of the bucket, they won’t be able to list or retrieve files from it:

    $ aws s3 ls s3://myinsecurebucket
    A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied

On the other hand, if the bucket is not properly configured, for example if it is mistakenly configured as a public bucket, an attacker will be able to list and access the files in the bucket:

    $ aws s3 ls s3://myinsecurebucket
    2017-06-20 10:27:11 910 myfile

How often does this happen? Unfortunately, this is a fairly common error that can expose sensitive information, as evidenced in the following two examples:

A few weeks ago, a security researcher found an S3 bucket exposing highly sensitive US military data because a US defense contractor had made it publicly accessible.

While I was working on this blog post, another data breach was discovered that exposed the personal information of about 198 million American voters stored in an unsecured S3 bucket.

We have also found many instances of this same issue when searching bug bounty reports and vulnerability disclosures. Here are some examples from HackerOne:

    Affected Company | Link
    Twitter          | https://hackerone.com/reports/129381
    Shopify          | https://hackerone.com/reports/57505
    Zomato           | https://hackerone.com/reports/229690
    Ruby             |

2017-06-22T13:00:00+00:00 http://feeds.feedblitz.com/~/371364106/0/alienvault-blogs~Amazon-S-Security-and-File-Integrity-Monitoring www.secnews.physaphae.fr/article.php?IdArticle=377744 False Guideline None None

AlienVault Blog - AlienVault is a major defense player in IOCs
A RAT that Tweets: New ROKRAT Malware Hides behind Twitter, Amazon, and Hulu Traffic

To carry out attacks, malware and botnets rely on communication with a Command & Control server (C&C or C2) to receive instructions. As a result, today’s security tools have become extremely adept at detecting traffic to and from malicious IP addresses.
When a system or device starts talking to a malicious IP or domain, alarms sound and IT security pros roll up their sleeves. In recent years, however, malicious actors have begun to launch attacks from the depths of Twitter, trying to evade detection and prevent their C2 infrastructure from being found and shut down. In 2016, Twitoor—a widespread Android botnet controlled via Twitter—affected millions of Android devices. And, earlier this year, researchers at University College London discovered a Twitter botnet of over 350K bots called the Star Wars Botnet because, oddly enough, the bots tweet partial Star Wars quotes. (Cue Admiral Ackbar.) Attackers are increasingly using legitimate websites and servers as infrastructure in their attacks, knowing that it can be more difficult to detect, especially to the untrained eye.

The RAT of Twitter: ROKRAT

In April, security researchers at Cisco Talos uncovered a new malware campaign that does just that. Dubbed ROKRAT, this new piece of malware uses multiple anti-detection techniques, including the use of legitimate websites like Twitter, Amazon, and Hulu to hide its malicious activities. Researchers found that ROKRAT uses the public APIs of Twitter along with two other legitimate cloud platforms—Mediafire and Yandex—to get commands and to exfiltrate data. According to the researchers, the malware can receive orders by checking the most recent message on the Twitter account’s timeline and can also post tweets. The malware uses the Yandex and Mediafire APIs to download and upload stolen data to the cloud.

Going further with its anti-detection tactics, researchers found that ROKRAT has a feature to detect whether the victim’s system is running any processes associated with malware detection, debugging tools, or sandbox environments. If detected, the malware will generate dummy HTTP traffic to legitimate websites, including Amazon and Hulu, to mask its malicious activities.
To the untrained eye, the victim appears to be watching anime at work.

ROKRAT is the latest example of how today’s sophisticated malware and ransomware campaigns layer on a wide breadth of tools, tactics, and procedures (TTPs) to evade detection. Here’s the full rundown of the TTPs discovered in the ROKRAT campaign, as described by the Cisco Talos researchers:

- A spear-phishing email campaign from a compromised university email account
- A social engineering tactic, using a conference on unity in Korea as its pretext
- A malicious Word file attachment (Hangul Word Processor, used mainly in Korea)
- An embedded EPS object to exploit a well-known vulnerability (CVE-2013-0808)
- A remote administration tool (RAT) payload disguised as a JPG image file
- The use of Twitter, Yandex, and Mediafire clouds for C2 communication
- A feature that executes an infinite loop of sleep if the OS detected is Windows XP or Windows Server 2003
- A feature that detects the use of debugging or sandbox tools like Wireshark or File Monitor and, if detected, generates “normal-looking” dummy HTTP traffic to legitimate Amazon or Hulu pages
- A keylogger that also captures the tit

2017-06-21T13:00:00+00:00 http://feeds.feedblitz.com/~/370115302/0/alienvault-blogs~A-RAT-that-Tweets-New-ROKRAT-Malware-Hides-behind-Twitter-Amazon-and-Hulu-Traffic www.secnews.physaphae.fr/article.php?IdArticle=377085 False None Wannacry None

AlienVault Blog - AlienVault is a major defense player in IOCs
How Hackers Manipulate Email to Defraud You and Your Customers

Internet fraud is one of the most common motivators of cybercrime. Millions of dollars are stolen every year from victims who are tricked into initiating wire transfer payments through social engineering tactics and computer breaches. This is typically accomplished using one of three methods: business email compromise (BEC), email account compromise (EAC), and spoofing.
All three of these methods can be attempted against any organization that relies on email for communication. Being a smaller company doesn’t protect you from attempts at fraud; malicious actors target organizations of all sizes. When proper procedures and tools are in place, it can be relatively easy and inexpensive to protect against them, but failing to take precautions and ignoring the risk can have a negative impact on both your financials and your brand reputation. For example, your customers will not be happy if your organization unintentionally loses their money by sending it to bank accounts that don’t belong to them. The good news is that each of these can be detected and prevented with proper tools and monitoring techniques. Brian Krebs has published a fantastic article on the value of a hacked email account, which I highly recommend reading, to get a better sense of why the data held by companies is a lucrative target and why email fraud is so common.

Business Email Compromise

Business email compromise is an attack that targets customers or employees that work with your external-facing business associates. Here’s an overview of how it might work:

- Customer A (we will call them Able for this scenario) falls for a phishing scam and their email credentials are compromised.
- The attackers snoop around Able’s email account and notice that they conduct business, including wire transfers and payments, with your company.
- The attackers use Able’s email account to send a request for a wire transfer or payment that doesn’t particularly stand out as unusual because it is similar to other requests you’ve received in the past. However, instead of using the bank account on file, they ask you to send the payment to a different bank account that’s not on file. The scammer may even proactively offer some kind of reason for this, such as “Our accounts are under audit right now, please send to the account below instead”.
Essentially, attackers in this scenario use a compromised email account to manipulate the trust between you and your customers. This can also happen in reverse: your employee could fall for a phishing scam, and then the attackers use his or her credentials to target your customers, hoping to initiate a fraudulent wire transfer in your company’s name. The FBI has reported that as of May 2016, over 15,000 organizations have become victims of business email compromise scams, losing a combined total of over $1 billion. These victims range from small businesses to large corporations in a wide array of business sectors.

Thankfully, this type of fraud can often be detected and stopped by having standard operating procedures (SOPs) and processes in place that require your employees to verify transfer requests before initiating payment. In addition, you should never change bank account or address information for your customers or vendors via email; such changes should always require a follow-up phone call at the very least for verification. Furthermore, enabling two-factor authentication for email where possible can mitigate the risk of unauthorized access to business email. As an added measure, it’s important to be aware of the information relating to your employees and your organization that is available on social media. Many attackers do their homework before attempting these types of scams; the more information that’s publicly av

2017-06-19T13:00:00+00:00 http://feeds.feedblitz.com/~/367719776/0/alienvault-blogs~How-Hackers-Manipulate-Email-to-Defraud-You-and-Your-Customers www.secnews.physaphae.fr/article.php?IdArticle=376240 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
The Problem with Vulnerability Management

Photo credit: wdstock

Does this scenario look familiar to you?

Monday – “Roll up your sleeves, people! We’re going to patch some security vulnerabilities this week!
I can FEEL it!”
Tuesday – “Reports are sent out and tickets have been created. They can’t ignore all those High and Critical CVEs THIS time!”
Wednesday – “I haven’t heard back from anyone yet. Maybe they’re so busy patching, they forgot to message me. I’ll email them a friendly reminder.”
Thursday – “No tickets have been closed? Wait, NO TICKETS HAVE BEEN ASSIGNED?!”
Friday – “Sigh. Backlogged again.”

After days, weeks, months, and years(!) of trying the same approach to solving the “vulnerability management problem”, in which your impassioned pleas for security fixes are largely ignored or de-prioritized, you start to realize something. Your approach to vulnerability management does not work. Creating vulnerability reports, attending vulnerability review meetings, opening tickets to patch vulnerabilities, validating fixes and patches, etc. takes too much time, energy, and head-banging to make a large-scale difference in our respective companies’ admittedly woeful vulnerability statistics. Because we all have something like 1,000 existing security vulnerabilities in our systems, right? Or is it closer to 10,000? 100,000? Does the number even matter?

Changing and improving the format and frequency of the reports, while seemingly beneficial, is a superficial band-aid over the underlying root cause of the vulnerability management problem: vulnerability reports, even good vulnerability reports, will be ignored. But WHY? WHY don’t years of vulnerability reports make a dent in the overall number of vulnerabilities? WHY do teams take a low-priority approach to fixing critical security vulnerabilities? WHY do InfoSec teams struggle to garner support and momentum for security activities?

The short answer is this: the vulnerability management problem, and by extension InfoSec policy, budgeting, and executive-support problems, are largely symptomatic of an ineffective, incomplete, and unsupported approach to Information Security Governance.
Effective Information Security Governance requires several interconnected partnerships within an organization, but the MOST important of these is support at the executive board level. In other words, every executive board should*:

- Treat information security as a critical business issue
- Appoint a board member (or equivalent) to take overall responsibility for the organization’s information security governance approach
- Define the overall objectives of the information security governance approach, including:
  - Aligning the organization’s information security strategy with the organization’s business strategy
  - Ensuring that the governance approach delivers value to stakeholders through reduced costs, enhanced reputation, and improved risk management
  - Providing assurance that information risks are being adequately addressed.

A solid information security governance framework should always include the following components:

- Information security strategy
- Stakeholder val

2017-06-14T13:00:00+00:00 http://feeds.feedblitz.com/~/361507010/0/alienvault-blogs~The-Problem-with-Vulnerability-Management www.secnews.physaphae.fr/article.php?IdArticle=374200 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Governments and Backdoors

But the experts weren’t so divided. In fact, every security expert we spoke to on camera agreed that backdoors were a bad idea.

A collaborative approach

A digital stalemate will remain as long as governments continue to beat the drum of wanting to weaken encryption or introduce backdoors. However, this could potentially be resolved by turning the conversation around. Rather than governments dictating methods that are either insecure or not feasible, they should list out their requirements to technology companies.
In return, the technology and security experts should work through the requirements and make practical and feasible suggestions as to how best to achieve the goals of maintaining privacy and security for customers while being able to conform to legal requests for information.

2017-06-13T13:00:00+00:00 http://feeds.feedblitz.com/~/360048294/0/alienvault-blogs~Governments-and-Backdoors www.secnews.physaphae.fr/article.php?IdArticle=373633 False None None None

AlienVault Blog - AlienVault is a major defense player in IOCs
Why Use a Managed Security Service?

Article originally appeared on MSPmentor

Since 2013, over nine billion data records have been lost or stolen. Previously obscure InfoSec conversations are now front-page news. Your CEO has been paying attention, and suddenly your IT department has a budget for security and compliance for 2017. You remember taking a course on cybersecurity in 2003, but other than that, you’re not sure you have the chops to take on a full security management program. You remember a friend at another company mentioned that they use a Managed Security Service Provider (MSSP) for their compliance initiatives. MSSPs provide security management services to customers of all sizes (like your MSP). But before you run off and find a new service provider, ask yourself the following questions:

What is Your Driver for Considering an MSSP?

When you start looking for an MSSP, you need to be clear about what you want from the engagement. Are you looking to achieve PCI compliance? Or do you just want to make sure that your network/environment is protected? Different MSSPs provide different services. If it’s compliance you’re after, you’ll want to look for MSSPs with a Qualified Security Assessor (QSA) on staff. If it’s threat detection and security management, it’s important to understand the abilities and limitations of the MSSP’s security analysts.

Do You Already Have Some Security Tools in Place?
Hopefully you’re already covering the basics and have a firewall and antivirus in place (if not, stop what you’re doing and go buy those now!). But beyond those tools, what else are you doing in terms of security? Do you have a vulnerability scanner? Are you monitoring for network intrusions? If you already have those in place, who is managing those tools? Do you need an MSSP to take that over, or are you looking to do something beyond what you currently have in place? Each MSSP has its specialty, but many of them are willing to work with you to define a package that will work best for your business.

How Much Budget Do You Have?

Every MSSP has a plethora of services that they provide with different levels of engagement. Understand what budget you have available for the year and what types of offerings the MSSP provides. In many cases, a basic package would consist of security monitoring, managed firewall, etc., but if you also need someone to investigate and respond to an incident, that will typically cost extra. Lastly, if budget is an issue, do you have someone internal who has the skills needed to make up the gaps in your MSSP service?

What Areas of Security Are You Comfortable with Managing and Where Do You Need Help?

Similar to the question about budget, you need to evaluate what skills you have on your own team and how much time those employees have to dedicate to your security goals. If your IT team has someone with experience in security who has the time to monitor the security tools you have in place, then you may only need an MSSP to fill the gap of responding to an alert.

What Does Your Network Architecture Look Like? What Type of Environment Do You Need Help Monitoring?

Is most of your environment in the cloud? Is it on-prem or in a data center? Depending on what you want to monitor (maybe you only care about your HQ in Dallas or your PCI environment), you’ll need to look for MSSPs who can provide those services.
If you’re already using an MSP service to host some of your critical servers, you may be able to ask them if they provide additional security services. At the end of the day, the pros and cons of hiring an MSSP are completely dependent on the needs of your business and the res

(Published 2017-06-12 | http://feeds.feedblitz.com/~/358725312/0/alienvault-blogs~Why-Use-a-Managed-Security-Service | www.secnews.physaphae.fr/article.php?IdArticle=373214)

Capture The Flag (CTF): What Is It for a Newbie?

Please note the sentence that I’ve marked with a red box. As you will quickly see, CTF tasks are often based on real-world incidents/vulnerabilities that give you a chance to experience how it’s actually done and better prepare you to defend your own systems from these types of attacks. So not only are CTF events fun, they can also be educational and professionally rewarding.

