Security News

Online Trust Alliance spells out best practices for testing, purchasing, networking and updating IoT devices to make them and the enterprise more secure.

Here’s a handy list of tips that can help you avoid the most common mistakes that business IT pros make when bringing IoT devices onto enterprise networks. The list centers on awareness and minimizing access to less-secure devices. Having a strong understanding of what devices are actually on the network, what they’re allowed to do, and how secure they are at the outset is key to a successful IoT security strategy.

  • Every password on every device should be changed from the default, and any device whose default password cannot be changed should not be used at all. Permissions should be the minimum that still lets the device function.
  • Everything that goes on your network, along with any back-end or cloud services it works with, needs to be carefully researched before it is put into production.
  • Whenever possible, put IoT devices on a separate network, behind a firewall and under careful monitoring. This keeps potentially insecure devices away from core networks and resources.
  • Don’t use features you don’t need. The OTA gives the example of a smart TV used purely as a display, whose microphone and even network connectivity can be deactivated.
  • Consider physical compromise: anything with a hardware “factory reset” switch, an open port or a default password is vulnerable.
  • Devices that connect automatically to open Wi-Fi networks are a bad idea. Make sure yours don’t.
  • If you can’t block all incoming traffic to your IoT devices, make sure there are no open software ports that an attacker could use to control them.
  • Encryption is a great thing. If there is any way to have your IoT devices send and receive their data encrypted, do it.
  • Updates are just as important. Whether you have to check manually every month or your devices update on their own, make sure they are getting patches. Don’t use equipment that can’t be updated.
  • To underline the above, don’t use products that are no longer supported by their manufacturers or that can no longer be secured.

The information contained in this website is for general information purposes only. The information is gathered from Computer World while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The U.S. National Counterintelligence and Security Center (NCSC) has started distributing informational materials, ranging from brochures to videos, to privately held companies around the country to raise awareness of the growing cybersecurity threat from nation-state actors.

“Make no mistake, American companies are squarely in the cross-hairs of well-financed nation-state actors, who are routinely breaching private sector networks, stealing proprietary data, and compromising supply chains,” stated NCSC Director William Evanina.

Evanina also said that “The attacks are persistent, aggressive, and cost our nation jobs, economic advantage, and hundreds of billions of dollars.”

The campaign provides detailed info on the growing threat from foreign state hackers

NCSC is a center within the Office of the Director of National Intelligence, designed to provide counterintelligence and security expertise in several areas, ranging from insider threat and supply chain risk management to personnel security.

To fight this growing threat, NCSC decided to provide the U.S. private sector with the information it needs to understand and defend against cyber intrusions initiated by foreign governments.

Private sector also warned of rising foreign threat in December

This follows a statement made by Bill Priestap, Assistant Director, Counterintelligence Division of the FBI before the Senate Judiciary Committee in December 2018:

Many American businesses are just now starting to understand the new environment in which they are operating. The continued proliferation of cyber hacking tools and human intelligence capabilities means that this environment will only become more hostile and more treacherous for our companies. Our businesses face competitors in the form of foreign enterprises assisted or directed by extremely capable intelligence and security services.

The materials distributed by the NCSC to raise awareness among private sector companies are part of a campaign dubbed “Know the Risk, Raise Your Shield.”

Moreover, the disseminated materials cover a wide range of subjects, from supply chain risks, spear-phishing, and social engineering, to economic espionage, social media deception, foreign travel risks, and mobile device safety.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency-mining malware in just a few hours was caused by a backdoored version of the popular BitTorrent client MediaGet.

Dubbed Dofoil (also known as Smoke Loader), the malware dropped a cryptocurrency miner as its payload on infected Windows computers, mining Electroneum coins for the attackers using victims’ CPU cycles. The Dofoil campaign that hit PCs in Russia, Turkey and Ukraine on 6 March was discovered by Microsoft’s Windows Defender research team, which blocked the attack before it could do severe damage.

When Windows Defender researchers first detected the attack, they did not say how the malware had reached such a large audience in just 12 hours. After further investigation, Microsoft revealed that the attackers had targeted the update mechanism of the MediaGet BitTorrent software to push a trojanized version (mediaget.exe) to users’ computers.

“A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability,” the Microsoft researchers explain in their blog.

Researchers believe that MediaGet, which signed update.exe, is itself likely a victim of a supply chain attack, similar to the CCleaner incident that infected over 2.3 million users with a backdoored version of that software in September 2017.

In this case, the attackers signed the poisoned update.exe with a different certificate and still passed the validation performed by the legitimate MediaGet.

“The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe.”
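The validation gap described above is easiest to see in code. As an added example, not Microsoft’s or MediaGet’s code, the updater below first accepts any update whose signature verifies under the key shipped with it, then applies the corrected check that also requires that key to be the publisher key pinned in the client. It stands in Ed25519 keys for code-signing certificates and uses constructed key seeds and payloads; the page does not describe how MediaGet’s own validation worked, so this models the principle rather than that product.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Update is what an auto-updater receives: the installer bytes, a signature
// over them, and the signer's public key (standing in for the code-signing certificate).
type Update struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Sign produces an update signed with the given private key.
func Sign(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyAnySigner is the weak check: the signature is valid for the key that
// came with the update, so the update is accepted, whoever holds that key.
func VerifyAnySigner(u Update) error {
	if !ed25519.Verify(u.SignerKey, u.Payload, u.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// VerifyPinnedSigner keeps the signature check and also requires the signing
// key to be the publisher key built into the client; any other key is rejected.
func VerifyPinnedSigner(u Update, pinned ed25519.PublicKey) error {
	if err := VerifyAnySigner(u); err != nil {
		return err
	}
	if !bytes.Equal(u.SignerKey, pinned) {
		return fmt.Errorf("signed by key %x..., expected publisher key %x...",
			u.SignerKey[:4], pinned[:4])
	}
	return nil
}

// Scenario signs a genuine update with the publisher key and a trojanized one
// with a second key, and reports: genuine passes the pinned check; trojan accepted
// by the weak check; trojan accepted by the pinned check. All inputs are constructed.
func Scenario() (genuineOK, weakAccepts, pinnedAccepts bool) {
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, 32))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, 32))
	pinned := publisher.Public().(ed25519.PublicKey)
	genuine := Sign(publisher, []byte("update.exe v1 (constructed)"))
	trojan := Sign(attacker, []byte("update.exe with backdoor (constructed)"))
	return VerifyPinnedSigner(genuine, pinned) == nil,
		VerifyAnySigner(trojan) == nil,
		VerifyPinnedSigner(trojan, pinned) == nil
}

func main() {
	ok, weak, pinned := Scenario()
	fmt.Printf("genuine passes=%v; trojan accepted: signature-only=%v pinned=%v\n", ok, weak, pinned)
}
```

A real updater would pin the publisher's certificate or its public-key hash and verify the chain as well, but the decisive step is the same: identity of the signer, not merely validity of the signature.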

Once updated, the malicious BitTorrent client with its added backdoor functionality connects at random to one of four command-and-control (C&C) servers hosted on the decentralized Namecoin network infrastructure and listens for new commands.

It then immediately downloads the CoinMiner component from its C&C server and starts using victims’ computers to mine cryptocurrency for the attackers.

Using the C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.

The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, is 98% similar to the original MediaGet binary.

Microsoft says the behavior monitoring and machine-learning techniques used by its Windows Defender Antivirus played an important role in detecting and blocking this massive malware campaign.

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Orangeworm was first spotted in January 2015 and appears to be focused on the healthcare industry, which accounts for 40% of its targets. The hackers also targeted the IT (15%), manufacturing (15%), logistics (8%) and agriculture (8%) industries, but in every case the victims are part of the supply chain for healthcare entities.

Most of the victims are located in the United States (17%), followed by Saudi Arabia and India, but Orangeworm hit organizations in many other countries, including the Philippines, Hungary, the United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada and France.

Orangeworm targeted a small number of victims in 2016 and 2017, and the infections mostly affected large international corporations operating in several countries.

The hackers use a custom backdoor tracked as Trojan.Kwampirs to remotely control infected machines on the compromised network.

Initially, the backdoor is used as a reconnaissance tool; if a compromised machine contains data of interest, the backdoor “aggressively” spreads to other systems via open network shares.

The experts observed the attackers running a wide range of commands within the compromised systems:

The Kwampirs backdoor was discovered by Symantec on machines hosting software used for high-tech imaging devices, such as MRI and X-Ray machines. It was also discovered on devices used to assist patients in completing consent forms.

Experts highlighted that the methods Kwampirs uses to propagate across the target network are particularly “noisy”, which suggests Orangeworm is not overly concerned with being discovered.

At the time of the report, the experts had not yet determined the attackers’ real motivation or origin; even if they are conducting cyber espionage, there is no evidence that the operation is backed by a nation-state actor.

Experts noted that the actors behind Orangeworm do not appear to be concerned about their activities being detected.

The information contained in this website is for general information purposes only. The information is gathered from Security Affairs while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Denial of Service attacks have been a hazard for web sites since the earliest days of the World Wide Web.

Although the average speeds and network capacities for the earliest users of Internet service were nowhere near as high as they are today, it was still possible to generate enormous volumes of traffic and direct them at servers that were totally unprepared for the onslaught.

Today, thanks to innovative and often fast-reacting defensive measures, it is possible to mitigate most of the damage from what is now more accurately called a “distributed denial of service” attack, or DDoS. The purpose of a denial of service attack is to overload a web server or other service with so much unauthorized traffic that legitimate users cannot make use of it. The distributed nature of the attack means that traffic is not directed at the target server from one source; rather, it is coordinated across many sources, so blocking one attacking address is not enough to stop the attack.

As these attacks have grown in sophistication and power, the measures available to combat them have advanced as well. With adequate planning and a proper understanding of the threat, many of the largest sites on the web have reached a point where they are well defended against all but the most unusually intense events.

The chances of any one site being targeted are low, but if you run a mission-critical service online, whether it is web-based or runs on its own protocol, you should at least be aware of the potential for denial of service attacks and prepare yourself and your organization to combat them. Here are some things to consider.

Know Your Traffic Patterns

There are three primary “loads” on a web or network server. Your analytics software should be able to track one of them, and your network security tooling should, at a minimum, track the other two. The first is volume: a measure of how many network connections, and of what kind, are being made to your server. By and large, this number should not deviate by more than a few percentage points on any given day. If it does, your monitoring software or IT staff should be alerted and prepared to determine the cause.

The second load is CPU utilization. For a standard web server, processor utilization should rarely climb above sixty percent. While high CPU load is not in itself a denial of service attack, when combined with a strategically organized surge of network traffic it can cascade through all your network services and degrade other components such as failover servers and anti-virus services running elsewhere on your network.

Third is storage. A full disk can not only degrade services but also cause operating systems and other software to malfunction. On some kinds of servers, a strategically timed series of large uploads, combined with one or more other attack vectors, can not only degrade services but cut them off entirely.

The longer your server has been running, the more data you will have on the normal ranges for all three loads. You can then set up your monitoring and analytics to alert IT staff whenever any of them moves out of its normal range.

Here are some of the most popular and effective ways to defend against and prevent distributed denial of service attacks.

1. Know If It’s Happening

Use the data provided by your monitoring and analytics. Pay particular attention to any deviation from your rolling 30- and 90-day patterns for network load, CPU utilization and storage; occasionally a slow increase in one precedes a spike in one or more of the others. Set up alerts in your monitoring and security systems to notify key personnel of any anomalies. For one-off testing, a speed test tool such as Dotcom-Tools can spot-check website performance issues that could be related to DDoS.
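The three loads and the rolling baseline described above can be turned into a concrete check. This added example, not from the original article, compares each day’s connection count with the mean of the preceding 30 days and checks CPU and disk against absolute ceilings, using thresholds and 32 days of sample readings constructed here from the article’s figures (a few percent of deviation, sixty percent CPU).

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one day's reading of the three loads the article names.
type Sample struct {
	Day         int
	Connections float64 // connections made to the server that day
	CPUPercent  float64 // processor utilisation
	DiskPercent float64 // disk usage
}

// Limits holds the alert thresholds. The values used below are constructed
// from the article's guidance: a few percent of daily deviation in volume,
// CPU rarely above sixty percent, and a disk that must never fill.
type Limits struct {
	Window       int     // rolling baseline length in days
	DeviationPct float64 // tolerated deviation from the rolling mean, in percent
	CPUPercent   float64 // absolute CPU ceiling
	DiskPercent  float64 // absolute disk ceiling
}

// CheckLoads returns one alert line per breach. Each day after the warm-up
// window is compared with the mean connection count of the preceding Window
// days; CPU and disk are checked against their absolute ceilings.
func CheckLoads(samples []Sample, lim Limits) []string {
	var alerts []string
	for i := lim.Window; i < len(samples); i++ {
		sum := 0.0
		for _, s := range samples[i-lim.Window : i] {
			sum += s.Connections
		}
		cur, base := samples[i], sum/float64(lim.Window)
		if d := math.Abs(cur.Connections-base) / base * 100; d > lim.DeviationPct {
			alerts = append(alerts, fmt.Sprintf("day %d connections: %.0f%% from %d-day baseline of %.0f",
				cur.Day, d, lim.Window, base))
		}
		if cur.CPUPercent > lim.CPUPercent {
			alerts = append(alerts, fmt.Sprintf("day %d cpu: %.0f%% utilisation", cur.Day, cur.CPUPercent))
		}
		if cur.DiskPercent > lim.DiskPercent {
			alerts = append(alerts, fmt.Sprintf("day %d disk: %.0f%% full", cur.Day, cur.DiskPercent))
		}
	}
	return alerts
}

// ConstructedSamples gives 30 quiet days, a normal 31st, then a day on which
// volume triples and CPU climbs: the pattern a traffic flood would leave.
func ConstructedSamples() []Sample {
	var s []Sample
	for d := 1; d <= 30; d++ {
		s = append(s, Sample{d, 10000 + float64(d%3)*100, 35, 40 + float64(d)*0.2})
	}
	return append(s, Sample{31, 10100, 38, 46.5}, Sample{32, 30500, 92, 47})
}

func main() {
	for _, a := range CheckLoads(ConstructedSamples(), Limits{30, 5, 60, 90}) {
		fmt.Println(a)
	}
}
```

Real monitoring would feed per-interval rather than daily readings and keep both a 30-day and a 90-day window, but the comparison is the same.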

2. Failover and Provisioning

If your services are commercial in nature, you should have enough network capacity available at any given time to endure at least a 200% temporary increase in traffic. This is called “provisioning”, and it is a service that most network operations centers can provide at minimal cost. Under no circumstances should your server be running without a cloned backup ready to take over in the event the front-line machine goes offline. This is known as failover protection, and it is particularly important during a denial of service attack, especially if your network operations staff need to hotfix or spin up new security measures on the fly.

3. Reinforce at the Router

While not a permanent solution to a DDoS attack, your router can buy you some time in the early phases of the build-up to an attack. Truly massive targeted attacks often take some time to reach full capacity, and those minutes are crucial: they can be the difference between getting back online quickly and having your systems down for extended periods. There are several ways your router can help. For example, setting lower timeouts on certain kinds of connections, reducing thresholds for UDP and SYN packet floods and identifying remote IP ranges to block can buy you anywhere from ten to thirty minutes of uptime in some cases. Even that much time can often make all the difference.

4. UDP Phantom Zone

Unless your servers have a very good reason for receiving or sending UDP traffic, your best option is to simply ask your upstream providers to drop the packets at their routers. Some of the most popular DDoS strategies use NTP and UDP amplification which can overwhelm many networks with relatively minimal hardware. However, if your network sends all UDP traffic to the phantom zone, your servers will never see it.

5. Geographically Distributed Servers

One of the best ways to avoid a distributed attack is to have a distributed server network, according to Web Hosting Buddy. The fewer locations your service is spread across, the more vulnerable it is to a single point of failure. If a DDoS attack only affects a localized geographic area, your network operations can automatically redistribute legitimate traffic to other servers on your network and isolate the attacker before the unauthorized traffic has a chance to cause any trouble.

There are commercial companies, naturally, that provide all of these services for high-reliability web sites and web services. Although most sites probably don’t need industrial-strength denial of service defense, it is something to consider as your traffic grows and your network’s importance increases.

The information contained in this website is for general information purposes only. The information is gathered from Hackers Online Club while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.