www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr. Feed generated 2024-05-05T13:53:47+00:00.

Source: AlienVault Blog (AlienVault is a major defensive actor in IOCs)

StoneDrill: Shamoon Wiper Attacks Reloaded – Notes from the Underground

One especially terrible sequel features a criminal hacker hell-bent on the destruction of a petrochemical target using the same attack methods as the original. No, I'm not talking about Speed II: Cruise Control, but rather the recent resurgence of Shamoon malware. After four years of lurking in the shadows, a notorious disk-wiping malware known as Shamoon has resurfaced, with new variants targeting the Middle East and Europe. The new wiper variants are more sophisticated and dangerous, and one in particular, StoneDrill, is more elusive than ever.

What Is Disk Wiper Malware and Why Is It So Nefarious?

Disk wiper malware has been used in cyber espionage attacks, mainly against oil companies and governmental organizations in Saudi Arabia. Wiper malware is designed first to exfiltrate data and then to cover its tracks by wiping data from the machine, either by deleting it or by overwriting it with garbage. Shamoon specifically overwrites the master boot record (MBR) of a PC, leaving the machine unable to boot. It is cyber espionage with an aggressive nihilistic twist. Shamoon works to gain administrative privileges within a network and then spreads to infect as many machines as possible.

That is how Shamoon gained notoriety back in 2012. The Shamoon campaign destroyed 35,000 workstations at Saudi Arabia's state-owned oil company, Saudi Aramco. Then-U.S. Defense Secretary Leon Panetta described the attack as "probably the most destructive attack the business sector [had] seen to date."(1) While the Shamoon campaign primarily targeted Saudi companies, a wave of similar wiper attacks soon followed, notably against major Asian financial institutions (DarkSeoul, 2013) and Sony Corp (Destover, 2014). Since then, however, Shamoon had all but disappeared. Then, like a terrible sequel that no one wanted to see, Shamoon resurfaced in late 2016 in waves of targeted cyber espionage campaigns against private companies and governmental organizations in the Gulf region and beyond.

StoneDrill and Shamoon 2.0: New Wiper Attacks Are on the Rise

A new variant of Shamoon, Shamoon 2.0, emerged in November 2016 and January 2017 in two separate attacks against multiple private companies and government and civic organizations in Saudi Arabia. The new variant has the same goal as the original: to steal sensitive data and then unleash a symphony of destruction on its victims' networks. According to one Bloomberg news report regarding the November 2016 attack, "Thousands of computers were destroyed at the headquarters of Saudi's General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days." IBM researchers traced the initial point of compromise for the Shamoon 2.0 attacks to phishing emails targeting HR employees with resume-like MS Word attachments carrying malicious macros, which launched PowerShell to communicate with a C2 server.(3) While analyzing Shamoon 2.0, security researchers at Kaspersky Lab identified StoneDrill, a similar wiper.(2) While StoneDrill shares attributes with Shamoon 2.0, it has a different code base, is reportedly better at evading detection, and does not rely on communication with a C2 server.
While StoneDr

Published 2017-03-28T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/285498588/0/alienvault-blogs~StoneDrill-Shamoon-Wiper-Attacks-Reloaded-%e2%80%93-Notes-from-the-Underground Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=348238

Alien Eye in the Sky 24th March, 2017

Keeping an eye on the latest in the world of information security week after week illustrates the variety of concerns, errors, and attacks that present themselves.

It has been reported that a British bank is 'identifying trafficked sex workers by tracking contraceptive spending'. While the cause may be good, one must wonder how long it will be before banks are sharing full-scale spending analysis and profiling with Big Brother.

Bug bounties and coordinated vulnerability disclosure continue to be adopted. With Intel offering up to $30,000 for bugs in its hardware and the UK's NCSC launching a vulnerability coordination pilot, it is in the news.

Self-driving cars have been the fantasy of most kids who grew up in the 80s watching Knight Rider. There have been many exciting developments in this space, but it still looks as if truly self-driving cars have little more than lane discipline and adaptive cruise control: Uber's autonomous cars drove 20,354 miles and had to be taken over at every mile, according to documents.

An interesting and in-depth read: The New Handbook For Cyberwar Is Being Written By Russia.

People will often complain about government agencies such as the NSA or GCHQ being able to spy on individuals. However, it is important not to overlook those who seek to gain access to your systems and data for nefarious activities that can directly impact you. As this article takes the creepiness level up to 11, it is worth remembering that even simple security measures such as webcam covers (or a bit of tape) can help prevent harassment. Meet the men who spy on women through their webcams.
How to Think About Likelihood, Probability and Frequency.

More interesting stories:
Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom
Saks Fifth Avenue, Three U.K. Mistakenly Expose Customer Data
Double Agent attack can turn antivirus into malware
With a couple of comments from me, How to keep your laptop safe under the new airline ban.
Russian man pleads guilty to over $500m malware s

Published 2017-03-24T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/284529508/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-March Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=345749

Intermediate Mitigation Measures May be Required for Apache Struts Vulnerabilities

The general consensus among InfoSec professionals is to patch critical vulnerabilities such as the Apache Struts vulnerability as soon as the vendor makes a patch available. So why might your company not simply patch Apache Struts and go on its merry way? Not all events can be remediated immediately. Very often, intermediate mitigation measures must be taken to lower the risk of exploitation and protect assets quickly.

For example, the Apache Struts vulnerability posed an immediate threat to web servers: an attacker could remotely execute arbitrary commands on the web server. This is a very serious vulnerability with a high risk of exploitation and a large number of active exploits in the wild. Apache made a patch available, and the solution would seem to be simply applying it. However, this is not as simple to execute as it may appear. Apache Struts is a framework for building Servlet/JSP web applications and is embedded in the web applications themselves. That means the development team in your organization has to update the library and rebuild the application. It then has to be deployed to QA for regression testing before being pushed to production. This requires time and change windows.
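The interim mitigation this article goes on to recommend is blocking the exploit traffic with an IPS signature and then watching for that signature being circumvented. The Python below is an added example, not code from the article or from AlienVault: it models a naive signature and a hardened one that normalises the header value before matching, runs both over constructed requests, and reports which requests the deployed rule would have let through. The header name, the expression-language opener the rules look for, and the sample payloads are assumptions chosen for the illustration; the payload strings are inert and are not an exploit.

```python
import re
from urllib.parse import unquote

# Naive rule: the literal expression-language opener, the way a first-cut IPS
# signature is often written.  The opener itself is an assumption for this
# example, not a rule quoted from the article or from any vendor.
NAIVE_RULE = re.compile(r"%\{")

# Hardened rule: the same idea applied to a normalised header value, and
# covering both common openers.  Still a signature, so still bypassable by a
# payload shape it has not seen; the point is to buy time, not to fix the bug.
HARDENED_RULE = re.compile(r"[%$]\{")


def normalise(value: str) -> str:
    """Percent-decode repeatedly (bounded), drop whitespace, lower-case."""
    decoded = value
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return re.sub(r"\s+", "", decoded).lower()


def naive_blocks(headers: dict) -> bool:
    """Would the naive signature block this request?"""
    return any(NAIVE_RULE.search(v) for v in headers.values())


def hardened_blocks(headers: dict) -> bool:
    """Would the hardened (normalising) signature block this request?"""
    return any(HARDENED_RULE.search(normalise(v)) for v in headers.values())


# Constructed sample requests, reduced to their headers.  The "payload" values
# are inert strings shaped like an expression-language fragment; they are not
# an exploit and nothing here evaluates them.
SAMPLES = {
    "benign_upload": {"Content-Type": "multipart/form-data; boundary=----abc123"},
    "plain_payload": {"Content-Type": "%{(#demo='inert')}"},
    "url_encoded":   {"Content-Type": "%25%7B(#demo='inert')%7D"},
    "spaced_opener": {"Content-Type": "% {(#demo='inert')}"},
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (blocked_by_naive, blocked_by_hardened)} per sample."""
    return {name: (naive_blocks(h), hardened_blocks(h)) for name, h in samples.items()}


def evasions(samples: dict = SAMPLES) -> list:
    """Requests the hardened rule catches but the deployed naive rule misses:
    the monitoring signal that the interim signature is being circumvented."""
    return [name for name, (naive, hard) in evaluate(samples).items() if hard and not naive]


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:14s} naive={naive!s:5s} hardened={hard}")
    print("evasions of the naive rule:", evasions())
```

The normalisation has to mirror what the target application actually accepts (which decodings, which openers); otherwise the hardened rule either blocks legitimate traffic or still misses payloads, which is why the advice to keep watching traffic until the patch ships holds even with the better rule. evasions() is that monitoring check: anything it returns is traffic the deployed signature let through.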
In addition, if they are running older versions of Apache Struts (and not merely the version immediately before the fix), they may face even more development and test time, further delaying the organization's ability to patch the vulnerability.

An interim mitigation measure is to deploy signatures to an Intrusion Prevention System (IPS), thereby blocking the exploit traffic. Test the IPS rules by monitoring network traffic to ensure the malicious traffic is blocked until the system can be safely patched.

Important! Containment measures such as this have a very short shelf life, as attackers have access to the same tools and can change the payload to circumvent the signature. It is critical to monitor traffic to ensure the IPS rule is correctly applied and is not being circumvented until a more permanent fix can be applied.

Here's the OTX Pulse relating to the vulnerability:

Published 2017-03-22T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/283812320/0/alienvault-blogs~Intermediate-Mitigation-Measures-May-be-Required-for-Apache-Struts-Vulnerabilities Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=343108

Hybrid Cloud Security, Part III: A New Approach to Threat Detection in the Cloud

Part One: How security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments
Part Two: New security challenges that are introduced by cloud environments
Part Three: Best practices for securing your hybrid cloud environment

Develop good identity and access management practices

In Part Two of this series, we looked at how mismanaging your cloud credentials can be an expensive mistake. It is also a common pitfall in cloud security.
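The IAM guidance in this part rests on groups defined by least privilege and a routine that checks the configuration still matches the policy. As an added example (not code from the article, from AlienVault, or from AWS), the Python below audits a constructed snapshot of an account's groups, users and policy documents for the most common departures from least privilege: wildcard actions, write-capable actions granted on every resource, and permissions attached directly to a user instead of through a group. The snapshot, user names, bucket name and the read-only heuristic are all assumptions made for the illustration; in practice the same checks would run over policy documents pulled from the account.

```python
# Constructed sample policy documents and a constructed account snapshot.  None
# of this is from the article, from AlienVault, or from a real AWS account; the
# names and ARNs are made up for the illustration.
ADMIN_EVERYTHING = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}
DEPLOY_WIDE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
SNAPSHOT = {
    "groups": {
        "auditors": {"policies": [READ_ONE_BUCKET]},
        "admins":   {"policies": [ADMIN_EVERYTHING]},
    },
    "users": {
        "alice": {"groups": ["auditors"], "inline_policies": []},
        "bob":   {"groups": [],           "inline_policies": [DEPLOY_WIDE]},
    },
}

# Heuristic (an assumption of this example): actions whose API verb starts
# with one of these are read-only.  Many of them legitimately need Resource "*".
READ_ONLY_PREFIXES = ("get", "list", "describe")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy: dict, label: str) -> list:
    """Least-privilege findings for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append(f"{label} stmt {i}: Allow with NotAction is an inverted allow-list")
        if "*" in actions:
            findings.append(f"{label} stmt {i}: Action '*' grants every API call")
        findings += [f"{label} stmt {i}: service-wide wildcard {a}"
                     for a in actions if a.endswith(":*")]
        # Resource "*" is unavoidable for many Describe/List calls; flag it
        # only when a write-capable action rides along with it.
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"{label} stmt {i}: write-capable action on Resource '*'")
    return findings


def audit_account(snapshot: dict) -> list:
    """Findings across groups and users: broad policies, permissions attached
    to users directly instead of through groups, and users with no access at all."""
    findings = []
    for gname, group in snapshot["groups"].items():
        for n, pol in enumerate(group["policies"]):
            findings += audit_policy(pol, f"group {gname} policy {n}")
    for uname, user in snapshot["users"].items():
        if user["inline_policies"]:
            findings.append(f"user {uname}: inline policy attached directly; grant via a group")
        for n, pol in enumerate(user["inline_policies"]):
            findings += audit_policy(pol, f"user {uname} inline {n}")
        if not user["groups"] and not user["inline_policies"]:
            findings.append(f"user {uname}: no group and no policy (stale identity?)")
    return findings


if __name__ == "__main__":
    for finding in audit_account(SNAPSHOT):
        print(finding)
```

Run as a script it prints five findings for the sample: two against the admins group policy and three against bob, whose deployment rights were attached inline rather than through a group. Scheduling a run like this against exported policies is the kind of routine check the paragraph asks for; the heuristics are deliberately simple and should be tuned to the services an account actually uses.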
According to Gartner analysts Neil MacDonald and Greg Young, "Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities." They recommend building your cloud security on a solid foundation of identity and access management (IAM) practices, and I agree. Cloud IAM best practices include both the use of the cloud provider's IAM services and the establishment of organizational policies around those services. For example, in AWS you can use IAM groups to manage cloud users who need the same permissions to AWS resources to do their jobs, and you should define those groups according to the principle of least privilege. Whether you are just starting out with public cloud computing or already have production systems in play, make the effort now to establish your IAM guidelines and policies, and establish a routine to verify that your IAM services remain configured and working accordingly. You can find more in-depth best practices on AWS and Azure identity and access management below, respectively.

AWS S

Published 2017-03-21T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/283491626/0/alienvault-blogs~Hybrid-Cloud-Security-Part-III-A-New-Approach-to-Threat-Detection-in-the-Cloud Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=341764

Interview with Daniel Cid, founder of OSSEC

Daniel Cid is the founder and CTO of Sucuri. He is also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security and the security of content management systems (CMS).

Q: What are the most serious challenges and trends you are seeing with website security?

At a high level, the most popular CMS platforms (e.g. WordPress, Magento, Drupal, etc.) and frameworks are getting a lot better in terms of security, whether through secure-by-default configurations or by employing more appropriate secure coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform leading the charge on this is WordPress, and the best illustration of this system is the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch millions of sites very quickly and effectively, within a one-week period.

As impactful as these changes are, however, they aren't stopping the attacks and the compromises. Simply put, it is not that platform security is the problem, but rather that website security is much more complex than code or tools, and needs the people and processes behind it to remain secure. Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note that it actually takes a lot more than 5 minutes to secure and harden the environment, let alone configure it to be fully functional to your liking. That isn't the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today's webmasters, which is very low.

So I think the main challenge I see right now is that there needs to be a level of education for the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and they include investing some energy into security. These steps need to be more visible, actionable and easier to adopt.

Q: Can just buying products really fix website security?

No. Technology alone will never be the solution; just buying a product won't work at any level of security. Note that we do sell cloud-based security software (a WAF for websites), but we work very hard to have a dialogue with our customers in which we try to educate and communicate the importance of people, process and technology in their security posture.

Q: What do you think about OWASP and other organizations that are focused on web application security?

I think they are great. They are a powerful resource for developers and security professionals to be more aware of web application security issues.

Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using WordPress currently?

The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spre

Published 2017-03-20T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/283151240/0/alienvault-blogs~Interview-with-Daniel-Cid-founder-of-OSSEC Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=340899

Did Twitter Get Hacked? Alien Eye in the Sky 17th March 2017

It was a busy week in the world of security, with many people wondering whether Twitter had been hacked when they saw many verified accounts posting spam. Luckily it turned out that Twitter itself was secure and the compromise had occurred at a third party, serving as another reminder of the importance of third-party and supply chain security.
Other interesting news articles from the week included:
What if your life depended on secure code
Phishing exercises without the "ish"
Robert Mercer: the big data billionaire waging war on mainstream media
Oscar envelopes explained: how presenters get winning names
Vice News YouTube video commenter set for retrial over 'menacing' posts
Cop blocked: Uber app thwarted arrests of its drivers by fooling police with "ghost cars"
Attacking machine learning with adversarial examples
The Dark web has shrunk by 85%
Let's Encrypt are enabling the bad guys, and why they should.
Tim Berners-Lee, who invented the World Wide Web, now wants to save it

Published 2017-03-17T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/282151436/0/alienvault-blogs~Did-Twitter-Get-Hacked-Alien-Eye-in-the-Sky-th-March Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=340037

Change is Automatic, Progress is Not

My job was to receive incoming calls, type out the message, and send it to the relevant pager. On the whole it was a boring and repetitive job, with few breaks and strict managers. On the plus side, the workforce consisted mainly of students like myself who were grateful for an easy job that paid £4 an hour. Mixing youthful exuberance with decent pay created a certain buzz around the office, particularly on warm summer days when the sun would pour in through the windows and just over 350 operators would be busy on calls, spinning on chairs, throwing Maltesers at each other, trying desperately not to laugh while typing out a message informing Dr. Jones she was needed in ward number 3. It created a vibrant atmosphere that resembled a mixture of a daytime club and a scene out of Wall Street. But nothing lasts forever, and a few short years later the office was abandoned and the company had folded. Mobile phones were the reason.

Lower prices had made them accessible to the masses, and once text messaging services took off, the humble pager became obsolete. Usually a new technology will cannibalise one industry, as CDs did to vinyl records. Mobile phones, on the other hand, were not satisfied with just impacting the pager industry. As the functionality and capabilities of handsets grew, so did their targets. Mobiles became the de facto camera, music player, email client, and internet browser. With the explosion of 'apps' the capabilities have only increased.

The term 'disruptive' is thrown around a lot regarding technology. Perhaps mobile devices deserve the term more than any other, forcing many industries to change or wiping them out altogether. Standard point-and-shoot camera capabilities have been outpaced by mobiles, forcing camera manufacturers to focus more on the 'prosumer' market, catering to consumers who don't necessarily need professional equipment but need something that packs more of a punch than the standard phone camera. Similarly, toy manufacturers are seeing children move away from physical toys to software-based entertainment. Everything from publishing, taxis and shopping to banking and payments has been disrupted as consumers want maximum functionality crammed into their handheld device.

The "other" disruptor - Tales from Three Former Colleagues

* Based on his work experience, I guess "Tim" to be in his mid-forties. His heavy set and weary face tell the story of someone who has lost far too many hours on support calls over the years. He started work in IT and then moved into IT security, working his way up the ranks to middle management in charge of a team of 11 at a Fortune 500 company. We are in a coffee shop tucked away in one of the many small lanes behind Aldgate East, the melting pot where London's financial hub bleeds into the East End, the Jack the Ripper territory of Brick Lane.
Tim lets out a deep sigh when I ask about disruptive technologies and mobile phones. He runs his index finger along the brim of his coffee cup before flashing the briefest of smiles. "Mobiles, tablets and this whole bring-your-own-whatever nonsense has changed stuff for sure. But cloud is where the real change has hap

Published 2017-03-15T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/281253079/0/alienvault-blogs~Change-is-Automatic-Progress-is-Not Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=337846

Centralized Logging in the Cloud

Centralized logging is essential to network security and compliance reporting. So how does log management evolve as you migrate services and workloads to public cloud infrastructure?

Not to sound dramatic, but log data is the lifeblood of your security posture. The data captured in the logs of your network devices, systems, and applications feeds into your Security Information and Event Management (SIEM) solution, telling you who, what, when, where, and how an attack happened, or, better yet, how an attack is happening so that you can respond immediately. As you migrate services and workloads to a public cloud infrastructure like Amazon AWS or Microsoft Azure, it is important to know what log data is available to you, how to access it, and how to analyze all of your log data to get a complete view of your security and threat posture.

In this blog, we'll look at how centralized log management changes in the public cloud, as well as the native logging and monitoring services and components provided by AWS and Azure. We'll also look at how to centralize all your log data, cloud and on-premises, in a cloud-ready unified security management solution.
Logging in the Cloud – A Shared Responsibility

When you run your systems and applications and store your data on-premises, whether in a physical or virtual network environment, centralized logging is a relatively straightforward process. When you own your physical infrastructure, you get complete, top-to-bottom visibility of your IT stack. In this environment, you can readily access, aggregate, and send log data from all your network devices, systems, and applications to your SIEM or unified security management platform for security analysis and storage.

By contrast, when cloud service providers like Amazon and Microsoft own the network infrastructure and make it available to you as a service, whether as Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), you no longer have the same control over the underlying hardware, computing, and networking resources that support your cloud workloads. Instead, the cloud service provider takes responsibility for maintaining and securing the cloud infrastructure (basically, everything from the hypervisor down to the physical layer), while leaving you responsible for securing the guest operating systems, services, and applications running on top of it. This separation of security concerns is known as the Shared Responsibility Model, a main pillar of cloud and hybrid cloud operations and security.

While the shared responsibility model does put some limitations on your visibility and control of your cloud IT stack, it is not a total black box. Cloud service providers expose log data from their services and APIs through native log collection and monitoring services, so you have visibility of your cloud environment, resources, and activities. You can use these services to collect and send log data to your SIEM environment, where it can be correlated with other data sources to get a complete picture of the security posture of your hybrid cloud environment.

The cloud logging and monitoring services provided in AWS and Azure include (but are not limited to):

Amazon AWS CloudWatch
CloudWatch is a logging and monitoring service for your AWS resources and the applications you run on AWS. You can use CloudWatch to retrieve log data from your AWS instances (EC2), Elastic Load Balancing (ELB), and S3 storage, as well as logs from the applications you run on your EC2 instances.

Amazon AWS CloudTrail
AWS CloudTrail is a log monitoring service that records all the user (human or machine) activity within your AWS envi

Published 2017-03-14T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/280754010/0/alienvault-blogs~Centralized-Logging-in-the-Cloud Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=336926

Cybercrime and Its Devastating Consequences: Ways to Beat Attackers!

According to a study conducted by Juniper Research in 2015, the estimated cost of cybercrime could reach a shocking $2.1 trillion by the year 2019. Hard to believe, but it's true! No matter the motive and extent of a crime executed online, the consequences can be devastating for the victim, be it an individual, a company, a group or a government. Have a look:

• Identity Theft
According to ITAC, around 15 million Americans had their online identities stolen in 2012. One of the most common techniques used for identity theft is the phishing email: a fraudulent message purporting to come from a legitimate source, say a bank, asking customers to share their confidential information. Surprisingly, using someone else's identity for personal gain can be done with off-the-shelf malware such as Zeus, an extremely hacker-friendly piece of malicious software used to infect users' computers.

• Monetary Losses
Among most of the cybercrimes committed, the major goal is to rip off money.
According to the FBI, there were 2,453 complaints in 2015, costing victims more than $24 million.

• Wasted Time
A victim of cybercrime has to deal with it and work on alternatives to handle the losses. More specifically, if the victim is an organization, the information security staff have to dedicate quite a bit of time to handling data security breaches rather than working on something productive and creative.

• Piracy
Circulation and use of pirated digital assets is a cybercrime that hugely impacts the entertainment, music, and software industries. Revulytics Intelligence Data 2016 shows some eye-opening statistics about global software piracy: globally, 2 out of 5 copies of software in distribution are unpaid, and the commercial value of unlicensed software is $52.2 billion.

Amidst all the security challenges and questions in front of us, stopping cybercrime is a priority. Here are some preventive measures that are really useful for online users:
Choose strong passwords and use different passwords for different accounts. Do not share your passwords with anyone.
Keep reliable and secure backups of all your crucial data and keep them updated.
Use encryption for your sensitive files and store them in a secure location.
Avoid being scammed by unknown links or files.
Check the source of any message that asks for personal information such as a user login or password, and avoid sharing such information over the internet.
For businesses, it is crucial to form a strong, well-defined, and up-to-date se

Published 2017-03-13T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/280336764/0/alienvault-blogs~Cybercrime-and-Its-Devastating-Consequences-Ways-to-Beat-Attackers Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=335267

11 Simple Yet Important Tips to Secure AWS

This is the first in a series of blogs dedicated to Amazon Web Services (AWS) security monitoring and best practices.

AWS Security Best Practices

As more and more organizations of all sizes move applications and workloads to the public cloud, it is critical to understand the security challenges of the cloud in general, and of AWS in particular. IT environments are increasingly hybrid in nature, with many organizations maintaining some on-premises infrastructure as well as cloud infrastructure, using one or more cloud providers. It is critical to use security solutions that can monitor both cloud and on-premises environments. Here are some simple yet important tips to help secure your AWS account and infrastructure:

Lock Down Your Root Account Credentials: When you create an AWS account, it comes with root account credentials. These credentials give full access to every resource in the account. Our recommendation is to delete the root account access keys and create an Identity and Access Management (IAM) admin user instead. Note that you will still need root access for certain operations, and you can still sign in to the root account with the username/password on the AWS console; protect that sign-in by enabling multi-factor authentication (MFA) on the root account.

Use Security Groups: Use AWS Security Groups to limit access to administrative services (SSH, RDP, etc.) as well as databases. In addition, restrict access to specific network ranges where possible, and avoid using 0.0.0.0/0. It is also important to audit security groups periodically and to delete those that are no longer in use.

CloudTrail: AWS CloudTrail is a critical resource for monitoring your AWS environment. CloudTrail logs every event related to your AWS infrastructure, including API calls and changes made from the AWS Console, SDKs, or command line tools.
While CloudTrail contains an amazing level of detail about your AWS account activity, it is often hard to understand all the events and to identify what is important from a security point of view. That is why CloudTrail data is much more valuable when used with a solution such as USM Anywhere that has out-of-the-box correlation and alerting for CloudTrail events.

IAM Roles and Temporary Credentials: IAM roles can be used to define permission levels for the resources and applications that run on EC2 instances. When you launch an EC2 instance, you can assign an IAM role to it, which gives your applications automatically rotated temporary credentials and eliminates the need to store long-lived AWS access keys on the instance for API requests. This is one of the best tools when it comes to security in AWS. IAM roles can be very granular: you can control access at the resource level and per action. And because role credentials are temporary, if an EC2 instance is compromised there are no long-lived keys to revoke, although a stolen role session remains usable until it expires, so the instance itself still has to be contained.

Use Virtual Private Cloud (VPC): An Amazon Virtual Private Cloud (VPC) is a virtual network that runs in your AWS account. This virtual network presents some key advantages from a security point of view: the network is isolated from other resources, it is not routable to the Internet by default, and you can apply security groups and network access control lists to reduce the attack surface.
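The CloudTrail, root-account and security-group tips above come down to the same point as the Centralized Logging article earlier in this feed: CloudTrail records every call, but the records only pay off when something reads them and alerts on the few that matter. The Python below is an added example, not code from the article, from AlienVault or from USM Anywhere: three detections run over constructed records in the CloudTrail record shape (root account use, a console login without MFA, and a security group opened to 0.0.0.0/0 on an administrative port). The account ID, ARNs, addresses, group IDs and user names are made up, and the port-443 rule in the sample is there to show that the check alerts on administrative ports only.

```python
import json

ADMIN_PORTS = {22, 3389}  # SSH and RDP, the services the security-group tip singles out

# Constructed records in the CloudTrail record shape.  Account ID, ARNs,
# addresses, group IDs and user names are made up for this example.
CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2017-03-09T14:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-03-09T14:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-03-09T14:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
    {"eventTime": "2017-03-09T14:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3e", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})


def _actor(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect_root_activity(rec: dict):
    """Any API call or sign-in made with the root identity."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return f"root account used for {rec['eventName']} from {rec['sourceIPAddress']}"
    return None


def detect_console_login_without_mfa(rec: dict):
    """Successful console sign-in where MFAUsed was anything but Yes."""
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return f"console login without MFA by {_actor(rec)} from {rec['sourceIPAddress']}"
    return None


def detect_world_open_admin_port(rec: dict):
    """Security-group rule that opens SSH/RDP (or all ports) to 0.0.0.0/0."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") == "-1":  # "all traffic" rules carry no ports
            lo, hi = 0, 65535
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        if "0.0.0.0/0" in cidrs and any(lo <= p <= hi for p in ADMIN_PORTS):
            return (f"{params.get('groupId')} opened {perm.get('ipProtocol')} {lo}-{hi} "
                    f"to 0.0.0.0/0 by {_actor(rec)}")
    return None


DETECTIONS = (detect_root_activity, detect_console_login_without_mfa, detect_world_open_admin_port)


def run_detections(cloudtrail_json: str) -> list:
    """Return (eventTime, detection name, message) for every record that matches."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        for detect in DETECTIONS:
            message = detect(rec)
            if message:
                alerts.append((rec["eventTime"], detect.__name__, message))
    return alerts


if __name__ == "__main__":
    for when, name, message in run_detections(CLOUDTRAIL_JSON):
        print(when, name, message)
```

Run as a script it prints three alerts for the sample: the root sign-in fires twice (root use and no MFA), bob's port-22 rule fires once, and alice's DescribeInstances and port-443 rule fire nothing. In a pipeline the records would come from the CloudTrail S3 delivery or CloudWatch Logs rather than the embedded sample; note that the MFA check is written as "MFAUsed was not Yes" so that a record with the field missing also alerts.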
Implement A Bastion Host: A bastion host provides access to your Linux instances deployed in a priva

Published 2017-03-09T14:00:00+00:00. Source: http://feeds.feedblitz.com/~/278969706/0/alienvault-blogs~Simple-Yet-Important-Tips-to-Secure-AWS Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=333349

Security Monitoring in Azure using USM Anywhere

This post follows the recent (February) launch of USM Anywhere, our SaaS-delivered Unified Security Management solution for monitoring your cloud, hybrid cloud and on-premises environments, including Microsoft Azure implementations. Since USM Anywhere is a cloud service, we are able to create new product features and push updates much more frequently, allowing our customers to have all the latest features and capabilities without having to do any deployments themselves. Driving many of those improvements have been our USM Anywhere customers, whom we talk to regularly to get feedback and input on capabilities and experience. With our product improvements moving at a clipping pace, we're dedicating some space here on the AlienVault blog to product-specific info, tools, tips, and tricks. Consider this the inaugural post in the series (cue the fanfare!), and we look forward to reading your comments and feedback!

In this post, I want to delve into USM Anywhere for Microsoft Azure security monitoring. Now, make no mistake: one of the biggest benefits of USM Anywhere is that you can monitor all of your environments (AWS, Azure, on-premises physical and virtual IT) from a single pane of glass.

But, for the Azure folks in the house, I want to focus specifically on a few Azure-related USM Anywhere questions that relate to some of our top customer questions and Azure security best practices, including how to:
Keep up to date on what Azure VMs are running in your subscription (asset discovery)
Use Azure Diagnostic logs to monitor your deployed assets, including Windows hosts, IIS and the Azure SQL Database service
Keep up with changes made by users with access to your Azure subscription
Detect vulnerabilities on your Azure VMs

Deploying USM Anywhere to monitor Azure is simple, and designed in concert with the Azure security model. As shown in the image below, USM Anywhere Sensors deploy natively into each cloud and on-premises environment. The Azure Sensor can be installed from the Azure Marketplace. It discovers Azure assets, collects security data and sends it to the cloud-based USM Anywhere service for storage and reporting.

Asset Discovery

As in any environment, cloud security monitoring starts with asset discovery. In USM Anywhere, Azure assets are virtual machines (VMs) or platform services like Azure SQL Database with an IP address or fully qualified domain name. Whereas in on-premises environments you would run a network scan to discover assets, in Azure cloud environments it is a best practice to discover assets directly from the Azure APIs. To do this, USM Anywhere uses direct hooks into the Azure APIs, allowing it to automatically discover VMs and services as they are spun up and to collect additional information about those assets (e.g. the Azure VM type and the Azure region(s) the asset is running in) beyond what a traditional network scan would provide. The screenshot below from the USM Anywhere setup wizard summarizes the Azure VMs that it automatically discovered within an Azure environment.
Published: 2017-03-07T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/278204206/0/alienvault-blogs~Security-Monitoring-in-Azure-using-USM-Anywhere
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=330868

New Law in New York State Could Shape Cyber Security Across the US

The New York State Department of Financial Services has adopted a new cyber security regulation for all banking, insurance, and financial institutions that conduct business in New York State. The new law is in effect as of 01 March, 2017. Firms that have more than 10 employees or that meet the specific gross revenue requirements detailed in the regulation over the course of three years must abide by the full regulation. Organizations that do not meet the revenue and staffing requirements will still have to abide by many of the requirements of the regulation. Within security and legal communities, it is widely believed that this regulation will be the template that many other states will use to enact similar regulations. New York State has assumed somewhat of a leadership position with this law.

The regulation, known as “23 NYCRR part 500”, prescribes the following:

Within 180 days of the effective date (August 28, 2017), all affected organizations (known as “Covered Entities”) must:

- Designate a person as a Chief Information Security Officer (this can be a third party).
- Develop a cyber security program.
- Review access privileges for all people who have access to non-public personally identifiable information (PII).
- Develop cyber security policies.
- Develop a cyber incident response plan.
- Utilize qualified cyber security personnel and intelligence (this may also be provided by a third party).

By February 15, 2018, the designated CISO must file the first certification of the organization’s compliance with the regulation.
12 months after the effective date (01 March, 2018), all affected organizations must:

- Present a report from the CISO outlining the cyber security practice of the organization.
- Conduct annual penetration tests and bi-annual vulnerability scans of all financial systems that hold personally identifiable information.
- Conduct a risk assessment of all in-scope systems.
- Use multi-factor authentication for access to financial systems (unless the CISO establishes reasonably equivalent security for system access).
- Establish a cyber security awareness training program in the organization.

18 months after the effective date (04 September, 2018), all affected organizations must:

- Establish a mechanism to provide a five-year audit trail of financial transactions as well as a three-year mechanism to reconstruct financial transactions.
- Establish limitations on data retention.
- Review application security for all in-house developed applications.
- Establish risk-based policies and controls for authorized users.
- Use encryption to protect affected data (unless the CISO establishes compensating controls for the use of encryption).

2 years after the effective date (01 March, 2019), all affected organizations must:

- Establish a security policy for access by all third parties with whom the covered entity conducts business.

This regulation underwent two revisions prior to its final release. The original regulation was very strict, and many of the requirements of the original proposal were moderated so as not to cripple small and medium-sized businesses. The effects of this regulation are rippling through many organizations, as it places direct responsibility for cyber security on the Board of Directors or any similar senior management positions within a covered entity. Cyber security has truly hit the C-Suite in New York State. The big question now is: will other states follow New York’s lead?
Published: 2017-03-06T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/277836062/0/alienvault-blogs~New-Law-in-New-York-State-Could-Shape-Cyber-Security-Across-the-US
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=329415

CISO Perspective on RSA 2017 - Top 10 Takeaways

RSA Conference 2017 is over and a ton of roundups are being written, so here's mine. As expected, the hottest security topics and vendors were related to IoT and the cloud. Additionally, threat intelligence and SOCs were the subject of conversation with many vendors on the floor. Below are my top 10 key takeaways:

1. CSA Summit: The Summit was the day before RSA and the key theme throughout the day was levels of trust: identities, devices and roles. But the biggest takeaway was the release of the publication from the Software Defined Perimeter (SDP) Working Group, exploring how the SDP can be applied to Infrastructure-as-a-Service environments. Download your copy here.

2. Google’s BeyondCorp: Google has reinvented its security perimeter around devices through its groundbreaking “BeyondCorp” initiative. They introduced three core principles:
- Connecting from a particular network must not determine which services you can access.
- Access to services is granted based on what we know about you and your device.
- All access to services must be authenticated, authorized and encrypted.
View their presentation here.

3. Mirai Botnet: Chris Young of Intel Security, in an opening keynote, showed us how McAfee researchers bought an “off-the-shelf” DVR known to be targeted by the Mirai botnet. Within 60 seconds of connecting it to the Internet, the device was compromised. His keynote can be seen here.

4.
Cryptographer’s Panel: Adi Shamir, the “S” in RSA, stated, “I'm skeptical that Artificial Intelligence (AI) will have much of an impact on security… If you talk about 15 years from now, when AI systems are going to be super intelligent, I can foresee when you give all of the information about cybersecurity to the AI and it will think about it and then say, in a very calm voice, ‘In order to save the internet, I'll have to kill it.’” To view the panel talk go here.

5. SANS: Four SANS experts took the main stage to talk about the seven most dangerous cyberattacks. Some notable items were: software developers are not properly validating remote network services they are utilizing, and the Internet Storm Center is seeing continuous scanning for vulnerable "nosql" databases. Lastly, there are folks still not changing default passwords. Go here to view the talk.

6. GDPR: General Data Protection Regulation (GDPR) was discussed in a few talks. At a very high level, it states organizations must know what data they have and understand the risk that it poses. Johannes Ullrich, SANS Institute, advised that tokenization for data protection is the best answer. May 2018 is the deadline for companies to adhere to the regulation before they potentially face fines for noncompliance. View one of the talks here.

7. Hacking Exposed: The Hacking Exposed presentations by the CrowdStrike folks never disappoint, and this year they featured “Real-World Tradecraft of Bears, Pandas and Kittens.” My favorite hack they demonstrated was the malicious LNK file. This embedded PowerShell and a payload inside of a Windows shortcut file (LNK).
The full presentation is pos

Published: 2017-03-03T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/276970154/0/alienvault-blogs~CISO-Perspective-on-RSA-Top-Takeaways
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=328037

Three Steps to Hiring a Great Security Lead

Are you thinking about adding more senior resources to your security team? It may be that you are looking to create your first stand-alone security role or maybe you’re prioritizing security experience as a desired skill in your newest senior IT hire. If so, you aren’t alone. Recently, a workforce survey done by the International Information System Security Certification Consortium (ISC)2 projected that the gap for cybersecurity personnel will grow from 1.5M jobs in 2015 to 1.8M by 2022. This means that your plan to fill your position will have to be a strong one. Finding the right security leader requires locating, qualifying, and then closing on a candidate who is operating in a turbulent seller’s market. Here are three steps that can help you succeed, while minimizing wasted time and effort.

1) Create a Sufficient Slate of Candidates

There are boutique recruiting firms that can connect you with their own network of cybersecurity personnel, but for those on a tighter budget, LinkedIn will provide plenty of fodder for your recruiting mill. At last check, over 200,000 members call out cybersecurity as a skill. To make the number of potential candidates more manageable, you can apply some filters, such as CISSP certification, industry, and years of experience. Using the CISSP certification as a discriminator is not universally embraced, and in fact, I am not a CISSP. There are undeniably plenty of excellent security candidates who aren’t certified.
However, given a dataset of over 200,000 candidates, employers with limited security expertise, and an amorphous market consensus on security skills, I recommend that organizations start with people that took time to learn and get certified on the CISSP material. In a survey of several hundred security analysts by ESG and the ISSA, 56% had acquired the CISSP and thought it was valuable.

2) Assemble a Qualified, Diverse Interview Team

It’s very difficult to interview candidates who bring an entirely new skillset to your team. In security, if you are hiring your first leader, there is probably no one on staff who will be able to ask the kind of specific questions that you need. So what to do? You are likely to have some good resources among your vendors and your own contacts. If you are using an MSSP or are engaged with a security consultancy, they can help to create the position description and to vet the resulting candidates. If you are concerned about a potential conflict of interest, think about retaining some supplemental hours from a resource recommended by your network or your own IT people. Don’t shy away from this. In their “State of Cybersecurity 2017” report, 64% of ISACA respondents report that less than half of applicants are actually qualified, and an unqualified security leader can wreak havoc in a very short time.

In an effort to get the right cultural fit, remember that security is a job that is mostly defined by the needs of the organization. Being good at security also means being good at viewing the best practices of security through the lens of your business.
When constructing your interview schedule, include other departmen

Published: 2017-03-01T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/276210994/0/alienvault-blogs~Three-Steps-to-Hiring-a-Great-Security-Lead
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=325665

Demystifying Network Isolation and Micro-Segmentation

Brier & Thorn has performed where it was network isolation, not vulnerability management, that prevented the compromise of some mission critical servers in the environment and prevented a much la

Published: 2017-02-28T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/275862758/0/alienvault-blogs~Demystifying-Network-Isolation-and-MicroSegmentation
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=324822

GhostAdmin: The Invisible Data Thief - Notes from the Underground

Data theft is a major threat to businesses in today’s economy. With large corporations like Arby’s, Popeye’s, and Intercontinental Hotels all reporting breaches since the beginning of this year alone, it’s essential for IT professionals to keep an eye out for emerging threats that target valuable user data. Just last month, researchers at MalwareHunterTeam discovered a relatively new botnet called GhostAdmin that quietly siphons data from infected devices while it masquerades as a legitimate antivirus tool and obscures the symptoms of its attack with specialized features. Its network of infected devices is still small, but it has already been used to steal hundreds of gigabytes of data from large companies, making it a threat you need to understand and watch out for.

GhostAdmin is a botnet, a type of malware that operates by creating a network of infected host machines (a robotic network) that are all controlled by the botnet’s owner.
While a single device may or may not be useful on its own, leveraging an entire network of devices provides rocket fuel for almost anything that a botnet owner wants to accomplish. For example, you may remember when the high-profile Mirai botnet was in the news last year for causing widespread internet outages with its distributed denial-of-service (DDoS) attack against Dyn DNS. Mirai executed that attack by first creating a network of Internet of Things (IoT) devices and then commanding them to flood Dyn with traffic. The power of a botnet’s network can also be used to spy on a victim’s personal information, distribute malware, and steal huge amounts of data, which is how GhostAdmin has been used so far.

GhostAdmin infects PCs by mimicking well-known security tools that users might be inclined to trust and download. One version of GhostAdmin posed as Symantec Endpoint Protection, and a related variant called Zodiac mixed the Avast product name with the logo for Avira. Even a user with a vague awareness of security precautions could mistake it for legitimate software and be convinced to download the malware.

Once a device has been compromised, the botnet is designed to cover its tracks and keep users in the dark about its presence. For example, it can remove log files, wipe internet history, and self-terminate, and its own components may mimic ordinary Windows files. The botnet is also able to gain boot persistence, meaning that restarting an infected device will not remove the malware. While GhostAdmin has mostly been used for data theft, its available commands give the botnet owner the power to take over devices, spy on users, download data, and install more software for other nefarious purposes.

GhostAdmin operates by establishing an infected Internet Relay Command (IRC) channel that the botnet’s owner can use for Command and Control (C&C).
Using the IRC channel, the owner can execute requests for infected devices to download files, record audio, take screenshots, copy files, enable remote desktop, and more. Stolen data is sent to the botnet owner’s File Transfer Protocol (FTP) server, and the owner is notified each time the malware is used.

GhostAdmin’s network of infected computers is still small. Two large companies – an internet cyber café and a lottery website – have been reported as presumed victims of live attacks so far. Several hundred gigabytes of data were downloaded from the cyber café alone. From the lottery website, the botnet downloaded a database containing sensitive customer information including names, addresses, email

Published: 2017-02-27T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/275528972/0/alienvault-blogs~GhostAdmin-The-Invisible-Data-Thief-Notes-from-the-Underground
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=323925

Alien Eye in the Sky 24th February 2017

We’re back for another roundup of all things security that caught our eye. And there is plenty to dig through on this edition.

My favourite blogger from down-under, Troy Hunt, has been running haveibeenpwned for a while, providing valuable insight into where users’ credentials may have been compromised in a breach. However, he has introduced a new concept called ‘fabricated’ data breaches. That's where it’s not been possible to verify the authenticity of data, but there is enough legitimate data contained within to merit inclusion. More details on his blog.

You spend some time looking for a blog about Domain fronting, and all of a sudden two show up at once:
- High-reputation Redirectors and Domain Fronting
- Domain Fronting Via Cloudfront Alternate Domains

The security impact of HTTPS interception in the wild

Scott Helme writes an interesting piece about his experiences around bug bounties and extortion.
A long, but fascinating tale of espionage: I thought I was smarter than almost everybody: My double life as a KGB agent

Do you want to analyse malicious PCAP files and don’t know where to do the analysis? Turns out, there’s a free website to do that.

F-Secure published their 2017 state of cyber security report - it’s a good read.

I found this ransomware tube map to be particularly well done.

Microsoft is calling for a Digital Geneva Convention, as global tensions rise. It’s a nice idea in concept, but it's unlikely any such thing will happen.

University of Surrey develops an innovative ‘all in one’ user authentication technology

Banks often conjure up images of stringent checks and balances. You wouldn’t expect one of the largest banks in the world to be falsifying letters and manipulating transcripts of phone calls with customers to cover up its own wrongdoing, would you? Would you?

The startup idea matrix.

Gotta love the Register. In between their snark and witty h

Published: 2017-02-24T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/274458260/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-February
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=322690

How to Hire InfoSec Professionals for your Company

There is one skill that I, unfortunately, have perfected over the years—the ability to search for a job. I, like millions of others, have experienced being laid off, which required me to learn techniques to find new opportunities. The objective of this article is to share my personal job-searching experiences from an Information Security (“InfoSec”) perspective. This information and my observations are from my experiences only and not from any study, survey or research. The following three general categories are my personal observations as to why companies are experiencing difficulties filling out their InfoSec programs or hiring experts.
Unrealistic Expectations

The InfoSec field has not yet fully matured and is also complicated by rapid IT innovation, so it is not surprising that businesses often have trouble keeping abreast of the latest threats that accompany such innovation. For example, there have been substantial improvements to mobile devices since the iPhone’s announcement in 2007, the concept of “software-as-a-service” and cloud solutions didn’t exist twenty years ago, and artificial intelligence is also on the horizon. All of these developments introduce a new series of threats that people had never before had to consider. Unfortunately, the expectations that some companies have about InfoSec roles are often based upon outdated expectations that often lead to mixed priorities.

Companies sometimes look for candidates with the exact qualifications they think they need, and while it’s understandable for any company to want to find the perfect candidate that satisfies every requirement, no two InfoSec programs are exactly alike. While general best practices exist, each company has its own set of unique risks that require unique solutions. A “one-size-fits-all” template does not exist, so companies should instead seek candidates who are able to accurately assess industry-unique risks (including applicable laws and regulatory requirements) and implement unique solutions. It's important to remember that threats are always changing, so what may have worked five years ago may not be applicable today.

This same approach applies to retaining talent, too. I’ve mentored many security engineers over the years and during discussions about their career objectives the number one reason I often hear as to why they want to look for another job is because they feel that there is no opportunity to expand their skills in their current one.
First, let there be no misunderstanding that the primary goal of any engineer must be to do the work that’s expected for the organization, but engineers, by their nature, are also inquisitive and love new challenges. Good engineers are never satisfied with their current skill set, so it’s important to give them the opportunity to grow, whether it’s by self-study, classes, conferences, professional meetings or internal cross-training. Some of these opportunities are available at no cost to the company other than time. Engineers will tend to look for and likely find new opportunities elsewhere if they feel stifled and stagnant.

Lack of Leadership

Unfortunately, some businesses still view InfoSec as an IT issue only. While that may have been true in 1995, the emergence of a “connected society” has changed that paradigm considerably. While data, especially customer data, may be a company's most valuable asset, some companies treat data as if it’s a disposable commodity. Years ago, I was conversing with the CEO of a startup and the topic of InfoSec was raised. The CEO told me that he strongly believed in computer security and employed the best and brightest to protect his company, but when I asked him, he had no idea what were t

Published: 2017-02-23T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/274121918/0/alienvault-blogs~How-to-Hire-InfoSec-Professionals-for-your-Company
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=321821

Beginner’s Guide to Open Source Incident Response Tools and Resources

Observe

Use security monitoring to identify anomalous behavior that may require investigation.
Table columns: Type of IR Tool | Why You Need It | Open Source Options

Type of IR Tool: Log Analysis, Log Management, SIEM
Why You Need It: Logs are your richest source for understanding what’s going on in your network, but you’ll need an IR tool that makes sense of all of those logs, and that’s what log analysis is all about.

Published: 2017-02-21T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/273334324/0/alienvault-blogs~Beginner%e2%80%99s-Guide-to-Open-Source-Incident-Response-Tools-and-Resources
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=320117

Planning for an InfoSec Conference

Work

Primarily, I’m looking at whether I have any official ‘work’ business to tend to whilst at a conference. Unless I’m attending a conference on my own time and money, there needs to be some benefit for my employer in it. This can manifest itself in many ways depending on the nature of your work. If you sell a service or product, then perhaps generating leads is needed, or working out what trends are emerging. Perhaps you want to raise awareness of some of the research your company has undertaken, and weave it into an educational presentation. Enterprise users can catch up on what trends are prevalent in their particular industry, connect with peers, or attend relevant talks and take back the knowledge gained to the office and share with colleagues.

Education

Conferences are an absolute goldmine for knowledge. Education can be in the more formal environment of attending talks or workshops. But it can also come from informal avenues such as "hallway con", whereby there is no shortage of people discussing and sharing ideas. Oftentimes these can be even more informative than formal presentations, as more intimate details can be shared privately. The pitfall to look out for is that there can be almost too much free education, which is why it is important to understand your objective prior to attending.
For example, say you're looking to understand more about incident response processes. Try to identify in advance the talks, products, and the individuals that you can connect with at a conference on this topic to help further your cause. For large conferences, this preparation can begin weeks, and sometimes months, in advance. Reach out to people and try to get some time to chat with them in advance of the event. Don't forget vendors can be a particularly good source of information. It can be a good idea to contact them on social media and ask if they'll have someone available to show a demo, or help answer a few questions for you. You may be surprised at just how often you can get face time with some extremely knowledgeable individuals.

Networking

Networking means different things to different people. Some will classify going to as many after-parties as possible that stretch into the early hours as 'networking'. There may be some truth to this, but it's not the only way. I try to maintain a healthy mix of catching up with old friends and colleagues and meeting new people. I'm not much of a party person, so

Published: 2017-02-17T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/272026230/0/alienvault-blogs~Planning-for-an-InfoSec-Conference
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=317935

Are Windows Registry Fixers Safe?

Malwarebytes Labs, Registry cleaners are “digital snake oil.” They believe that making changes to the registry with those utilities at best make improvements that are so subtle that they're barely perceivable, and at worst do harm that can be significant enough to require a complete reinstallation of Windows. If users believe that their Windows performance is improved after running a utility, it's a placebo effect. BleepingComputer.com says there's no statistical evidence of the performance improvement claims of registry utility vendors.
Each vendor has different criteria for what constitutes a “bad entry.” Some utilities don't make a backup of the registry before making changes to it, so if something bad is done it cannot be easily reversed. Removing registry entries can make malware removal more difficult, and the usefulness of making changes to the Registry is overrated and can be dangerous.

Microsoft Support's official statement on third party registry utilities is that they don't recommend their use. They aren't liable for problems caused by those applications, but if one is used, they recommend backing up the registry first.

There are a lot of third-party applications that advertise themselves as registry fixing utilities that can be downloaded from the internet. They cannot all be malware, but I suspect that some of them are. I decided to do a little experiment of my own, to see if any popular registry utilities might threaten the security of Windows PCs.

Experiment Methodology

I installed a virtual machine of Windows 10 Pro with Oracle VirtualBox under Kubuntu Linux. I gave my VM a 32GB virtual disk, and 2GB of RAM. I used all of the default settings during the installation process. I used the default Express settings during the Windows 10 installation process. I made a System Restore point as soon as the installation was finished. That way, I can try to revert to the equivalent of a clean install of Windows 10 after I tested each application. Installing a new Windows 10 VM for each of the six applications I was testin

Published: 2017-02-15T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/271228360/0/alienvault-blogs~Are-Windows-Registry-Fixers-Safe
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=316009

Great MSSP Advice from a Seasoned InfoSec Veteran

AlienVault. Steve has been in InfoSec for 16 years now and has worked all over the industry and in the Department of Defense.
Steve said that dynamic MSSPs find great success with AlienVault’s Unified Security Management (USM) platform. Steve gave the analogy of USM as a high-performance race car. AlienVault sells the car; however, we don’t sell the race car driver or the team. Winning the race requires a dynamic team.

The simplicity of Steve’s response to a class of my questions about MSSP behavior impressed me. I asked how to respond to alarms, set up and staff SOCs, establish proactive policies and procedures, and more. Steve said that before an MSSP can know how to act, they first need to clearly establish what services they will offer and what agreements they will have with their clients. For example, an MSSP may decide to only offer monitoring. In this case they would only need the staff and resources necessary to set up and maintain USM, and give a phone call to their clients whenever an alarm of an attack bubbles up. However, if the MSSP decides they want to offer a more complete service, perhaps incident response and context around the incident (NetFlow and packet capture), then the MSSP can focus on hiring the right personnel for that. So, decisions such as what hours do we man the SOC, what types of skills do we hire, do we need someone on call, etc. become clear once the MSSP decides what they are going to offer their clients.

Steve also insisted that, “Security is not a technical problem, it is a human problem.” You should not focus on protecting your business against attack tools. For example, it is misguided to think that “Malware struck company X.” Instead, think, “A group of hackers used malware to strike company X.” It is much better to find out “what is their goal” and “why did they do it” rather than “how did they do it?” You should focus on protecting your business from teams of organized and focused criminal hackers who have a specific motivation to hack your business. Steve used the contemporary example of China hacking paint companies in the US.
China has had explosive urban development, so there is a large market for industry-grade paint intellectual property. Security teams that understand the human element beforehand are more prepared for this threat. So, if an MSSP decides they are going to work with unknown and serious threats, they will need someone on their team with analytical skills who understands human factors for their situation, perhaps a liberal arts major who understands Chinese culture.

Steve also talked about the difference between known and unknown threats. There are lots of tools, SOCs, antivirus, etc. to protect against known threats. These threats are typically known already because they have already successfully attacked another entity who reported it. Steve worked for 4 years in a ‘Hunt’ SOC, where they sought out unknown threats. An unknown threat could be something that IDS misses or something previously unknown that slips past the firewall.

Our conversation turned to automation and compliance, and Steve’s complaint was that a lot of partners rely solely on automation and compliance. The problem, he says, is that these can only address known threats and these can lull partners into a false sense of security. Ultimately, only a security team can really protect against unknown threats. This team can either be in-house, or through an MSSP.

I also asked Steve about automation and procedures. Steve said the purpose of automation is to help with scaling. And the purpose of procedures is so you, the practitio

Published: 2017-02-14T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/270803182/0/alienvault-blogs~Great-MSSP-Advice-from-a-Seasoned-InfoSec-Veteran
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=314521

Rock Out with AlienVault at RSA 2017!

RSA 2017 in booth #1215 in the South Hall at Moscone Center. We are really excited to see all of our favorite InfoSec folks there!
Have questions about security, the attacker landscape or AlienVault in general? If so, stop by and meet with Jaime Blasco, vice president and chief scientist, and members of our product management team. We’ll also be having our traditional lime slushies in the booth, plus beer with AlienVault koozies at the happy hour on Monday from 5pm-7pm!

Visitors who stop by our booth will have a chance to win a Super Swag Bag! In order to be entered, watch a demo in our booth or join us for one of our theater presentations. The presentations take place every 20-30 minutes at our booth. We will choose a winner after the show!

Name That Alien!

We want your help to name our alien mascot! This contest is exclusively for our social followers, so be sure to follow us and check out our posts on Twitter and Facebook. To enter, stop by the AlienVault booth and suggest a name for our mascot. The first 50 people to submit a suggestion will win a blow-up alien! If you Tweet a picture of the alien at RSA, in San Francisco and beyond using #AlienAdventures, you’ll be entered to win a $100 Amazon gift card; a random winner will be chosen after RSA. We’re looking forward to seeing you all at RSA!

Published: 2017-02-13T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/270436402/0/alienvault-blogs~Rock-Out-with-AlienVault-at-RSA
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=313138

Top 3 Considerations Before Buying a Security Product

Brian Honan, CEO, BH Consulting

- Does it have a reputable track record in addressing the issue it is being implemented for? This means researching independent reviews of the product, talking to existing clients who are using it, and seeing if it is being used by respected peers in the industry.
- Does it address the business issue/risk that needs to be addressed? It is not just enough that it can technically address the problem, but how easy is it to deploy, maintain, and manage?
- Is there a good support structure provided by the vendor, or, if open source, is there a strong community behind it or the possibility to pay for support for it? And finally, what additional costs are involved, such as hardware, training, support, and upgrades?
- Last, but not least, what is the reputation of the provider and its ability to deliver? Is the vendor recognised and respected in the industry? This does not mean you have to stick to traditional vendors or adhere to the “no-one got sacked for buying IBM” mentality, but do check the vendor has a track record in delivering what it sells, that it has respected experts on staff, and that it has some clients that are similar to your business and challenges.

Dave Shackleford, Principal Consultant, Voodoo Security / SANS Institute

These answers assume that the product has been vetted and presumably functions as promised.

- While sort of "meh" - Do I have budget? This HAS to be a consideration.
- Can I demonstrate a return on investment within 6 months? This is usually measured in operational time spent.
- Is the vendor going to be a partner to me? Will they treat me like a number, or work with me to help me succeed?

Yoav Leitersdorf, Managing Partner, YL Ventures

- Strength of the team (building the security product)
- Total addressable market (must be over $1B within about 3 years)
- Competition (relatively scant; no existing 800 pound gorillas)

Jitender Arora, Information Security and Risk Executive

- Meeting Functional and Non-Functional Requirements
- Cost and Ease of implementation
- Overall fit with the Enterprise Architecture blueprint (covers all aspects from future proofing perspective)

Saqib Syed, Partner, Boston Meridian

- Long term vision of the product so that it can continue to keep up with the newly emerging threats
- Its current ability to show least false positives and stop real threats.
- Least Total Cost of Ownership

Adrian Sanabria, Senior Analyst, 451 Research

- First, they must use buzzwords properly.
I’m not buying anything from a company t

Published: 2017-02-10T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/269373884/0/alienvault-blogs~Top-Considerations-Before-Buying-a-Security-Product | Index: www.secnews.physaphae.fr/article.php?IdArticle=311791

Managing Your Security Appetite

Make the best use of security budget windfalls when they happen

In a given year, 90% of companies are going to get hacked or DDoSed. It might be ransomware, a data breach, or a denial of service, but damage is occurring and everybody is worried. As a result, three-quarters of large-enterprise IT managers are looking to increase their security investments in 2017, and they have plenty of choices. According to a recent Momentum Partners report, there are currently hundreds of established security companies, providing 16 different types of security capabilities, to choose from.

What is a CIO or IT manager to do? She is hungry for more security, the budget has just opened up, and so many of these solutions could help. It is finally time to upgrade and advance. At this moment I recommend that the organization adopt...restraint.

Target Multiple Investments

When you are responsible for security management, your comfort level is like the horizon. It moves consistently away from you no matter how fast you improve. This is why security projects start with an attempt to push a single security technology or approach across an entire organization, whether it is authentication, data leakage, event monitoring, or red team testing. But your organization isn’t as flat and featureless as that. There are areas where you know the data is more private, the service is mission critical, or the employees are more prone to mistakes. To get the most leverage from your new investment, use it to mitigate the most serious threats to your most vulnerable or valuable resources. Deciding how much to invest, and where, can be a challenge.
Try this: In 1947, Judge Learned Hand created the idea of the “calculus of negligence” to resolve an interesting tort law case (United States vs. Carroll Towing). To the point, Hand judged that if the cost of preventing a loss (Prevention $) is less than the probability of the loss occurring (Likelihood) multiplied by the amount of the loss itself (Value $), then the offending party has been negligent. This kind of concrete mathematics is difficult in security, where both the likelihood of an attack or breach and the ultimate cost of the damage can be difficult to pin down. It is still a valuable model. From a relative perspective, it shows that investments should be made that will provide protection against risks to assets that are either rising in popularity as targets or are subject to new or innovative threats. Additional security dollars should be applied to those areas that most significantly improve protection for the organization, and organizations should look beyond their past best practices to validate their choices.

Think Beyond the Implementation

Reappraisal of security investments takes conscious thought. Most organizations will continue to add more money to areas where they are already spending, while also increasing funds for new potential protections. Much of this will happen without additional staffing, and this can lead to abandonment of some efforts and the underutilization of others. Osterman Research has foun

Published: 2017-02-08T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/268658418/0/alienvault-blogs~Managing-Your-Security-Appetite | Index: www.secnews.physaphae.fr/article.php?IdArticle=309732

Introducing USM Anywhere: Unified Security Management in the Cloud for the Cloud

AlienVault USM Anywhere™—the latest product to leverage AlienVault’s unique, unified approach to security management.
A cloud-based security monitoring platform, USM Anywhere combines the essential security capabilities needed for effective threat detection, incident response, and compliance management. Unlike other security solutions, USM Anywhere monitors cloud, hybrid cloud, and on-premises environments all from a single pane of glass. Because it’s delivered as a service, customers can sign on and start detecting security threats in just minutes.

AlienVault® successfully pioneered this comprehensive approach to security management with our first USM product, Unified Security Management™, now known as USM Appliance™. USM Appliance opened up effective threat detection and response to organizations of all sizes, especially those with limited resources—time, budget, or staff—to deploy a suite of heavy enterprise solutions. It delivers five security essentials in a single on-premises appliance that can be deployed in hours with little or no professional services required. USM Appliance also receives continuous threat intelligence updates from the AlienVault Labs Security Research Team—a boon to IT departments that don’t have in-house research teams to constantly scour the global threat landscape for emerging threats. With over 5000 customers, USM Appliance has proven the immense value of AlienVault’s unified approach to security.

So where does USM Anywhere fit in? We've seen a couple of tectonic shifts happening in the IT world, and these changes have shaped our new product. First, our customers have been moving more and more of their infrastructure to the cloud—a trend that has been accelerating in recent years. Cloud providers like Amazon Web Services and Microsoft Azure have moved well beyond the experimental phase. In the nascent days of cloud infrastructure, the early adopters were developers who wanted to bypass IT and build applications quickly without the constraints of IT rules.
Of course, as developers succeeded and started to deliver apps sitting in the cloud, those experiments became production environments that suddenly needed all of those IT rules, because those rules are what ensure high availability and security. The IT professionals who inherited these cloud infrastructure environments began asking us to deliver a solution to monitor their cloud environments. It had been challenging for them to find security tools that were truly designed to monitor threats inside cloud environments.

Unfortunately, many so-called cloud security monitoring tools are, in reality, retrofits of legacy on-premises security products. They can monitor servers running in the cloud, but they don’t really “know” that they’re in the cloud, and they’re not able to monitor all the new elements of a cloud environment that simply did not exist in the traditional data center. What’s more, they often do not work across cloud and on-premises environments. This disconnect forces IT security professionals to run two siloed security systems, which is a hassle and potentially creates security blind spots.

Consequently, when we started our cloud security journey, we knew that we needed to build something from the ground up that would natively and centrally monitor both cloud and on-premises security. That is USM Anywhere. The architectural principle behind USM Anywhere was to build a powerful security analysis platform that is agnostic to the environment, and then combine that with native sensors that are hyper-aware of each different environment and its unique elements.
Thus, USM Anywhere has sensors for AWS, Azure, VMware, and

Published: 2017-02-07T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/268246918/0/alienvault-blogs~Introducing-USM-Anywhere-Unified-Security-Management-in-the-Cloud-for-the-Cloud | Index: www.secnews.physaphae.fr/article.php?IdArticle=308509

Training for the Breach

Investigating breaches can be a bit overwhelming and very intimidating for teams that are not prepared. Your incident response (IR) plan should be written so that any of your team members can pick it up and understand how to go from handling daily incidents to investigating a major breach. I’ll write more on the IR plan in a later post.

Between now and when you’re breached, you must arm your team members with knowledge. As with any profession, building a solid foundation is key. Therefore, formal training is necessary and every manager should ensure there is a training budget for each team member. I highly recommend training classes from the SANS Institute. A rule of thumb is to take one or two formal classes each year.

For a better understanding and appreciation of investigating a breach, two books come to mind:

- The Cuckoo’s Egg by Clifford Stoll
- Take-Down by Tsutomu Shimomura

These two books are true tales that take you into the work of computer espionage and computer crime. Stoll takes us from a 75-cent accounting error alert to hunting the intruder across international borders using great investigative techniques. Shimomura details the capture of an attacker that stole millions of dollars in credit card numbers and corporate trade secrets.

Logs, logs, logs…everywhere there are logs, and they are valuable. Team members should take time and review raw logs to get a better understanding of what exactly is in those logs. Log management tools and SIEMs do a good job at parsing logs, but it's always good to double check their work.
But wait, remember logs are everywhere, so don’t forget to review logs on an endpoint that are not going into your SIEM. For Linux, most logs are located under /var/log:

- /var/log/messages – Contains global system messages
- /var/log/auth.log – Contains system authorization information
- /var/log/btmp – Contains information about failed login attempts
- /var/log/secure – Contains information related to authentication privileges
- /var/log/wtmp or /var/log/utmp – Contains login records

I’m speaking of processes training, not process training. Team members should know system processes like the back of their hands. For example, in a Windows environment, if ctfmon.exe is running from c:\windows\temp, is that bad? Below are some great resources:

- Know your Windows Processes or Die Trying
- A comprehensive list of processes running in your computer
- Malware Hunting with the Sysinternals Tools
- SANS DFIR Poster “Finding Evil”

Blogs are a great resource and two incident response blogs come to mind: JIIR and WindowsIR. In 2010, Corey Harrell started Journey into Incident Response (JIIR) to document his entry into this world we call i

Published: 2017-02-06T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/267843600/0/alienvault-blogs~Training-for-the-Breach | Index: www.secnews.physaphae.fr/article.php?IdArticle=307706

Alien Eye in The Sky – 3rd February 2017

No matter what happens in the world, you can be sure that we will continue to observe and report on all the interesting, random, and informative security topics of the week. Or at least the ones that came to our attention this week.

A useful cheatsheet on TLS / SSL vulnerabilities by Holly Graceful that helps to differentiate BREACH, CRIME, FREAK, Logjam and others.

Many growing technology departments reach a tipping point where they have to make a choice. Either continue to grow out their internal team, or partner with an MSSP.
An interesting post on five signs that it’s time to call an MSSP. It would be interesting to hear if you’ve engaged an MSSP and your reasons for doing so.

The Grugq doing his thing again, this time publishing an article on twitter activist security guidelines.

The very devices that keep you alive can turn on you. Fascinating and pretty scary account of how cops used pacemaker data to charge a homeowner with arson and insurance fraud.

HBOS Bank manager found guilty of corruption and fraud.

Do you have a printer? Is it secure? Do you know what attacks could be undertaken against it? If so, read up on Printer security.

This is a pretty insightful account of the impact of big data. It showcases how it’s not so much ‘fake news’ that is a problem, but the way it is tailored and targeted. The data that turned the world upside down.

Planet PowerShell - An aggregator of content from the Powershell community.

Published: 2017-02-03T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/266680626/0/alienvault-blogs~Alien-Eye-in-The-Sky-%e2%80%93-rd-February | Index: www.secnews.physaphae.fr/article.php?IdArticle=306527

IT Security Party Tricks

Cyber is on the tip of everyone’s tongue, from the news to the local shopkeeper. Everyone has heard of it, and many hold strong opinions on technology, security, and hacking. The dangers of working in technology or security have been well documented. Most of us have probably been roped into being the family IT help desk, or been asked by someone at a party to validate whether or not they have been hacked. They say that a little knowledge is a dangerous thing, and when coupled with soundbites from a sensationalist media, it can become more dangerous than Walter White knocking at your door. I personally have lost track of the number of times people have asked if I can show them the dark web or hack into an ex’s social media account.
Hacking friends and influencing people

Once, I was hanging out with a few of my colleagues in a hotel that, in a corner, had a third party ATM. The kind that independent venues place on their premises, and isn’t run by a particular bank. I asked if they wanted to see something “cool”. They nodded and came over as I beckoned them towards the ATM. I pressed a few buttons, entered a password, and voilà, I was in the service menu (a trick shown to me by Dan Tentler). It was met by sounds of approval and bro-hugs.

However, the approval from my now new best friends was just the beginning. The following night there was a social event. I was at the buffet looking at the food, working out the delicate balance between what looked nice and what I could fit on my plate without it all falling down, when I heard my name being called. A couple of my colleagues from the night before were calling me over to join a larger group of friends. One of them was in the middle of telling a story that seemed to have the group engaged. He pointed at me whilst saying, “you gotta be careful on this one. He’s dangerous – just last night I saw him hack into an ATM in the hotel.”

Before I could point out that I’d merely entered the settings panel, another colleague jumped in, “Yeah man, I was like woah, is he gonna rob the bank? I started to step back thinking that the ATM was gonna start spitting out fifty dollar bills. I was ready for it I tell you.”

The conversation was buzzing as others started sharing their stories of perceived hacking, and it dawned on me that people like to be part of something cool. They like to be able to tell a good story. Of course, no-one would ever believe that I could actually hack an ATM, but it’s a nice conversation lubricant that can help one make friends, become popular, and meet the love of your life.

What’s your favourite IT Security Party Trick?
“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke

I was curious as to what the favourite IT Security party trick was for other professionals, so I turned to twitter, which never fails to disappoint.

Lewis liked the old trick of pretending to hack via inspect element.

@J4vv4D pretending to friends I know how to hack by doing inspect element and changing password field type to "text" and revealing their pw — Lewis Morgan (@LewisMorgan_) January 9, 2017

Or one could point websites to local html files.

@J4vv4D Swapping out or adding host file information to point agency websites to local html files: "L

Published: 2017-02-01T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/265789842/0/alienvault-blogs~IT-Security-Party-Tricks | Index: www.secnews.physaphae.fr/article.php?IdArticle=304341

Banner Year at AlienVault - a Recap from CEO

Unified Security Management & threat intelligence platforms to enable our customers to more effectively defend their networks and accelerate response times to mitigate damage if a breach occurs. Our proven solution is now used by more than 5,000 commercial customers and over 400 MSSPs worldwide. We also expanded our reach through global channels, yielding double digit growth in all regions last year. We were once again the only vendor called out as a visionary in the Gartner SIEM MQ, which evaluates vendor solutions that address specific end-user problems and pain-points from a broad, high-level perspective. Time and time again, our solution has received honors and awards that recognize our innovative approach to security management, one which provides customers with all of the essential capabilities they need at an affordable price-point.
We are very proud of these accolades, which are a testament to the work of the incredible team that we have built at AlienVault – a team that is continually focused on enhancing our Unified Security Management and threat intelligence platforms and improving the overall customer experience. We now have more than 300 employees worldwide, and we kicked off 2017 by expanding our leadership team with three newly created positions—Chief Revenue Officer, Chief Information Security Officer and Chief People Officer. For more highlights from 2016, check out the press release we issued today.

I would like to thank all of our loyal customers and partners who put their trust in AlienVault daily, and rely on our products to improve their professional lives and better defend their IT infrastructure. I look forward to another great year of expanding our business and servicing our customers and partners worldwide!

Barmak
President & CEO
AlienVault

Published: 2017-01-31T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/265342236/0/alienvault-blogs~Banner-Year-at-AlienVault-a-Recap-from-CEO | Index: www.secnews.physaphae.fr/article.php?IdArticle=303520

How Does Whonix Make Kali Linux Anonymous & How to Prevent It?

Elliot Alderson uses his computer to hack into an organization, he doesn’t want to leave a trace. No hacker wants to be traced by the victim IT team and investigative agencies like the FBI. Tor can solve the issue, if you take care of the exit node. This is because unencrypted traffic can be sniffed once it leaves the Tor network. The last server on the Tor network is called the exit node or exit relay. However, integrating Tor with Kali Linux requires a lot of effort. In this article, we will discuss how to install and configure Whonix and how to integrate it with Kali Linux.

What is Whonix and how does it work?
Whonix is a Debian-based Linux operating system that aims to provide privacy, security and anonymity on the internet. The architecture consists of two main components:

- Whonix workstation
- Whonix gateway

The workstation and the gateway both get installed in a virtual machine. The workstation consists of the desktop application, which connects with the Whonix gateway. The Whonix gateway is the only way for the workstation to communicate with the outside world, because the workstation is an isolated machine and it has no idea about its own host IP and configuration. The workstation uses a Whonix gateway to connect to the internet, and this gateway uses the Tor network. In addition, all traffic first gets encrypted before leaving the network. The workstation doesn’t reveal its real IP, which it doesn’t know. DNS leaks are also impossible and not even malware with root privileges can find out the user's real IP.

We can replace the Whonix workstation with Kali Linux and use Kali Linux anonymously. Here are the steps:

1. Install and configure the Whonix gateway in a virtual machine
2. Install and configure Kali Linux (using the Whonix gateway in the DHCP) in the virtual machine
3. All the traffic (Kali Linux) will be routed through the Tor network
4. And you can browse anonymously

The things that you need:

- VirtualBox
- Kali Linux ISO setup
- Whonix Gateway

The first step is to import the Whonix gateway into your VirtualBox. Click on New and then import the appliance. Accept all the components. Here, we have not downloaded the Whonix workstation because there is no need to get it.
And also, we will not be installing the Whonix gateway - we

Published: 2017-01-30T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/264935244/0/alienvault-blogs~How-Does-Whonix-Make-Kali-Linux-Anonymous-amp-How-to-Prevent-It | Index: www.secnews.physaphae.fr/article.php?IdArticle=302596

Alien Eye in the Sky - 27th Jan 2017

why you don’t need a Chief Security Officer, the command-line for cybersec, and how you can steal passwords from McDonald’s users. Investigative journalist Brian Krebs takes a stab at unmasking the author of the Mirai Worm, while MIT wants you to help its ‘moral machine’ decide who dies in a car crash. What secrets can red teamers learn by purple teaming?

Links to stories from the video

- Fired IT employee offered to unlock data — for $200,000
- Ankle mounted WiFi jammers
- Cellebrite hacked
- Hamas honeytrap

Published: 2017-01-27T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/263769736/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-Jan | Index: www.secnews.physaphae.fr/article.php?IdArticle=301778

The Evolution of Threat Intelligence

Open Threat Exchange (OTX) platform. As a way to say hello, I’ve put down some thoughts on why I was so keen to come work on OTX.

A lot has changed since I jumped into cyber security just 5 years ago. First there was the Target breach. Then Sony. OPM. Yahoo. The elections. Between those infamous landmark case studies, IT administrators have been battling constant attacks against their own networks. Ransomware trashing network shares. Users clicking “Enable Macros”. Finance teams approving fraudulent wire transactions. The security industry has had to continuously evolve to respond to ever-changing threats.

The Evolution of Threat Intelligence

Back in 2011, an employee of an incident response company was frustrated at the lack of threat intelligence sharing across the industry.
So, they leaked the domain names used by the biggest group of attackers to Pastebin. It was a desperate attempt to prevent the mass of attacks the group was committing against both companies and governments. Two years, and hundreds of compromised organisations later, Mandiant released their landmark APT1 report. It was on the very same attackers, still using many of the same domain names.

We’ve come a long way since then. Now security vendors race each other to share new waves of attacks first, and government institutions are mandated to do the same. But this has led to other problems. Keeping up with all the reports is in itself a full-time job. And some reports contain false positives that set off security devices like Christmas tree lights.

OTX

From my viewpoint, AlienVault OTX solves these problems by:

- Reducing the manpower and effort organisations require to pull IoCs out of every report.
- The indicators are peer reviewed for problems and fixes are applied almost instantly.
- The information is easy in, easy out with a growing API and list of integrations.
- The power of the massive community that can perform vetted information sharing in a structured format at no cost.

The key for any network like OTX is the community, and so far it’s going strong. Interested in vetted sharing of ransomware indicators? An OTX user has made a group for that. How about importing the indicators into your MISP instance? There's a group for that too. AlienVault has a long history of building community solutions that are available to organisations of all sizes, not just those with the largest security budgets.

Some of you may know me from a community project I’ve worked on in my spare time called ThreatCrowd - another open threat intelligence platform. ThreatCrowd has become used by more people than I could have hoped. It’s been a fun experiment to keep a prototype running for thousands of simultaneous users from a single Linux box!
But there are serious limitations to how much I can tack onto a prototype, in my spare time and limited by my own knowledge. I’m looking forward to working with the top-notch team of AlienVault engineers to help enhance OTX and the overall community experience. I’ve only been at AlienVault a few days, but I’ve seen there are some awesome enhancements planned to the interface, data-set and integrations. I won’t ruin the surprise! If you’re a user of Thr

Published: 2017-01-26T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/263345200/0/alienvault-blogs~The-Evolution-of-Threat-Intelligence | Index: www.secnews.physaphae.fr/article.php?IdArticle=300868

Hybrid Cloud Security, Part II: New Security Challenges Take Shape in the Cloud

- Part One: How security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments
- Part Two: New security challenges that are introduced by cloud environments
- Part Three: Best practices for securing your hybrid cloud environment

Safeguarding the Keys to Your Kingdom

As mentioned in Part One of this series, access keys and root account credentials are a major security concern in public cloud environments. They are the proverbial “keys to your kingdom,” and if an attacker compromises them, they can gain access and control over your cloud account. Once inside your account and with full permissions, an attacker can spin up cloud resources on your dime, steal your data, or run malicious software on your resources and with your reputation. Compared to physical network environments, wherein the infrastructure is ultimately finite and static, cloud environments are super elastic and can be scaled rapidly from a central management console. The only real limitation is the size of your wallet.
A malicious actor with your root account credentials could easily spin up an enormous amount of resources (to mine bitcoins, for example), leaving you with an enormous bill. While it seems like a no-brainer not to publicly share your root account credentials, there have been many cautionary tales in recent years of web developers and even security industry analysts who have accidentally published their AWS access keys to GitHub or other public locations, resulting in thousands of dollars of fraudulent charges racked up overnight. And, although the cloud service providers in these tales often come to the rescue to notify victims of fraudulent activity and to remediate charges, it’s important to remember that it is ultimately your responsibility to keep your credentials and access keys secure. You can read more on how to secure your AWS root access keys

Published: 2017-01-25T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/262904740/0/alienvault-blogs~Hybrid-Cloud-Security-Part-II-New-Security-Challenges-Take-Shape-in-the-Cloud | Index: www.secnews.physaphae.fr/article.php?IdArticle=300089

What is Insider Threat?

blog@advancedpersistentsecurity.net

This blog aims to inform you about insider threat. This is from both a personal and a commercial perspective, meaning that it can be applied in both settings.

Disclaimer: I am in no way, shape, or form - past or present - compensated to endorse any solutions or software mentioned throughout this blog post.

Introduction

This is a time when organizations are spending more than ever before on information security solutions. Often, these solutions are effective in protecting much of an organization's assets. The one element that there is no true comprehensive solution to protect from attack is the human element.
As Social Engineering evolves and grows in application and popularity, people are being exploited more frequently to enable successful attacks that would be otherwise unthinkable.

Department of Homeland Security

Insider threat, per the US Department of Homeland Security and Carnegie Mellon University CERT (Computer Emergency Response Team), is a "current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems."

Director, National Intelligence

The Director of National Intelligence via the National Counterintelligence and Security Center (NCSC): An insider threat arises when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States. Malicious insiders can inflict incalculable damage. They enable the enemy to plant boots behind our lines and can compromise our nation's most important endeavors.

We are seeing more attacks and incidents being associated with various forms of insider threat:

- One theory of the Ashley Madison data breach is that insider threat enabled the “Impact Team breach” or readily handed the data over.
- With limited knowledge and insight, some believe that the Bank of Bangladesh SWIFT attacks were insider threat.
- Seemingly without information, the Yahoo data breaches may be due to insider threat.

What is Not Insider Threat

There is a level of ambiguity in terms of what constitutes insider threat. Some entities state that all actions dealing with users are insider threat. I tend to disagree with this broad generalization.
If I am able to crack a password or find a password on a dump site, that is

Published: 2017-01-23T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/261985142/0/alienvault-blogs~What-is-Insider-Threat | Index: www.secnews.physaphae.fr/article.php?IdArticle=298101

Certified Ethical Hacker (CEH): What It Is, What It Isn't, and Why It's Important

The Certified Ethical Hacker (CEH) certification is more than just another paper to add to your collection. While one could argue that it’s just another multiple choice exam, there is no mistaking the value of the knowledge you learn from studying for and then gaining this certification.

What is the CEH?

It’s a multiple choice exam which verifies your knowledge of the penetration testing structure and the tools used within that structure. It equips prospective job seekers in the information security industry with a solid start, making sure the holder of the certificate knows how to do the basics like:

- information gathering
- attacking computers or servers
- wireless attacks and social engineering

The concept is great, teaching students the theory of how tools work and how to evaluate situations and look for weaknesses and vulnerabilities, which is a major part of studying for the CEH; one thing it does well is to bring in real world tools for each of these situations. By the end of the journey to obtain your CEH, you’ll know what tools do what job, how to use the tools properly and how to conduct an ethical penetration test.

What the CEH Isn’t

Here’s what it isn’t. The CEH is not your one stop shop for everything you need to learn. Rather, it is a great start into the realm of information security. As with technology, it’s always best to stay ahead and current; thus, the CEH should be looked at as a gateway to higher levels of knowledge as well as proof that you can administer a penetration test.

Why is it important?
While talent and ability aren't established only by certifications, they do help when proving your knowledge and skill to others. Unlike other certifications, the CEH gives you the knowledge that will last outside of the exam by teaching you a methodology that will carry into your real world jobs and tools that you will use in real world engagements. Few certs have that to offer, and the few that do are further down the road from the CEH.

What makes the CEH different?
There are many certifications one can get on their journey in the information security world, but few come to the level of training and understanding required to earn the CEH certification. The biggest factor of what makes the CEH such a unique certification is its method of teaching. Unlike other security certifications which teach defensive tactics such as firewall configuration or other forms of preemptive security, the CEH takes an alternative approach. Offense is featured as your best defense, which is a major difference from certifications that only focus on defensive tactics. The CEH imparts offensive tactics supplemented with defensive countermeasures. This ensures that the CEH professional can have a more holistic security perspective of the organization.

What's the CEH test like?
The test consists of:
- 125 questions
- You have 4 hours to complete the test at a certified testing center
- You'll know within five minutes if you have passed or failed the test and be given a report detailing the sections you did poorly on.
- It takes roughly a week to gain your digital certificate and a month to gain your physical certificate along with a welcome letter officially giving you the title of a Certified Ethical Hacker.

What can you expect on the test?
To give you an overview, I've placed some sample questions below.

1. You have been hired to test security for a business headquarters in Chile. Which regional registry would be the best place to go for the network range determination?
A) APNIC
B) RIPE
C) ARISK
D) LACNIC
Answer: The correct choice is D) LACN

2017-01-18T14:00:00+00:00 http://feeds.feedblitz.com/~/259837776/0/alienvault-blogs~Certified-Ethical-Hacker-CEH-What-It-Is-What-It-Isn%e2%80%99t-and-Why-Its-Important www.secnews.physaphae.fr/article.php?IdArticle=294840

AlienVault Blog: The Priority of the Government/Industry Cybersecurity Partnership

2017-01-17T14:00:00+00:00 http://feeds.feedblitz.com/~/259363180/0/alienvault-blogs~The-Priority-of-the-GovernmentIndustry-Cybersecurity-Partnership www.secnews.physaphae.fr/article.php?IdArticle=293986

AlienVault Blog: Red Teamers Can Learn Secrets by Purple Teaming

Purple Teaming is for Red Teamers too. No, really! Sure, the job is ultimately to help the Blue Team be able to fight off more sophisticated attacks, but this is not a bad thing. It means as a Red Teamer you must get better, which means cooler attacks!

So the normal Red Team / pentest involves executing attacks, trying NOT to get detected, gaining domain admin or access to sensitive data and handing a report over. In a Purple Team exercise there is the ability to do all this and more, repeatedly, to try for more sophisticated attacks. You learn by getting caught, then trying different techniques to not get caught. It's an iterative process. For a more in-depth Red Team description please visit the Red Team Journal.

In a simple example, a pentester may drop a basic executable on disk assuming that it will not get caught by antivirus. It gets caught when the Blue Team discovers it. Game over. In comparison, a pentester drops an executable and it gets caught by antivirus. The Blue Team lets them know, so they restart and try again with something else (potentially running in memory).
Thus the iterative process increases the Blue Team's security controls and has the added benefit of increasing the Red Team pentester's ability.

There are multiple advantages of Purple Teaming for a Red Teamer. Below I outline several different attack steps, some things to try, and the value you will get out of it. Most clients are Windows-heavy, so I reached out to a good friend of mine, @invokethreatguy (https://twitter.com/InvokeThreatGuy), who is a co-founder of a local Canadian 'Red Team' (that's how I distinguish it from a pentest puppy mill) to get some advanced examples of PowerShell to use (as presented later in this piece).

Why as a Red Teamer You Should Purple Team It

Gaining Access
Phishing is extremely successful. Users click, but it's not that simple to get command execution. There are many items to bypass: first, the email filter (spam, attachment); then the antivirus scan; and potentially sandbox analysis. This is known as the "email minefield" by Red Teamers, and it is very treacherous. Even if a user clicks the link (if it is delivered), any detection in the chain and the Red Teamer will not get the desired command execution. Thus, learning the different parts of the chain and how to bypass each one is extremely valuable as an attacker.
These can include:
- Different ways to infect, like droppers, .exe, .dll and in memory
- Testing with different file attachments
- Using this tool by Chris Gates (https://twitter.com/carnal0wnage) to help
- Making the phish less obvious: looking at whether it 'looks' the same on the receiving end as it does when launching the email

Here's an example of a security tool that will give you trouble: Ironport. Understanding why and how to bypass this tool is very advantageous.

Privilege Escalation:
The OSCP course is great for teaching many different privilege escalation techniques in both Linux and Windows, but it does not allow you to test against any security devices

2017-01-16T14:00:00+00:00 http://feeds.feedblitz.com/~/258923488/0/alienvault-blogs~Red-Teamers-Can-Learn-Secrets-by-Purple-Teaming www.secnews.physaphae.fr/article.php?IdArticle=293108

AlienVault Blog: Alien Eye in the Sky - 13th January 2017

If you predicted that 2017 would be the year that manufacturers of insecure IoT devices would be facing legal action, and that penalties would be issued for slow reporting of breaches, then you can rub your hands gleefully and tout yourself as the cyber Nostradamus! If not, you can catch up on the latest goings-on, which include these stories as well as California's new ransomware law, and how two friends got into restricted areas with just a hi-vis jacket.
Links to this week's stories:
- The FTC offering $25,000 prize for securing IoT
- The FTC suing D-Link for insecure IoT
- New California law to imprison ransomware distributors for four years
- Healthcare provider fined $475,000 for tardy breach notification
- Getting into restricted areas with nothing more than a hi-vis jacket

2017-01-13T14:00:00+00:00 http://feeds.feedblitz.com/~/257631702/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-January www.secnews.physaphae.fr/article.php?IdArticle=291941

AlienVault Blog: The Internet of Ransomware

Usability challenges
Whenever a new technology is adopted, there tends to be "teething pain". The user interface for smart devices is often a mobile app which often needs a painstaking process of installation, account creation, pairing and configuration. Or worse, the device communicates its status through a series of LEDs that makes cracking the Enigma code seem trivial by comparison.

Some devices are also designed to only work when online, and not have any redundancy to operate when offline. This can make them susceptible to intentional, as well as unintentional, denial of service attacks.

There is also the issue of updates. To fix flaws, or introduce new functionality, companies have to push out updates to devices. Unfortunately, many times these occur at inopportune moments, rendering a device unusable for the duration. And all of that is notwithstanding the bandwidth and load of having a dozen extra devices placed on networks.

Opting-out is not an option
Even with all these flaws, "smart" capabilities are making their way onto nearly all devices. One can hold out for as long as possible, but with the direction the market is heading towards, it looks like it will soon be impossible to buy a non-internet connected device, regardless of whether one wants the functionality or not.
Terms & Conditions of usage will also apply in very different ways to such devices. These T's&C's will need to be accepted in order to utilise the functionality, which could lead to data about personal habits being shared widely, as well as targeted advertising.

A target-rich environment
However, putting aside the ridiculousness of some smart devices, and some of the challenges with others, there's more to the story. As smart devices increase in popularity, they become a more attractive target to hackers and cyber-criminals. One of the most rapidly growing areas of cyber-crime in recent months has been ransomware. Cyber-criminals operate much like any other business, looking for low costs and high returns with minimal risks. Ransomware ticks the traditional business boxes of having a low customer acquisition cost, has good pricing potential, and it instils a sense of buying urgency.

2017-01-12T14:00:00+00:00 http://feeds.feedblitz.com/~/257111678/0/alienvault-blogs~The-Internet-of-Ransomware www.secnews.physaphae.fr/article.php?IdArticle=290805

AlienVault Blog: Have We Failed As InfoSec Evangelists?

iPhone or Android device. There are also many articles about the importance of backups in all aspects of our digital lives. The question becomes: Have we failed as InfoSec evangelists? Here we are, preaching the importance of backups, phone protection, security awareness and overall digital hygiene, and our flock seems to be wandering far afield, only to return in a panic when the wolves are nipping at their ankles.

I spent considerable time beating myself up over the failings of the InfoSec profession, and then I remembered how everything we have learned about human nature and the desire to take risks is hard-wired into our brains. This is compounded in the developing brains of our youthful friends, all with their cracked phone screens.
"Why don't you buy one of those protective cases?"
"Oh, don't worry, I won't drop my phone."

Have we failed? Absolutely not. We must keep repeating the message until it resonates loud and clear beyond the InfoSec echo chamber. Think about how long it has taken the medical profession to impart the knowledge that certain bad habits can kill us. Have the medical professionals given up because the message of healthy living has not reached 100% of their patients? Of course not. There are new studies and new medical journals published every day that constantly reinforce the findings. Tobacco bad, drugs bad, etc.

As InfoSec professionals, we must keep up the same vigilance in repeating and solidifying the message. Will we eventually reach 100% of the smartphone population? Of course not. However, this is no reason to stop. We may be bored by the seemingly infinite blogs about the importance of having good backups, but we are the messengers of InfoSec, and there is always a way to tell the same story in a different way to reach a new person. Let's not lose sight of our mission.

2017-01-10T14:00:00+00:00 http://feeds.feedblitz.com/~/256152522/0/alienvault-blogs~Have-We-Failed-As-InfoSec-Evangelists www.secnews.physaphae.fr/article.php?IdArticle=289469

AlienVault Blog: Privacy, Virtually Speaking

Privacy is something everyone should be concerned about, regardless of your political affiliation or threat model / perceived level of risk. Whether a malicious actor is foreign or domestic, they generally want to know as much about you as possible, and aren't very likely to ask your permission first. It would be great if common security measures could protect us completely, but unfortunately exploits happen even with the best security technology and training. Even when our machines aren't actively compromised, we have to worry about being tracked.
If you've ever maximized your browser window when using Tor, you've seen a warning about not having your browser size match the full size of your screen, to avoid being tracked via that metric. There are many other ways to use metadata available to any site you visit to track your activities. Our first desire is probably to not be tracked at all, but another option is to make the information that is retrieved by malicious actors as useless as possible. For that we can turn to something that specializes in abstracting, or hiding, physical details: virtualization.

Virtualization
Virtualization is a technology now widely used in data centers that allows you to create a completely isolated machine, or virtual machine, that runs on your physical computer, or host. There are many different vendors offering virtualization solutions for the enterprise, but there are also virtualization options available for the individual desktop, usable on either a Windows or Linux machine, which is what we're going to focus on.

Generally, any desktop virtualization solution will have software known as a hypervisor that will take some input files and turn them into a running virtual machine, or VM for short. Those files generally fall into the following categories:
- Storage
- Configuration
- Logs

Storage and Logs are fairly straightforward, the former being files interpreted as virtual hard drives or the volatile RAM of a machine, and the latter logging actions the hypervisor takes in running the VM. Configuration is the most critical input to the hypervisor: these files tell the hypervisor how the virtual machine should be constructed. How many virtual CPUs, network card configuration and much more is found in the configuration files.

How does this help our privacy? To answer that, we have to look at a surveillance technique known as fingerprinting.
Fingerprinting
Much like the pattern of swirls on our fingertips, fingerprinting aims to establish as many unique elements of information about someone as possible to enable tracking a trail of activity. As it relates to virtualization, we're going to focus on hardware fingerprinting. A collection of all the hardware installed in your physical machine, like your video card, CPU type, motherboard model and so on, constitutes your unique hardware fingerprint. Much like a web server can use User-Agent metadata, it is possible to collect information about your hardware and use that as a tracking mechanism. This is of the most concern to those who build computers themselves rather than purchase pre-built machines, as a hardware fingerprint of a particular configuration of a Dell laptop is far less unique than the hardware fingerprint of a computer built with a specific video card, motherboard, and so forth. In both cases however, it

2017-01-09T14:00:00+00:00 http://feeds.feedblitz.com/~/255654006/0/alienvault-blogs~Privacy-Virtually-Speaking www.secnews.physaphae.fr/article.php?IdArticle=288509

AlienVault Blog: Eye In The Sky: 6th January 2017

Welcome to the new year, a year where new possibilities exist. A time when gym memberships soar higher than eagles dare. But the 'cyber' world doesn't recognise dates or aspirations, which is why we also keep our keen eyes on the happenings. Being the return from the holiday season, we've collated some of the most interesting stories from the last few weeks as they've trickled through.

- Holly Graceful has shared several pen testing cheat sheets. Indispensable resources for the discerning penetration tester.
- How do security professionals study threat actors and why do we do it? An insightful piece as always by Lesley Carhart.
- Stop, collaborate and listen about data protection.
Rowenna Fielding weighs in on the Information Commissioner's Office taking action against two leading UK charities.
- We got 1.6 million students' Google search histories! OK, it's a somewhat clickbait title, but it has some good points. Related to this is a post from 2006 where AOL provided 'anonymised' users' search history.
- Not a blog post, but there was a great exchange on Twitter between journalist Tom Fox-Brewster and Alec Muffett around debugging which came about as a result of Tom's commentary on Evernote's new privacy policy. It's worth reading through the thread, most of which I captured in a Twitter moment.
- How Argentina's political crisis gave rise to hacker culture.
- Wifi-Dumper, an open source tool to dump the wifi profiles and cleartext passwords of the connected access points on the Windows machine.
- How to set up a Raspberry Pi 2 model B for WLAN sniffing.

Hope you have a great year ahead of you! See you next week, where we hope to resume our scheduled program.

2017-01-06T14:00:00+00:00 http://feeds.feedblitz.com/~/254190268/0/alienvault-blogs~Eye-In-The-Sky-th-January www.secnews.physaphae.fr/article.php?IdArticle=287763

AlienVault Blog: Role of Cyber Threat Intelligence Analysts in an Organization

all-source analysis, digital forensics, and adversary targeting to identify, monitor, assess, and counter the threat posed by foreign cyber actors against US information systems, critical infrastructure and cyber-related interests.

Essential Skills:
Cyber threat analysts are professional intelligence officers who apply their scientific and technical knowledge to solving complex intelligence problems, produce short-term and long-term written assessments and brief the organization. This work demands initiative, creativity, analytical skills, and technical expertise. However, the most important piece of an intelligence analyst is analytical skill.
At times, this skill is more of an art form than a hard science. However, it can be developed in a few ways. First, it requires that an analyst become a technical expert. Unfortunately, many analysts who are just starting out feel that intelligence tradecraft is a "fuzzy" field in which people without technical skills can still be experts. As they work in the field, however, they'll find that the opposite is actually the case: cyber threat intelligence analysis, when performed correctly, is also very demanding from a technical perspective. A good analyst should be able to pick out what is obviously true or obviously false almost instantly, which requires extreme technical skills and experience in cyber security.

When looking for a job as a cyber threat intelligence analyst, you should be well-qualified and solid in your skills. Earning a certification like Certified Ethical Hacker (CEH) or Offensive Security Certified Professional (OSCP) will definitely help prepare you for this job, but in general, the minimum qualifications are:
- Bachelor's or Master's degree in computer science, computer engineering, digital forensics, cyber security, telecommunications, information assurance or security studies.
- A minimum GPA of 3.0 on a 4-point scale.
- Hands-on experience.
- Strong verbal presentation and writing skills, including the demonstrated ability to write clear and concis

2017-01-05T14:00:00+00:00 http://feeds.feedblitz.com/~/253645734/0/alienvault-blogs~Role-of-Cyber-Threat-Intelligence-Analysts-in-an-Organization www.secnews.physaphae.fr/article.php?IdArticle=286528

AlienVault Blog: UX Design: An Overlooked Aspect of Endpoint Security

People in information security know to heed the advice of Bruce Schneier. What we often forget to do, however, is heed the advice of Don Norman, who is considered to be the father of User Experience design.
In fact, when Apple hired Norman in 1993 as an Apple Fellow and User Experience Architect, he was probably the first person ever to have the phrase "User Experience" in his job title. Norman earned a Bachelor's Degree in Electrical Engineering and Computer Science from MIT, followed by a PhD in Mathematical Psychology from the University of Pennsylvania. He worked as an engineer and computer scientist for a number of years, but the human element of technology always fascinated him. In 1979, he helped found the Institute for Cognitive Science at the University of California San Diego.

On coining the phrase User Experience, Norman said, "I invented the term because I thought Human Interface and usability were too narrow. I wanted to cover all aspects of the person's experience with a system, including industrial design, graphics, the interface, the physical interaction, and the manual."

If we review what was being developed at Xerox PARC in the 1970s, we can see that Norman wasn't alone in his thinking about how technology could be more user friendly. Many of us are aware that the GUI and mouse were developed at Xerox. However, instead of becoming a patented and profitable product line for Xerox, Apple and Microsoft jumped on the ideas and successfully used and marketed them. Xerox's work and research happened before "User Experience", or UX for short, became a bona fide area of study.

Norman's seminal book, The Design of Everyday Things, was ground-breaking when it was published in 1986. It can be credited with changing how people thought about interactions between humans and technology. Much has changed since then. Today most tech companies around the world have dedicated staff who focus on improving user experience.

In information security, we often feel that there is a compromise that needs to be made between usability and security; they can seem at odds. However, sometimes increasing usability may actually increase security, too!
To elaborate on this, effectively securing endpoints requires user cooperation, whether the client machine or mobile device is being used by an employee or a consumer. When made aware of the issues, people will be concerned about security and will generally want to use their computer technology in more secure ways, as long as they can understand what's going on and it doesn't involve too much hassle or inconvenience on their end. Recently, major technology vendors, in neglecting basic UX and UI design principles, have failed to aid users in making their devices more secure, as evidenced by the following example:

The ASUS SoHo Router Design Flaw
Last February, Security Researcher David Longenecker discovered a UI problem that affected a range of ASUS router models which run ASUSWRT firmware. ASUSWRT's GUI contained two settings in the firewall section that were written as "Enable Web Access from WAN: No" and "Enable Firewall: Yes." Unfortunately, even if

2017-01-04T14:00:00+00:00 http://feeds.feedblitz.com/~/253131362/0/alienvault-blogs~UX-Design-An-Overlooked-Aspect-of-Endpoint-Security www.secnews.physaphae.fr/article.php?IdArticle=285734

AlienVault Blog: Top 12 AlienVault Blogs of 2016

subscribe to our blog to ensure you get all the new goodies either daily or as a weekly summary in your inbox. Without further ado, following are the top 12 AlienVault blogs of 2016:

- Building a Home Lab to Become a Malware Hunter - A Beginner's Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab.
- How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet".
- Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi.
- Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples.
- The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet, which targeted XiongMai Technologies IoT equipment in a recent attack.
- Web Application Security: Methods and Best Practices - The OWASP top 10 and web application security testing are covered in this educational blog by Garrett Gross.
- Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights what's new in 2016.
- PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, which seems to be heavily based on PoshCoder.
- Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way.
- OceanLotus for OS X – an Application Bundl

2017-01-03T14:00:00+00:00 http://feeds.feedblitz.com/~/252664318/0/alienvault-blogs~Top-AlienVault-Blogs-of www.secnews.physaphae.fr/article.php?IdArticle=284657

AlienVault Blog: GoldenEye Ransomware: Shaken, Not Stirred - Notes from the Underground

What do action, adventure, cool gadgets, Vodka martinis (shaken, not stirred) and ransomware all have in common? One word: GoldenEye. For my fellow Gen Xers, you probably remember this iconic James Bond film starring Pierce Brosnan as 007. I sure do. It was one of the best James Bond films ever made.
The film involved an insidious plot by malicious actors bent on destruction and monetary theft using an electromagnetic Soviet Cold War satellite weapon called GoldenEye. In the film, only 007 can save the day. And, of course, he does. If only it were that easy, right? Find the coolest, smoothest, martini-drinkin' good guy to swoop in and take out the megalomaniac bad guys to save the day, maybe your computer, your data, or your customer's data. Unfortunately, in real-world cyberattacks, the bad guys do sometimes win, take your data, compromise your systems, and make you pay (or at least try to) to get it back. It's criminal exploitation at its best.

2016 has been a lucrative year for ransomware malefactors, and now we have yet another strain, GoldenEye, out there to contend with. Luckily, it is localized right now for the most part in Germany, but this doesn't mean that it won't find its way to a country near you. IT security team, beware.

About GoldenEye
So, what is GoldenEye? Before we go into that, let's first understand some of the predecessors created by the same threat actor, Janus Cybercrime Solutions, a self-proclaimed criminal organization responsible for GoldenEye and several other ransomware variants.

The GoldenEye ransomware is a variant of the notorious Petya ransomware, which is best known for its unique signature of overwriting the Master Boot Record of the infected host. The best (or worst) part of this particular ransomware is that the user watches in idle incomprehension as the malware reboots the system in front of them, displays a fake check disk (chkdsk) screen, and then informs the user on how to purchase bitcoins to unlock their system. By the time the user realizes their system is compromised, it's too late.

There is hope, though. At least, a little bit. Petya is delivered most often via email to the victim and requires that the victim download and execute it. For Petya to do its dirty deed, it needs administrative access to the system.
To get administrative access, a User Access Control (UAC) challenge is presented to the user, and the user must accept it to grant the access. The best defense is to be wary and suspicious of attachments and to not click on and download them. If you do download an attachment and a UAC challenge is presented, that should be a clue. Don't allow the program to have administrative privilege.

You may think to yourself at this point, "OK, I got it. Don't click on things that look suspicious. Don't let attachments escalate privilege. No problem." Well, there's more. Our dear friends at Janus Cybercrime Solutions don't like missing out on an opportunity to steal your money. So, they came up with yet another malware variant and packaged it with Petya to increase their opportunity. This additional package is called Mischa.

Sound familiar? For those of you Bond buffs, you may recognize both Petya and Mischa as the two satellites that comprise the GoldenEye weapon in the GoldenEye movie. Petya was used by the Bond villain Alec Trevelyan (a.k.a. Janus) to blow up the GoldenEye satellite facility in Severnaya. The second satellite, Mischa, was to be used by Alec to steal "millions of dollars" from the Bank of England. Nothing better than wreaking destruction and making a few bucks along the way, I guess.

Mischa is another variant of ransomware, but this one behaves similarly to other common ransomware variants. It simply looks for data files on the compromised system and encrypts them. When a sy

2016-12-29T14:00:00+00:00 http://feeds.feedblitz.com/~/250505776/0/alienvault-blogs~GoldenEye-Ransomware-Shaken-Not-Stirred-Notes-from-the-Underground www.secnews.physaphae.fr/article.php?IdArticle=282107

AlienVault Blog: The Fundamentals of SecOps that 2016 Forgot

We were somewhere in the second half of 2016 when the breaches began to take hold.
I remember saying something like, "I feel we're losing the security battle; maybe I should choose a different profession, one which isn't cloaked in failure…" Suddenly, there were bats, music swelled loudly and I heard a familiar English accent: "Why do we fall? So we can learn to pick ourselves up". I'd fallen asleep watching "Batman Begins" again, and apparently the medication I'd taken for my cold had me on edge.

Beyond the movie, though, the security concerns I had were real. The steady march of companies getting breached continued throughout the year. There were plenty of shiny boxes, cool widgets, and even 'pew pew' maps, all designed to help companies be more secure, and yet the breaches kept happening. Ransomware, DDoS, password dumps, privacy breaches, third-party failures, critical infrastructure, and many more security terms crept further into the mainstream lexicon with every new incident.

Many widespread security issues stem from poor architecture and include a lack of segregation, critical dependencies on legacy systems, and non-existent network diagrams or asset inventories. At the other end of the spectrum, a lack of user awareness and education often becomes a root cause of system compromise. However, re-architecting systems, or re-training users, can be a bit like advising a zoo-keeper not to shoot a gorilla dragging a 5-year-old child: these are tasks that are easier said than done. In addition, replacing or upgrading legacy systems can be as challenging as getting the Titanic to perform a three-point turn.

This whole situation paints a grim picture, one which brings to mind the words of famed English poet William Wordsworth: "We poets in our youth begin in gladness; but thereof come in the end despondency and madness." However, IT security is not poetry, and despondency and madness need not overtake the reality that many breaches could have been prevented, or their impact minimised.
This can, in fact, be accomplished by sticking to some of the fundamentals of security operations (SecOps) that have been practiced for many years.

Segregation of Duties
Segregation of duties goes beyond simply splitting a workload in half. You're probably familiar with Uncle Ben's phrase, "With great power comes great responsibility." The problem with this quote is that, in real life, people often can't handle this responsibility. Power seems to have a strange effect on people. I'm perhaps one of the laziest people when it comes to fixing or decorating anything around the house. However, hand me a power tool and I become a solution looking for a problem. My wife often reminds me that I "only pretend to be responsible when I'm around the kids", but this illustrates the need to have boundaries in place to control individual behaviour.

This is a well-understood phenomenon, and is one of the reasons why no one likes dictators, because nothing can stop them from abusing their power. The potential for misuse is also why missile launches are controlled with many layers of checks and balances, culminating in two soldiers having to simultaneously turn their respective keys to activate a launch. However, having properly segregated accounts and roles would not only prevent, say, a junior bank teller from making large financial transfers, but it would also limit the amount of damage that a criminal could do if they were to take over an account.

Rotation of Duties
Similar to segregation, but a more useful strategy for spotting insider threats, is rotation of duties.
This can be a tough control to implement, howev

(AlienVault Blog, published 2016-12-28T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/250100856/0/alienvault-blogs~The-Fundamentals-of-SecOps-that-Forgot. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=281437)

Practical Advice To Stop Malware, Phishing & Spoofed Email Attacks From Head of IT

This is a note I sent to our entire company last week. It was thought to be useful and I've been asked to share it with other readers:

IT has noticed an exponential increase in malware, phishing and spoofed email attacks against our users. We have strong filters in place that catch the majority of malicious emails, but nothing is perfect. Our last line of defense is YOU. When you receive an email with an attachment or link, it is important that you exercise caution. Below are a few guidelines that will help you determine whether an email is safe or not.

Spoofed email addresses are emails that appear to come from someone @alienvault.com (or another domain), but aren't actually from that user. We have seen the largest jump in these types of emails. These were initially targeting finance personnel and executives, but have recently spread to more users in the organization. We have strong SPF and DKIM enforcement in place (SPF lets a mail admin publish which IP addresses are allowed to send email for a domain; DKIM adds a signature that lets the receiving server verify the message really came from that domain and was not altered in transit). While this will protect us from emails forged to look like they come from our own domain, it will not protect us from external domains that are being spoofed, nor from look-alike domains registered by the attacker, which pass SPF and DKIM checks for the attacker's own domain.

How do I recognize a spoofed email?

- Analyze the salutation: is the email addressed to a vague "Valued Customer", to your email address, or to "Greetings User"?
- The email is requesting that you perform an action urgently, e.g. transfer money, click on a link, open a file, etc.
- Review the signature for anomalies.

Phishing email: an attempt to harvest a user's credentials.
These will usually come from a spoofed email address, or from a legitimate user who has fallen victim to a phishing attack.

- Look but don't click: hover your mouse over any links embedded in the body of the email to see the real address. If the link address looks weird, don't click on it. Example: a link whose visible text reads "Secure O365 Login" but whose real destination is somewhere else entirely.
- Analyze the salutation. This may actually be legitimate, so be careful! If the email comes from a compromised user with a good address book, then the salutation may be spot on.
- Give a fake password: if you're not sure whether a site is authentic, don't use your real password or username to sign in. If you enter a fake password and still appear to be signed in, you're likely on a phishing site.
- Attachments: if you open an attachment and it asks you to enable something in Word, Adobe, etc., it is more than likely a phishing email and may carry malware, too.

Malware: an attempt to infect a user's device with malicious software. We are especially seeing a large uptick in trojans being sent. Some were only spotted in the wild a few weeks ago. These are delivered via a URL or an email attachment.

- Does the subject line or body of the email seem out of character or unusual given the sender, especially if you are not expecting an email from that organization or person?
- Check the URL before clicking by hovering over the link in the email body.
- Beware of attachments that need to be unzipped or ask for additional action on your part.

If you are unsure, please do not hesitate to contact your IT department for assistance.

(AlienVault Blog, published 2016-12-27T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/249724064/0/alienvault-blogs~Practical-Advice-To-Stop-Malware-Phishing-amp-Spoofed-Email-Attacks-From-Head-of-IT. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=280742)

Tracking an Infected Host Using OSSIM / USM with Customization

OSSIM or USM, and some customization.
Let's look at a typical network of a small or mid-sized enterprise. For example, we have a few client PCs running Windows 7, 8 and 10, and a domain controller which also acts as a DNS server for the client PCs. This network is connected to the Internet through a gateway, which also acts as a firewall and an IPS (IDS).

Now imagine one of our client PCs is infected with malware. After the infection the malware tries to communicate with some command and control (C&C) server, perhaps to send some valuable information. The first thing the malware might do is try to resolve the name of the C&C or web server via DNS. So the infected PC sends DNS requests to the internal DNS server. The DNS server then forwards the requests to a DNS server on the Internet. These requests travel through the gateway (which is also a firewall and IPS/IDS). In this case, our IPS knows about those C&C domains, so it generates an alert and blocks the request. That's nice. Yet we still have an infected host on our network. So how can we find it?

The catch is that the request the IPS sees comes from the internal DNS server, not from the client, so the alert alone does not tell us which PC is infected. Of course we can copy the name of the C&C from the alert generated by the IPS and search the logs of our internal DNS for it. But that's not very easy, especially when there is plenty of activity and many alerts. This is where USM/OSSIM comes into play. In the following I will describe how I was able to detect infected hosts on the network.

Summary

The logs of the IPS and the internal DNS are gathered and analyzed by OSSIM/USM. When OSSIM sees an alert from the IDS it extracts the name of the C&C from the message (via a custom or a pre-built plugin). OSSIM passes the name of the C&C to a script, which searches the DNS log and gets the IP of the client that made this request. The script writes the client's IP together with the C&C hostname to a log. This log is picked up by a custom OSSIM plugin and displayed as an alert with the IP of the client PC.
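The correlation step from the summary, scripted. This is an added example, not the script from the article (which is not reproduced in this feed item): it takes the Snort alert as OSSIM would hand it over, extracts the C&C name, and searches the internal DNS server's log for the client that asked for that name, emitting one line per client for a custom plugin to pick up. Assumptions: the Snort message text follows the custom rule described on this page; the DNS log lines are constructed in the layout of a Windows Server DNS debug log, with the lab's addresses (WIN-PC 10.0.1.35 as the client, WIN-DNS 10.0.1.36 as the forwarding DNS server); a real deployment would additionally restrict the search to a short window around the alert time.

```python
import re

# Constructed sample data, not captures from the article's lab. Addresses follow
# the lab on this page: WIN-PC (10.0.1.35) is the client, WIN-DNS (10.0.1.36)
# is the internal DNS server that forwards to the Internet.

# The custom Snort rule's alert as it would arrive at OSSIM over syslog. The
# source address Snort reports is the DNS server, not the infected client.
SNORT_ALERT = (
    "Dec 21 10:15:03 LIN-GW snort[2311]: [1:1000001:1] Discovered resolve request "
    "for a (eicar.org) from (10.0.1.36) [Priority: 2] {UDP} 10.0.1.36:52144 -> 8.8.8.8:53"
)

# Windows Server DNS debug-log style lines (constructed). Names are in label form:
# (5)eicar(3)org(0) is eicar.org. Rcv/Snd is the direction relative to WIN-DNS.
DNS_LOG = [
    "12/21/2016 10:14:58 AM 0C04 PACKET  0000000002A4B6F0 UDP Rcv 10.0.1.40   0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "12/21/2016 10:15:03 AM 0C04 PACKET  0000000002A4B5E0 UDP Rcv 10.0.1.35   0002   Q [0001   D   NOERROR] A      (5)eicar(3)org(0)",
    "12/21/2016 10:15:03 AM 0C04 PACKET  0000000002A4B5E0 UDP Snd 8.8.8.8      0002   Q [0001   D   NOERROR] A      (5)eicar(3)org(0)",
    "12/21/2016 10:15:04 AM 0C04 PACKET  0000000002A4B5E0 UDP Rcv 8.8.8.8      0002 R Q [8081   DR  NOERROR] A      (5)eicar(3)org(0)",
]

DNS_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+\w+\s+PACKET\s+\w+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\w+\s+(?P<resp>R\s+)?Q\s+\[[^\]]*\]\s+(?P<qtype>\w+)\s+(?P<name>\S+)$"
)


def decode_name(label_form):
    """Turn the debug log's length-prefixed labels into a plain hostname."""
    return re.sub(r"\(\d+\)", ".", label_form).strip(".").lower()


def parse_snort_alert(line):
    """Return (cnc_name, reported_source_ip) from the custom rule's message, or None."""
    m = re.search(r"resolve request for a \(([^)]+)\) from \(([^)]+)\)", line)
    return (m.group(1).lower(), m.group(2)) if m else None


def find_clients(cnc_name, dns_log_lines):
    """Clients that queried WIN-DNS for cnc_name, as (timestamp, client_ip) pairs.

    Only queries received by the server count (dir == Rcv and no response flag);
    the forwarded copy (Snd) and the upstream answer (R) are skipped, so the
    server's own forwarder traffic never shows up as a 'client'.
    """
    hits = []
    for line in dns_log_lines:
        m = DNS_LINE.match(line)
        if not m or m.group("resp") or m.group("dir") != "Rcv":
            continue
        if decode_name(m.group("name")) == cnc_name.lower():
            hits.append((m.group("ts"), m.group("ip")))
    return hits


def correlate(snort_line, dns_log_lines):
    """One log line per infected client, in a form a custom OSSIM plugin can parse."""
    parsed = parse_snort_alert(snort_line)
    if parsed is None:
        return []
    cnc, seen_from = parsed
    return [
        f"cnc_client: cnc={cnc} client={ip} query_time={ts} alerted_via={seen_from}"
        for ts, ip in find_clients(cnc, dns_log_lines)
    ]


if __name__ == "__main__":
    for line in correlate(SNORT_ALERT, DNS_LOG):
        print(line)
```

Run stand-alone it prints a single cnc_client line naming 10.0.1.35, even though the Snort alert only ever mentions 10.0.1.36. Two things matter in production: search only the seconds before the alert (a name the whole company resolved last week is not evidence), and expect more than one hit when several hosts are infected, which is why the script emits one line per client rather than a single answer.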
So the security admin knows which PC is infected the moment it starts to communicate with the C&C, without manually browsing through tons of logs.

The lab environment

To test this case I built the following environment (shown in Fig. 1):

- A Linux PC acting as the gateway to the Internet with Snort on board (10.0.1.37, LIN-GW);
- A DNS server on Windows 2008 R2 (10.0.1.36, WIN-DNS);
- OSSIM server (10.0.1.34, OSSIM);
- Client PC (10.0.1.35, WIN-PC).

Fig. 1 – Lab Environment

How it works (in detail)

In my lab I did not infect the client PC with any malware. To test this case I added a Snort signature that alerts whenever it catches a DNS request to resolve eicar.org. To test it I will issue the "nslookup eicar.org" command from the client PC (WIN-PC). This setup works in the following way (see Fig. 2):

1. WIN-PC sends a DNS request for eicar.org to WIN-DNS;
2. WIN-DNS forwards this DNS request to the DNS server on the Internet;
3. The request gets intercepted by Snort running on LIN-GW;
4. Snort creates an alert: Discovered resolve request for a (eicar.org) from (10.0.1.36). Note that 10.0.1.36 is WIN-DNS, so the alert names the DNS server rather than the client;
5. The Snort alert is received by OSSIM via syslog and parsed by a custom plugin (or you may be able to use a built-in one);
6. A directive is triggered for this Snort alert on OSSIM/USM, and that directive is included in a policy;
7. The action used in the policy executes a Python script and passes the

(AlienVault Blog, published 2016-12-21T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/247168218/0/alienvault-blogs~Tracking-an-Infected-Host-Using-OSSIM-USM-with-Customization. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=277760)

Ransomware: Hype and Prevention Strategies

Conduct periodic end-user security training: since ransomware infections spread primarily through spam networks and via phishing attacks including attachments, conducting end-user security training with employees is a particularly effective strategy to prevent them from clicking on fake and
phishing emails pretending to come from legitimate and known contacts. The act of clicking on attachments can cause a domino effect, where the malware spreads through the network and encrypts the documents it finds. Addressing the human factor in malware infections is the single most important preventive action an organization can take.

Obviously not all risk from users' actions can be prevented. A system-compromising action will happen eventually. With this in mind, an organization's security posture needs to be resilient: it needs compensating controls that prevent the infection and the spread of the malware. Vulnerability and patch management are the security disciplines that help tremendously in this area. Identifying and remediating critical vulnerabilities not only in operating systems (like Windows) but also in applications, such as Microsoft Office, Adobe Acrobat and Flash, and Java, can stop the original exploit used by ransomware from working, and thus prevent the downloader from fetching the ransomware from the attacker's server. Again, the last and most difficult frontier of vulnerability management is the application arena.

Most of the ransomware found in the wild arrives as a Microsoft Office document whose macro, once the user enables it, downloads and runs the payload with that user's own privileges, not elevated ones; no software vulnerability is needed, only a click on "Enable Content". Simply disabling macros across the Microsoft Office suite of applications can often do the trick at stopping ransomware from getting a foothold. Another strategy could be using the Microsoft Office viewers, which do not include macro functionality, to open attached documents. With macros disabled, the trick ransomware uses to install itself and spread is no longer effective.
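Disabling macros is an endpoint control; the same signal can be checked at the mail gateway before the attachment reaches a mailbox, which also covers the warning in the Head of IT note earlier on this page about attachments that ask you to "enable something". The following is an added example, not code from the article: it inspects an Office attachment for the two things that mark a macro-enabled OOXML file (a vbaProject.bin part and a macroEnabled content type) and flags legacy OLE binaries for a deeper look. The sample documents are built in memory and are constructed, not real attachments; the OLE branch only identifies the format, on the assumption that a tool such as oletools' olevba is available on the gateway to extract VBA from those.

```python
import io
import zipfile

# Content types Office assigns to macro-enabled OOXML packages (.docm, .xlsm, .pptm).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_WORD_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_file(data):
    """Classify an attachment: {'format': ..., 'has_macros': True/False/None, 'reasons': [...]}.

    has_macros is None for legacy OLE files: their VBA lives in OLE streams that
    this example does not parse, so they are flagged for inspection instead.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "ole2", "has_macros": None,
                "reasons": ["legacy binary Office format; inspect VBA streams before delivery"]}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_macros": False, "reasons": []}

    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # The VBA project part is where the macro code itself is stored.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"VBA project part present: {name}")
        # The content-type map is what tells Office the document is macro-enabled.
        if "[Content_Types].xml" in names:
            content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            for ctype in MACRO_CONTENT_TYPES:
                if ctype in content_types:
                    reasons.append(f"macro-enabled content type: {ctype}")
    return {"format": "ooxml", "has_macros": bool(reasons), "reasons": reasons}


def build_sample_docx(with_macro):
    """Constructed minimal Word package (not a real document) used for the demonstration."""
    main_type = MACRO_CONTENT_TYPES[0] if with_macro else PLAIN_WORD_CONTENT_TYPE
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types_xml)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00placeholder VBA project bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample_docx(True)),
                          ("plain", build_sample_docx(False))):
        print(label, inspect_office_file(sample))
```

The check keys on the package contents rather than the file extension, so renaming a .docm to .docx does not hide the VBA project from it. On the endpoint side, the matching control in Office 2016 is the Group Policy setting "Block macros from running in Office files from the Internet", which stops exactly the mail-borne case this article is about while leaving internally produced macro documents alone.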
Often times the infection through a Microsoft Office vulnerability or macro launch

(AlienVault Blog, published 2016-12-19T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/246108082/0/alienvault-blogs~Ransomware-Hype-and-Prevention-Strategies. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=276610)

2016 Recap from the Alien Eye in the Sky

- Adult Friend Finder
- Fling
- Mate1
- Shadi.com
- Muslim Match

Password re-use attacks

- Carbonite
- Netflix
- GoToMyPC
- Reddit
- TeamViewer
- Camelot
- Deliveroo
- KFC

Healthcare

- Banner Health, which impacted 3.7m patients
- Turkish state hospitals, 10m patients
- Queen Mary Hospital in Hong Kong saw 3,600 records accessed
- Al Zahra Private Medical Centre in the UAE had 4,600 records accessed
- Specialist healthcare providers such as the New Jersey Spine Centre, and the

(AlienVault Blog, published 2016-12-16T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/244750874/0/alienvault-blogs~Recap-from-the-Alien-Eye-in-the-Sky. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=275836)

Hybrid Cloud Security, Part One: Familiar Threats in an Unfamiliar Territory

An IDC report predicted that cloud adoption in organizations will grow 45% by 2018. This prediction is not lost on cyber-attackers, who are constantly adapting their attack methods and devising new ways to target threat surfaces and vulnerabilities in the cloud. To deal with security challenges in the cloud as you do (or should do) in your on-premises environments, you must consider how the threat landscape changes as you move from the data center to the cloud. You must also consider the security resources provided by cloud service providers and how they can augment your own security tools and measures to deliver complete hybrid cloud security.
In this blog series, we will explore the security challenges that impact cloud and hybrid cloud infrastructure environments, and discuss the best methods of detecting them. The series will cover three main areas of focus:

- Part One: How security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments
- Part Two: New security challenges that are introduced by cloud environments
- Part Three: Best practices for securing your hybrid cloud environment

Cloud Security Is a Shared Responsibility

Any discussion of hybrid cloud security requires a fundamental understanding of the shared responsibility model and how it applies to cloud infrastructure as a service (IaaS). In short, under the shared responsibility model the cloud service provider (CSP) is responsible for the security of the cloud itself: the physical security of its data centers, from building access to the securing of network and server hardware, and the hypervisor hosting the virtual machines. The customer is responsible for security in the cloud: the operating systems, applications and data running in their cloud accounts, along with the identities, access keys and network rules that govern them.

While you are responsible for securing anything that you deploy on the cloud, cloud service providers have a shared interest in your security and provide services to help you implement security best practices for controlling access and limiting network exposure. In fact, many cloud services provide a level of visibility into the cloud environment that IT managers can only dream of for their on-premises infrastructure. Cloud service providers supply tools to help you better defend your virtual environments. For example, leveraging cloud-native logging and monitoring capabilities like AWS CloudTrail, which records every API call made in the account together with who made it and from where, lets you see the actions taken by both legitimate users and bad actors operating in your cloud environment.
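What "seeing the actions of legitimate users and bad actors" looks like in practice, as an added example that is not from the article: a small rule set run over CloudTrail records. The records below are constructed to follow CloudTrail's record layout (the account id 123456789012 and the 203.0.113.x addresses are documentation values, not real ones); the three rules, a root console sign-in without MFA, tampering with the trail itself, and a security group opened to the whole Internet, are the kind of checks a first pass at cloud monitoring would include.

```python
# Constructed CloudTrail records (an added sample, not from the article). The field
# layout follows CloudTrail's record format; the account id 123456789012 and the
# 203.0.113.x addresses are documentation values, not real ones.
SAMPLE_RECORDS = [
    {"eventTime": "2016-12-15T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-12-15T10:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instancesSet": {}}},
    {"eventTime": "2016-12-15T10:07:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-12-15T10:09:15Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2016-12-15T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]

# CloudTrail API calls that switch off or reshape the audit trail.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def root_login_without_mfa(ev):
    """Root credentials used at the console without a second factor."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("userIdentity", {}).get("type") == "Root"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_tampering(ev):
    """Anyone switching off or reshaping the audit trail is worth a look."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPERING_EVENTS)


def world_open_ingress(ev):
    """Security group rule that admits the whole Internet (IPv4 or IPv6)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4) or any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


RULES = [
    ("root_console_login_without_mfa", root_login_without_mfa),
    ("cloudtrail_tampering", trail_tampering),
    ("security_group_open_to_world", world_open_ingress),
]


def scan(records):
    """Run every rule over every record; one finding per (record, rule) match."""
    findings = []
    for ev in records:
        for rule_name, rule in RULES:
            if rule(ev):
                findings.append({
                    "rule": rule_name,
                    "time": ev.get("eventTime"),
                    "actor": ev.get("userIdentity", {}).get("arn"),
                    "source_ip": ev.get("sourceIPAddress"),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Run as is, it reports three findings and stays quiet about the two routine events. The point the article makes is visible in the output: the same identity, source address and sequence of calls (open SSH to the world, then stop logging) are on record for the attacker as they would be for an administrator, which is the visibility on-premises environments rarely give you.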
These services are designed to work in conjunction with your cloud-based security management tools. While many traditional security tools, such as firewalls, file integrity monitoring, and centralized logging, remain effective as you expand your perimeter and move data into the cloud, adding layers of security measures that are purpose-built for the cloud can help you better secure and monitor the full environment. We'll look at this more closely in part three of this series.

Common Attack Strategies and the Cloud

Cloud environments face many of the same security challenges as on-premises deployments, including familiar attack strategies. Many of the attack strategies that target on-premises infrastructure, such as code injection and cross-site scripting (XSS), persist in the cloud and are dealt with the same way: by fixing the application code first, with web application firewalls and proxy servers as an additional layer. However, attack strategies manifest in the cloud somewhat differently than in on-premises environments, thanks to the separation of security concerns in the cloud as well as the unique ar

(AlienVault Blog, published 2016-12-15T18:40:00+00:00. Feed item: http://feeds.feedblitz.com/~/246210806/0/alienvault-blogs~Hybrid-Cloud-Security-Part-One-Familiar-Threats-in-an-Unfamiliar-Territory. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=276612)

Money, Happiness, & Breaches: Views from Spiceworks IT Professionals

here. Some of the key findings are outlined below.

Speaking of Happiness

The skills shortage continues to be a problem felt by many in the field. One third of IT workers said that they are too stressed to take time off during the holiday season this year, and half of those who do will still spend that time worrying about work pressures. Additionally, over half of those surveyed (53%) believe that their colleagues are overstretched and overworked, and 41% report having unfilled vacancies in their teams for a month or more.
For the Love of Money

So what motivates those who work in IT to continue working in such a high-pressure environment? Surprisingly, money does not seem to be much of a consideration for IT professionals. In fact, only 40% of respondents cited salary as the most important reason for them to stay in their jobs, despite the high-stress nature of the work. Other reasons given were loyalty to their colleagues (40.7%), loyalty to their bosses (44.2%), and simply loving their jobs (68%).

Breached and Insecure

It's clear from the survey that workplace security procedures can take a back seat when the going gets tough. Over a third of respondents (37%) have allowed colleagues to bypass security controls or IT processes for work purposes. Of those, 54% would turn a blind eye if the people involved were higher up than them in the organization, while the others (46%) would apply this to any employee, believing that sometimes you have to turn a blind eye to let people do their work properly.

Conclusions

Workplace stress affects many IT and IT security professionals, and the burnout phenomenon is well documented. The stress isn't isolated to the workplace either, as it ends up having an impact on many professionals' personal lives as well, even during the holidays. Breaches and policy violations remain a tricky minefield for IT pros to navigate. While a certain degree of flexibility is undoubtedly needed at times, in allowing it security professionals unwittingly take on additional responsibility, a situation that can't be helpful to a workforce that largely believes it is already overworked.

Download the full report here.
(AlienVault Blog, published 2016-12-13T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/243163040/0/alienvault-blogs~Money-Happiness-amp-Breaches-Views-from-Spiceworks-IT-Professionals. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=272242)

Recent Attacks Demonstrate The Urgent Need For C-Suite Cybersecurity Expertise

A 2015 survey from the Ponemon Institute and Fidelis Cybersecurity highlights troubling data about the state of cybersecurity among corporate C-suite leadership. In their governance survey, they found that 76 percent of people surveyed indicated that their boards review or approve security strategies and incident response plans. However, only 41 percent of board members claim to have expertise in cybersecurity, while another 26 percent reported that they have minimal or no knowledge of cybersecurity.

The most recent large-scale cyber-attacks may serve as a wake-up call that makes boards rethink the need for security expertise. On October 21, attackers hit the Domain Name System (DNS) provider Dyn, disrupting a major component of the Internet's infrastructure and temporarily bringing down hundreds of websites, including Twitter, Reddit, PayPal, and Amazon Web Services. The outage was the result of a Distributed Denial of Service (DDoS) attack. A DDoS attack floods a target with more traffic than it can handle, so that legitimate requests can no longer be served. The Dyn attack was estimated at up to 1.2 terabits per second (roughly 150 gigabytes every second), introducing an entirely new scale of attack. Perhaps the most interesting (and frightening) aspect of the Dyn attack was that it leveraged Internet of Things devices. Dyn determined that at least some of the attack traffic came from common devices such as home routers, webcams and digital video recorders infected with the Mirai malware. In our evolving digital world, anything and everything is likely to be connected.
The rapid proliferation of Internet of Things (IoT) devices (Cisco predicts 50 billion devices by 2020) implies that future DDoS attacks will likely become much more prevalent and disruptive. A report from application delivery firm Incapsula found that an unmitigated distributed denial-of-service attack costs a company an average of $40,000 an hour. But it is not just DDoS threats that are cause for concern: malware, phishing, ransomware, and malicious actions from insider threats have run rampant, and companies are often easy targets, offering low-hanging fruit for attackers.

Currently, ransomware, which is spread mostly via phishing, is the top threat to companies in both the public and private sectors. Ransomware encrypts the files on a computer, and on every network share it can reach, and holds them hostage until a payment, usually in cryptocurrency, is received. Ransomware is not a new threat (it has been around for at least 15 years) but it has become a trending one. Last year, the FBI reported more than 2,500 incidents of ransomware cyber-attacks. Indeed, breaches in all industries are on the rise from a variety of types of digital incursions. This is evidenced by the spate of high-profile breaches over the past few years: Target, Home Depot, Anthem, the OPM and many others. In fact, it is estimated that more than 40% of all corporations suffered a breach during the past year.
According to the latest data breach co

(AlienVault Blog, published 2016-12-12T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/242650684/0/alienvault-blogs~Recent-Attacks-Demonstrate-The-Urgent-Need-For-CSuite-Cybersecurity-Expertise. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=270983)

Eye In The Sky: 9th December 2016

- https://www.grahamcluley.com/couple-sues-toyota-dealership-for-stealing-intimate-photo-off-smartphone/
- Nice security matrix about Office macros: http://www.asd.gov.au/publications/protect/Microsoft_Office_Macro_Security.pdf
- Counterproductive security behaviors that must end: https://speakerdeck.com/chriseng/time-to-grow-up-counterproductive-security-behaviors-that-must-end
- How HMRC combats phishing by using DMARC: https://hmrcdigital.blog.gov.uk/2016/11/25/combatting-phishing-a-very-big-milestone/
- How publishers are defeating ad blockers and how ad blockers are fighting back: http://blog.bugreplay.com/post/153861574674/fkadblock-how-publishers-are-defeating-ad
- Fake US embassy in Accra, Ghana, staffed by Turks, flew an American flag and issued fraudulent visas for $6,000: http://www.state.gov/m/ds/rls/263916.htm
- Did someone put you in the TO: instead of the BCC:? Do this: https://www.hiddentext.co.uk/to-not-bcc/

(AlienVault Blog, published 2016-12-09T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/241164824/0/alienvault-blogs~Eye-In-The-Sky-th-December. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=270204)

New Banking Cybersecurity Regulations Are Coming

A regulation proposed by the New York State Department of Financial Services (DFS) will impose rigorous cybersecurity requirements on financial service providers in New York. Organizations affected by these regulations include banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers.
These so-called "Covered Entities" will be required to annually prepare and submit to the State Superintendent a Certification of Compliance with the new cybersecurity regulation, starting January 15, 2018. This regulation was purposely designed so that it could act as a template to simplify the implementation of similar regulation in other states, which seems a likely scenario. In today's blog, we'll outline what the new regulation means for NY-based financial institutions, offer tips for implementation, and show you how AlienVault® can help companies achieve compliance.

What does this mean for NY-based financial institutions?

To comply with the new regulation, in-scope organizations will need to implement a number of security measures and controls, such as:

- Establish a cybersecurity program;
- Adopt a written cybersecurity policy;
- Designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing the new program and policy, as well as establishing reporting requirements; and
- Implement a number of additional requirements.

What does this mean from a practical perspective? If you don't already have the required security tools and controls in place, your organization will need to implement a number of new security controls, policies, and procedures. You will also need to demonstrate your compliance with the new regulation. How much you need to do will depend on whether you already have good security hygiene. For organizations that have invested in their security infrastructure, meeting the requirements of this new regulation should be no problem. For those that haven't, however, you'll have to loosen the purse strings. The time has come to pay the piper and get those security controls in place.

Here are some tips for implementing the key requirements outlined in the regulation:

Section 500.02 covers the establishment of a cybersecurity program.
Key tips to implement:

First and foremost, you will need to have a good threat detection tool in place. Malicious actors are pretty good at getting in, so the key is to detect them quickly. Look for tools that utilize multiple security monitoring techniques and capabilities, and can easily integrate with other security tools.

Second, you will need a tool that enables you to respond to events quickly. As soon as you're able to identify a malicious actor in your system, you need to be able to get rid of them before they get what they came for.

Third, you will need to implement strong policies and procedures. Consider the old security mantra: "people, process, technology". Having strong policies and procedures will help ensure that you are prepared to respond when an incident happens.

Finally, you will need a tool that supports compliance with the major financial regulatory requirements, including FFIEC guidance, the Gramm-Leach-Bliley Act (GLBA), and FDIC requirements.

Section 500.03 covers the implementation of a written cybersecurity policy which establishes policies and procedures for the protection of your systems and information.
Key tips to implement: You will need to have

(AlienVault Blog, published 2016-12-07T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/239920654/0/alienvault-blogs~New-Banking-Cybersecurity-Regulations-Are-Coming. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=268142)

Alien Eye In The Sky - December 2, 2016

- http://www.technewsworld.com/story/Facebook-Denies-Ransomware-Infiltration-84115.html
- San Francisco Municipal Transport agency gets hit by ransomware: http://www.itbusinessedge.com/blogs/data-security/san-francisco-muni-ransomware-attack-should-be-a-warning-to-critical-infrastructure.html
- National Lottery accounts breached: http://www.bbc.co.uk/news/technology-38155710

Other interesting stories

- PhishLulz is a Ruby toolset aimed at automating phishing activities: https://github.com/antisnatchor/phishlulz
- Syscall auditing at scale: https://slack.engineering/syscall-auditing-at-scale-e6a3ca8ac1b8#.3h0v8zfmr
- EU General Data Protection Regulation FAQs: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/
- Security operations centre (SOC) buyers guide: https://www.ncsc.gov.uk/guidance/security-operations-centre-soc-buyers-guide
- InPage zero-day exploit used to attack financial institutions in Asia: https://securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/
- Generate a geolocation map using Wireshark: http://www.kalitut.com/2016/11/geoip-map-wireshark.html
- Brief lessons on handling huge traffic spikes: https://www.troyhunt.com/brief-lessons-on-handling-huge-traffic-spikes/
- WiFi frequency hacker: https://github.com/singe/wifi-frequency-hacker

(AlienVault Blog, published 2016-12-02T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/237348432/0/alienvault-blogs~Alien-Eye-In-The-Sky-December. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=266148)

Using Open Threat Exchange (OTX) to Investigate Anomalous Requests

AlienVault's Open Threat Exchange (OTX) is a fantastic tool to help you determine whether some observed behaviour is malicious or not. In this article, we explore how malware can be detected on an old Windows XP client (believe it or not, they still exist on legacy networks) and how OTX data clinches the case in determining whether the anomalous behaviour is malicious.

Scenario: DNS logs show some anomalous and apparently random requests being made by a particular client, requests which never resolve to an IP. An analyst is tasked with determining whether the client is infected and is risky enough to be shut down and wiped. (P.S. This was a real scenario.)

Below we follow the steps that the analyst took to determine this:

1. Windows by default comes with the "DNS Client" service (service name Dnscache). This service caches DNS answers where possible; otherwise it makes DNS requests on behalf of other programs. This interferes with the investigation, since all DNS requests will appear to come from this service (running inside "svchost.exe") rather than from the actual program. So we first disable the DNS Client service, so that all DNS lookups are performed directly by the requesting program, allowing us to trace them.

2. Next, we download Process Monitor (procmon.exe) from Windows Sysinternals and monitor all DNS connections. This is done by adding a new filter (its parameters were shown in a screenshot in the original post) so that the program displays only DNS requests. In this case, "winlogon.exe" popped up as soon as the random DNS request was made. Tip: install Wireshark on the PC under investigation and filter for DNS to know exactly when a request was made.

3. We opened Process Explorer from Sysinternals and checked the TCP/IP connections that the "winlogon.exe" program is making.
We immediately notice something odd about the top connection: why would the logon process be making a remote connection to an HTTPS server that isn't in our domain?

4. To investigate further, we next run "netstat -nao" to find other anomalous established connections. We can now match the connections being made to the program with their PID (those are the red lines drawn on the figure above), enabling us to identify that "winlogon.exe" and "regsvr32.exe" are anomalous.

At this stage, the question as to whether the process is malicious has still not been completely answered. The process is definitely acting in a strange manner; however, there is still a possibility that these IPs are legitimate. This is a common problem encountered when an investigator is not familiar with the environment. At this point in our investigation, OTX comes in for the win. Using OTX data, we can check the IPs that the programs above are communicating with. OTX performs several

(AlienVault Blog, published 2016-11-30T14:00:00+00:00. Feed item: http://feeds.feedblitz.com/~/236142364/0/alienvault-blogs~Using-Open-Threat-Exchange-OTX-to-Investigate-Anomalous-Requests. Aggregator page: www.secnews.physaphae.fr/article.php?IdArticle=263211)

Azure Security Best Practices

Azure has seen rising adoption in the past year. You may be contemplating moving workloads to Azure, particularly if you are a Microsoft shop. But like most organizations moving to the cloud, you are probably concerned about the security of your Azure environment. In this blog, we will detail some Azure security best practices, and what you should be doing as you make the move to the Azure cloud. At the outset, you should understand that security in Azure is based on the shared security model, similar to other cloud platform providers. This means that while Azure is responsible for securing its infrastructure, you are responsible for securing your applications and workloads running in Azure.
If you think about the cloud continuum going from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) to Software as a Service (SaaS), the provider takes on more of the security controls as you move toward SaaS and you take on fewer; at the IaaS end, where your Azure virtual machines live, the operating system, the applications, the data and the access to them all remain your responsibility. Therefore, you will need to follow cloud security best practices in Azure, including proper scanning, monitoring, and access control. We will dig into these Azure security best practices, and break them down as follows:

1. Establish secure access control and account management policies
2. Configure your Azure virtual machines with security in mind
3. Scan your Azure virtual systems regularly for vulnerabilities
4. Monitor your environment for inappropriate or suspicious use
5. Apply continuously updated threat intelligence to find new and emerging threats

1. Establish secure access control and account management policies

Your Azure account holds the keys to your kingdom. It is extremely important to apply the appropriate security to this account to ensure that your environment is protected. To do this you will need to start by setting up your Azure account properly, following the guidelines that Microsoft provides. You will need to answer one key question: who in your organization needs access? As a best practice, you should limit access to only those individuals who require it. When access is given to too many people, the security of the account is put at greater risk. So, protect it! To help further protect your Azure accounts, Microsoft allows you to add multi-factor authentication to all accounts. Make sure you implement this, particularly for administrators and other privileged users. After you have set up your account and your virtual machines (VMs), one of the most important things you can do is to have strong account security and access control policies in place. Central to this is following strong password management practices.
Also, good credential management is critical, which is a function of access control. Key to all security strategies, particularly in the cloud, is your organization’s ability to control access to your systems. And access control depends on the proper use of credentials to validate users and applications.]]> 2016-11-29T14:00:00+00:00 http://feeds.feedblitz.com/~/235572048/0/alienvault-blogs~Azure-Security-Best-Practices www.secnews.physaphae.fr/article.php?IdArticle=262618 False Guideline None None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Alien Eye in the Sky 18th November 2016 http://www.bbc.co.uk/news/technology-37896273 AdultFriendFinder hacked http://arstechnica.co.uk/security/2016/11/adultfriendfinder-hacked-exposes-400-million-hookup-users/ Facebook buying stolen passwords http://www.itpro.co.uk/security/27565/facebook-is-buying-stolen-passwords-from-dark-web IP Bill set to become law http://www.scmagazineuk.com/the-investigatory-powers-bill-is-now-set-to-become-law/article/573616/ Other interesting stories Cyber Security Challenge UK crowns youngest ever champion http://www.scmagazineuk.com/cyber-security-challenge-uk-crowns-youngest-ever-champion/article/571063/ GCHQ wants internet providers to rewrite systems to block hackers http://www.telegraph.co.uk/technology/2016/11/05/gchq-wants-internet-providers-to-rewrite-systems-to-block-hacker/ Researchers' Belkin home automation hacks show IoT risks http://www.databreachtoday.com/researchers-belkin-home-automation-hacks-show-iot-risks-a-9500 UK halts Facebook's WhatsApp data dip http://www.bbc.co.uk/news/technology-37896935 Data cleanliness and patch verification https://www.liquidmatrix.org/blog/2016/11/10/data-cleanliness-patch-verification/ A Cybercrime report template https://bartblaze.blogspot.co.uk/2016/11/cybercrime-report-template.html Smart light bulb worm hops from lamp to lamp http://www.infosecurity-magazine.com/news/smart-light-bulb-worm-hops-from/    ]]> 
2016-11-17T16:41:00+00:00 http://feeds.feedblitz.com/~/228122096/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-November www.secnews.physaphae.fr/article.php?IdArticle=257058

IoT: Usability Dream or Privacy Nightmare?

Probably the best £100 I've ever spent was on a Nest Protect. It's awesome. In a nutshell, it's a Wi-Fi enabled smoke and carbon dioxide detector. My "dumb" one worked just as well, but this one has a number of key advantages. Firstly, it lets me know when my batteries are running low. It also means that I can check on the safety of my home from literally anywhere in the world. I could be on a beach in Bali, or at a conference in California. It really doesn't matter. I know it sounds a bit trivial, but I'm a dad. This kind of thing is important to me. But I also recognize that there's another side to the convenient world of the Internet of Things (IoT), which is responsible for some serious security issues.

Attack of the toasters!

So, why is your internet-connected widget a security threat? Well, it comes down to design. The way we create "Internet of Things" and "smart home" appliances is fundamentally flawed. As we saw with the Mirai botnet, many devices come poorly secured by default. This makes them an enticing target for attackers, and has led to people's security cameras and alarms becoming spambots and botnets. There's also the issue of obsolescence. While you might only replace your smoke alarm once every twenty years, it's unreasonable to expect a technology company to support a product for this long. It's not out of the question for an attacker to identify a vulnerability in a popular but long-abandoned smart home product. Just imagine what the Windows XP of IoT will look like. It isn't pretty.

But when devices aren't being used to attack, it's possible for the devices themselves to be attacked. As IoT devices from a particular manufacturer reach a critical mass, they become enticing targets to hackers. We have seen various attacks that target the computer systems found in modern cars. There's also the potential for ransomware to be placed on household items. Earlier this year Andrew Tierney and Ken Munro, two British security researchers with Pen Test Partners, demonstrated the first variant for a smart thermostat at the Def Con conference. Imagine what it would be like if your home's central heating was hijacked unless you paid an attacker one bitcoin. To incentivize you to pay up, the attacker might crank your heat up to 30° Celsius in the middle of summer, or turn it off entirely in the dead of winter.

Insecure IoT and smart home devices also present a troubling threat to our collective privacy, and make it easier for an attacker to collect intelligence about us. Most devices provide at least two pieces of information: a status and a location. With these two bits of information, an attacker can infer many things about a potential target. For example, knowing the location and status of a Loxone security system could tell a burglar if their mark is at home. It's ironic. The tools we depend on to prevent things like this happening could be the things that allow them to happen. IoT could also change the way people are "doxed". This used to be just addresses, passwords, phone numbers. But with the Internet of Things, an entire new dimension could be added containing information about how we eat, sleep, live, and love. This is

2016-11-16T14:00:00+00:00 http://feeds.feedblitz.com/~/226437970/0/alienvault-blogs~IoT-Usability-Dream-or-Privacy-Nightmare www.secnews.physaphae.fr/article.php?IdArticle=255451

Ransomware+: A New Shade of Evil

Ransomware is now the biggest cybersecurity threat: Danny Palmer asserts that ransomware has replaced the Advanced Persistent Threat (APT) as the most problematic cyber threat. He's not wrong. Ransomware has become a real problem. The FBI states that ransomware attacks have already cost victims $209 million, in just the first three months of this year. It is not unreasonable to assume the total amount paid could reach $1 billion by the end of 2016. Not a bad business if you are a criminal and enjoy ripping people off.

For those not familiar with ransomware, it's important to understand what ransomware is, how it works, and how to defend yourself against it. Knowing this will help you understand a well-known variant of ransomware called Shade and how the recent updates made to it change the nature of the ransomware game for the worse.

Ransomware is a form of malware that gets installed on a computer and prevents the user from accessing the computer itself or the files on the computer until some kind of payment to the malefactors is made. There are hundreds of different ransomware variants, including some of the well-known variants that have made it into the news, such as Cryptowall, Cryptolocker, Reveton, JIGSAW, TeslaCrypt, Cerber, SDLocker, Torrentlocker, Shade, and even more recently ShinoLocker. The specific techniques used by these ransomware variants differ, but they all act with a single end goal in mind: to take your money! Some of the older, immature ransomware variants will simply pop up a message and scare the user into thinking that the system is truly compromised.
Other, more sophisticated ransomware variants will actually utilize public key encryption tools to encrypt the files on the system and prevent the user from accessing them, the operating system, and sometimes the entire hard drive.

Ransomware is most often distributed to a victim's computer using two commonly utilized methods:

(1) Phishing messages. This is the most common method of compromise. Malefactors send emails and other spam to get an unsuspecting end-user to download and open an attachment. This is not terribly sophisticated, but it works well. Users need to be educated about phishing emails, even from what may look like a trusted source (friends and family) that may have been compromised already. Continual diligence and suspicion are not a bad way to look at every email, especially those with attachments that could contain a malicious payload. Of course, users are users. They make mistakes. In this case, a mistake can lead to a ransomware infection.

(2) Exploit kits. This delivery mechanism is far more dangerous and can impact even the most diligent of users. This type of delivery happens when a user unwittingly visits a web site that has been compromised. Sometimes referred to as a "drive-by" attack, the web site has malicious code (the exploit kit) that runs on the victim's computer and downloads the ransomware directly to the user's machine. The user does not know this has happened, even as they continue to browse other web sites.

Once the ransomware gets installed it is very difficult to remove, and it can easily spread throughout an entire organization if not put in check. Once installed and active, the malware communicates with its command and control (C&C) server to get instructions. In many cases, this communication is detectable with the right tools. The ransomware also informs the user that the system is compromised and then typically requires the user to pay the malefactor to unlo

2016-11-15T14:00:00+00:00 http://feeds.feedblitz.com/~/225859882/0/alienvault-blogs~Ransomware-A-New-Shade-of-Evil www.secnews.physaphae.fr/article.php?IdArticle=254586

Positive Password Psychology

2016-11-14T14:00:00+00:00 http://feeds.feedblitz.com/~/225278612/0/alienvault-blogs~Positive-Password-Psychology www.secnews.physaphae.fr/article.php?IdArticle=253707

Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Parts 18 - 20

Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
Part 3 - we looked at Secure Configurations.
Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
Part 5 - we looked at Malware Defenses.
Part 6 - we looked at Application Security.
Part 7 - we looked at Wireless Access Control.
Part 8/9 - we looked at Data Recovery and Security Training.
Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches, and Limitation and Control of Network Ports, Protocols and Services.
Part 12 - we looked at Controlled Use of Administrative Privileges.
Part 13 - we looked at Boundary Defense.
Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.
Part 15 - we looked at Controlled Access Based on the Need to Know.
Part 16 - we looked at Account Monitoring a

2016-11-10T14:00:00+00:00 http://feeds.feedblitz.com/~/222982910/0/alienvault-blogs~Free-and-Commercial-Tools-to-Implement-the-Center-for-Internet-Security-CIS-Security-Controls-Parts www.secnews.physaphae.fr/article.php?IdArticle=252072

SpiceWorld 2016 Rocked Out With Aliens!

AlienVault USM, our small business bundles and Security as a Service offerings. SpiceWorld 2016 was another great opportunity to get valuable feedback from the Spiceworks community. We had an awesome time meeting so many SpiceHeads who we interact with every day in the community. One of our favorite SpiceHeads and a part of our VIP Alien Squad, Danny Santiago, stopped by to hang out with us! Of course, SpiceWorld wouldn't be complete without a celebrity spotting of Spice Rex hanging out at our booth!

We had an amazing turnout, with standing room only for our speaking session: BINGO, Bacon and Bad Guys! Several lucky winners went home with cash prizes, swag bags and yummy bacon we were cooking up while presenting! Our team had a great time serving up cosmic margaritas and handing out fun swag like our light-up sunglasses and koozies! We look forward to meeting more and more SpiceHeads in the community! Search for our vendor page in Spiceworks and follow us to join in the fun and win some of the fun Alien swag we like to promote!
2016-11-08T14:00:00+00:00 http://feeds.feedblitz.com/~/221733036/0/alienvault-blogs~SpiceWorld-Rocked-Out-With-Aliens www.secnews.physaphae.fr/article.php?IdArticle=250257

Alien Eye in the Sky 4th November

http://www.theregister.co.uk/2016/10/24/chinese_firm_recalls_webcams_over_mirai_botnet_infection_ddos_woes/
http://www.bbc.co.uk/news/technology-37761868
https://www.veracode.com/blog/managing-appsec/do-you-use-open-source-components-find-out-what-our-latest-research-reveals
https://www.ft.com/content/ed9ff168-9b03-11e6-8f9b-70e3cabccfae (may require subscription to read)
https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Other interesting links
Independent researchers have confirmed MedSec's findings, including hack to zap someone's heart: http://medsec.com/stj_expert_witness_report.pdf
Surveillance Evasion: https://protectioncircle.org/2016/06/14/surveillance-evasion/
15 hacker kids under 15: http://passcode.csmonitor.com/HackerKids
Is Ireland ready to police the data world? https://www.siliconrepublic.com/enterprise/data-police-ireland
Silicon Valley decides it's just too hard to build a car: https://www.bloomberg.com/news/articles/2016-10-25/bill-ford-to-silicon-valley-the-future-of-cars-is-in-detroit?utm_content=business&cmpid=socialflow-twitter-business&utm_campaign=socialflow-organic&utm_source=twitter&utm_medium=social
Guide to automatic security updates for PHP developers: https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers
Dyn analysis summary of October 21st attack: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Mozilla no longer accepts audits carried out by Ernst & Young: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
The difference between SecDevOps and Rugged DevOps: https://securosis.com/blog/the-difference-between-secdevops-and-rugged-devops
Crack WPA/WPA2 Wifi Password Without Dictionary/Brute Force Attack using Fluxion

2016-11-04T11:59:00+00:00 http://feeds.feedblitz.com/~/220257558/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-November www.secnews.physaphae.fr/article.php?IdArticle=248157

Understanding the Mirai Threat on IoT - Open Letter to Manufacturers

blog that got posted last weekend on Mirai, then thought perhaps I should compose an open letter to IoT manufacturers. I made this short video to explain. Stay safe, consumers of IoT!

2016-11-01T13:00:00+00:00 http://feeds.feedblitz.com/~/219059974/0/alienvault-blogs~Understanding-the-Mirai-Threat-on-IoT-Open-Letter-to-Manufacturers www.secnews.physaphae.fr/article.php?IdArticle=240656

Common Types of Malware, 2016 Update

Cyber Security Awareness Month, we thought we'd talk about common types of malware, and let you know about some emerging threats in the security landscape. We continuously strive to 'arm' our readers with the latest information about new attack methods and techniques so that they can be ready to make informed decisions about how to best protect their environments.

Malware, short for malicious software, is basically any software on a system that is not installed intentionally by the user or administrator. Malware behavior can range from a simple annoyance, like causing advertising to pop up, to actions which are much more damaging, like stealing passwords and data or infecting other machines on the network.

According to Verizon's 2016 Data Breach Investigations Report (DBIR), the nine major security incident classification categories are: web application attacks, point-of-sale intrusions, insider and privilege misuse, miscellaneous errors, physical theft and loss, crimeware, payment card skimmers, cyber-espionage, and denial of service attacks. The 2016 report analyzed 64,199 incidents, of which 2,260 were data breaches. Financial gain was far and away the most common motivation for attacks, with 89% of breaches having a financial or espionage motive. Malware was involved in the vast majority of these attacks. With malware playing such a significant role in breaches, knowing how to detect infections can be very valuable, especially for incident responders.
There are many different types of malware in the threat landscape, and in this blog we'll discuss their characteristics, infection methods and potential impact. Although new types of malware are constantly under development, they will generally fall under a few broad categories:

Viruses & Worms

virus, which consists of harmful programs designed to infect legitimate software programs. Once a person installs and runs the infected program, the virus activates and spreads itself to other programs installed on the computer before taking further malicious action like deleting critical files within the operating system. Similarly, worms are stand-alone programs that are able to transmit themselves across a network directly. Unlike a computer virus, a worm does not need to attach itself to an existing program. However, both worms and viruses can cause severe damage to systems because they are able to exploit shared files and databases.

Trojans

Another common type of malware is a Trojan Horse. Similar to the Greek myth, Trojans present themselves as harmless, useful gifts in order to persuade victims to install them on their computers. While Trojans typically appear to be regular software, they are often bundled with other software that can introduce backdoors allowing unauthorized access to your computer. Trojans do not attempt to inject themselves into other files or applications like computer viruses do; instead, they use tactics such as drive-by downloads or installing via online games in order to reach their targets. According to the 2016 DBIR, banking Trojans were a critical component in the majority of all crimeware incidents (e.g. Zeus, Dyre, and Dridex).

Shadyware, PUPs, Adware and Keyloggers

The next type of malware that we'

2016-10-27T13:00:00+00:00 http://feeds.feedblitz.com/~/217000082/0/alienvault-blogs~Common-Types-of-Malware-Update www.secnews.physaphae.fr/article.php?IdArticle=228721

Cleaning Up Before You Move On

Not only are your files available for restoration from the restore points shown in that window, but they are also probably stored on backup disks and possibly remote offline disks and tapes as well. If your data is stored in the cloud, there could be multiple backups in multiple locations around the world, depending on how your cloud architect and cloud administrator have chosen to configure backups. If deleted, all of the information you created on your company's systems is easily reconstructed just as it was prior to your departure.

Good luck on your next adventure! On your way out, be a dear and clean up your desk. Perhaps you can go the extra mile and grab a small hand vacuum and clean out the drawers, but don't waste your time trying to erase your digital existence, as it is an impossible task; it is all recoverable before your elevator reaches the lobby.

2016-10-26T13:00:00+00:00 http://feeds.feedblitz.com/~/216521738/0/alienvault-blogs~Cleaning-Up-Before-You-Move-On www.secnews.physaphae.fr/article.php?IdArticle=225532

The Mirai Botnet, Tip of the IoT Iceberg

sourced from XiongMai Technologies IoT equipment. IoT devices have proliferated at a rapid pace, and anyone that can take control of them can wield significant power. This power came into full display on September 20, 2016 when the Mirai botnet launched a record DDoS attack, estimated at around 620 Gbps in size, inevitably taking the Krebs on Security website offline. But this appears to be only the beginning of IoT-based attacks, as the source code for Mirai has been published online.

The IoT Security Challenge

The challenge with IoT devices is that not only are they often insecure by design, but they also lack the options to apply patches or upgrade. Enterprises deploying IoT devices may spend the time needed to change default credentials, place the devices in a segregated network zone, or otherwise harden their systems, but consumers are highly unlikely to implement any such measures.

Opening Pandora's Linux Box

With the Mirai source code published, and no plan in place to patch or otherwise protect vulnerable IoT devices, it was inevitable that the source code would be used for malicious purposes, or even out of curiosity. The AlienVault Labs team analysed the source code and developed signatures to detect Mirai activity. With the data in Open Threat Exchange (OTX), the team was able to see a significant spike in Mirai activity once the source code went live, both in terms of how many times the signature was hit and the number of affected devices.

Outlook

IoT device security has been spoken about, even joked about, for some time. IoT manufacturers have overwhelmingly chosen convenience and neglected to heed any of the security warnings. The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done. With no patching feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to consider architecting fundamental security principles into their designs, such as avoiding the use of default credentials. Until such time as IoT devices have secure options, these devices will feature prominently at the forefront of cyber security.
You can find IOCs related to the Mirai infrastructure in Open Threat Exchange.

2016-10-22T15:58:00+00:00 http://feeds.feedblitz.com/~/215001344/0/alienvault-blogs~The-Mirai-Botnet-Tip-of-the-IoT-Iceberg www.secnews.physaphae.fr/article.php?IdArticle=215636

Alien Eye In the Sky 21st October 2016

We've got the week's news covered for you.

In This Week's Episode
Nation State Threat Attribution
Mercedes autonomous cars
Stephen Hawking on AI
Banks failing to report hacks
Indian Bank debit card breach

Other Stories of Interest
Female speakers for your tech event
How hackers handle stolen login data
DFIR and Threat Hunting
The real reason shops want you to sign up for e-receipts
Intelligence Oversight and How It Can Fail
Salesforce's M&A Target List Excluded Twitter
Poor and/or reused passwords lead to Chinese spam flood on iMessage
Threat report: En Route with Sendit

2016-10-21T13:57:00+00:00 http://feeds.feedblitz.com/~/214490536/0/alienvault-blogs~Alien-Eye-In-the-Sky-st-October www.secnews.physaphae.fr/article.php?IdArticle=213325

The Emerging Trend of Gamification in Cybersecurity

For many years the defense and intelligence communities have relied upon a concept called gamification to test concepts, strategies, and potential outcomes in various scenarios via computer simulation. They have found that gamification heightens the interest of the players involved and serves as a stimulus for creativity and the interchange of ideas, which is vital for keeping an edge. As computers have become faster and more capable and data gathering abilities have grown exponentially, gamification has become a "go to" process for many involved in the security community.

The information and technology research firm Gartner defines gamification as "the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals". They note that gamification applies these ideas to motivate the audience to higher and more meaningful levels of engagement.

Recently, one of the global "Big Four" consulting firms, PwC, held a gamification exercise with its senior executives. They created a game that pitted defenders against attackers and simulated a cyber-attack built from real-life data from some of their clients. The mostly non-technical executives who participated were able to get a better grasp of how their actions impacted outcomes. Christian Arndt, a cybersecurity director at PwC, said the participants in the game were able to "develop a better knowledge of the threat actors, tools and techniques which could threaten their systems and data".

Gamification in cybersecurity for both the public and private sectors makes great sense for several reasons: 1) it creates an ability to discover gaps in the monitoring framework; 2) it can be a guiding element in allowing companies to best determine how they direct their resources toward mitigating vulnerabilities and threats; and 3) it helps address the workforce shortage and plugs the skills gap by cultivating a next generation of computer and video gamers.

The reality is that most workers in government and industry do not understand the basics of cybersecurity. Although there are mandatory training programs often mandated by policy, a quick test or refresher on cyber policies is not enough to create an awareness of the multitude of threats in an increasingly digital world. Gamifying the worker experience can enhance interest in the subject matter and also create a better understanding of how and why cybersecurity attacks occur. This makes sense especially in an environment where phishing has become a preferred hacker attack method. We have seen the implications of workers creating costly data breaches by opening malware in government agencies, hospitals, universities and especially corporations. Gamification can provide a better mechanism for training everyone on how to prevent and respond to the changing landscape of cybersecurity, and for educating people on methods, means, prevention, and who the probable adversaries are.

Most companies are learning the hard way that what they thought was secure is really not. Data breaches are an epidemic, and every year's intrusion reports outpace the previous year's. As a result of procrastination on cyber threats, corporate leadership has been playing catch-up by procuring IT security technologies, educating their boards about liability issues, and hiring cybersecurity talent. However, deciding how to best allocate resources, focus on specific industry threats, and design prevention and contingency plans is not an easy task. Gamification can be helpful in providing testing and simulation for a custom cybersecurity strategy while stimulating the workforce at the same time.

It is widely noted on almost a daily basis that the cybersecurity industry is facing major skilled worker shortages. Despite determined efforts in recruit

2016-10-20T13:00:00+00:00 http://feeds.feedblitz.com/~/214071554/0/alienvault-blogs~The-Emerging-Trend-of-Gamification-in-Cybersecurity www.secnews.physaphae.fr/article.php?IdArticle=210544

Seven Tips For Optimizing Security

1. Start with why

Unless you're running a security business, chances are security is just a function to support the business. Therefore, it is crucial to understand what the business is, what actually makes the money, and therefore what needs to be protected. Professionals understand what security is and how security is done, but do they really understand why?
A CIO at a drinks company was once asked what his job was; his response was, "My job is to help the company sell more beer." Think about what your security function is doing and whether it's helping your company sell more beer. A useful resource in this regard is a TED talk by Simon Sinek.

2. Simplify

Complexity is probably the single biggest contributor to security breaches. Given enough time, spreadsheets evolve into Frankenstein-esque systems running the core of a trading floor. Mergers and acquisitions bring together disparate systems, and security initiatives purchase layer upon layer of security products in the hope it will solve the problem. Simplifying systems is not an easy task, and neither is it one that the security team can do in isolation from the organization. But simplifying the security estate is a good starting point. Simply having more tools isn't the answer, and more data is useless without the ability to make sense of it.

3. Manage alerts

As attacks increase, from both external and internal sources, prevention is not enough; therefore threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming. The first step in managing alerts usually comes in the form of a Security Information and Event Management (SIEM) or similar correlation tool that can pull all the alerts into one platform. Then, with the help of correlation rules combined with knowledge of the environment such as assets and existing vulnerabilities, it can provide relevant information. Threat intelligence can also play a big part in managing alerts, by ensuring you are kept abreast of the latest threats that are relevant to your organization. Honeytokens can also help reduce noise in the environment. When implemented correctly, alerts generated by honeytokens are of high quality and can pinpoint malicious activity. Good system architecture can also help in managing and reducing alerts. For example, designing simple communication flows between components can help identify where traffic is behaving in a non-standard way, such as lateral movement by hackers within your system.

4. Leverage

2016-10-19T13:00:00+00:00 http://feeds.feedblitz.com/~/213628276/0/alienvault-blogs~Seven-Tips-For-Optimizing-Security www.secnews.physaphae.fr/article.php?IdArticle=210545

Seven Tips to Optimizing Security

2016-10-19T13:00:00+00:00 http://feeds.feedblitz.com/~/213628276/0/alienvault-blogs~Seven-Tips-to-Optimizing-Security www.secnews.physaphae.fr/article.php?IdArticle=207773

Vulnerability Scanning - Tip Tuesday for NCSAM

Knowing your assets, establishing acceptable baselines, and having reliable threat intelligence can all contribute to helping manage vulnerabilities.
2016-10-18T14:46:00+00:00 http://feeds.feedblitz.com/~/213247078/0/alienvault-blogs~Vulnerability-Scanning-Tip-Tuesday-for-NCSAM www.secnews.physaphae.fr/article.php?IdArticle=205622 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Overcoming Skill Gaps, Shortages, and Recruitment Challenges in InfoSec

Global Information Security Workforce Study (GISWS) by Frost & Sullivan for the (ISC)2 foundation, a shortfall of 1.5 million security professionals is forecast by 2020. These are large numbers, but it’s important to remember that skills shortages and surpluses aren’t unique to information security, so it’s useful to understand both the dynamics of the employment market as well as some things that organizations can do to reduce the impact that a skills shortage can have on them and their security teams. If we look more closely at what the “cyber security skills gap” covers, there are at least three broad areas which are worth defining, as they all have a part in contributing towards the current deficit that the industry is facing.

1. Skills Shortage: A skills shortage occurs when there simply aren’t enough workers who are qualified, available, and willing to work under the existing market conditions.

2. Skill Gap: A skill gap refers to a situation where employers are finding workers to employ, but those workers are considered under-skilled, lacking some of the skills that are needed in their positions. Another aspect of this could be that in today’s ever-evolving security market, a company’s existing workforce might prove to be under-skilled relative to a desired level or benchmark.

3. Recruitment Difficulties: These refer to situations where there is an ample supply of qualified candidates in the market, but employers are not able to fill their vacancies. This can be due to poor pay, non-standard working hours, or commuting challenges.
One thing to bear in mind is that the information security industry isn’t one homogeneous discipline; rather, it’s made up of many sub-disciplines. Using the medical field as an analogy, a lack of heart surgeons doesn’t necessarily equate to a lack of all doctors overall. Similarly, not all areas of information security have similar gaps, or indeed concerns. In the aforementioned (ISC)2 study, 72% of respondents were concerned about application vulnerabilities, with only 48% worried about cyber terrorism. With these factors in mind, there are a few things enterprises can do in order to minimise the chances or impact of information / cyber security skill shortages.

1. Outcome-based security

It’s easy for enterprises of all sizes to fall into the trap of wanting to implement security controls that they see others implementing. Often this takes the shape of adopting a standard such as ISO27001, or other ‘best practices’. Whilst this is a safe approach, it doesn’t take into account what an individual company’s requirements are with regards to the actual security risks it faces. By first formulating the security outcomes that a company requires in alignment with its business requirements, it can develop a more efficient and potentially leaner security organization that only deploys security controls and resources where most needed.

2. Closing Gaps

In some cases, a skills gap can be filled by personnel in other departments or areas of the organization. For example, while the production of a compliance report may be a security function, it doesn’t need to be executed by the security team itself. Similarly, enterprises should evaluate which security roles could be filled by providing additional training to existing non-security staff. Finally, at times, companies may need to get creative about how and from where they recruit people.
For example, offering the opportu

2016-10-17T13:00:00+00:00 http://feeds.feedblitz.com/~/212708778/0/alienvault-blogs~Overcoming-Skill-Gaps-Shortages-and-Recruitment-Challenges-in-InfoSec www.secnews.physaphae.fr/article.php?IdArticle=202715 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Alien Eye in the Sky 14th October 2016

We’ve got the week’s news covered for you.

Links to stories in the video:
The beginning of the end(point): where we are now and where we’ll be in five years
The strange way people perceive privacy online
Tesla responds to Chinese hack with a major security upgrade
Good cybersecurity can be good marketing
Cyber: Ignore the penetration testers

Other stories of interest:
When automated bots were primed to sell the UK Pound
The ethics and morality behind APT reports
Scott Helme went wardriving
Internet of things botnets – SSH just got real!
Lloyds combats call center fraudsters with new tech
F-Secure pens an open letter to businesses that block VPNs on their free WiFi
Sarah Clarke gives a perspective on GDPR, a personal and professional journey
Akamai finds longtime security flaw in 2 million devices.

2016-10-14T14:00:00+00:00 http://feeds.feedblitz.com/~/211348006/0/alienvault-blogs~Alien-Eye-in-the-Sky-th-October www.secnews.physaphae.fr/article.php?IdArticle=197404 False None Tesla None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Threat Intelligence Feed is for Horses

“Threat Intelligence Feed” is a horrible way to describe the effort, time and care that goes into the intelligence that powers our security programs. The people who are behind these 'Threat Intelligence Feeds' are some of the hardest working, brightest, most imaginative people we have. They spend hours crafting signatures, verifying reports, reversing malware, digging deeper to make sure that we can accurately detect the latest threats. How can we use the term feed for an effort like that?
To me, feed is sold by the pound and given to horses or pigs. It is the basest of commodities; it is the word we use when we can't even bring ourselves to call it "food". This is why AlienVault is powered by a Threat Intelligence Subscription. It is not the best term, but it is a small effort to recognize the effort made by the hard-working researchers who come to work every single day fighting a battle that will never end. What they produce is not available in a mercantile store; it is a premium offering, it is something to value, it is what makes our lives just a little bit easier as we strive for better security.

2016-10-13T13:00:00+00:00 http://feeds.feedblitz.com/~/210881752/0/alienvault-blogs~Threat-Intelligence-Feed-is-for-Horses www.secnews.physaphae.fr/article.php?IdArticle=195641 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Behavioral Monitoring - Tip Tuesday for NCSAM

During Week Two of National Cyber Awareness Month (NCSAM), our focus is on behavioral monitoring. Oftentimes, behavioral monitoring is uttered in the same sentence as big data analytics or algorithms, making it sound as if behavioral monitoring is a form of witchcraft. In many instances, behavioral monitoring can be undertaken with few resources in a simple way. Behavioral monitoring is more about understanding what constitutes normal or acceptable behavior. For example, it is normal, or expected, that many children will cry on their first day of school as their parents leave them alone for the first time. But after a few years, a child crying when dropped off at school is a less common occurrence, and such behavior warrants some investigation. Here's a video on behavioral monitoring with some examples. In monitoring terms, analysts can monitor certain aspects of the infrastructure in order to gain insight into normal behavior.
For example, service monitoring provides visibility into service uptime – and any unexpected outages can be identified quickly if being unavailable is not expected behavior for these services. Similarly, netflow analysis can provide high-level trends related to which protocols are being used, which hosts use the protocol, and the average bandwidth usage. Any major deviations from the norm can indicate malicious activity. If the IT team develops a regular routine to monitor activity and analyze patterns, anomalies can be spotted. Several studies have shown that despite the advancements in AI, the human brain still remains one of the best pattern-recognition machines. In his book ‘How to Create a Mind’, Ray Kurzweil argues that the brain contains a hierarchy of pattern recognizers. The real value in behavioral monitoring is that one does not need to be intimately familiar with the underlying technology to recognise an anomaly. For example, if traffic between two systems is relatively stable but then suddenly spikes, it can be recognised as an anomaly – even if information about the kinds of systems, or the protocols used, is unknown. Developing even basic behavioral monitoring capabilities can be extremely beneficial for spotting unknown threats, suspicious behavior, and even policy violations.
2016-10-11T13:00:00+00:00 http://feeds.feedblitz.com/~/209997424/0/alienvault-blogs~Behavioral-Monitoring-Tip-Tuesday-for-NCSAM www.secnews.physaphae.fr/article.php?IdArticle=190485 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Alien Eye in the Sky, Friday 7 October

Ransomware operator shut down
Stealing an AI
Nobody is bidding on shadowbrokers files
US government IP address contract ends
Don’t be Yahoo
Verizon wants $1bn discount
You don’t have to be stupid to work here

Links to other interesting stories from the week:
MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled
Hacker releases code that powered Botnet attack against Krebs
Microsoft has announced it is to harden the Edge browser for enterprise users
A really sweet presentation format and great information for incident response and security operations teams by Frode Hommedal
Thrillseekers stuck on rides at Universal Studios after massive power outage --- redundancy fail? Or all part of the show?
Halvar Flake was asked why he works in security – and gives a nice response. What he didn’t give was my 3 favourite answers: good pay, sponsorship money, and VC money.
What makes call-out culture so toxic?
The three infrastructure mistakes your company must not make
Hootsuite’s CEO on what he learned from getting hacked on social media
AlienVault OTX Maltego Transforms

In other news from the week: Singing for the Unsung Heroes of IT Security. AlienVault was a proud sponsor of the 2016

2016-10-07T13:11:00+00:00 http://feeds.feedblitz.com/~/208328478/0/alienvault-blogs~Alien-Eye-in-the-Sky-Friday-October www.secnews.physaphae.fr/article.php?IdArticle=175862 False Guideline Yahoo None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Safeguarding Patients and Data In The Evolving Healthcare Cybersecurity Landscape

2016 Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data presented by Ponemon Institute, May 2016, revealed that a large number of healthcare organizations have experienced multiple data breaches resulting from evolving cyber threats. Hackers have already exploited medical facilities and hospitals - and the problem is escalating. Earlier this year, Hollywood Presbyterian Medical Center was victimized by ransomware. For ten days the computer systems were unavailable because of the hackers, and Hollywood Presbyterian ended up paying the hackers in cryptocurrencies to recover control of their systems. Another US hospital, Boston Children’s Hospital, was the target of a series of breaches including distributed denial of service attacks. Medical institutions in Europe and Canada have also been subjected to intrusions. The reality is that hospitals are a logical hacker target for several reasons. They are susceptible to phishing attacks and insider threats because of the large data flows throughout various systems. There are many points of vulnerability for malware/ransomware extortion because their systems are networked with multiple stations and devices. In addition, most workers in medical facilities are not trained in basic cybersecurity hygiene.
For hackers, healthcare facilities are viewed as achievable targets where they can reap quick monetary gains. Hackers can steal medical records, which are commodities with a resale value on the Dark Web. And the likelihood is pretty strong that hospital administrators will pay ransoms to gain back operational control over facilities, to reduce liabilities and the risk to patients. Hospitals and healthcare facilities also want to protect their reputations and prevent cybersecurity incidents from going public. The increasing reliance on medical devices also poses problems for healthcare cybersecurity, including ransomware. Medical devices can include devices such as ventilators, monitors, pumps, electrocardiographs, lasers, medical apps, and diagnostic imaging systems. Many of the devices are wireless (including medical infusion pumps or IVs) and send communications and update software over open airwaves. This opens up threat vectors that could be exploited remotely. The Department of Homeland Security (ICS-CERT) and the Food and Drug Administration (FDA) have issued warnings on the potential of device vulnerabilities. As connectivity and proliferation of devices such as telemedicine, smart beds, wearables, and portal medical technologies encompassing the Internet of Things (IoT) expands into healthcare, so does the digital risk. One path forward to mitigate cyber gaps is enhanced collaboration between manufacturers and medical providers to ensure production of upgraded, hardened devices with software packages that have cybersecurity features to counter newer and more sophisticated hacker threats.
Also, access management of these devices needs to be strengthened and enforced th

2016-10-06T13:00:00+00:00 http://feeds.feedblitz.com/~/207890590/0/alienvault-blogs~Safeguarding-Patients-and-Data-In-The-Evolving-Healthcare-Cybersecurity-Landscape www.secnews.physaphae.fr/article.php?IdArticle=172427 False Guideline None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Strengthening Your Defense Against the Inevitable Compromise

CVE-2014-4114 (“Windows OLE Remote Code Execution Vulnerability”)
Installation: Black Energy (various versions)
Command and Control: Various European Hosting Providers
Action: Theft of Intellectual Property

It’s important to note that each attack phase is different for the various threat actors and/or groups – Script Kiddies, Criminals, Nation States, Corporate Espionage, Malicious Insiders, Hacktivists, etc. – and the techniques used in each phase likely differ for each cyber kill chain. The overarching goal is to turn what we know into relevant potential attack paths that can be mimicked in order to understand the blind spots within your network. So how can we do this? As established above, getting into a network is the attacker’s first step. At this point there is no irrecoverable damage – although it does constitute a security breach. Now is your opportunity to minimize the impact with a clear understanding of your adversary’s behavior. To move through your network – both laterally and hierarchi

2016-10-05T13:00:00+00:00 http://feeds.feedblitz.com/~/207392136/0/alienvault-blogs~Strengthening-Your-Defense-Against-the-Inevitable-Compromise www.secnews.physaphae.fr/article.php?IdArticle=166970 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Knowing Your Assets - Tip Tuesday for NCSAM

NCSAM), our focus is on knowing your assets.
Oftentimes when speaking with businesses, you ask if they know what their assets are and you get one of two common reactions: those whose eyebrows shoot up and who admit they have no clue, or those who understand what their assets are and have a ‘gut feel’ as to what the important ones are. I tried this myself at home by guessing how many internet-connected devices I had and how much physical storage I had. My guess was that I had in the region of 12 internet-connected devices and about 10TB of storage capacity. In reality, after scouring through my items, I discovered I had 32 internet-connected devices with a total capacity of just under 17TB of data! Bear in mind, these are just my own devices in my own home. It becomes much harder for larger organizations to work out what all of their assets are and where all of their data is. Before embarking on a security plan, it’s important for businesses to understand their assets and identify the most valuable ones that are worth protecting, while also bearing in mind that priorities change over time. Just as a young, single person may say their beloved sports car is their most valuable asset, once married, their partner may become their most valued asset. Maybe having children will change their priorities – until the kids get older and move out, never to return. At this point, the garden might become the most valued asset, a place to spend hours pruning plants and wondering why no-one mentioned the joys of gardening 30 years ago. It certainly would have saved you from the trouble of marriage, kids, or cars. The point is that at any time, it’s important to understand what’s most valuable to the business and then deploy security controls to protect and monitor it. That will ensure that your time and effort is spent protecting your most important assets, and—in the event a breach does occur—that the company can detect and respond to it quickly.
This is a better approach than waiting to read about it many months later in the news.

2016-10-04T13:00:00+00:00 http://feeds.feedblitz.com/~/206928616/0/alienvault-blogs~Knowing-Your-Assets-Tip-Tuesday-for-NCSAM www.secnews.physaphae.fr/article.php?IdArticle=161995 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Default Credentials Considered Harmful

censor Brian Krebs and the similar attack on OVH - these botnets only exist because default credentials were implemented on devices, in flagrant violation of best practices when building appliances. Worse, this disastrous consequence is entirely preventable - there is no need, with modern computing architectures, for this to happen at all. If you, as a consumer, have a choice between a device that has default credentials and one that uses another method (like that described below) to generate credentials, choose the latter - because it may be possible to coerce a device that comes with default creds into a factory reset where those creds become available to the attacker. If you build a device that has default credentials, then you are contributing to the catastrophic failure of informational infrastructure that is enabled by these botnets. These defaults are not obscure - they can be easily found online by anyone who cares to look. Yes, it is true that end users should change credentials - that would be appropriate behavior. However, by giving them default credentials, you are enabling them to make the wrong choice, designing the system such that it can fail in a predictable fashion. If you give a choice between a right behavior and a wrong one, then your design is destined to fail at large scale. Design so that the only choices are right ones.
In order to avoid contributing to disastrous, censorship-enabling criminal botnets, do not ship devices with default credentials - instead, build a "firstboot" script into them, so that the very first thing that happens when the end user starts the device is an (uncredentialed) setup procedure that includes credential generation as a part of its function. This way, you design the system in such a way that it cannot fail into the widespread, insecure state that default credentials allow. "Credentials" here doesn't necessarily mean a username and password - it can include generating certificates or keys that link a specific controlling device (say, an app on a smartphone) to the device being controlled. A simple way to do it for Linux-based appliances, for instance, is to put a script in the /etc/init.d directory that first checks for the existence of a "has completed setup" file, performs setup activities if it is absent, and then writes the "has completed setup" file so future boots complete normally. If you need to redo setup, it can be re-triggered by removing the "has completed setup" file - or changing its contents, as appropriate. One acceptable variation is for the appliance to generate a long, complex credential at the time it is first booted and to make this credential available to a person with access to the hardware - e.g. a long, randomly generated password shown only on the console (like AlienVault does) or a random number used as a PIN to sync an app (similar to the Chromecast) - and use that only for a single authentication, demanding generation of proper credentials immediately afterwards.
There are similar

2016-10-02T04:51:00+00:00 http://feeds.feedblitz.com/~/206094370/0/alienvault-blogs~Default-Credentials-Considered-Harmful www.secnews.physaphae.fr/article.php?IdArticle=153789 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Alien Eye in the Sky, Friday 30th September - Video Blog

A five-person gang potentially behind the Yahoo breach.
A list of wifi hacking apps for your Android.
An investment bank held to ransom.
Docker and Microsoft announce a partnership.
Challenges to mobile application security.
And Brian Krebs being DDoS’d by an IoT-powered botnet.

2016-09-30T13:50:00+00:00 http://feeds.feedblitz.com/~/205218694/0/alienvault-blogs~Alien-Eye-in-the-Sky-Friday-th-September-Video-Blog www.secnews.physaphae.fr/article.php?IdArticle=148034 False None Yahoo None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Ransomware Raises the Question: Establishing the Value of Data

Many years ago, the house of one of my dad’s friends got burgled. He was single and didn’t have a lot of possessions. After rummaging through the place, they ended up only taking an old radio. My dad, being a natural optimist, comforted his friend by encouragingly remarking how that old radio was probably worth next to nothing. His friend pointed out that while the radio itself may have had little value, it would cost him a lot of money to replace it with a new one. It’s not always easy or straightforward to establish the value of items, and data in particular is especially difficult to value. One of the main reasons is that the value is hardly ever static; rather, it changes on an ongoing basis. For example, timing can change the value of data. A press release announcing a new product is highly confidential and valuable information – until the day that it is made public. After which, the objective shifts from keeping the data secret to getting it in front of as many eyes as possible.
Different audiences will also perceive data to have different value, even within the same organization. Recently in Austria, an 18-year-old sued her parents for posting over 500 baby images of her on Facebook. Many times, when someone becomes famous, or a celebrity, they will go through and scrub their history. This isn’t necessarily because there’s anything illegal, but because coming into the limelight puts a different perspective on things. Ex-partners, favorite vacation spots, embarrassing events, all can play into the hands of media, or more unsavory characters. A business needs to exercise the same vigilance across its data, examining the value of the data not just at that point in time, but across a timeline that takes into account various events that may occur. Minutes from meetings may seem uninteresting, or even boring, but that doesn’t diminish their value. Internal emails that include in-jokes may be seen as friendly banter, but in a different context could be seen as harassment. Companies need to evaluate how conclusions could be inferred from indirect sources. A prime example is the Washington Pizza Index: the bigger the crisis and the more time that government staffers hole up in their offices, the more pizza they eat. Finally, one needs to be mindful of the ‘chemistry of data’, whereby seemingly inert elements of data can be pieced together to form something more valuable than the sum of its parts. Organizations need to be aware of what data is hazardous to them and under what circumstances. Where possible, this should be incorporated into the risk appetite of the organization and described independently of the technology stack. If this can be done, companies will be closer to understanding the value of their data, protecting the most vital aspects, and minimising the chances of being held to ransom.
2016-09-29T13:00:00+00:00 http://feeds.feedblitz.com/~/204694660/0/alienvault-blogs~Ransomware-Raises-the-Question-Establishing-the-Value-of-Data www.secnews.physaphae.fr/article.php?IdArticle=143828 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Mobile Application Security Challenges

study, which researched security practices in over 400 large organizations, found that, on average, companies test only half of the mobile apps they develop. Around 50% of these organizations were found to devote zero budget towards mobile application security. “Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data. Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks. To help companies adopt smart mobile strategies, we've tapped the deep security expertise of IBM Security Trusteer, bringing what we've learned from protecting the most sensitive data of complex organizations - such as top global banks - and applying it to mobile,” said Caleb Barlow, Vice President of Mobile Management and Security at IBM. Attackers are taking advantage of insecure popular mobile applications, networks and more to break into highly confidential data on mobile devices. Furthermore, they’re also tapping mobile devices as a gateway to an organization’s broader, highly confidential internal network. Research by the Ponemon Institute found some major security flaws in the ways in which most organizations build and deploy mobile applications for their customers. Lack of security testing in the process of developing different mobile applications has made security difficult to achieve.
Most of the organizations studied in the research are working with highly sensitive data, and include financial services, health and pharmaceutical, the public sector, entertainment and retail industries. Each organization spends $34 million annually on average for mobile app development. However, only 5% of this budget is spent on ensuring that mobile apps are secure against cyber attacks before they are made available to users. Almost half of the organizations devote no budget to security.

[Chart source: Ponemon Research]

Why Is Mobile Application Security Difficult to Achieve?

According to the research, the majority of organizations state that the security of their apps is often put at risk because of customer demand or need, whereas “Rush to Release” is the primary reason why mobile apps contain vulnerable code. And that is among the few companies that actually do scan for vulnerabilities before deploying apps in the market. The main reasons behind the lack of mobile application security are the lack of security testing, the possibility of data leakage from applications, and malware-infected devices and apps. The Ponemon research states that 65% of organizations release apps with security risk because of customer requirements and pressure to release quickly.

[Chart source: Ponemon Research]

Research revealed that there will be an increase in the incidence of malware-infected mobile apps in the next 12 months. Because of this, around 60% of the organ

2016-09-28T13:00:00+00:00 http://feeds.feedblitz.com/~/204209472/0/alienvault-blogs~Mobile-Application-Security-Challenges www.secnews.physaphae.fr/article.php?IdArticle=138787 False None None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Maximizing the Customer Experience for Training Organizations

AlienVault USM for Security Engineers training class not too long ago. He's based on the east coast of the USA. Though we offer classes in the Eastern US time zone, he chose to take our live online class in Central European Time.
Why? He's the only security engineer at his organization. He needed the training, but couldn't afford to be away from his normal duties during regular office hours for a full week. As it happens, that delegate reported that he had a great experience in the class. So why is this a problem? If we looked only at the scores on the post-class evaluations, we could have seen his high scores and just moved on. However, that would have represented a lost opportunity to listen, learn, and improve what we offer. Instead, we took this as a challenge. Because of our focus on continuously improving the customer experience, we wanted to see if there was a way to let our delegates get a good night’s sleep!

Our Customer Experience Journey

Organizations have now recognized the need to be disciplined and systematic in driving change to improve the customer experience. We all know how to do a "diving catch" to save an individual customer's situation. In addition to that, we need organized approaches that make the next customer more likely to encounter positive experiences with our products, services, partners, and employees. At AlienVault, we've applied these principles in many areas, including our training business. Using this customer’s story as an example, here’s how we approach the process of learning from our customers to improve.

1. Measure, Listen, and Observe

We measure satisfaction with our training classes in the typical ways. That includes asking customers if they're "likely to recommend" our class. Most are, but not all. We reach out to those who had a less positive experience when we can, often learning things that we can do better. In addition to measuring (what are the class scores?) and listening (what were the student comments? what did the instructor say about the class?), we have learned to dig deeper.
We ask questions and follow up with all those involved (including the delegate, the instructor, and the salesperson) to see if there are important lessons learned from asking “Why?”

2. Find the Root Cause

I spoke to the salesperson who sold the training seat to our east coast delegate. He said that the customer's schedule of 3:00 am classes wasn't typical, but the issue is very common. He said that he's sometimes unable to include a training seat with a new sale, even when he knows that it would be in the customer's interest to take the training, only because the customer can't devote an entire work week to training. I talked to others in sales who confirmed this feedback. We know that our product is broad and comprehensive, so a security engineer needs the full class. We can’t compromise on content. Instead, we have to be creative in delivery. Putting this together, we concluded that we'd found our root cause issue. Our customers who need training need all 5 days, but many don't have the time to attend a traditional 5-day class in normal working hours. My team and I concluded that we can improve the customer experience--with our product, and with our training--if we can find a way to accommodate this need.

3. Fix the Root Cause

2016-09-27T13:00:00+00:00 http://feeds.feedblitz.com/~/203675460/0/alienvault-blogs~Maximizing-the-Customer-Experience-for-Training-Organizations www.secnews.physaphae.fr/article.php?IdArticle=133665 False Guideline None None

AlienVault Blog - AlienVault is a major defense actor in IOCs

Implications of Powershell Going Open Source

blog@advancedpersistentsecurity.net

This blog aims to provide you with some analysis about Powershell going open source. This is from the perspective of a user that has no inside information from Microsoft. Disclaimer: I am in no way, shape, or form - past or present - compensated to endorse any software mentioned throughout this blog post.
Background and Implications

In a seemingly strange move, Microsoft has released its Powershell scripting language as an open source package and it is now available for Linux. View the press release for it here. This comes shortly after Bash was made available in Windows 10. This is not the first time that Microsoft has open sourced some of its software, but Powershell is not the same as the .NET framework or the Javascript engine for Edge and Internet Explorer. In listening to several podcasts and speaking with industry professionals, I believe that Powershell has been growing in popularity. Powershell has been used by security professionals for both automation and post-exploitation alike; it had been ignored for too long. Soon enough, we will see Powershell scripts connecting to remote hosts using SSH (Secure Shell).

Motivations

Microsoft Branded Tux the Penguin (The Linux mascot)

To be completely transparent and honest, I have no inside knowledge of this. I surmise that there are a few reasons as to why Microsoft is becoming more open in terms of the source code of their products. Here is my analysis:

With the growth of the public cloud environment, Microsoft has more cloud and legacy competitors. This is in terms of platforms and operating systems. Microsoft seems to be focusing more on growing Azure and less on locking people into the Windows operating system. Azure is cross platform. This is depicted by the Microsoft branded Tux the Penguin I got as swag at Great Wide Open 2016 Atlanta. This makes having a language that works universally beneficial to Microsoft engineers and employees working with Azure.

Python is a very popular, and possibly more popular, cross-platform scripting and programming language. Perl is in some cases - namely the past, again - my opinion. Microsoft needs to compete. This attempts to begin to accomplish this.

This can help to change the public image of Microsoft and their business model.
I am not sure that it will make the proverbial hearts of Linux and Macintosh using Windows haters grow two sizes, but it is definitely a start.

Positive Outcomes

It never hurts to have a different scripting language. Especially if you are not the only one to be able to understand and contribute to it. Even more so if you are more comfortable with Powershell from working with it in a previous role, perhaps as a Windows Administrator. It could be more valuable to you than Python - given you did not use it heavily as a pen tester. This will also allow pen testers the ability to rarely ha

Published 2016-09-26T13:00:00+00:00

Alien Eye in the Sky, Friday 23rd September

A roundup of the week’s news, commentary, and observations. This week has ended with news of what appears to yet again be the biggest hack ever. But you’re probably tired of reading about it everywhere, so I’ll keep quiet about it.

A detailed account by Wired on how it made the move from plain old HTTP to the shiny HTTPS. I like real-life tech stories, and this is well-written, as you’d expect from Wired.

Tied in with this week’s tweetchat on 3rd party and supply chain risks: Uber, Square, Airbnb, and others form cybersecurity coalition for vetting vendors. I like the idea in principle – to save duplication of effort and standardize on some aspects.

Guest blogger Bob Covello asks, “did you really lock that door?”

Do you need an InfoSec Reading List? Jayme Hancock has done a lot of the heavy lifting for you and presented a comprehensive list here.

We revisit threat intelligence trends and adaptations in a report based on a survey we conducted at Blackhat 2016.
Related Stories: Did You Really Lock that Door?; End of Summer InfoSec Reading List for 2016; The Alien Eye in the Sky - Friday 16th September

Published 2016-09-23T14:18:00+00:00

Did You Really Lock that Door?

Ghost in the Wires, by Kevin Mitnick. Kevin, of course, is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post however is not a book review. I was reminded of Kevin’s book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just eventually goes to sleep. However, this time, the memory of the horror movie he was watching prior to going to bed startled him enough to make him double check that door. We have all experienced that, haven’t we? THE KILLER IS IN THE HOUSE!

What was it about that event that reminded me of Mitnick’s book? A lot of Mitnick’s exploits began with bypassing physical security mechanisms. Early in the book, he describes how one of his “pen testers” would pop a ceiling tile to gain access to an office through the dropped ceiling that is so common in many of the office buildings today. Fortunately, most data center architects are wise to this trick and they build their surrounding walls from floor to the concrete ceiling, not the drop ceiling. During a recent data center walk-through, an auditor asked me to open a ceiling tile to prove that this was the case. (Auditors clearly have trust issues.) One thing that auditors have never checked is the exiting procedure, and this is something that I have seen overlooked by the most seasoned data center employees.
Next time you see your sysadmin or any other authorized data center employee exiting a secured area, observe what they do. Does your staff simply leave the secured area, relying on that satisfying *click* sound of the door-locking mechanism as the door closes behind them, or do they stop and check to make sure that door is actually locked? A simple push is all it takes to make sure that door is secure. Incidentally, does the door to your data center pull open from the outside? If it does, then it indicates that the hinges are on the outside, resulting in an improperly installed door with an easily defeated locking mechanism.

Data center? What data center?

In our new “everything in the cloud” cyber world, most data centers have been reduced to a small room with some networking equipment. In a sense, many of the “server rooms” of the pre-cloud era have taken a dramatic step further back in time, resembling more of a storage closet setup reminiscent of the early days of network computing. These down-sized infrastructure rooms create a new problem: the rooms are devalued, since the belief is that the important data is not stored there. However, for most small to medium sized businesses, that room represents the single point of failure in an office environment. How is the door to that now glorified broom closet secured? Is the staff that enters that space authorized and trained in physical security protocol? What is the possibility of that non-technical employee actively checking the door security after it closes? With so many of us distracted by the threat of nation state actors and all the perils of remote cyber-attacks, it is easy to overlook a simple step in physical security that could make us sleep just a bit easier each night.
Published 2016-09-21T13:00:00+00:00

Blackhat 2016: Threat Intelligence Déjà vu

Click here to read the full report. Below is a fun Infographic, which summarizes the results:

Published 2016-09-20T13:00:00+00:00

End of Summer InfoSec Reading List for 2016

I have a serious thirst for InfoSec knowledge. However, like anybody else in this field, I tend to stay within the domains that interest me most - or that I find myself working in most often. After a recent conversation with a friend I found myself deep-diving into a whitepaper on Apple iOS Security implementation and was both floored and fascinated. This was so far out of my wheelhouse I’d have never thought to seek it out on my own, let alone devote hours to reading and debating its points. It made me wonder -- what else am I missing out on by being myopic in my research? So, I turned to Twitter. I interact with a great many security experts every day, and wondered what they’re reading that I am not. I made the following plea:

“Let's try something. Reply w/your favorite Infosec article, paper, or howto. Just one. Spread some knowledge and some cool reading materials” — Jayme (@highmeh) August 13, 2016

And boy did I ever get a response. From technical articles, to book recommendations, to videos and whitepapers, Twitter responded in force. I’d like to share some of the great recommendations I’ve got - though admittedly, I’m still working my way through them all. Credit is given to both author and submitters, where available.
“Pentest Bookmarks,” by kurobats. Submitted by @xpirabit
An enormous list of Penetration Testing resources; from blogs and people to follow, to privilege escalation articles, to tools and how-tos. This is a great resource for anyone on the red side of security.

“How to Milk a Computer Science Education for Offensive Security Skills,” by Cobalt Strike. Submitted by @xpirabit
Traditional schools teach Computer Science - but how does that translate into the Offensive Security roles that interest you? The author gives his advice on making the most of your college education.

“The Power of Believing That You Can Improve,” by Carol Dweck. Submitted by @haydnjohnson
A great TED Talk on growing your capacity to problem solve and understand problems that at face value seem too difficult to overcome.

“nmap: Documentation and Manuals,” by Fyodor. Submitted by @TryCatchHCF
In Information Security, nmap is our bread and butter. But there is much more behind the scenes to what it can do for you - from scripts, to very granular scans, the documentation beyond “nmap --help” is well worth a glance.

“AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing,” by Blackthorne/Bulazel/Fasano/Biernat/Yener of Rensselaer Polytechnic Institute. Submitted by @hexacorn
Discusses techniques that can be used to fingerprint Antivirus Emulators without reverse-engineering. Discusses classification of fingerprints, defensive implications, and future research opportunities.

Published 2016-09-19T13:00:00+00:00

The Alien Eye in the Sky - Friday 16th September

Security issues of WiFi – How it Works.

This is pretty cool – USBee – air-gap covert channel via electromagnetic emission from USB (PDF). There’s also a video showing it in action.
Little Flocker beta is out. It’s a product similar to Little Snitch, but for file access instead of network connections. Looks like an interesting tool that could be put to good use.

Another great post from the AlienVault blog was a post by Dmitry Shulinin on how to use OSSIM / USM active lists with Python scripts.

The employee badge that monitors where you are and who you are talking to. Umm yeah, totally a cool thing and like “fitbit for your career”. Nothing creepy about this at all.

Related Stories: Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 17: Data Protection; Security Issues of WiFi - How it Works; The Alien Eye in the Sky - Friday 9th September

Published 2016-09-16T16:14:00+00:00

How to Use OSSIM / USM Active Lists with Python Scripts

Fig. 1 – Active lists concept

In the following few pages I will explain my idea of implementing the functionality of active lists with the help of a python script, three correlation directives and policies, and a custom plugin. In the following tutorial I am using active lists for tracking user logons and logoffs. But active lists can also be used for tracking IP addresses showing suspicious activity or infected with malware, or any other values (filenames, port numbers, anything).

1. Workflow

Here is how the active lists in my lab environment work (lab environment shown on figure 3):

1) User “root” logs into the server 192.168.2.30 using SSH;

2) The policy “Add to logged users list on BCKP” fires using the directive “User logon on BCKP” and launches the script active_list_manager.py in the following manner:

active_list_manager.py add logins_list $USERNAME

As a result, a file is created with the name “logins_list” and the username is added to this file;

3) A user logs in via SSH to the server 192.168.10.2;

4) The policy “Check logged users list on MAIL” fires using the directive “User logon on MAIL” and launches the script active_list_manager.py in the following manner:

active_list_manager.py check logins_list $USERNAME

If the user is found in the logins_list, the script generates a syslog message like this:

Sep 6 15:40:25 siem active_list_log: Match |List:logins_list |Value:root

5) This log message is picked up by the custom plugin “active_list_monitor” and an event shows up in the OSSIM/USM interface like this:

Fig. 2 – Active list match event

So we can create an alert to fire on this type of event;

6) The user who was logged in to 192.168.2.30 (on step 1) logs out of 192.168.2.30;

7) The policy “Remove user from logged users list on BCKP” fires using the directive “User logout from BCKP” and launches the script active_list_manager.py in the following manner:

active_list_manager.py del logins_list $USERNAME

as a r

Published 2016-09-14T13:00:00+00:00

Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 17: Data Protection

Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
Part 3 - we looked at Secure Configurations.
Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
Part 5 - we looked at Malware Defenses.
Part 6 - we looked at Application Security.
Part 7 - we looked at Wireless Access Control.
Part 8/9 - we looked at Data Recovery and Security Training.
Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols and Services.
Part 12 - we looked at Controlled Use of Administrative Privileges.
Part 13 - we looked at Boundary Defense.
Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.
Part 15 - we looked at Controlled Access Based on the Need to Know.

Published 2016-09-13T13:00:00+00:00

Security Issues of WiFi - How it Works
blog@advancedpersistentsecurity.net

This blog aims to tell you Most of What You Need to Know about Wi-Fi. This is from both a personal and a commercial perspective, meaning that it can be applied in both settings. Disclaimer: I am in no way, shape, or form - past or present, compensated to endorse any solutions or software mentioned throughout this blog post.

Most of What You Need to Know: Wi-Fi - The Beginning

We are always connected to the internet. We use cellular phones, tablets, laptops, gaming systems, and cars to do so. While some of them use wires and others use proprietary communications methods (albeit wireless), we are going to focus on Wi-Fi and Wi-Fi security issues.
This is a point of awareness that I think is lacking, and I hope to use this blog to educate more people about Wi-Fi security problems.

What is Wi-Fi?

Wi-Fi is a play on Hi-Fi (High Fidelity), which is the quality of sound. While it is not a direct pun (all wireless is purely wireless or wired; there is no quality of wirelessness), it is wireless and uses Radio Frequency (RF) instead of Wires (Copper) or Fiber Optics (Light). The international organization, the Institute of Electrical and Electronics Engineers (IEEE; commonly called I-Triple E), maintains this standard alongside many others in various standards committees. The LAN/MAN Standards committee (802) oversees this and a few others including: Ethernet, Token Ring, and Bluetooth. Within 802.11, the IEEE work group for Wireless LAN, new standards come about over time with advances in the ability to broadcast data using RF. Technically, 802.11a is a completely different standard from 802.11g, but they are interoperable standards. 802.11g was a revision and consolidation of 802.11a and 802.11b. This was replaced by 802.11n and later 802.11ac. There is an 802.11ad, but it is on a different frequency range and is less common.

Below is a list of the various 802.11 protocols over time and their maximum speed and frequencies. Note: the maximum speeds can vary on implementation, bandwidth, channel size, and environmental factors. The values below relate to the rated specifications of the standards.

Standard   Frequency            Typical Maximum Speed
802.11a    5.0 GHz              54 Mbps
802.11b    2.4 GHz              11 Mbps
802.11g    2.4 GHz              54 Mbps
802.11n    2.4 GHz or 5.0 GHz   600 Mbps
802.11ac   5.0 GHz              6 Gbps

How does Wi-Fi work?

In a traditional and most simplistic sense, it is a means for communication on a network (without wires) using Radio Frequency.
Data is passed and encoded/decoded using the 802.11 standards-compliant antennae and routers discussed above. While radio processes data in the Kilohertz (KHz) and Megahertz (MHz) ranges, Wi-Fi processes data in the Gigahertz (GHz) range, namely the 2.4 and 5 GHz ranges (as of right now). So as opposed to wired networks, anyone can "touch" your communications media. This can lead to some issues in security. Keep reading to find out more.

Before We Discuss Wi-Fi

Published 2016-09-12T13:00:00+00:00

The Alien Eye in the Sky - Friday 9th September

The ICO has a report on UK data incident trends. Healthcare is by far the worst sector with 232 incidents. In second place is local government with 62. The most common data security incident type was ‘data posted or faxed to incorrect recipient’. The most common Cyber Incident type was ‘cyber security misconfiguration’.

Changing Business, and Risks of the Supply Chain. Does your company adapt its posture as the risks change?

Roger Thornton, AlienVault CTO, was interviewed by Dark Reading on five key questions on Threat Detection.

Does this take employee monitoring too far? Do employees have a right to privacy when in the workplace? The employee badge that monitors where you are and who you are talking to.

A nice article on Pokemon Go – hacking, and personal moral dilemmas.
Related Stories: Resist the Ransom; Changing Business, and Risks of the Supply Chain; 5 Key Questions on Threat Detection Answered by Roger Thornton, AlienVault CTO

Published 2016-09-09T13:46:00+00:00

Changing Business, and Risks of the Supply Chain

Published 2016-09-08T13:00:00+00:00