CTF Preparedness

If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own (see this post further down on how to practice), and maybe next time you’ll score first place! One thing you can try to do during your first CTF event, if possible, is find an experienced team that’s willing to let you join them. Make sure you’re clear that this is your first CTF event and you’d really love for them to show you the ropes. In my experience, members of the InfoSec community are usually very willing to share their knowledge with anyone interested in trying to learn and grow in this field. At the same time, however, one common theme you also often hear in the community is that there is a shortage of talent.
At times this can be a very real struggle, and many professionals who have worked their way up in the field have spent considerable time to do so, sacrificing much to learn, practice and hone their craft. For this reason, before reaching out for help with basic questions, you should first research the topic and make an effort to figure things out on your own. Within the InfoSec community, trust isn’t something you can place a value on. If your job is to hack into a client’s network, the last thing anyone wants is for that sensitive information to be shared with anyone outside of the team. Trust is a critical component of this relationship, and I cannot express enough how important it is to remain ethical during competitions as well. Finally, last but certainly not least: when you go to a CTF event, don’t forget to bring a laptop or another computer that has an operating system with various tools already installed (more on this below), as without that you’re going to be off to a rough start. In summary, CTFs are a great opportunity to learn, so if you’ve never experienced a CTF event or even a BSides event, I strongly encourage you to jump in and join one as soon as you can!

Types of Events

There are usually two different types of CTF events. The two most common types are:

Red Team/Blue Team

In this style of event the red team atte

(Published 2017-06-09 | http://feeds.feedblitz.com/~/354735076/0/alienvault-blogs~Capture-The-Flag-CTF-What-Is-It-for-a-Newbie | www.secnews.physaphae.fr/article.php?IdArticle=372941)

Configuring Kali Linux on Amazon AWS Cloud for FREE

Amazon AWS account. So, create an Amazon AWS account, or if you already have one, log in to your account. After successful login, provide your payment details (note, you will not be billed until you exceed the free tier limitation).
After providing your payment details, let Amazon confirm your identity using the call verification process. Once verified, select the basic plan and move on to the next step.

In the next step, you’ll need an SSH key pair to access Kali Linux from your host computer. So, to generate an SSH key pair, go to your Amazon AWS console, click on Key Pairs (under the Network & Security navigation), select the Create Key Pair option and give your key pair a name. The private key will be automatically downloaded to your device; keep it secure, because you will not be able to download it again.

Now, from the Amazon AWS Marketplace, locate the Kali Linux instance. Before proceeding with the instance, make sure that the suitable region is selected. You can confirm the region from your AWS console account as shown in the figure below:

Click on the “Launch with 1-click” button to launch the recently configured instance. You can also view the status of your machine from the Amazon AWS console. The process of configuring Kali Linux in the cloud is now complete; let’s discuss the steps to access it from your Windows OS. You need the following tools:

- PuTTY
- PuTTYgen

Download and install the tools from the official website, then open PuTTYgen and load the previously downloaded private key file. The purpose is to convert it into the PuTTY-supported format:

Save the private key and close the PuTTYgen program.
Open the PuTTY program to connect to your Kali Linux instance and load the private key in the Auth tab under the SSH navigation:

NOTE: in the session, use the username (ec2-user) and the public DNS detail of the Kali Linux mach

(Published 2017-06-07 | http://feeds.feedblitz.com/~/352019164/0/alienvault-blogs~Configuring-Kali-Linux-on-Amazon-AWS-Cloud-for-FREE | www.secnews.physaphae.fr/article.php?IdArticle=372102)

Incident Response with USM Anywhere AlienApps for Palo Alto Networks, Carbon Black & ServiceNow

2016 SANS Incident Response Survey. That survey also found that the median time to response (TTR) for detected incidents hovers between 2 and 7 days. These results, while dismal, may come as little surprise to most IT security professionals, who contend daily with an ever-changing threat landscape. As new threats emerge, IT security teams are tasked with detecting and responding to evidence of those threats in their environments. This typically requires an arsenal of security products (firewalls, endpoint security, intrusion detection systems, and more) that are not typically designed to seamlessly integrate or work together. Further compounding the complexity of threat detection and incident response, organizations continue to add new products to their IT environment. As new products and IT infrastructure are introduced, IT security teams must ensure that their existing security products continue to give them the security coverage and visibility they need. In short, it’s a lot to manage, so it’s easy to understand why IT security professionals report a less-than-stellar outlook on the speed and sophistication of their incident response processes.
Introducing AlienVault® AlienApps

With this in mind, AlienVault launched the AlienApps ecosystem, extending the threat detection and incident response capabilities of USM Anywhere to essential third-party IT security and IT operations products. With AlienApps, IT security teams can centralize their security monitoring and threat detection activities in a single pane of glass and can orchestrate and automate their incident response activities across their IT security environment. In doing so, organizations can drastically reduce their time to threat detection (TTD) and time to response (TTR), while saving time, money, and resources.

Each AlienApp in USM Anywhere is a purpose-built modular extension to USM Anywhere that readily connects to an external product, allowing USM Anywhere to detect threats and to trigger response actions automatically based on the threats detected. AlienApps are delivered out of the box to USM Anywhere, and AlienVault is continuously developing and releasing new AlienApps for USM Anywhere.

At AlienVault, we’ve made it our mission to make security easier, more affordable, and overall better for IT security teams of all shapes and sizes. We pioneered the unified approach to security management by bringing together multiple essential security technologies (asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, SIEM, and log management) onto a single, easy-to-manage platform. The development of AlienApps is the next phase in our mission. In addition to unifying core security technologies, USM Anywhere now brings together third-party security tools from leading vendors like Cisco, Palo Alto Networks, and Carbon Black, all while avoiding the traditional costs and complexity associated with integrating and automating incident response activities across multiple products. With AlienApps, IT security professionals can orchestrate a larger portion of their security management activities within a single pane of glass.
Discover the Latest AlienApps in USM Anywhere

In previous blog articles, we featured our new AlienApps for Microsoft Office 365,

(Published 2017-06-06 | http://feeds.feedblitz.com/~/350643644/0/alienvault-blogs~Incident-Response-with-USM-Anywhere-AlienApps-for-Palo-Alto-Networks-Carbon-Black-amp-ServiceNow | www.secnews.physaphae.fr/article.php?IdArticle=371723)

Rock Out with the AlienVault Team at Infosec 2017!

Tomorrow, we'll be announcing some big news about our USM Anywhere AlienApp ecosystem! Stay tuned for our announcement, and be sure to ask us about the cool new capabilities we've added to USM Anywhere, our all-in-one solution for monitoring cloud and on-premises environments. Stop by the booth to see for yourself how USM Anywhere works! At the booth, you can learn more about security and the threat landscape in general and find out how AlienVault's all-in-one security solutions can help. Each day, we'll have some great theater presentations by Garrett Gross, Director of Field Enablement, Chris Doman, Threat Engineer, and Sacha Dawes, Principal Product Marketing Manager. You'll have the chance to learn about the following topics (rotating every 30 minutes):

- Threat intelligence
- USM Anywhere
- USM Appliance

Stay for the Rock Star Bar!

We'll be serving out-of-this-world coffee every day and will have beer during the reception on Tuesday and Wednesday. We'll also be giving away AlienVault koozies to keep your beer cold, so don't miss the chance to get one of your own! The reception won't be the only time to enjoy a beverage with us. We're hosting a Happy Hour for our Partners & Customers on Tuesday, June 6th. To learn more about the event and RSVP, please speak with one of the staff at our booth.
Social Media Contest

We will also be giving away our little mascot, baby Avy, to select guests who attend a presentation, ask questions, or engage with the team, so stop by the booth and ask us for one to take home. We are encouraging folks to take photos with Avy at the show, as they travel around London, return home and beyond. Share your pics of Avy's adventures on Facebook and Twitter, and be sure to tag AlienVault. One lucky winner will receive a $100 gift card after the show!

Finally, you can score a pair of our famous flashing sunglasses by filling out our short survey about GDPR & the cloud.

The countdown is on. Hope to see you all at Infosecurity 2017!

(Published 2017-06-05 | http://feeds.feedblitz.com/~/348486804/0/alienvault-blogs~Rock-Out-with-the-AlienVault-Team-at-Infosec | www.secnews.physaphae.fr/article.php?IdArticle=371338)

Week in Review 2nd June 2017

Wake-up calls

WannaCry hit around 150 countries, unleashing ransomware indiscriminately against hospitals, telecoms providers, and an assortment of companies across all verticals and of all sizes. So, it’s not wrong to suggest, as Microsoft President Brad Smith did, that the governments of the world should treat this attack as a wake-up call. However, there’s one snag. As Alina Selyukh states in this article, there have been decades of cyber ‘wake-up calls’ with little evidence that anyone has woken up. The question for the security industry is whether yelling from the bottom of the stairs, like a parent trying to wake up a teenager, is the solution, or whether more drastic measures are needed.

What is consent?

Consent is one of those topics that gets a lot of air time for the wrong reasons, not least of all when it comes to making someone a cup of tea, as in this great video.
But in the realm of security, and more specifically the General Data Protection Regulation (GDPR), the issue of consent is getting a lot of air time. Many are interpreting the regulation to mean that under GDPR consent is a mandatory requirement for all processing of personal data. This well-written article articulates what GDPR does and doesn’t say about consent, and why it’s not always mandatory.

Free course by Troy Hunt: The GDPR Attack Plan

Biker gang hacks Jeeps

A biker gang allegedly stole and smuggled to Mexico over 150 Jeep Wranglers. They did this by matching VINs with credentials stolen from a Jeep dealer that contained the information needed to cut and program duplicate keys. This serves as another reminder of how connected functionality can be taken advantage of by miscreants. So one has to wonder how much liability should rest with Jeep for pairing sensitive data with a publicly visible VIN.

The rise of ‘stalkerware’

While everyone is looking at the theatrics on display (the NSA or other government agencies with a vast array of surveillance tools), it can be easy to overlook the dangerous, and potentially life-threatening, rise of stalkerware, which enables domestic violence.

- Online harassment and cyberstalking
- This software company may be helping people illegally spy on their spouses
- Abusers using spyware apps to monitor partners reaches ‘epidemic proportions’

Economic analysis of ransomware

(Published 2017-06-02 | http://feeds.feedblitz.com/~/343771496/0/alienvault-blogs~Week-in-Review-nd-June | www.secnews.physaphae.fr/article.php?IdArticle=370991)

The Cybersecurity of Persona 5

What's black and red and picaresque all over? Persona 5, of course. I only write professionally about cybersecurity; I'm not a video game reviewer or critic.
I've previously played the PSP version of the first Persona game, the PSP version of Persona 2: Innocent Sin, the PSOne version of Persona 2: Eternal Punishment, Persona 3 Portable, and Persona 4 Golden. I've been eagerly anticipating Persona 5 since it was first announced by Atlus in 2013. This March, I preordered the PS3 version with my own funds, and it arrived at my home via mail in mid-April. As of this writing, I've played about 65 hours of what I expect to be an over 100 hour first playthrough. Persona 5 is an excellent game, and I'm thoroughly enjoying every minute of it even though on occasion I stress out about time management.

I bought the game because I'm a fan. Before I got it, I was aware that one of the characters, Futaba Sakura, is a computer hacker. But I had no idea how significantly cybersecurity themes would be woven into the plot of the game. Nor did I expect my gaming hobby to give me an idea that I can use in my information security writing. But it turns out that many details of the game's plot rely on cybersecurity concepts. If you don't want Persona 5 spoilers, I recommend that you stop reading this.

In the cybersecurity world, women are a minority. I'm a woman, and I've made a point of highlighting other women in my field in a series of interviews for Tripwire's State of Security blog. I've read all of the novels in Stieg Larsson and David Lagercrantz's The Girl with The Dragon Tattoo (Millennium) series. Admittedly, what first compelled me to read those books was the Lisbeth Salander character, a female hacker. I enjoyed reading those novels and watching the Swedish movies, which are based on the Larsson-written trilogy. But I knew that the nature of some of Salander's “hacking” would be unrealistic in real life. (She couldn't have taken money from Hans-Erik Wennerström's bank account in the way it was described in the first novel, for example.) Even with those technical inaccuracies, those books were a lot of fun to read.
I don't expect cybersecurity themes in fiction to always be portrayed realistically. I would describe the setting of the Persona games, Persona 5 included, as contemporary fantasy. It's kind of like Buffy The Vampire Slayer in the sense that the characters live in the modern world with modern technology, but there are also magical or fantasy elements, like vampires in Buffy, or “Persona” spiritual entities with magical attacks in the Persona series. I really enjoy that sort of setting. I enjoy it more than high fantasy, quite frankly. (Come at me, nerds!)

In Persona 5, you play a male Japanese high school student, whom you get to name yourself. I named mine Kimiko Kururai, inspired by my real English name. (The closest phonetic approximation to “Crawley” in Japanese is “Kururai.”) Yes, the “ko” suffix makes his name feminine, but “Morgana” is a feminine name for a male non-cat, eh?

While in his hometown, your protagonist catches a shady politician while he tries to rape a young woman. The protagonist intervenes, and the politician, with the cooperation

(Published 2017-06-01 | http://feeds.feedblitz.com/~/342262402/0/alienvault-blogs~The-Cybersecurity-of-Persona | www.secnews.physaphae.fr/article.php?IdArticle=370561)

File Integrity Monitoring Solutions – What Are They and Why You Need One, Part 3

With the recent WannaCry ransomware attack still top of mind for many IT professionals worldwide, it’s an important reminder that you should monitor not just your networks and security devices, but also the data on your servers and desktops. In the case of WannaCry, having File Integrity Monitoring (FIM) in place can enable you to detect changes to key data files that WannaCry tries to encrypt and inform you of the threat before the affected asset and its data become unusable and possibly irretrievable.
With emerging variants of WannaCry and the continuous onslaught of attacks against your infrastructure, whether you’re looking to protect a key asset like Active Directory or perform change audit on any of your critical servers, a File Integrity Monitoring solution should be a part of your security defense. With that in mind, it’s important to reiterate that FIM is not the ‘silver bullet’ of security solutions, but it is definitely a powerful and effective defense that you should have in your IT security arsenal.

In my previous blogs on FIM, I introduced (part 1) the ‘what’ and the ‘why’ behind FIM as one invaluable approach to monitoring for malicious changes to files. I then introduced (part 2) some best practices for FIM, including what files to monitor and how to get the best value from your FIM deployment. This week I’m going to discuss what to look for when selecting a FIM solution, caveats to be aware of, and how our AlienVault Unified Security Management (USM) products – AlienVault USM Anywhere and AlienVault USM Appliance – can help you implement a multi-faceted security program with their several essential security capabilities, including FIM.

