Horizon3.ai Intros NodeZero App For Splunkbase & Offers Free Trial

Posted in Commentary with tags on June 23, 2022 by itnerd

Horizon3.ai introduced the NodeZero app for Splunk, available via Splunkbase. It enables Splunk environments to leverage NodeZero and the attacker’s perspective to improve the effectiveness of Splunk deployments and ensure they’re logging the right data to get the most out of Splunk. 

The NodeZero app for Splunk can automate data pulls from NodeZero APIs which are then ingested into the Splunk Cloud Platform. The app will integrate with the Splunk user experience to help users: 

  • Find, fix, and verify logging blind spots
  • Decide where to increase and decrease logging based on the criticality of the host
  • Take inventory of assets and reconcile the attacker’s perspective of your cyber terrain

Splunk administrators are often under pressure to maximize their license value – it’s often impossible to log everything, so it’s hard to know if they are expending resources appropriately to ensure they’re logging the right data. NodeZero can help identify where logging is most needed, so that the organization’s resources are deployed for maximum impact.

NodeZero maintains an action log of every command it has executed during a pentest. The NodeZero App for Splunk offers insights to identify blind spots in logging and create a fast feedback loop to find, fix, and verify missing data by using the action log to highlight what should have been detected when particular exploits were executed.

Identifying critical hosts: Not all hosts are critical. Some are important enough to log everything, while others may not have access to data or critical systems and thus have fewer requirements for logging. NodeZero is able to identify risk on specific hosts with context. For example, a “low” criticality server in the CMDB might have enabled an attack path where NodeZero ultimately achieved Domain Admin – NodeZero would dynamically reclassify this host as CRITICAL risk based on the proven attack path and impact during a pentest operation. This lets organizations leverage the attacker’s perspective provided by NodeZero to inform their Splunk logging strategy.

Revealing “ghost hosts” & shadow IT: NodeZero inventories every reachable host within the organization’s environment during a pentest. This can often easily reveal a blind spot: are all those hosts seen in Splunk Cloud Platform? Often organizations will find hosts they didn’t know existed, were unaware had been added, or even rogue devices that aren’t known to anyone (shadow IT). The app lets users reconcile NodeZero-discovered hosts with existing IT assets in Splunk – marrying the traditional and the attacker’s perspectives to achieve greater insight.

Horizon3.ai is also offering a free trial of the NodeZero App for Splunk.

Huawei Showcases The Next Generation Of Cutting-Edge Products

Posted in Commentary with tags on June 23, 2022 by itnerd

Today, Huawei presented its key strategic areas of focus during this challenging time and announced new, cutting-edge products including 16-inch laptops MateBook D 16 & 16s and the latest addition to the audio family of devices, the FreeBuds Pro 2. Huawei also launched the lightest foldable smartphone Mate Xs 2. 

HUAWEI FreeBuds Pro 2: World’s first Hi-Res Dual Sound System TWS

In the Audio category, Huawei has launched a device that will please all fans of crystal-clear music and voice – FreeBuds Pro 2. The new earbuds stand out with exquisite sound quality achieved thanks to their Dual Sound System. Adopting two integrated digital-to-analogue converter (DAC) chips and a quad-magnet dynamic driver with advanced digital frequency crossover technology, allowing the device to distinguish between high and low frequencies, coupled with the LDAC High-Resolution codec, the HUAWEI FreeBuds Pro 2 bring the purest sound quality in the industry. They are equipped with the industry’s first Triple MIC ANC TWS system, which provides 15% more noise reduction capability than the previous model. In certain scenarios, a maximum of 47dB noise reduction depth can be achieved. HUAWEI FreeBuds Pro 2 is also equipped with three dynamic audio listening optimization algorithms which are able to detect changes in volume, differences in ear canal structure and changes in wearing status in real time. The new earbuds also support Huawei’s All-Scenario Seamless AI Life approach thanks to easy connectivity with any smartphone operating system and great usability in all daily scenarios.

HUAWEI Mate Xs 2: Huawei’s lightest and flattest foldable smartphone

The HUAWEI Mate Xs 2 is Huawei’s brand-new flagship foldable smartphone with an outward folding design and an ultra-light, ultra-slim body. It marks a milestone in Huawei’s history: as of this premiere the company owns the most complete portfolio of foldable smartphones, including models with inner and outer displays, and flip phones. When unfolded, the Mate Xs 2’s screen becomes as flat and smooth as a mirror, bringing users a more immersive foldable experience, perfect for both entertainment and work. The smartphone is also equipped with other flagship features, such as a 50MP True-Chroma Camera that supports HUAWEI XD Optics, taking mobile photography to new heights. The new device also dispels concerns about unreliable batteries in foldable smartphones, boasting a 4600mAh battery, with 66W HUAWEI SuperCharge for ultra-fast charging on the go.

HUAWEI MateBook D 16 & 16s: 16-inch laptop with a traditional 15.6-inch body size for work, study and play

Those of us who work remotely, but miss the traditional office setup with a large monitor, will be pleasantly surprised by the latest additions to Huawei’s laptop portfolio. The company has noticed consumers’ need for more workspace on their screens, combined with a post-pandemic desire for more flexibility at work, and launched a new product line with a 16-inch FullView display. The HUAWEI MateBook D 16 and 16s feature a vast 16-inch display that offers ample space for work and makes managing many tasks at once easy. The MateBook lineup is powered by the 12th Gen Intel® Core™ H-Series Processor with a TDP of up to 40W, dual-channel RAM and a high-speed solid-state drive, which handle multitasking and complex usage scenarios such as data analysis, code compilation, and opening multiple webpages, charts, or PowerPoints flawlessly and efficiently, allowing users to view content more easily on a larger and taller display area without compromising on high performance. Moreover, with the D 16 & 16s models, Huawei makes seamless cross-device experiences even more streamlined with multi-device file management and AI search to further enable device collaboration and allow easy file transmission between PC, smartphone, and tablet, breaking the barriers of data sharing between devices. What’s more, users can be productive on the move thanks to the high portability of the HUAWEI MateBook D 16 & 16s: their light metallic body weighs about the same as traditional 15.6-inch laptops.

Availability

HUAWEI FreeBuds Pro 2 and Selected MateBook 16” laptops will be available in Canada soon.

HUAWEI Mate Xs 2 is not available in Canada. 

Guest Post: Blockchain.com, Luno, And Cardano Are The Top-Most Phished Crypto Projects Says Atlas VPN

Posted in Commentary with tags on June 23, 2022 by itnerd

Even with the crypto market experiencing a crash, crypto scams are still going strong. Phishing scams, in particular, are favored among cybercriminals.

According to the data analyzed by the Atlas VPN team, based on the information provided by the CheckPhish URL scanner tool by Bolster, Blockchain is the most commonly phished crypto project, with 662 phishing websites in the last 90 days. 

Blockchain is followed by cryptocurrency wallet Luno and proof-of-stake blockchain platform Cardano with 277 and 191 phishing pages, respectively.

The data covers cryptocurrency phishing websites detected in the 90 days up to June 22nd, 2022.

The next top-most phished crypto brand is Poloniex. The crypto exchange has had 72 phishing websites using its brand in the past three months.

Meanwhile, NFT marketplace Magic Eden and yet another crypto exchange, Bittrex, share the fifth and the sixth spots on the list with 67 and 65 phishing websites each.

The rest of the top ten includes the largest cryptocurrency exchange Binance with 59 phishing websites, crypto investing service Apex Crypto with 23 phishing websites, open-source cryptocurrency wallet software MyEtherWallet with 21, as well as Bitcoin wallet service Electrum and Australian cryptocurrency assets exchange BTC Markets each with 16 phishing websites.

Ruta Cizinauskaite, the cybersecurity researcher and writer at Atlas VPN, shares her thoughts on crypto phishing scams: “Brand impersonation is a common tactic among cybercriminals as people are more likely to trust the brands they know with their money or information. To lure in their victims, scammers develop counterfeit websites using legitimate brand names, similar-looking URLs or appearances. Crypto scams, in particular, are very lucrative to cybercriminals as cryptocurrency payments are irreversible, uncontrolled by central authorities, and many newcomers are not very knowledgeable in how crypto works.”

To read the full article, head over to: https://atlasvpn.com/blog/blockchain-com-luno-and-cardano-are-the-top-most-phished-crypto-projects

Overwhelming SecOps Adaptation Challenges And Funding Expectations For Mission-Critical SOC Modernization: Anvilogic

Posted in Commentary with tags on June 23, 2022 by itnerd

Anvilogic has published a report on the movement toward modernization within enterprise SOCs responsible for threat detection at organizations, showing that SecOps teams are reaching a breaking point. 

New strategies are needed to overcome intertwined, cyclical challenges and increase efficiencies and intelligence while enhancing security postures. The data uncovers challenges driving change in security operations and priorities to address a growing attack surface and threat landscape complexity.

It also reveals that improving detection engineering, and the shortcomings of current approaches, are top of mind for security strategists, and presents forward-looking data on the payoff expected from transforming a SOC and on whether the organization will fund the changes required. You can have a look at the report here.

New Phishing Attack Exploits Real Quickbooks Email Domain Using Dark Web Double Spear Techniques: Avanan

Posted in Commentary with tags on June 23, 2022 by itnerd

Avanan has released its newest attack brief that reveals its cybersecurity researchers have observed a new phishing campaign in which hackers are creating email accounts using legitimate QuickBooks domains to send malicious invoices via requesting payments directly from the service. 

In this attack, the hacker spoofed brands including Norton and Office 365 in the body of the message. Combining the built-in legitimacy of actual QuickBooks email with what hackers on the dark web call a double spear, this new attack represents a particularly deceptive and compelling phishing campaign: it manipulates victims into calling a number and paying an invoice, harvesting not only credentials but also their telephone numbers for future attacks, whether via text message or WhatsApp.

Avanan’s new research analyzes how hackers leverage legitimate and popular websites to get into inboxes and steal credentials and money. You can read the report here.

Adobe Acrobat Blocks Anti-Virus Tools From Scanning PDFs…. WTF?

Posted in Commentary on June 23, 2022 by itnerd

From the “what the hell were they thinking” department comes this story about security researchers discovering that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens, by blocking what are called DLL injections. If you guessed that this creates a security risk for users, you get a gold star:

The outcome of Adobe blocking DLL injections of security modules could potentially be catastrophic. When a security product is not injected into a process, this basically disables any visibility it may have on the process and hinders detection and prevention capabilities inside the process and inside every created child process. Actions performed by the Adobe processes and processes created by it would essentially be much harder to monitor, as will be determining context. It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a PDF, which can then execute PowerShell, which could, for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing.

We contacted Adobe for comment, and they answered that this is due to “incompatibility with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues”.

Now Adobe claims to be working with anti-virus vendors to address this. But the fact that we are even having this discussion in 2022 is mind blowing. Because virus payloads via PDF files have been a thing among threat actors for years. And Adobe has effectively created a scenario for however long it lasts where threat actors can launch attacks on a massive scale.

Adobe gets a #EpicFail for this one.
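The in-process hooks the researchers describe are exactly what Acrobat is blocking, so one compensating control is to triage PDFs before Acrobat ever opens them. Below is an added example (not code from the researchers, from Adobe or from this blog) that statically classifies a document’s /OpenAction and flags Launch and JavaScript actions; the three sample PDFs are constructed inline and the parser is intentionally minimal.

```python
"""Out-of-process triage: flag PDFs whose /OpenAction auto-runs a program or script.
Added example, not from the original post; the parser is deliberately minimal (raw
'N G obj ... endobj' scan, no xref tables, object streams or encryption).
"""
import re
from typing import Dict, Optional, Tuple

# Action types that execute something the moment the document is opened.
AUTO_EXEC_ACTIONS = {"Launch", "JavaScript"}

_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
_REF_RE = re.compile(rb"\s*(\d+)\s+(\d+)\s+R")
_ACTION_TYPE_RE = re.compile(rb"/S\s*/([A-Za-z]+)")

# Constructed samples (not real malware): a Launch action via an indirect object,
# an inline JavaScript action, and a benign page-destination OpenAction.
LAUNCH_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
JS_INLINE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /OpenAction << /S /JavaScript /JS (this.print()) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
GOTO_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def _index_objects(pdf: bytes) -> Dict[Tuple[int, int], bytes]:
    """Map (object number, generation) -> body for each 'N G obj ... endobj' block."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3)
            for m in _OBJ_RE.finditer(pdf)}


def _balanced_dict(data: bytes) -> bytes:
    """Return the leading '<< ... >>' dictionary of `data`, honouring nesting."""
    depth, i = 0, 0
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[:i]
        else:
            i += 1
    return data  # truncated or malformed input: keep whatever is there


def open_action_value(pdf: bytes) -> Optional[bytes]:
    """Return the value of the first /OpenAction key, resolving an indirect reference."""
    m = re.search(rb"/OpenAction\s*", pdf)
    if m is None:
        return None
    rest = pdf[m.end():]
    if rest.startswith(b"<<"):          # inline action dictionary
        return _balanced_dict(rest)
    ref = _REF_RE.match(rest)
    if ref:                             # '4 0 R': look the referenced object up
        return _index_objects(pdf).get((int(ref.group(1)), int(ref.group(2))))
    return rest.split(b"\n", 1)[0]      # e.g. a destination array '[3 0 R /Fit]'


def classify_open_action(pdf: bytes) -> str:
    """'none', 'destination', 'action:<Type>' or 'action:unknown'."""
    value = open_action_value(pdf)
    if value is None:
        return "none"
    if value.strip().startswith(b"["):
        return "destination"
    m = _ACTION_TYPE_RE.search(value)
    return "action:" + (m.group(1).decode("ascii") if m else "unknown")


def is_suspicious(pdf: bytes) -> bool:
    """True when the document auto-runs a Launch or JavaScript action on open."""
    verdict = classify_open_action(pdf)
    return verdict.startswith("action:") and verdict[len("action:"):] in AUTO_EXEC_ACTIONS
```

Calling `is_suspicious(LAUNCH_PDF)` returns True while `is_suspicious(GOTO_PDF)` returns False; a mail gateway or file-share scanner can run this before the file ever reaches Acrobat.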

For QNAP, The Hits Keep Coming As Yet Another Security Issue Disclosed

Posted in Commentary with tags on June 23, 2022 by itnerd

Seriously, QNAP can’t catch a break when it comes to security issues related to their NAS devices. Days after announcing this security flaw, comes a brand new one:

A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution. 

For CVE-2019-11043, there are some prerequisites that need to be met, which are:

  1. nginx is running, and
  2. php-fpm is running.

As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.

So in English, if you run some non-default software on your QNAP NAS, you could get pwned. Some fixes are already out, but there are more fixes to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor under even more scrutiny than it is now.

Auto Parts Maker Nichirin Pwned By Ransomware

Posted in Commentary with tags on June 22, 2022 by itnerd

Japanese automotive hose maker Nichirin has been hit by a ransomware attack forcing it to shut down its computerized production controls, as reported by Reuters:

“We are investigating what impact this may have on our customers, and we will promptly disclose any necessary information,” the company said.

Nichirin also posted a warning on its website about possible spoof emails that appeared to be from the company and asked recipients not to open any attached files.

Darren Williams, CEO of BlackFog has offered some perspective on this:

“We continue to see threat actors targeting manufacturers in the automotive, infrastructure and government sectors. Cyber criminals continue to target organizations with older infrastructure, lack of investment in cyber security in terms of both product and personnel. These industries continue to outpace the rest of the market in terms of attacks. It should serve as a reminder that even the smallest contributors to the supply chain must do their part to defend against cyberattacks.”

Additionally, the UK has decided not to impose regulations on the cyber security profession after an 8-week consultation conducted by the Department for Digital, Culture, Media and Sport. The UK Cyber Security Council will proceed with its planned chartered standards, as the Government monitors their adoption. In response, an expert with GoodAccess has offered commentary.

Artur Kane, VP of Product of GoodAccess also offers some perspective:

“According to Forbes, there are nearly 465,000 unfilled cyber jobs across the US. At the same time, the number of cyber-attacks has never been so high in history. While society becomes more digitized and wars move more often to cybersecurity space, those nations who want to be relevant must support their digitalization notions with strong security legislation. The lack of unfilled jobs must be supported through investments in education, but without clear directives on what skills, roles and frameworks, graduates rarely leave school being fully prepared for their new jobs. Leaving much of work on recruiting and requalifying employees on organizations and inherently slowing down the whole process and raising costs. Also, the diversity in approaches leads to varying quality and leaves some organizations more vulnerable. The UK’s Embedding Standards and Pathways Across the Cyber Profession by 2025 has the potential of filling those gaps. With the decision to postpone its enforcement the UK government heard the voices of organizations, which is a good thing in democratic society, but on the other hand we’ve learnt in history that for big changes to make impact, more swift adoption is required. With GDPR, being controversial, not ideally communicated and left quite big space for speculative understanding of some standards, we are now all thankful for this directive to exist. Yes, companies struggled at the beginning to adopt those standards, but by enforcing it and leaving a protective period when fines were waived, companies felt the urgency and acted swiftly towards full adoption. Postponing the enforcement of the Embedding Standards might be a generous thing but will inherently compromise the speed at which the UK solves one of the most crucial problems of a fully digital and globally competitive country.”

You can see how crippling an attack like this can be. Thus every company needs to make sure that their defences are in tip top shape and that they have the people required to fight this sort of battle if they have to, or make sure that they are in a position never to have to fight this sort of battle.

Bill C-11 Passes…. Why This Is An Incredibly Dumb Idea From The Canadian Government

Posted in Commentary with tags on June 22, 2022 by itnerd

Last night, Canada’s parliament approved legislation that targets what video and audio-sharing platforms like YouTube and TikTok can broadcast to a Canadian audience via bill C-11. In short, this is what the bill purports to do (via the Wikipedia link):

The bill seeks to amend the Broadcasting Act to account for the increased prominence of internet video and digital media, and to prioritize the “needs and interests” of Canadians, and the inclusion and involvement of Canadians of diverse backgrounds in broadcast programming. It adds undertakings that conduct “broadcasting” over the internet to the regulatory scope of the Canadian Radio-television and Telecommunications Commission (CRTC), which would give the CRTC the power to regulate almost all audiovisual content distributed via online platforms (including monetized content on social media services). This can include compelling them to make use of Canadian talent, mandating that they make contributions to the Canada Media Fund to support the production of Canadian content, and improve the discoverability of Canadian content on their platforms. 

Alongside this, the bill also removes the seven-year term limit for CRTC-issued broadcast licenses (a regulatory process which will not apply to internet broadcasters), adds a mechanism of imposing “conditions” on broadcasters without them being bound to a license term, and introduces monetary fines for violating orders and regulations issued by the CRTC.

That all sounds good. But it isn’t good. If you’re a Canadian YouTuber like Linus Sebastian or Rene Ritchie, for example, the YouTube algorithm curates and recommends videos based on feedback from users, everything from how long a video is viewed to how quickly it is skipped. Thus if their videos are promoted by YouTube to adhere to Bill C-11 and the content isn’t a match for the viewer, the viewer might skip that video, causing the creator’s channel to drop in visibility. The bill would also regulate the types of advertising a Canadian creator’s channel can have. That would significantly limit their sources of revenue.

Creators are going to discover very quickly that the kind of content that has previously been successful on YouTube is no longer successful on a bill C-11 regulated YouTube. As a result, they will have to change the nature of the content that they make in order to make it more overtly Canadian…. Whatever that means. In short, the Canadian Government is killing the people that they’re trying to protect. The thing is that this was feedback provided to the Canadian Government in various hearings on bill C-11, and it was ignored. Which makes me wonder what the true agenda of the Canadian Government is when it comes to this bill.

Here’s another thing to consider. Canadians on platforms like YouTube punch well above their weight. Linus Sebastian has 14.6 million subscribers, for example, which makes him one of the top YouTube creators on the planet. There are many other Canadians who are among the top content creators on YouTube, TikTok, and whatever other platforms are out there. Thus I don’t think that Canadians need the “protection” that this bill supposedly provides.

But there’s really a darker thing that should concern you about bill C-11. This bill gives the CRTC the power to regulate the pictures, podcasts and videos every Canadian posts online as ‘broadcasting’ content. So if you post an Instagram reel, the CRTC could knock on your door. Something that the CRTC admits is true. But they promise that they won’t use that power.

That falls under the category of not believable because if someone gives you power, you’re going to use it at some point.

The reason why this is the case is that this bill sets no revenue threshold on who it will target, meaning every Canadian on every platform could soon be forced to make Canadian content contributions, or potentially get into trouble if the CRTC decides that they didn’t. Which is a #Fail.

The only hope for Canadians who like things the way they are is that the Senate will step in and either shoot this bill out of the sky, or send it back to parliament for major revisions. But even if this doesn’t happen, I would keep this in mind. This bill was passed by the Liberal Party with help from the NDP and Bloc Québécois. Seeing as Canada has a minority government, which introduces the possibility that an election could be called at any time, I would keep that in mind the next time a federal candidate from any of those parties comes knocking at your door asking for your support. Because frankly, based on how broken this bill is, they don’t deserve it.

Products Prevalent In Many Important Industries Are Home To Dozens Of Vulnerabilities

Posted in Commentary with tags on June 21, 2022 by itnerd

Security researchers have disclosed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that they say demonstrate significant “insecure-by-design” practices.

Forescout issued the OT:Icefall report today, naming products prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

The vulnerabilities are divided into four main categories:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

The report also notes that:

  • 38% allow for compromise of credentials
  • 21% allow for firmware manipulation
  • 14% allow remote code execution
  • 74% have some form of security certification

I have a pair of comments on this report. The first is from Rajiv Pimplaskar, CEO, Dispersive Holdings, Inc.:

“As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program. Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets.  A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

Garret Grajek, CEO, YouAttest had this to say:   

“This is an extremely alarming but not surprising finding. Hackers often go at known vulnerabilities in software – that’s noted and publicized. But deployment and misconfiguration errors are really the bread and butter. How the engineering pieces fit together is where the gaps usually are – and can be exploited. This is where the man-in-the-middle attacks, form hacking and hijacking of sessions occur. Thorough pen testing through automated and manual means is a must to eliminate these errors – including thorough overview of system and admin privileges.”

The report is very much worth reading because it seriously got my attention. Which means that if you’re in any of the sectors outlined in the report, it should get your attention.

UPDATE: I have three additional comments. The first is from Ron Fabela, Co-founder and CTO of SynSaber:

“While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other ‘insecure by design’ engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial. Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. ‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS ‘vulnerabilities,’ however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

The second is from Chris Olson, CEO of The Media Trust:

“The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.”

“Today, geopolitical tensions and the growing possibility of cyberwarfare makes OT vulnerabilities a preoccupation for nation state actors. Following the Florida Water Supply hack, the attack on Colonial Pipeline and many similar incidents, these vulnerabilities represent a proven threat to the United States. In response, organizations throughout the public and private sector should not only be taking steps to secure OT, but also to harden their IT defenses and lock down their digital ecosystem.”

The third is from Christopher Prewitt, Chief Technology Officer of Inversion6:

IoT devices are often developed as commodity products that aren’t treated as enterprise products. The IoT software development process is immature and focus is not on security and software lifecycle, but immediate functionality and value to the consumer.

Some product developers have been improving security within their product sets for some time, but this is a long slow evolution as some products may exist within the market for more than a decade. At the time of development, there wasn’t concern for how we would maintain this software for 10 to 15 years: how updates would be provided, and how code would be compiled as processors, chip sets and compilers come and go.

In some cases, you may have a computer or software that is tied to a piece of industrial or healthcare equipment that is expected to have a 10 or 20 year life. Not enough thought was given to managing the hardware and software componentry.