Selecting a File Integrity Monitoring Solution

It can be difficult to find the right solution for your unique environment. Just a quick search on ‘File Integrity Monitoring’ brings up an overwhelming number of search results. But which should you look at, and what are the differences among the various solutions? Well, let’s start with the following list, which will give you the key things to look for in your final solution:

Agent vs. agentless. Agent-based FIM solutions leverage software agents installed on target systems. They typically yield the most powerful analyses and can deliver change monitoring at or near real time. In contrast, agentless FIM tools get up and running very quickly because no agent is required.
However, the feature set and depth of functions of agentless FIM tools are generally reduced, and the analysis isn’t real time. This leaves a potential risk of not being able to monitor change when you need it most. If you require the depth and feature richness of an agent-based system, consider a unified approach that integrates multiple security functions into a single agent for a smaller footprint and less management effort.

Standalone vs. HIDS. Some FIM solutions integrate with, or are a part of, a host-based intrusion detection system (HIDS). HIDS capabilities are a superset of FIM capabilities and can detect threats in areas other than files, such as system memory (RAM) or I/O. Standalone FIM tools generally provide file analysis only.

Performance. The more people in the organization you tal

(Published 2017-05-31 | http://feeds.feedblitz.com/~/340804828/0/alienvault-blogs~File-Integrity-Monitoring-Solutions-%e2%80%93-What-Are-They-and-Why-You-Need-One-Part | www.secnews.physaphae.fr/article.php?IdArticle=370151)

Incident Response Orchestration: What Is It and How Can It Help?

The other day, I invited about twelve friends to my apartment for dinner, on a weeknight. “Don’t worry about bringing anything,” I assured everyone. “I can handle it myself.” As it turns out, I couldn’t. While I had plenty of food on hand, I’d never cooked such a large meal by myself before. I had no idea how long it would take to prepare the ingredients, let alone how to time it right so that everything would be ready at the same time. My very patient friends waited well over an hour for dinner, which was cold when I finally served it to them. (I did give them snacks while they waited. I’m not a monster.) In spite of the food, everyone had a great time. More importantly, I learned a lesson about the value of orchestration.
Essentially, I didn’t need more cooks in the kitchen, just a few simple shortcuts to make the whole process more efficient and allow me to focus on the entire meal, rather than tediously peeling carrots and chopping garlic. I was struck by the idea that successful security teams could use some incident response shortcuts to make their work more efficient. That’s what security orchestration is all about.

By using automated incident response to reduce simple and repetitive tasks, compared to having to use multiple tools and involve numerous individuals to do that same task, security teams can save time and focus on security, not process. For example, opening a ticket to have another team update a firewall with a new rule to block a malicious IP can take time that may be exacerbated by the other team’s priorities or miscommunications. An orchestrated, automated incident response can remove much of the friction and improve efficiencies when it comes to incident detection, response, and remediation. Security teams of every size should consider how the right orchestration solutions can help their IR processes run as efficiently as a well-planned dinner party.

Understanding Orchestration: Automation vs Incident Response Orchestration

Automation refers to replacing one or more manual tasks, which typically slow down incident response, with immediate reactions to security events identified across your environments. Automating certain repetitive tasks can ease the security operations burden and help you respond to threats more quickly, and more effectively. However, let’s be clear: just as you wouldn’t want a machine to take over your favorite restaurant, the human element of incident response isn’t going away any time soon. There are certain pieces that require human judgment, which means complete automation may not be preferred for some scenarios.
Instead, security teams should focus on orchestrating the incident response processes that help human security analysts respond to threats as quickly and efficiently as possible. Elements of incident response orchestration get left out of discussions that focus explicitly on automating individual tasks. For example, switching between an intrusion detection solution and an application where you need to take an action in the event of a breach can slow down the entire incident response process. To take full advantage of incident response orchestration and improve processes across multiple steps and toolsets, look for solutions that help you unify your IR activities within a single solution, like USM Anywhere.

What Incident Response Orchestration Can Do for You

Incident response orchestration will look slightly different at every organization; that’s where the human element I mentioned earlier comes into play. As you consider your organization’s incident response plans and compare different solutions

(Published 2017-05-30 | http://feeds.feedblitz.com/~/339413532/0/alienvault-blogs~Incident-Response-Orchestration-What-Is-It-and-How-Can-It-Help | www.secnews.physaphae.fr/article.php?IdArticle=369718)

Alien Eye in the Sky 26th May, 2017

Travel Mode, which effectively removes passwords, except those marked safe for travel, from the device. These can then be re-added once you have successfully crossed the border. It’s not a perfect solution, but it will be interesting to see how other vendors cater to this growing need.

Target to pay $18.5m in Settlement

Remember back in 2013 when Target suffered a huge security breach whereby millions of customer card details were compromised? Well, after much legal wrangling that apparently cost Target $202m in legal fees and other costs since the breach, according to the company’s annual statement, it has settled to pay $18.5m to 47 states.
While the fine may be one of the largest for a data breach, one has to consider that the company made $69.5 billion in revenue. To put it in a different context, £18.5m (pounds sterling) was the price tag of a 23-year-old footballer (soccer) in 2015, which coincidentally was the same year football star Cristiano Ronaldo purchased an $18.5m loft in NYC.

- Target reaches breach settlement: $18.5 million fine, security controls
- Target will pay $18.5M to 47 states to close investigations into 2013 data breach

Twitter flaw allowed you to tweet from any account

Perhaps the closest thing to a dormant cyber pathogen we will see: a Twitter flaw went undetected for years that allowed attackers to post messages masquerading as any user they chose. Fortunately, the researcher who discovered the flaw disclosed it privately to Twitter to allow the company to fix the issue before announcing it. Twitter rewarded the researcher with $7,560 for his efforts. Is it just me or does $7,560 seem like a completely random number? Couldn’t they have rounded it up or something?

- Twitter flaw allowed you to tweet from any account
- Critical flaw in Twitter's code could let hackers take over your account

(Published 2017-05-26 | http://feeds.feedblitz.com/~/334789696/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-May | www.secnews.physaphae.fr/article.php?IdArticle=368901)

Lucky Security

Many years ago, I was working at a financial institute that processed several millions in transactions every night. Like many institutes, it relied on a (t)rusty mainframe to crunch through the numbers overnight. These were the days when business continuity was a relatively simple process. You simply had two of everything. So there were two overnight batch processes to process payments: the primary and a backup. The backup was only used in emergencies, and there was a process to swap systems to use the backup if need be.
It so happened that there was a developer who had grown tired of working and decided it would be a good idea to plot a heist and retire. The plan was relatively simple: to introduce an extra payment instruction of several million to be transferred to an offshore personal account. All that was needed was a few lines of code inserted into the overnight batch process to make it all happen.

However, the slight snag was that it wasn't very easy to make any changes to the production system. It was closely monitored, and all changes were subject to strict scrutiny and several layers of approval. Any changes would have raised many questions, ones for which there were no good answers. But the devilishly minded developer had other plans. The backup batch job wasn't subject to the same rigour. So, the developer figured that if they inserted the code into the backup system it could go undetected. As the developer anticipated, the commands were successfully inserted into the backup process without raising any alarm bells. Now, all the developer needed to do was to wait for the production system to hit an issue and for processing to take place through the backup system.

This presented a problem though. Once the payment instruction had been executed, sending millions into their offshore account, the developer would need to get out of the country quickly before the payment discrepancy was discovered. The plan was relatively simple: take a flight to a country that had a non-extradition treaty. Second was to extract all of the money and place it into several other accounts to limit any chances of the payment being reversed and to make tracking difficult. Everything was set and ready to go. The developer just had no way of predicting when the overnight process would switch from production to the backup system. So the developer took a chance and booked the first flight out of the country for the next morning.
Then, before leaving work that night, the developer manually forced the system to process from the backup overnight. It was the almost perfect heist. Almost. Police arrested the developer at the airport just before boarding the plane.

Our manager was a nice guy. One of those people who cared about his team, but was perceived as being too soft to hang with the senior managers of the company. Several weeks after the incident he presented the timeline of events and findings on the attempted heist to his senior management. Everyone was rather pleased at the outcome and one executive piped up about how "we were lucky to catch the developer." It was at that moment that our manager displayed an assertive trait that no one in the team thought he possessed. Luck? Do you mean that we were lucky to have extensive monitoring controls on the production system? Or that we were lucky to automatically raise an incident whenever an overnight job switched to the backup system? Perhaps it was luck that we captured all administrator-level access to highlight any unauthorised changes. Or that it was by pure luck that we had existing relationships with law enforcement who could arrest our suspect within a few hours. If that's what you mean by luck, then yes, absolutely, we were very lucky. Good securit

Published 2017-05-25T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/333445012/0/alienvault-blogs~Lucky-Security ; www.secnews.physaphae.fr/article.php?IdArticle=368659

AlienVault Blog: Are We Learning the Right Lessons from WannaCry?

Encouraging organizations to follow the usual security best practices didn't prevent the spread of WannaCry. Let's acknowledge that and focus on new ideas that will.

In the aftermath of the WannaCry ransomware outbreak, a familiar pattern is beginning to play itself out.
Now that we all know the general details behind how WannaCry infections were initiated and spread (by exploiting a known vulnerability that Microsoft patched back in March), initial alarm and concern are gradually giving way to an expected reaction from the security community. "How could they not have patched yet?" "Why are they still running Windows XP?" "Who leaves port 445 open to the Internet?"

Before we go blaming the estimated 300,000 victims for bringing this attack on themselves, and before we pigeonhole the cause of the attack as simple negligence, we should consider that overly simplistic assessments may be part of the reason these attacks appear to be so frustratingly "inevitable". The real revelation of the WannaCry outbreak isn't that there are a staggering number of outdated and unsecured systems out there; it's that anyone believes that making the same old pleas and showering victims with blame will change anything.

If you read most recommendations from security vendors and experts in response to this attack out loud, you'll sound like a broken record: Patch regularly. Don't use outdated systems. Update your antivirus. Tell users not to click on things. Run backups. These are all good pieces of advice. So are "Get more exercise," "Avoid sweets," and "Obey the speed limit." But when the rubber meets the road, as it has in the WannaCry outbreak, they sound like security industry platitudes, not solutions. At best, they've proved difficult to follow in the face of competing business pressures. At worst, they fail to address the real issues that leave companies vulnerable as we watch for the repeat and copycat attacks undoubtedly coming down the pike.

So, rather than repeat these same old recommendations and throw up our hands when no one seems to listen, let's break them down, describe where they fall short, and suggest alternatives that will help companies take more productive steps toward protecting themselves.
Updating the 5 Most Common Recommendations for Protecting Your Company from the Next WannaCry

1) Patching

Current advice: "Keep all systems up to date with all patches."
Better advice: "Treat security patches seriously."

WannaCry was able to spread far and wide by utilizing an exploit called ETERNALBLUE, one of the NSA hacking tools leaked by a group called the Shadow Brokers in April. Microsoft released a patch addressing the vulnerability that ETERNALBLUE targets in March (MS17-010). Following the WannaCry outbreak, it also took the unusual step of rolling out additional patches for older versions of Windows. With

Published 2017-05-23T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/330924546/0/alienvault-blogs~Are-We-Learning-the-Right-Lessons-from-WannaCry ; www.secnews.physaphae.fr/article.php?IdArticle=367850

AlienVault Blog: Alien Eye in the Sky 18th May, 2017

WannaCry

We should start by addressing the elephant in the room. In the past week WannaCry has dominated the news and still looks to be the topic on the tip of everyone's tongue. There's probably not much to add without repeating much of what has already been said.

A Twitter moment capturing much of the early and subsequent commentary on WannaCry
Making sense of WannaCry
Ongoing WannaCry vulnerability spreading through SMB vulnerability
Microsoft: TechNet's Coverage?

SOCs are maturing, but need more automation

According to a new SANS survey, it appears as if security operation centres (SOCs) are getting better. The survey indicates that SOCs need more automation, particularly for prevention and detection. There are two sides to automation. One part is to understand the workflows that are needed, in other words what playbook to follow once certain events occur. The second part is around having technology that is tightly integrated so that the automation can occur across the IT stack.
Neglecting one at the cost of the other can greatly reduce effectiveness.

Building a SOC on a budget
Practitioner's guide to a SOC

Data keeps getting stolen

Getting media attention when there's a data breach is a great thing. However, some days it feels as if fatigue has set in: breaches are reported and shoulders are shrugged as if it were as normal an occurrence as the bus being late. Despite growing regulation and better technologies, companies seem to repeat the same errors, resulting in huge data losses. Take the case of a hacker who stole millions of user accounts from education platform Edmodo, including usernames, email addresses, and password hashes. But even that pales in comparison to breaches that can affect entire countries, with reports of Indian biometric system data being leaked that could impact over 130m people.

GDPR

Before WannaCry hijacked all security conversations this past week, GDPR had remained a popular topic. While it is good to see awareness of the upcoming regulation, it also invites a lot of uninformed commentary. Many claims are made about the implications, frankly hijacking the conversation to suit an InfoSec and technology narrative.

GDPR rubbish

Artificial Intelligence

AI continues to be touted and discussed far and wide, with many potentially interesting security applications. Apple acquired a data mining and machine learning company called Lattice.io at an estimated c

Published 2017-05-19T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/326235370/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-May ; www.secnews.physaphae.fr/article.php?IdArticle=367090

AlienVault Blog: G Suite Security Monitoring with USM Anywhere

AlienApp for G Suite, which enables G Suite threat detection and incident investigation directly from USM Anywhere.
It allows you to monitor and analyze user and admin activities in G Suite cloud applications, including Gmail, Google Calendar, and Google Drive (Docs, Sheets, Slides, and Forms). With the AlienApp for G Suite, USM Anywhere users can track user activities, monitor changes to files and policies, and be alerted to suspicious or anomalous activities within G Suite. The app further extends the security orchestration capabilities of USM Anywhere, helping small to mid-sized security teams to monitor their G Suite environments alongside the rest of their critical infrastructure: physical or virtual on-premises, AWS or Azure clouds, or any hybrid of these.

Let's take a closer look at some key features of the AlienApp for G Suite.

Anomaly Detection with G Suite Dashboards

With USM Anywhere, you have at-a-glance summaries of user activity with pre-built dashboards that show trends and summaries of G Suite activities. For example, the G Suite Audit dashboard summarizes login attempts and failures based on user, country, and source IP address. You can drill down on any data point to investigate further, faster.

Alarms & Pre-Built Correlation Rules for G Suite

With out-of-the-box correlation rules written specifically for G Suite, USM Anywhere generates alarms by keying off the events collected by the AlienApp for G Suite.
Alarms notify you of suspicious activity, such as when a user:

- Enables data sharing with malicious entities outside of the organization, possibly resulting in a breach of confidential data
- Restores files in Google Drive, indicating a possible attempt to retrieve historical data
- Disables two-factor authentication, making a user's account more susceptible to exploit
- Fails at multiple login attempts, indicating a potential brute force attack

These are just a few examples of the out-of-the-box correlation rules we include with the AlienApp for G Suite, not to mention the ability to create custom orchestration rules and alerts based on your unique environment and security monitoring needs.

Advanced Search & Analytics Capabilities that Accelerate Threat Investigation

The AlienApp for G Suite shows you a wealth of events from your G Suite environment, and uses Elasticsearch capabilities to make searching, filtering, and analysis fast and efficient. As you explore the Activity Events page or drill down from a dashboard or an alarm, you'll notice that you can quickly filter and identify activities related to specific users, helping you to detect insider threats sooner. Events related to Google Drive include file access, file changes, uploads, and downloads. Google Audit events provide visibility into user login activity, as well as admin user creation, user deletion and password changes.
Summary

USM Anywhere's AlienApp for G Suite provides you with several key benefits, including:

- Deepens security visibility of G Suite
- Enables fas

Published 2017-05-18T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/325095112/0/alienvault-blogs~G-Suite-Security-Monitoring-with-USM-Anywhere ; www.secnews.physaphae.fr/article.php?IdArticle=366756

AlienVault Blog: Basic Best Practices for Securing LDAP and Active Directory with Red Hat

Published 2017-05-17T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/323973256/0/alienvault-blogs~Basic-Best-Practices-for-Securing-LDAP-and-Active-Directory-with-Red-Hat ; www.secnews.physaphae.fr/article.php?IdArticle=366300

AlienVault Blog: Innovation for the Sake of Innovation

The user experience

Anytime new features or functionality are added, user experience takes a hit. Even 'good' updates require users to learn new menu commands, alter their workflow, or simply retrain muscle memory to click on a different part of the screen. But more so, it can disrupt the natural use of a product or technology. For example, an email client should be an email client. When it morphs into an all-singing-all-dancing CRM with context-aware reminders and Bluetooth-enabled functionality, one wonders whether the product is actually an email client at all.

Security is not immune to these problems. Whether it's in-house scripts that evolve into a homegrown SOC or the enabling of additional capabilities, it adds unnecessary complexity and confusion. The impact of such security changes is amplified when they affect the end user. Password reset policies, multi-factor authentication, phishing exercises, etc. all add to the mental workload of users. Technology, and by extension security, shouldn't need to go through innovation for the sake of innovation.
While arguments can be made for the progress such innovation brings, the risks often outweigh the pros. Instead, I propose technology be put on an 'Atkins diet' of decluttering. While there are many intricacies to decluttering, they can be broken down into two broad steps:

Simplify

When looking at your

Published 2017-05-16T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/322791302/0/alienvault-blogs~Innovation-for-the-Sake-of-Innovation ; www.secnews.physaphae.fr/article.php?IdArticle=365864

AlienVault Blog: The Power of Community: My Real-Life Lesson in Community-Sourced Threat Intelligence

Luckily, we made out relatively unscathed. Thanks to the magical fraud detection capabilities of today's financial industry, our bank had already declined the fraudulent transactions, frozen the account, and alerted us right away. Case closed, right? Yet, what happened next was an IRL (in real life) tale of the power of community-sourced threat intelligence.

My husband and I began looking through his recent credit card activity, searching for clues as to where and how his credit card may have been compromised. Could it have been the little Mexican restaurant where he (*ahem*) stayed out too late with friends the night before? The florist where he bought me apology flowers the next day? (JK... on the flowers anyway.) It seemed pretty hopeless that we would ever find out where this credit card theft originated. That is, until yesterday, when a neighbor posted on Nextdoor (a popular social networking app for neighborhoods) asking if anyone had recently had their credit cards stolen after getting gas at a specific, shall-remain-nameless-despite-my-vindictive-urges gas station near our house. A ha! Yes! I responded, along with three other neighbors, that we too had had credit cards stolen within hours of pumping gas.
My vigilante neighbor (the OP) then promptly returned to the gas station, where she snapped this photo, showing the security seals broken off the credit card machines. She also posted instructions to report it to 3-1-1 to prompt a police investigation. As a result of the thread, my entire neighborhood on Nextdoor knows to avoid, or otherwise be extra diligent at, that gas station.

This experience taught me (a non-cybersecurity layperson) the power of community when it comes to threat intelligence. See, when my husband and I tried to investigate the attack in isolation, by searching just the data in our own environment, we could only speculate on the list of potential bad actors. But, by sharing our threat data with the community and comparing it to other in-the-wild (or, in-the-neighborhood) attacks, we were able to connect those data points to build a threat story, and we gained confidence in it as more neighbors shared their data about the attack. Finally, because we all publicly shared our threat data with the rest of the neighborhood, everyone in the community (or at least, those who use the app) is alerted and better protected from falling victim to the same attack. We even had our own form of remediation guidance in calling 3-1-1 to report it.

This is pretty much how the AlienVault Open Threat Exchange works, but on a global cybersecurity scale. Our 53,000 members share threat data from their environments, whether that's their USM deployments or their security research labs, so that the community can stay informed on the latest emerging threats. It's like the neighborhood watch of the global InfoSec community. And, it's free to join. To be fair, OTX is much more sophisticated than my pissed-off band of neighbors cutting up our credit cards.
In addition to the ten million indicators of compromise that the OTX community contributes on a daily basis, the AlienVault Labs Security Research Team leverages machine learning and human brainpower (from some very skilled and reputable security researchers) to deeply analyze security events and trends, which they then deliver to the community and directly to USM in the form of actionable threat intelligence, including correlation rules, IDS signatures, and response guidance. Even if you do not use the USM platform, you can still consume

Published 2017-05-15T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/321523858/0/alienvault-blogs~The-Power-of-Community-My-RealLife-Lesson-in-CommunitySourced-Threat-Intelligence ; www.secnews.physaphae.fr/article.php?IdArticle=365399

AlienVault Blog: Making Sense of WannaCry

Whenever a calamity befalls, it's only natural for people to try to rationalise and identify the problem, as is now happening with the WannaCry ransomware outbreak that affected the UK's NHS and other services in over 100 countries. People are discussing what should have been done to prevent it. On one hand, there's a debate ongoing about responsible disclosure practices. Should the NSA have "sat on" vulnerabilities for so long? Because when the Shadow Brokers released the details it left a small window for enterprises to upgrade their systems. On the other hand, there are several so-called "simple" steps the NHS or other similar organisations could have taken to protect themselves. These would include:

- Upgrading systems
- Patching systems
- Maintaining support contracts for out-of-date operating systems
- Architecting infrastructure to be more secure
- Acquiring and implementing additional security tools

The reality is that while any of these defensive measures could have prevented or minimised the attack, none of them are easy for many enterprises to implement.
Also, none of these are new discussions or challenges. Most security professionals have witnessed these same occurrences, albeit not on as wide a scale, for many years. Sometimes the infrastructure or endpoint devices aren't all controlled by IT. Also, patching or updating a system can sometimes lead to other dependent applications breaking or having other issues. For example, the operating system can't be updated until another vendor updates their software, which in turn can't be updated until an in-house custom application is updated. There are many other technical nuances, but it boils down to risk management. And often, if systems are working as desired with no issues, then they will be kept running as such, especially where the cost of upgrading is a taxpayer expense.

That's not to say security measures shouldn't be implemented. In an ideal world it would be good to see no legacy systems, regular patching, and securely architected infrastructure. Unfortunately, that is the exception for most companies, not the rule. So while it's easy to simply say that the government should have put more money into systems, it's more a case of the senior decision-makers and purse-string holders weighing risks: understanding the exposure they have, the pros and cons, and the potential impact. Only then can decisions be made that can result in meaningful change. This should include addressing the root causes of the WannaCry outbreak and other threats. It's inevitable there will be copy-cats soon, with it being trivial to replace the transport mechanism (the SMB worm) with a new payload (a variant of ransomware).

But more could be done. Australia is notable for its success in enforcing higher-than-average security across government. Departments are mandated to enforce four technical controls. The first attacks would have been limited by the first two controls: application whitelisting and regular patching.
Enforcing these controls on legacy systems requires a significant investment in personnel. That's not to say stricter legislation is the answer. However, blaming companies for not patching or for running legacy systems, or asking that intelligence agencies cease cyber activities, is not going to fix the issues.

Here's the video!

Published 2017-05-13T17:17:00+00:00. Links: http://feeds.feedblitz.com/~/320635328/0/alienvault-blogs~Making-Sense-of-WannaCry ; www.secnews.physaphae.fr/article.php?IdArticle=364827

AlienVault Blog: AES 12th May 2017 - Keeping an Eye on IT Security So You Don't Have To

It's about ethics in bug bounties

I'm a big fan of bug bounty programmes and responsible disclosure. I think they work well as additional checks and balances for issues that may slip through the initial security reviews. Bug bounty platforms are similar to a dating service. They pair up companies with researchers who will look for vulnerabilities within the defined scope, and facilitate the payment of the bounty. But what happens when a company that sells morally dubious (but not necessarily illegal) software wants to run a bounty? It puts the bounty provider in a bit of a dilemma. On one hand it could remain completely impartial and simply act as a conduit to help create secure software. On the other hand, they are facilitating the betterment of software that could be used for malicious purposes. Such was the case when spyware company FlexiSPY showed interest in moving their bug bounty program to HackerOne. The resultant blog post illustrates some of the ups and downs in arriving at an answer.

Casey Ellis, CEO of BugCrowd, was far more direct in his approach and dismissal of FlexiSPY

On the bright side of bug bounties

It's great to see researchers rewarded for finding bugs and vulnerabilities fixed.
But for the rest of the security community, it's always great to read a detailed writeup on how the researcher discovered the bug and validated it. It serves as a good learning experience for the rest of us.

How my car insurance exposed my position
Hacking my trash company

Emergency Microsoft patch

It feels like the topic of responsible disclosure is never-ending. I'm going to add responsible disclosure to the list of things I won't talk about in social settings, joining politics, religion, and passwords.

Last Friday, Google researcher Tavis Ormandy stated that he and fellow researcher Natalie Silvanovich had discovered "the worst Windows remote code exec in recent memory". While no further details were released, it left many security professionals hanging over a nail-biting weekend to learn about this vulnerability. Some disagreed with the approach and timing, stating that it was scaremongering, or an attempt to gain exposure. Either way, Microsoft turned it around very quickly, earning the praise of Ormandy and others, and pushed a critical out-of-band update for the Microsoft Malware Protection Engine to plug the vulnerability.

MS plugs crazy bad bug with emergency patch
Crazy bad bug in Microsoft's Windows malware scanner can be used to install malware

The Government's Role in Insecurity

As much as I personally try to steer clear of politics, cyber security and politics are well and truly bedfellows in this day and age, whether it be hacking during elections, leaks, or spying.
The Guardian ran a piece entitled Cyber-insecurity is a gift for hackers, but it's our own gover

Published 2017-05-12T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/318027030/0/alienvault-blogs~AES-th-May-Keeping-an-Eye-on-IT-Security-So-You-Don%e2%80%99t-Have-To ; www.secnews.physaphae.fr/article.php?IdArticle=364829

AlienVault Blog: What Got CISOs Here, Won't Get CISOs There

Here are five non-security tips to help security teams:

1. Put toothpicks in your data

Security historically has presented data in a rather statistical manner. But merely stating how many suspicious emails your spam filter caught is akin to describing your umbrella by the number of raindrops it stops. The debate to find the ideal security metrics has raged on for many years without showing any signs of slowing down. One way to look at the problem is by asking how the existing data could be presented in a way that is aligned to the target audience's expectations. For example, research has found that when you tell people that what they are eating or drinking is a high-end product, they won't just say that it tastes better than a cheaper product; their brains will actually experience it as better. This was proven by two Dutch pranksters who snuck into a large food-industry expo in Houten, The Netherlands. The pranksters served McDonald's food cut into pieces with toothpicks on trays, telling attendees it was an organic product. Tasters described the samples as tasting very rich and very pure. Try presenting data differently with some toothpicks and see how it changes perceptions.

2. Reframing

Security on its own has little meaning. Many businesses will judge security teams and their effectiveness based on how they feel about it. Most will tend to frame risk based on how they have perceived it in the past.
Although this isn't wrong in some cases, at other times, particularly where experience is tied to a negative perception, these habits need to be changed, or reframed. In this regard, there are two areas that a CISO can focus on to reframe. The first aspect is around framing context correctly, and involves taking something that seems undesirable and showing its benefits in another context. For example, Rudolph's red nose was an anomaly that made him stick out from the other reindeer. But the red nose saved all the reindeer on a dark and stormy night. Similarly, many security controls that may seem undesirable in some situations can become a great asset given the right con

Published 2017-05-11T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/316912190/0/alienvault-blogs~What-Got-CISOs-Here-Wont-Get-CISOs-There ; www.secnews.physaphae.fr/article.php?IdArticle=364375

AlienVault Blog: What is File Integrity Monitoring and Why You Need It Part 2

my last blog on file integrity monitoring (FIM), news of a malware breach at InterContinental Hotels Group (IHG) hit the headlines. Unfortunately, the malware ran undetected from September through December 2016, and it took until March 2017 to get final confirmation that it was fully eradicated. More recently, Chipotle announced a similar POS breach, with echoes of the malware remaining in place and active for at least a month. There is no question that the bad actors out there often have the advantage of surprise, but all businesses (not just retailers or hotel chains, but across every industry) need to ensure that all their devices and assets, from their POS and endpoint devices to their central systems, are locked down and monitored. But, the question remains: how do you protect yourself against malware and other nefarious hacks against your systems and applications?
While it's not the silver bullet to protecting against malware and other attack vectors, a well-configured File Integrity Monitoring (aka FIM) deployment can go a long way toward identifying anomalous changes across your IT environment, such as changes to legitimate binaries, configuration files, and the like. Simply put, every organization should consider file integrity monitoring one of the essential tools in their security arsenal.

In my last blog on File Integrity Monitoring (part 1 of 3), I introduced the 'what' and the 'why' behind file integrity monitoring (FIM) as one invaluable approach to monitoring for malicious changes to files. In this week's blog, I'll introduce some best practices for FIM, including what files to monitor and how to get the best value from your file integrity monitoring solution.

What Files Should I Monitor?

It can be a challenge to determine what files to monitor. Frankly, operating systems and applications can be a bit of a minefield when it comes to understanding what files they deploy and where. Just when you think you've nailed it, a new release of the software can introduce new files and folders that you need to monitor. In general, it's better to monitor too many files rather than too few. That said, striking the right balance is important, as file monitoring can be taxing on system resources, particularly when there are a lot of files to monitor, when files are in a constant state of flux (e.g. log files, virtual memory swap files, the Windows Registry), or when the file size is so big that analyzing it takes extra time. File integrity monitoring solutions often come preconfigured with recommendations. In many cases, the authors of these packages are very well informed, and those recommendations may suffice for your needs.
However, there is no standard IT environment, so you may want to refer to guidance from trusted entities like the Center for Internet Security (CIS), whose security benchmarks provide recommended settings for operating systems, middleware, software applications, and network devices. In essence, the following file types should be monitored across your environment. Note that default installation directories can typically be modified at installation, and some applications use their own custom locations, so administrators should verify with their sof

Published 2017-05-10T13:00:00+00:00. Links: http://feeds.feedblitz.com/~/315978404/0/alienvault-blogs~What-is-File-Integrity-Monitoring-and-Why-You-Need-It-Part ; www.secnews.physaphae.fr/article.php?IdArticle=364013

AlienVault Blog: The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is Europe's newest framework, set to come into force in May 2018. It is designed to replace local data protection laws such as the UK's Data Protection Act 1998, the Belgian Privacywet, or the German Bundesdatenschutzgesetz (BDSG). The primary objective of GDPR is to strengthen security and privacy protection for individuals. While GDPR shares many principles with its predecessors, consisting of 11 chapters, 99 articles, and 187 recitals, it is by no means a minor adaptation.

Who GDPR Applies To

The GDPR applies to all data controllers and processors. There are specific legal obligations placed on processors and controllers under GDPR. It applies to processing carried out by organisations within the EU as well as organisations outside the EU that provide products or services to individuals within the EU. It primarily focuses on individual data, which is defined in two categories: 'personal data' and 'sensitive personal data'.
Personal data includes individual data as well as any information that can be used as an online identifier, e.g. an IP address. Sensitive personal data casts a wider net and covers data elements such as biometric or genetic data.

What GDPR Means for Enterprises

In order to comply with GDPR, enterprises will need to implement a number of security and privacy measures and controls, such as:

- Assigning a data protection officer
- Data breach notification within 72 hours
- Inventory of all personal data processed
- Data protection by design and by default
- Data Privacy Impact Assessments
- Fines of up to €20 million or 4%

What Does It Mean from a Practical Perspective?

If you don't already have the required security tools and controls in place, your organisation will need to implement several new security controls, policies, and procedures. You will also need to demonstrate compliance with GDPR. For security- and privacy-conscious organisations, the new regulation should not bring about too much technical overhead. For those that aren't, the impact will be much greater. Here are some tips for implementing some of the key security requirements outlined in GDPR:

Article 30: Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility

Key tips to implement:
- If you don't already have one in place, acquire and implement a log management or Security Information and Event Management (SIEM) tool. SIEM tools are important for monitoring all user and system activity to identify suspicious or malicious behaviour.
- Don't forget about data stored or processed in cloud environments. Cloud is also in scope, and records of activity must be maintained.
Article 32: …the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…

Key tips to implement:
- Create an inventory of all critical assets that store or process sensitive data, so that more stringent controls can be applied to them.
- Undertake vulnerability scanning to identify where weaknesses exist that could be exploited, ideally using a tool that can be easily integrated with existing security tools.
- Conduct risk assessments and apply threat models relevant to your business.
- Regularly test to gain assurance that security controls are working as designed.

Articles 33 & 34: Notification of a personal data breach to the supervisory authority; and communication of a personal data breach to the data subject.

Key tips to implement:
- Put in place threat detection controls to

Source: AlienVault Blog, 2017-05-09T13:00:00+00:00, http://feeds.feedblitz.com/~/314812092/0/alienvault-blogs~The-General-Data-Protection-Regulation-GDPR (www.secnews.physaphae.fr/article.php?IdArticle=363646)

Misperceptions, Experience, and Mentoring in InfoSec

Photo courtesy of http://BenCovello.com

He then got a glimpse of my son, and his entire demeanor changed. My son, an innovator in his own right, dresses in a style that is a mix of Punk Rock and Heavy Metal, and he has the hair to prove it. I chuckled, because I wish these young kids would stop reading us old books by our covers. It made me think about how we risk the same misperceptions in the InfoSec community. That blue-haired youngster who initially sneered at me could end up being the next-generation InfoSec professional. The early InfoSec contributors are no longer the brash young crowd they once were.
Those who were there in the early years are now 20 years older, and while many still have long hair, plenty of ink, and piercings, they also have children, houses, and careers. In fact, sadly, some of the early pioneers are no longer with us. What can we do to make sure that the future blue-haired InfoSec professionals take the time to visit the past, and to understand that the person with the gray hair is not afraid of new ideas or new technology, and may actually be a vital part of the Information Security evolutionary chain?

Do you mentor? There are some unique mentoring opportunities out there, including the excellent work offered through the BSides events, but we need more. Something as simple as an internship can go a long way toward training a new InfoSec professional. Make historical perspectives part of your mentoring "program". The part I find most enjoyable about mentoring is the reciprocity of ideas, an exchange that enables you to stay abreast of some of the new approaches and mindset of the next generation.

When we think of folks like Grace Hopper (that's Rear Admiral Hopper to you, sailor!), an unsuspecting person might think that she was a kindly old grandmotherly type who was ignorant of technology. How far from the truth is that? The same is true of many of the aging hackers and other InfoSec professionals. Our "seasoned" appearance could be used as a new deceptive advantage, or it could be used to lend a new perception to the new breed of InfoSec innovators and practitioners. We have come a long way, yet we are still a young profession. Let's use our years of experience to spread our knowledge.

And to my sneering blue-haired friend: when I played in a rock band at CBGB's one evening many years ago, I also had blue hair. We can learn a lot from each other.
Source: AlienVault Blog, 2017-05-08T13:00:00+00:00, http://feeds.feedblitz.com/~/313699722/0/alienvault-blogs~Misperceptions-Experience-and-Mentoring-in-InfoSec (www.secnews.physaphae.fr/article.php?IdArticle=363146)

TweetChat Roundup – Cloud Security

@alienvault ability to start services quickly, pay as you go #AlienChat — Martin Hepworth (@maxsec) April 27, 2017

Why a good cloud provider may have better security than you:

@alienvault Nope. Good CSPs have rigorous controls in place. & they're not burdened with those ancient Windows NT boxes you're still running. #AlienChat — Dave Shackleford (@daveshackleford) April 27, 2017

And why monitoring is important in the cloud:

@alienvault I need to be able to monitor data in the cloud as robustly as I can on-prem. This feature still needs to mature. #AlienChat — Austin Hummert (@ahummert) April 27, 2017

Check out the full stream below. The conversation continued well past the time we wrapped up; see what you missed by following the #AlienChat hashtag.

Source: AlienVault Blog, 2017-05-04T13:00:00+00:00, http://feeds.feedblitz.com/~/308996560/0/alienvault-blogs~TweetChat-Roundup-%e2%80%93-Cloud-Security (www.secnews.physaphae.fr/article.php?IdArticle=362126)

Alien Eye in the Sky – 5th May 2017

That Google Phish

There was a lot of buzz as many people received phishing emails disguised as invitations to open a Google Doc. By authorising it, users unwittingly gave attackers access to their emails. The size and scale of the attack was reminiscent of the viruses of days gone by, such as Melissa. While Google has worked to close the flaw, it doesn't help those users that have already clicked on the link.
If you have clicked on the link, then you need to follow these steps:
- Go to the Google account permissions page and remove access for the fake app.
- Change passwords on Google and any other sites that may have been using the same password.
- Enable two-factor / two-step verification (like needing an SMS code in order to log on).

Some are suggesting that, given the similarities between this fresh phishing scam and the past activity of the DNC hackers, known as APT28, the Google phishers could be the allegedly Kremlin-backed crew. But to Jaime Blasco, chief scientist at security company AlienVault, that's unlikely: "I don't believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted." - Full article

Threatpost article

Smaller nations' hacking skills

As the joke goes, on the internet, nobody knows that you're a dog. Technology has done a great job of shifting power into the hands of the many. Now, with modest budgets and technology, startups can challenge well-established brands. But that also means small nations can build cyber capabilities that match those of much larger nations. We knew the U.S. and Russia were hacking powers, but Ethiopia and Pakistan?

GDPR

While a lot of European companies are looking to the future wondering what GDPR will bring, the Register looked back and retrospectively estimated what regulator fines for data loss would have been last year had GDPR been in force. Where last year British companies were fined £880,500, under GDPR that sum could have been £69 million.
Register Story
Gartner predicts GDPR flouters will be in the majority
Google Cloud will be ready for GDPR in May 2018

It's just Metadata

It's why many governments have pushed for mandatory metadata retention laws, and have been successful. Because in the minds of many, it's only metadata.
Troy Hunt wrote a good article on why Australia just showed the world the problem with mandatory data retention.

Source: AlienVault Blog, 2017-05-03T16:49:00+00:00, http://feeds.feedblitz.com/~/309240180/0/alienvault-blogs~Alien-Eye-in-the-Sky-%e2%80%93-th-May (www.secnews.physaphae.fr/article.php?IdArticle=362127)

How Honeypots Work: Things that Go Bump in the Network

Every time I see one of those Capital One commercials where Samuel Jackson delivers the tag line, "What's in your wallet?", I can't help but think of a similar question in the context of network security. It's a question fit for networking teams, security teams, and especially CISOs: "What's in your network?" Would you even know? How would you know? As networks continue to become more complex with applications, virtualization, and devices, these questions can be very difficult to answer. To help answer them, there has certainly been an explosion of fancy new solutions in the marketplace for monitoring activity on a network. However, in addition to those great monitoring tools, I'd like to suggest implementing a simple concept that has been around in information security for quite a while: every enterprise should consider running good old-fashioned honeypots.

If this is the first time you are reading about honeypots in the context of security, the idea is really quite simple. A honeypot is a computer on the network that is intended to look like it has a legitimate production purpose, but is really there to act as a sort of tripwire for malicious activity. Since no legitimate users would be directed to the honeypot, any traffic hitting it is likely not legitimate. A honeypot can be configured to look like anything on the network, e.g. a print server, web server, or file server, so when an attacker is probing the network and comes across a honeypot, they think they've found a legitimate target.
The value of running a honeypot shouldn't be underestimated, even if you're running some of the new AI and machine learning endpoint security solutions available today. Honeypots can be very inexpensive to deploy and maintain, and since they really should receive very little traffic, any log entry or alert from a honeypot is of high value. Any alert will contain information that is indicative of either malicious traffic (you want to know about that!) or a misconfigured system on the network (you still want to know about that!). There are no false positives here. This information helps you find bad things lurking on your network, but it can also enable you to assist operations when something has been misconfigured.

A honeypot is not just a network security sensor; it is also a component of your broader approach to applying network security. Going through the process of implementing a honeypot can actually help you become more familiar with what your network looks like, from both a topology and a behavior perspective. Having a better understanding of your network puts you in a better position to defend it. Also, those cases where you've identified misconfigured systems are opportunities to build relations with operations teams by providing additional value.

Ultimately, however, to the detriment of an attacker, your network should be a really noisy place. The attacker wants to be stealthy, but if your network is layered with noisy bumps and misleading routes, you're raising the risk to the attacker. When you increase the risk to the attacker, you're also increasing what it actually costs the attacker to be successful, which makes you a less attractive target. If you are interested, and I hope you are, in adding honeypots as a layer in your approach to network security, I have some resources to help get you started.
The first resource is an open source honeypot I've created called

Source: AlienVault Blog, 2017-05-03T13:00:00+00:00, http://feeds.feedblitz.com/~/307779949/0/alienvault-blogs~How-Honeypots-Work-Things-that-Go-Bump-in-the-Network (www.secnews.physaphae.fr/article.php?IdArticle=361643)

AlienVault USM Anywhere and Cisco Umbrella: Move Quickly from Detection to Protection

AlienApp for Cisco Umbrella (click here to watch a quick video from Cisco highlighting this exciting new integration with USM Anywhere and other new Umbrella features). Cisco Umbrella is a cloud security platform that enforces threat intelligence at the DNS and IP layers, which makes it a natural extension to the threat detection capabilities provided by USM Anywhere. (In addition to this blog, AlienVault and Cisco will be presenting a joint webcast showing the AlienApp for Cisco Umbrella on May 18th at 10AM PDT. Register for this webcast to learn much more!)

As an example, let's look at how the combination of USM Anywhere and Cisco Umbrella can help provide an effective response to a phishing attack. First, the analyst reviewing the Alarms page of USM Anywhere sees an alarm related to phishing activity that has been detected by the AlienVault Network IDS. The AlienApp for Cisco Umbrella, which is included as part of the USM Anywhere platform, allows the security analyst to respond immediately to this threat. By clicking on the alarm, the analyst can not only review the relevant details of the event, but also initiate a response right from the USM Anywhere interface to send the malicious domain to Cisco Umbrella for enforcement. From the alarm detail view, the analyst can simply click the "Select Action" button, choose the Cisco Umbrella app, and then select the "Report by HTTP hostname" action. This will automatically send the HTTP hostname to Cisco Umbrella via the Cisco Umbrella Enforcement API.
Alternatively, USM Anywhere can be configured to automatically send this information to Umbrella whenever phishing activity is detected, providing a fully automated response. Returning to the alarm detail view, the analyst can click "Create Rule" and create an orchestration rule that will automatically send the relevant information to Umbrella any time this type of activity is detected. To

Source: AlienVault Blog, 2017-05-02T13:00:00+00:00, http://feeds.feedblitz.com/~/306663694/0/alienvault-blogs~AlienVault-USM-Anywhere-and-Cisco-Umbrella-Move-Quickly-from-Detection-to-Protection (www.secnews.physaphae.fr/article.php?IdArticle=360996)

Alien Eye in the Sky 28th April 2017

1. About those NSA backdoors

The DoublePulsar NSA backdoor detected on Windows boxes can now be remotely removed. Microsoft believes the number of infected machines is under 10,000, whereas some researchers have claimed to have found anywhere between 30 and 100 thousand infected machines.
Related IPs in OTX
NSA zero day actively wreaking havoc on Windows PCs
DoublePulsar spreading rapidly in the wild

2. Hacker sentenced to 27 years

Crime shouldn't go unpunished, and I'm glad a hacker responsible for running vast credit card and identity theft operations has been apprehended. But 27 years for a non-violent crime seems rather heavy-handed. Or maybe it's just the authorities' way of sending out a statement to other would-be hackers. On the other side of the pond in the UK, Adam Mudd, who created the Titanium Stresser program to carry out attacks that netted him the tidy sum of £386,000, has been jailed for two years. At the time of sentencing, Judge Michael Topolski stated that the sentence must have a "real element of deterrent."
Teenage hacker jailed for global attacks
Russian hacker received record 27 year jail sentence in USA
Russian MP Seleznev incensed after son jailed in US

3.
GDPR cometh

GDPR mania is running wilder than Hulk Hogan ever did in the 80s, so sensible advice on the upcoming regulation is getting difficult to find. But fear not, this Alien keeps its eye peeled for good sources of information.
GDPR: Both a threat and an opportunity for the channel
Met Police: Quarter of cyber-crimes solved, GDPR could be the next PPI

4. Threats from the inside

Dmitry Sazonov was charged with attempted theft of trade secrets for his alleged attempt to steal proprietary code for a trading platform from his employer. This is just an allegation and still needs to be proven, but it illustrates the growing need for strong detection controls that can identify rogue behaviour by an employee.

Source: AlienVault Blog, 2017-04-28T13:00:00+00:00, http://feeds.feedblitz.com/~/301937188/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-April (www.secnews.physaphae.fr/article.php?IdArticle=360345)

OTX Is Now a Free STIX/TAXII Server

The Open Threat Exchange (OTX) team has been hard at work, and we wanted to update everyone on some new functionality that we believe will be very useful to you. We're happy to announce that AlienVault OTX is now a STIX/TAXII server.

What Does That Mean? What is STIX/TAXII?

STIX provides a formal way to describe threat intelligence, and TAXII a method to deliver that intelligence. For example, an Information Sharing and Analysis Center (ISAC) might share information about attacks against an industry via STIX/TAXII. Companies that are members of the ISAC then collect this (and other) information in a threat intelligence platform, and then feed this information on to their security devices. They might also skip the threat intelligence platform and feed information from the ISAC directly to their security devices. OTX can now act as both a provider and a platform in your environment.
Getting set up

To consume the OTX STIX/TAXII feed you'll need to enter the following details into your TAXII client:
Discovery URL: https://otx.alienvault.com/taxii/discovery
Username: (Your API key)
Password: (Blank)

Deliver your own intelligence from OTX to your network and your customers

You can use the group functionality of OTX to store threat intelligence and privately share it with people you specify. You can then deliver this by STIX/TAXII to your devices or, if you are a service provider, to your customers. You can also maintain feeds within these groups.

How are you using STIX/TAXII?

Despite a mammoth specification, we found there is little standardisation in the way TAXII client implementations work. For example, some clients will poll for updates every minute, some every hour. Please email us at otx-support@alienvault.com if our implementation isn't working for your client, or if you have any questions or suggestions.

Testing / exploration

To get an idea of how TAXII works with OTX, you can try it out using any number of available TAXII clients. Here are some examples using a client called cabby. Cabby can be downloaded and installed, or if you have a working Docker installation, you can run it via a Docker container. If you're using Docker, your command line will look something like:

If you're running from a locally installed cabby instance, the same command would just be:

Discovery

taxii-discovery is a cabby program that will call the TAXII discovery endpoint, which tells you what services are available and some of the options they support.
Source: AlienVault Blog, 2017-04-27T13:00:00+00:00, http://feeds.feedblitz.com/~/300946476/0/alienvault-blogs~OTX-Is-Now-a-Free-STIXTAXII-Server (www.secnews.physaphae.fr/article.php?IdArticle=359963)

The Felismus RAT: Powerful Threat, Mysterious Purpose

This week, my colleagues and I furiously investigated the mystery of Felismus, a sophisticated, well-written piece of malware discovered recently by researchers at Forcepoint Labs. The malware's modular, self-updating construction is a nod to the apparent skill of its creators and the severe risk it poses to victims. While little has been uncovered so far about Felismus's creators or their intentions, a different puzzle captivated my team. Inquiring minds had to understand the malware's name, which supposedly relates to the Tom & Jerry reference in its only human-readable encryption key: "Tom&Jerry@14here." What episode did the term "Felismus" come from? Why couldn't we find a connection? As it turns out, the answer had been staring us in the face all along. In Latin, felis means cat; mus means mouse. Tom & Jerry, cat and mouse. Of course.

One mystery solved, a dozen more to go. Although researchers believe Felismus plays a role in a targeted campaign due to its scarcity, its creators' targets and intent remain murky. Still, the significant power that Felismus grants to its operators makes it a potentially devastating threat to victims. Security and IT professionals should be aware of how it works and how it could affect their organizations.

Felismus is a Remote Access Tool (RAT), a type of malware that allows malicious actors to take complete control of an infected system. Like most RATs, it allows attackers to communicate with a remote server, download files, and execute shell commands.
Felismus appears to infiltrate systems by posing as an Adobe Content Management System file, as evidenced by the "AdobeCMS.exe" filename present in samples of the malware found in the wild. A malicious actor might fool unsuspecting users into downloading the file by presenting them with an update notice through a compromised ad network or phishing email campaign: "To view this media content, click here to update to the latest version of Adobe."

When the Felismus executable is run, it deposits two Dynamic Link Library (DLL) files in the file system. The DLLs provide functions for the executable to call, allowing the original executable file to take up less disk space. The malware creates an invisible window when it is run, camouflaging itself as a Windows process by registering a WindowProc function for it. This enables the window to accept and process messages, which is how the malware communicates with its C2 server. The original process sends encrypted commands through the invisible window to a domain, disguising the activity as normal browsing and shopping behavior. Because the activity is designed to look like normal, whitelisted behavior, antivirus products are unlikely to pick it up. Although the contents of these commands have not been deciphered, they appear to be related to the malware's setup process. In response, the server sets up a UUID for the victim, a unique identifier that is used later as part of the encryption process.

Once communication has been established, the attacker can execute a shell command, save the results of the shell command, upload those results to a remote server, download a file from a remote server, execute a file, and create and save a text file. On their own, these functions already pose a significant threat. What makes Felismus particularly dangerous is its modular construction, which can help it hide or extend its capabilities.
Once Felismus has compromised a system, an attacker can easily add a new functional module designed to accomplish whatever they want within the environment. This could be a keylogger, a network traffic analyzer, a tool to automate exploration of the system, or anything else the attacker might want. Felismus is also capable of self-updating, which means it can be updated to

Source: AlienVault Blog, 2017-04-25T13:00:00+00:00, http://feeds.feedblitz.com/~/298549308/0/alienvault-blogs~The-Felismus-RAT-Powerful-Threat-Mysterious-Purpose (www.secnews.physaphae.fr/article.php?IdArticle=359016)

Another Way to Get Your Lost Phone Returned

Lookout Mobile locator service with the handy "SCREAM" feature that is sure to catch someone's attention. But what happens when you leave your phone in a place where none of those methods are available? Think about it: if you are in a big city, it is little help to know that your phone is somewhere near Trafalgar Square in London, or somewhere near Grand Central Terminal in Manhattan, which is all you will get from a phone finder application. What if your phone cannot get a signal and none of those methods of contact are available?

A simple method that works well is to change your lock screen to a photo of your business card, or some other contact information, to facilitate the return. This might raise red flags for privacy-conscious InfoSec folks. But there are two reasons why this method may maximize the chance of your phone being returned. The first reason is that your contact information on the lock screen makes it very easy for the finder of the phone to contact you. No need for you to frantically call your phone, hoping for someone to answer. In the case of a phone that cannot get a signal, that phone call will only go to your voice mail, which does nothing to reduce your anxiety. Make it easy!
My lock screen includes my e-mail address and an alternate phone number where I may be reached. (It would be counter-productive to include your cell phone number, wouldn't it?)

The second reason that the photo of your contact information on your lock screen increases your chances of recovering the lost device is one of subtle social engineering. A person will be less likely to ignore or deny the obvious contact information. Most folks would prefer to do the right thing, rather than knowingly deprive someone of a lost item. If you are concerned about any privacy implications, just remember that you will eventually have to come face-to-face with the person in possession of your phone in order to retrieve it. Also, if the person is a criminal, he already possesses an easily fenced device, and he probably is not also an identity thief.

For further incentive, if you use a protective cover on your phone, slip a modest-sized reward into the case with a "reward for return" note. My phone case holds a US $20 bill with a smiling President saying "thanks for returning my phone", along with my faux business card with my contact information. This may be a bit extreme, but when you consider the cost of the phone, wouldn't you offer a reward for its safe return? Not only is this "reward" concealed, it can serve as your emergency money stash if you ever find yourself a bit short on cash. Just remember to replace it with another smiling Jackson as soon as possible.
Sure, your contact information on your phone's lock screen may not be as cool as the photo of your favorite automobile that currently "blings" your screen, and it may not be as warm and fuzzy as the family photo, but it could mean the difference between a returned or a

Source: AlienVault Blog, 2017-04-24T13:00:00+00:00, http://feeds.feedblitz.com/~/297445298/0/alienvault-blogs~Another-Way-to-Get-Your-Lost-Phone-Returned (www.secnews.physaphae.fr/article.php?IdArticle=359017)

Alien Eye in the Sky 21st April 2017

1. How the NSA infiltrated a Middle East banking network

The Shadow Brokers leak has brought to light many things, some of which would have been better left in the dark. But it has also highlighted some interesting activities. For example, some clues came to light on how the NSA broke into the SWIFT service of a Middle Eastern bank network.
Shadow Brokers lessons: First, Don't panic
Microsoft's Quiet Patching of Shadow Brokers' NSA Hacks Signals Policy Win
Shadow Brokers IoCs (OTX)

2. IoT Botnet rivalry

I grew up with epic rivalries, like the Bloods and the Crips, the East vs West side hip hop battles, the Rockers vs the Hart Foundation. And now we have Mirai vs Hajime. True, it kind of lacks that visual punch, but from a technical perspective it's pretty much the same thing. There's also the possibility that the Hajime worm could be the work of a frustrated white hat who has taken matters into their own hands. It wouldn't be the first time such a thing has happened. Back in 2001, the year DMX sold 439,000 copies of the album The Great Depression, the "good" Code Green worm went around patching systems that were vulnerable to the Code Red worm.
Rival IoT malware clash in a botnet territory battle
Is a white hat hero trying to protect the IoT from Mirai with a vigilante computer worm?

3.
Get your ransomware source code

Ransomware has been an increasingly favoured technique of cyber criminals in recent times. Various business models are in use, from direct use to ransomware as a service (RaaS). CradleCore deviates from the RaaS model and allows the customer to customise the malicious source code as they wish. This could lead to an increase in CradleCore variants.
CradleCore Ransomware Sold as Source Code
CradleCore ransomware available as RaaS

4. Vendors pose a security risk, says SWIFT

Following a leak of SWIFT documents, the global bank messaging system has advised clients to pay close attention to security. Third parties are increasingly part of the fabric of all enterprises. This can include using a cloud provider to host apps or entire infrastructure, outsourcing the HR function, or hiring a specialist firm to prepare financial statements. So while it's not possible to avoid third parties, many fundamental security practices can help mitigate the risks. Examples of such would include:
- Knowing your assets – by understanding your assets, particularly critical ones, it can be easier to determine effectively what system

Source: AlienVault Blog, 2017-04-21T13:00:00+00:00, http://feeds.feedblitz.com/~/295577346/0/alienvault-blogs~Alien-Eye-in-the-Sky-st-April (www.secnews.physaphae.fr/article.php?IdArticle=359018)

What is File Integrity Monitoring and Why You Need It

With that in mind, it's critical to know when a change or unauthorized access to a critical file is attempted, regardless of whether the attempt was successful or not. This is the realm of File Integrity Monitoring (FIM), a critical tool in the security defense of any organization wishing to protect its assets. Yes, you'll have noticed that this is the first blog in a series, because frankly there's a fair amount to cover, and I want to break it into consumable chunks!
In this first blog, I'll cover the basics of what file integrity monitoring is, and why you should use it. In the coming weeks I'll discuss how you can best apply FIM to your organization, and what to look for when selecting a FIM solution.

What is File Integrity Monitoring?

Even if you're already familiar with the technology, it doesn't hurt to spend a minute or two ensuring we're all talking at the same level on what FIM is. Today, most IT systems that store and process information use file-based architectures. The core operating system and application binaries, system and application configuration data, organizational data, and logs are stored in files. These files ultimately:
- Determine how the operating system, its subsystems and hosted applications should operate;
- Track (in log files) the actions and activities that take place across the operating system and applications;
- Store business data.

When an attacker compromises these critical files, havoc ensues. Attackers may attempt to take over the operating system or application, steal or modify business-critical information, or manipulate log files to hide any malicious activities. This is where File Integrity Monitoring helps, by ensuring that you're notified when such suspicious activities take place on critical files. Even authorized changes may result in misconfigurations or situations that expose the organization to increased risk and compromise, such as the case where customer information from one bank was exposed when an authorized vendor uploaded a file to a server without enabling the proper security protocols (read HERE for more).

FIM technologies typically work with one of the following approaches:
1. Baseline comparison, wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against at some future time.
This can be as simple as the time and date of the file; however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically as

Source: AlienVault Blog, 2017-04-19T13:00:00+00:00, http://feeds.feedblitz.com/~/294590716/0/alienvault-blogs~What-is-File-Integrity-Monitoring-and-Why-You-Need-It (www.secnews.physaphae.fr/article.php?IdArticle=359019)

Office 365 Security Monitoring with USM Anywhere

AlienApp for Office 365 that enables threat detection and incident investigation directly from USM Anywhere. It allows you to monitor and analyze user and admin activities in the Microsoft Office 365 suite of cloud applications, including Exchange Online, SharePoint, OneDrive for Business, and Azure Active Directory (AD). With the AlienApp for Office 365, USM Anywhere users can track user activities, monitor changes to files and policies, and be alerted to suspicious or anomalous activities within Office 365. The app further extends the security orchestration capabilities of USM Anywhere, helping small to mid-sized security teams to monitor their Office 365 environments alongside the rest of their critical infrastructure: physical or virtual on-premises, AWS or Azure clouds, or any hybrid of these. Let's take a closer look at some key features of the AlienApp for Office 365.

Anomaly Detection with Office 365 Dashboards

Do you know where your Office 365 users are? With USM Anywhere, you can readily answer that question and more using pre-built dashboards that show trends and summaries of OneDrive, SharePoint, and Azure Active Directory (AD) activities. For example, the Azure AD dashboard summarizes login attempts and failures based on user, country, and source IP address. You can drill down on any data point to investigate further, faster.
Alarms & Pre-Built Correlation Rules for Office 365

With out-of-the-box correlation rules written specifically for Office 365, USM Anywhere generates alarms by keying off the events collected by the AlienApp for Office 365. Alarms notify you of suspicious activity, such as when a user or admin:
- Enables data sharing with entities outside of the organization, possibly resulting in a breach of confidential data
- Restores files in OneDrive for Business, indicating a possible attempt to retrieve historical data
- Changes the Microsoft Exchange content policy in a way that could enable spammers to send phishing emails
- Updates password policies in a way that could leave user accounts vulnerable to basic password attacks

These are just a few examples of the out-of-the-box correlation rules we include with the AlienApp for Office 365, not to mention the ability to create custom orchestration rules and alerts based on your unique environment and security monitoring needs.

Advanced Search & Analytics Capabilities that Accelerate Threat Investigation

The AlienApp for Office 365 shows you a wealth of events from your Office 365 environment, and uses Elasticsearch capabilities to make searching, filtering, and analysis fast and efficient. As you explore the Activity Events page or drill down from a dashboard or an alarm, you’ll notice that you can quickly filter and identify activities related to specific users, helping you to detect insider threats sooner. The Event view allows you to filter by app (SharePoint, Exchange, Azure AD) and many other criteria. Events related to SharePoint and OneDrive for Business include file access, changes, uploads, and downloads. You can also view inbox and distribution list modifications in Exchange Online. Audit events from the Office 365 Security and Compliance Center provide additional visibility into user logins and searches.
Azure Active Directory events include user logins, passw

Published: 2017-04-18T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/294215520/0/alienvault-blogs~Office-Security-Monitoring-with-USM-Anywhere


Ten Data Centre Migration Pitfalls

Data centre (DC) migrations can mean several things depending on the size and scope of the task. They can range from being as small as moving one application offsite or to the cloud, to as complicated as ripping out an entire facility and moving it to the other side of the country. They can also encompass consolidation activities or the upgrading of applications and infrastructure. Whatever the scope, security and networking remain the common challenges and are fraught with the same pitfalls. Here are ten pitfalls to look out for when undertaking a data centre migration.

1. Knowledge is stored in different people’s brains

This is true for nearly any major technology project, but it really comes to light when it comes to the DC. Not only is the knowledge of the overall workings of the DC stored in silos, it's impossible to know WHO has the relevant pieces of knowledge. This often leads to certain aspects being missed out, with the impact not being realised until business processes and applications are impacted.

2. Thinking firewalls will solve everything

Many companies seem to hold on to the belief that there is no security problem that can't be solved by throwing more firewalls at it. In the short term, it may seem like the easy option: rather than working out network routes for new applications, one can simply deploy a firewall, stick a custom rule on it and call it a day. An activity which is about as effective as applying some water sealant to a leaky dam.

3.
No network diagram

One of the most basic and common traps many large enterprises fall into is not having an up-to-date network diagram. Any diagram that is available is usually incomplete, or was designed by a contractor that has since left the company and took the knowledge with them (refer to point 1).

4. Nobody has an idea of what normal looks like

When designing the future state of a DC, many assumptions are made and caveats put in place. Very rarely do these assumptions go through any validation process. Thus, there is no actual analysis of production traffic and/or volumes. Without knowing what normal traffic looks like, it’s almost impossible to predict what the future-state traffic will look like. This could render the target model inadequate for its purpose.

5. False economies

Financial forecasts and projections can be inaccurate due to false assumptions. Thus, a DC migration that should be cost neutral in 12 months ends up costing more than if the old system had remained in place.

6. No visibility into application connectivity

All too often in DC migrations priority is given to networking at the expense of understanding the applications themselves. Not all applications communicate over standard ports, and application dependencies may be deeper than assumed. Not having this information will often lead to applications breaking and a long and tedious process of fault-finding. Points 1, 3, and 4 contribute to this.

7. Insufficient change management

Having a well-defined, mature, and effective change management system in place can help eliminate many of the challenges and issues relating to a DC migration. Unfortunately, well-defined, mature, and effective change management systems are overlooked during major projects, which tend to conduct many changes under an umbrella change record.

8. No rollback capabilities

In any project, there is always the risk that things will not go to plan.
Having things go wrong is part and parcel of a major project like a DC migration. In preparation for this, rollback capabilities need to be considered well in advance of an

Published: 2017-04-12T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/291181526/0/alienvault-blogs~Ten-Data-Centre-Migration-Pitfalls


Tips and Tricks for Using USM / OSSIM from an AlienVault Engineer

Topic #1: Customizing SIEM View and Custom Report Modules

One of THE most powerful features of the AlienVault USM SIEM view is the ability to create custom views and save those as re-usable views and as report modules.

HOW TO

First, you need to navigate to the SIEM view, “Analysis-->SIEM”, and select your search criteria, be it a data source, asset or asset group, date range, etc., and get it looking the way you want it. Then, click the “Change View” button, and select “Edit Current View” (or “Create New View” if you want to start from scratch). Set the “View Name:” field to a meaningful name, like “Cisco VPN Logins.” (Do this first to avoid accidentally overwriting the current view.) Make sure the “Include custom search criteria…” check box is ticked. That will ensure your selected search terms are preserved. After that, select which fields you wish to be displayed, and remove those that aren’t that useful. Verify you have set a unique view name, and hit the “Save As” button. When you change your view to the new one, it will be in the list, but at the bottom. Verify everything looks the way you like it. Notice the search criteria is preserved. One last step: let’s create a report module from this view. Click the “Change View” button and select “Edit Current View” again. Remember seeing the “Save as report module” button? Click that, and it will save a report module under “Reports”-->“All Reports”-->“Report Modules”-->“Custom Security Events”.
You can now use this report module as is, or incorporate it into a custom report by combining it with other modules. Just hit the little blue button next to the module to create a custom report from the module. Please note this functionality is not available in OSSIM.

Use case: Custom view/report module name – “Windows FIM Report”

Create a view:
- Date range – Today
- Event Name – contains “FIM”
- Data Source – AlienVault HIDS
- Columns – Event name, Date, Source, Sensor, Category, Subcategory, Username, Userdata1, Filename

Schedule this module to run daily for daily file change reports. You can also restrict the report to specific assets when you set the schedule.

Reference: Creating Custom Reports from Security Events

Topic #2: Email Alert Configuration and Notification

Say for instance you see an event in the SIEM view where a configuration change has been made to your firewall. You would like to be notified from now on whenever this event occurs.

HOW TO

Determine Event Type

First we need to open an event and look at the event details. In this scenario, we will use the “ASA: A user made a configuration change” event, which is Data Source ID 1636, and Event Type ID 111010. Make a note of these two numbers. (Data Source ID 1636 is the general cisco-asa data source that holds all the Cisco related event types.)

Create Data Source Group

The process takes a little bit of planning. First, you need to create a data source group into which you can insert the event.
Navigate to “Configuration” --> “Threat Intelligence” --> “Data Source.” Click on the “Data Source Groups” button, then click on “Add New Group

Published: 2017-04-11T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/290815260/0/alienvault-blogs~Tips-and-Tricks-for-Using-USM-OSSIM-from-an-AlienVault-Engineer


Investing in Security: The Next Dollar In

Improving protection will always require increasing investment. Attackers change tactics to avoid the protections that they have already seen, and advanced attackers continue to prove they can develop attack technologies that penetrate even sophisticated targets. At the same time, pedestrian attackers and automated campaigns rely on finding new victims for older attack vectors, so existing defenses need to remain strong. The IT pro or security administrator needs to consider this blend of existing and expected threats when making recommendations to their organizations about areas to apply additional funds, to maximize the total security provided after the next dollar has dropped.

The security investment model and diversification

In a security strategy, as in a financial investment portfolio, a conservative strategy requires assessment of two main areas: asset strength and portfolio diversity. Each investment needs to be validated as solid, so that the investment isn’t lost, and the portfolio needs to be diverse, either in markets or asset types, to ensure consistent performance against a variety of potential adverse conditions or threats. It helps to really think of your protection as a portfolio, and your choices as investments. One of the leaders of this train of security thought is the current CSO of Aetna, Jim Routh, who has long treated the acquisition of security technologies as a forward-looking investment.
He looks internally for areas needing improvement, and then externally for new ideas to fill the gaps created by new threats or the deteriorating effectiveness of existing solutions. While you may not have Jim’s experience or Aetna’s scale, this is a good mindset to have.

Spending the Next Dollar

Evaluating the strength of your current security assets is straightforward: you, or your predecessor, acquired and deployed solutions that addressed a critical security challenge at that time. This strength will erode over time, as new forms of threat and entirely new classes of attack rise up, and this is where you either need to entirely replace the existing solution with something new and hopefully better, or you need to diversify and add new protection to the infrastructure you have already deployed. Whichever you choose, you should consider the following three questions in making your decision:

What specific improvements am I looking for?

Maybe you are subjected to a new threat from denial of service attacks, from targeted attacks against your own custom web applications, or you have read about ransomware’s path of destruction over the past couple of years. There are likely to be multiple areas, so take the time to prioritize the risks. As you look for solutions that can help, be they perimeter defenses, runtime protection, or threat detection and incident response tools, overlay any new provider’s functionality over your existing protections. You need to be able to identify the cost of your additional protection, and discount the value of redundant protection that the new solution may provide.

How quickly will I realize value?

Security weaknesses continue to add liability every day that they are left open, and the rapid evolution of the threats dictates that solutions lend themselves to rapid adoption. This is an area where there needs to be serious consideration of additional solutions versus complete replacement.
It can be tempting to think about the

Published: 2017-04-10T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/290051548/0/alienvault-blogs~Investing-in-Security-The-Next-Dollar-In


Alien Eye in the Sky 7th April 2017

It's been an exciting week for sure in InfoSec. Here are some of the top stories I found:

1. New features in Open Threat Exchange (OTX)

The world's largest open threat sharing platform has introduced some new tricks. There are many improvements, but perhaps one of the most interesting is the new adversary pages. Each adversary gets its own page and pulls together information from various sources.
Operation Cloud Hopper
Operation Cloud Hopper Pulse

2. Robbing banks

Cybercriminals apparently took control of a Brazilian bank for five hours. During this time they intercepted all of its online banking, mobile, point of sale, ATM, and investment transactions. The attack made use of valid SSL digital certificates and Google Cloud.
Fileless banking malware attackers break in, cash out, disappear
More evidence N. Korea linked to Bangladesh heist

3. Password managers don’t have to be perfect

Troy Hunt weighs in on the LastPass issue and why, despite these issues, the benefits of a password manager outweigh the disadvantages. Overall, this is an excellent point which many security professionals often lose sight of. Often, much time and many resources are spent in an attempt to get the perfect security solution, when in actual fact “good enough” often is adequate.
How changing your Netflix password can save your marriage

4. Infrastructure diversity – Hunting in Shared Infrastructure

A really good read that also serves as a reminder to red teams not to fall into a rigid routine.
Russian hackers have used the same backdoor for two decades

5.
Explaining the broadband privacy bill

The average person remains somewhat confused about what the privacy bill is and what it means. Like, what can your ISP track or not? So JD wrote a letter to his family explaining it.

6. Don’t mess with your IoT provider

It’s not just cyber-criminals that are looking to hold your IoT devices to ransom. A customer purchased an IoT garage opener and wasn’t overly happy with it, so left a negative review. The result: the manufacturer blocked the device from accessi

Published: 2017-04-07T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/288788704/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-April


How to Prepare an Effective Threat Intelligence Team

Cyber threats are rapidly evolving due to the broadening motivations behind attacks, and the increased sophistication of the attacks themselves. Protecting organizations from cyber threats often requires expertise available outside the organization. For security professionals and executives, threat intelligence is the information that expands your visibility into cyber threats beyond the physical edge of your network. Conducting threat intelligence that is significant and actionable requires specialized proficiency, knowledge and tools. Experts must know where to dig for information that may be hiding in the most unexpected areas of the Internet, including hacker communities, to create the “big picture” from thousands of different pieces of data. Threat intelligence is evidence-based facts, including framework, mechanisms, implications and actionable suggestions, about existing or emerging threats and risks to an organization’s assets, that can be used to make decisions regarding the response to that threat and risk.

Why Threat Intelligence?

Organizations are under tremendous pressure to handle threats.
There is a vast variety of information available, but it’s hard and time-consuming to get meaningful information from it. This has caused many users and organizations to look towards threat intelligence, as it can help prioritize threats and alerts and provide actionable information. Threat intelligence can:

Prevent Financial Loss

Whenever informed decisions are made in a timely manner, it prevents system downtime. Moreover, it also prevents the theft of confidential data, protects your intellectual property, and saves your organization’s reputation and customers. Not only would a breach cost your organization upfront, but the post-incident remediation and restoration costs can run into the millions of dollars.

Encourage Efficient Utilization of IT Resources

Conducting threat intelligence is a time- and resource-consuming process. Most organizations do not have enough specialized staff to generate relevant information fast enough. Instead of engaging internal resources to organically generate this intelligence, leveraging platforms that are designed to automatically generate and integrate this intelligence into an organization’s infrastructure can free up staffing resources for other work. This can save organizations hundreds of thousands of dollars.

Let You Invest Wisely in Your Infrastructure

Threat intelligence helps you make informed decisions about investing in your infrastructure and business. For example, when you notice an increase in suspicious connections to your company from a specific geographic location, you can consider investing in a tool to counter the issue.

In order to prevent risks and threats to your organization’s processes, a threat intelligence team should be prepared to deliberately look for potential threats to the organization’s intellectual information. There are many factors that should be considered before creating a team to effectively use intelligence to drive enterprise security, some of which include:

1.
Establish an intelligence priorities framework

To effectively use intelligence, organizations must first set up and prioritize the information they will need. This can be done by identifying the intelligence gaps that exist, formulating requirements, and then classifying requirements into categories that are suitable to the organization’s framework.

2. Incorporate and consolidate intelligence sources

There are various sources that can be used to collect intelligence for enterprise security:
- Technical sources: This includes the IDS, firewall, next-generation endpoint security,

Published: 2017-04-06T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/288437182/0/alienvault-blogs~How-to-Prepare-an-Effective-Threat-Intelligence-Team


Defining and Addressing the Growing Cyber Insider Threat

What Is Insider Threat – read more

The recent “Vault 7” WikiLeaks download of thousands of pages of sensitive CIA hacking tools and techniques is the latest episode in a series of high profile insider breaches. Other noted examples include:
- Army Pfc Chelsea Manning - 400,000 documents - Iraq War logs, 91,000 documents - Afghanistan database
- Edward Snowden - 50,000 to 200,000 NSA documents
- Harold Thomas Martin III, NSA contractor - 50,000 gigabytes, about 500 million documents
- Home Depot data breach - 56 million credit cards
- Yahoo - 1 billion accounts
- Twitter - 32 million accounts
- Healthcare – 4 million patient records

The average cost of a data breach in 2016 was $4 million dollars/company (Ponemon). Global business loss in 2014 was $1.7 trillion dollars with 23% annual growth. 2016 losses could be higher than $3 trillion dollars globally (stats courtesy of Mr.
Thomas Kupiec – Chief Information Security Officer – SMS and former CISO of the National Geospatial Intelligence Agency).

There are voluminous lists of breaches (see infographic); not all of them are insider breaches, but many of them can be attributed to actions from someone on the inside. These data breaches touch every vertical of society: security, healthcare, financial, transportation, and commerce.

Source for Infographic

For Chief Information Security Officers (CISOs), defending against insider threats is the biggest challenge. In fact, according to a recent SANS Survey on Insider Threats, 74% of CISOs expressed concern about employees stealing sensitive company information. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyber-attacks were carried out by insiders. The Verizon 2016 DBIR Report disclosed that 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, 3 percent were from partners and 8 percent involved internal-external collusion, which makes them hard to categorize. And according to Accenture HfS Research, 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months.

TYPES OF INSIDER BREACHES

To understand vulnerabilities to insider threats, it is important to be able to define and categorize the types. The Information Security Forum (ISF) provides a good framework for describing insider breaches:

Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
Negligent: Negligent behavior can occur when people look for ways to avoid poli

Published: 2017-04-05T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/288094132/0/alienvault-blogs~Defining-and-Addressing-the-Growing-Cyber-Insider-Threat


Attackers Shifting to CNP Exploits as EMV is Implemented for Credit Cards

Sometimes cybersecurity trends are counterintuitive. Credit and debit cards that use integrated circuit chips, EMV technology, were designed to be less vulnerable to fraud than the previous magnetic-stripe-only standard. But as more and more of us have EMV cards in our wallets, credit card fraud appears to be on the rise.

EMV is an acronym for Europay, MasterCard, Visa. Those three entities originally developed the standard. But now the standard is managed by the EMVCo consortium, and institutions around the world use it for credit and debit cards, including Interac, American Express, Discover, ZKA, JCB, RuPay, and Banrisul. Cards with the standard include magnetic stripes and raised lettering for backwards compatibility.

The enhanced security of the chip is only enjoyed with “card present” transactions through chip-reading ATMs and retail point-of-sale terminals. “Card present” transactions specifically exclude manual entry of the card number for an online purchase. Those transactions are referred to as “card not present” or CNP.

EMV implementation seems to be reducing fraud in “card present” transactions. In the United States, merchants that accept MasterCard and other EMV cards have been required to use EMV compliant terminals as of October 1st, 2015. When that requirement took effect, legal liability for credit card fraud was shifted from banks to retailers. According to a study by MasterCard, within less than a year, fraud incurred through EMV-compliant merchants was reduced by 54%. That's great news, right?
It is if you are an American retailer that uses EMV-compliant terminals for “card present” transactions. But there's bad news for online retailers and other merchants that take CNP transactions. For American retailers, the weekend between Black Friday and Cyber Monday, kicking off the holiday shopping season, is the most lucrative period of the year. And more Americans are shopping online than ever before. Well, per Iovation, CNP fraud during that weekend increased by 20% when comparing 2015 to 2016, and by a whopping 34% when comparing 2014 to 2016. Yikes!

An Aite Group/Iovation study estimated that credit card fraud in total would hit $4 billion in 2016, a record level. That's total credit card fraud, including “card present” and CNP transactions in the United States. Theoretically due to wider EMV implementation, attackers appear to be shifting their efforts from attacks which target magnetic stripes to cyberattacks which target CNP online retailing. The stolen card data then gets sold via the Dark Web, costing American consumers billions of dollars.

“It is going to get worse. We should still be going to EMV, but people should not get a false sense of security,” Aite Group research director Julie Conroy said. That insight is reflected in the Javelin 2016 Identity Fraud report, published in February 2016. According to the report, there has been a 113% increase in new account fraud since EMV compliance was made mandatory on October 1st, 2015. That sort o

Published: 2017-04-04T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/287721742/0/alienvault-blogs~Attackers-Shifting-to-CNP-Exploits-as-EMV-is-Implemented-for-Credit-Cards


What Is Your InfoSec Song?

Think of one of your favorite empowerment songs. A song that inspires; a song that matters. Sing along with the sound in your head.
Sing until it affects you the same way it does when you hear it coming out of your speakers or blasting in your headphones. Now, stop and think for a moment: What is it about that song that makes it special to you? Perhaps it is a particular word, a phrase, the way it is built up to a tension point and then released. Or maybe it is a special cadence or other harmonic development that makes it special. Music communicates on a deep level that goes beyond the mere notes and words. It makes us feel a special connection; it transcends!

Can the “music” of InfoSec be just as impactful as that special song? How do we communicate our message? Take something as simple as how you start your sentences. Do you begin describing a security concept with “The problem is . . .”, or do you approach it in a way that is more inspiring than the traditional impending-doom-speak so common in our profession? I can name at least one song that actually begins with the words “The problem is . . .” but that is not the point of this. (It is also not a very uplifting song.)

Think about how you construct the narrative when speaking, writing, or in any way communicating your vision of Information Security to others. Is it possible to start slowly, with an idea that you can grow into a chorus that will appeal to others on the same level as that song that makes you feel empowered? Please don’t write an InfoSec song; there are enough of those, and while many are quite good, they entertain the already initiated few of us. Instead, think of how you can start with the idea of security and grow it into the main point that you are trying to convey. Words without music. Can you relate your point to a story? People love stories, and our field is filled with wonderful, sometimes riveting tales that make what we do interesting. Tell the story the same way that a good song leads up to the “hook” that drives the message home.
Remember, you are the face of information security in your organization, amongst your friends, and wherever else you go where you are known as the subject matter expert. If your song is one of doom and gloom, whenever those folks see your face or hear of information security, they will be triggered into feeling doom and gloom. If you have ever tried to write lyrics to a song, you will know that it is not easy. Lyricists are a special breed who know how to reach into the soul. InfoSec is also not easy. But rather than bemoan the difficulties of communicating our vision, perhaps it is time for us to find a way to reach into the souls of those we want to touch, not through fear, but through empowerment.

Published: 2017-04-03T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/287371330/0/alienvault-blogs~What-Is-Your-InfoSec-Song


Alien Eye In The Sky 31st March 2017

Backdoor The Encryption

The British government is making fresh calls to ban end-to-end encryption, claiming that apps like WhatsApp provide a safe haven for terrorists. The home secretary Amber Rudd said it was “completely unacceptable” that the government could not read messages protected by end-to-end encryption. If all of this sounds familiar, it’s because it is. It's echoing what David Cameron said should happen after the Charlie Hebdo shooting.
The Independent refers to Amber Rudd’s call to end WhatsApp encryption as “Incredibly naïve”.
Ars Technica asks, Why not ban cars Amber Rudd? It’d be more effective than banning encryption
The Guardian: “WhatsApp must be available to authorities”

US ISPs Can Sell Browsing History

Is this the final nail in the coffin for privacy? Has it been taken around the back and double-tapped? Or was it never alive to begin with? These are interesting questions, ones that future generations will probably be too scared to ask.
From a business perspective, it does put ISPs at odds with VPNs, or indeed any form of protection that makes it difficult to track user activities.
The Register: Your internet history on sale to the highest bidder
Gizmodo: Congress just gave internet providers the green light to sell your browsing history without consent.

My Video Of The Week

It’s all well and good getting aggravated at the fact that governments and service providers don’t appear to be overly concerned about preserving individual privacy. But that doesn’t mean individuals can’t restrict the information about them that can be accessed. Where possible individuals should take control, and pass on good habits to friends and family around them.

TROOPERS 2017 Wrap Up

It was the 10th anniversary of the TROOPERS conference in Germany. Xavier Mertens (xme) attended and wrote a wonderful four-part series highlighting the key elements from the talks he attended. If you’re not familiar with Xavier’s work, he consistently provides some of the best written wrap-ups from conferences. As more conferences tend to record their talks, it appears as if fewer people take notes beyond tweeting out a few lines, which makes Xavier's recaps a welcome change of pace, especially for those who don’t have time to sit and watch hours of talks.
Day 1 wrap-up
Day 2 wrap-up

Published: 2017-03-31T13:00:00+00:00, AlienVault Blog, http://feeds.feedblitz.com/~/286309866/0/alienvault-blogs~Alien-Eye-In-The-Sky-st-March


Fool Me Once, Shame on You

Given the right circumstances, most people can be fooled easily with tried and tested pranks that have been repeated and perfected over the years, like swapping out salt for sugar, or applying a liberal dose of Vaseline to a door knob.
Making the same mistakes repeatedly, or falling for the same pranks, will make for a good laugh amongst friends, but in a business context the impact can be more far-reaching and harmful. Let's look at five of the most common issues that crop up repeatedly for businesses.

Injection flaws

Injection flaws such as SQL injection and cross-site scripting (XSS) are well documented and have existed in applications for many years. However, they are still frequently found in production systems, time and time again, despite being widely publicised and relatively straightforward to find and address.

Suggested April Fool’s prank: Developers who repeatedly push out insecure applications need to have scented air fresheners hidden all over their office!

Legacy systems

Running legacy systems is sometimes required. It's not easy to replace old architecture, but when it begins to undermine the security of systems and limit the controls that can be put in place, such legacy systems become liabilities. After all, you can only run your core business functions on Windows XP for so long.

Suggested April Fool’s prank: For those who procrastinate too long, place a balloon over their car exhaust so it will pop when they start their car.

Phishing

One of the most prevalent and common techniques attackers use to access systems and defraud companies is phishing. Most people have either been the victim of a phishing scam, know someone who has been a victim, or at the very least have heard about the dangers of phishing. Some modern techniques appear very convincing, so users are not entirely to blame, but a bit of extra vigilance can never hurt. In addition, it does appear that phishing crooks can fool some of the people quite often.

Suggested April Fool’s prank: For those who are slow to learn, hard boil all the eggs in a carton and place them back in the fridge.

Passwords

Much like politics and religion, passwords are a touchy subject.
However, password re-use remains a large problem, allowing criminals to use data from one breach to access accounts on different sites. This is indeed one of the oldest tricks in the book to fall for.

Suggested April Fool’s prank: The only way to deal with a chronic password re-user is to fill their hair-dryer with baby powder.

It's not a matter of if...

Being attacked, and even breached, is no longer reserved for the largest of companies. Companies of all sizes have data that can become a target. Despite this fact, we see far too many companies that are ill-equipped to detect or respond to an attack. Trying to formulate a response plan once an attack is underway is akin to trying to change a flat tire while driving down the motorway: it won't end well.

Suggested April Fool’s prank: To help develop on-the-fly response skills, replace Oreo cream filling with toothpaste and offer one to someone.

Conclusion

This April Fool’s Day would be a great opportunity to reach out to employees to remind them to be vigilant and stay on their toes! Employees that are trained

2017-03-30T13:00:00+00:00 http://feeds.feedblitz.com/~/286041510/0/alienvault-blogs~Fool-Me-Once-Shame-on-You www.secnews.physaphae.fr/article.php?IdArticle=350025

Survey Results: Cloud and IoT Security

survey on cloud and IoT security for RSA 2017. He missed RSA due to having a new baby, but we went ahead and conducted his survey in our booth at RSA. While we missed him, we were able to get input from 974 RSA conference attendees.
Here's a brief summary of the results and Javvad's conclusions from the data we gathered.

Key Survey Findings

- Our RSA survey finds that one third of respondents describe the state of security monitoring within their organization as “complex and chaotic”.
- Although there are concerns around the use of IoT devices, nearly half of respondents believe that the benefits of IoT technology outweigh the risks.
- Approximately one-fifth of security professionals don’t know how many cloud services are in use within their organization, and 40 percent of them are not consulted before a new cloud platform is deployed.
- Nearly half of security professionals prefer to monitor cloud environments rather than on-premises ones.
- Gaining visibility into the cloud was a significant concern, with 42 percent responding that the lack of visibility presents a security risk.

Conclusions

It’s vitally important to know what assets you have and where. Cloud and IoT each present different challenges in this regard. Cloud can spin instances up and down on demand, but what you don’t always know is how many different cloud apps are in use at a particular point in time in a given environment. IoT, on the other hand, introduces physical devices into the environment, and while keeping track of the assets might be easier than with cloud, physical security becomes a larger concern.

Ultimately, you can’t stop progress. Instead, you need to adapt to it and find ways to make it better through better monitoring. Regardless of how technologies continue to change and evolve, the principles of threat detection will largely remain the same: knowing which assets you have, identifying where vulnerabilities exist, and monitoring to detect when attempts are made to exploit those vulnerabilities, be it directly or indirectly.

Growing complexity remains an ever-increasing challenge for security professionals.
For this reason, steps should be taken to streamline the technology stack and associated business processes. Unification of security utilities can prove invaluable in streamlining monitoring for threats across the different cloud, on-premises, and physical environments.

Finally, it’s important to understand that for many new businesses, and indeed even traditional businesses, the value of the business no longer resides in the physical premises or inventory; rather, it is contained within its data. This makes data security all the more important from an organizational point of view. Criminals are also wise to the value of corporate data and continually evolve attack techniques that can increase their chances of success. For this reason, a reliable and continuous source of threat intelligence can help keep companies on top of all the latest attack techniques and emerging threats, whether they affect the public cloud, private cloud, on-premises infrastructure, or Internet of Things devices.

Read the full report!

2017-03-29T13:00:00+00:00 http://feeds.feedblitz.com/~/285756322/0/alienvault-blogs~Survey-Results-Cloud-and-IoT-Security www.secnews.physaphae.fr/article.php?IdArticle=349144