Friday, 30 June 2017

Defeating pass-the-hash attacks with two-factor authentication

Implementing two-factor authentication for remote access is a great way to keep attackers out of your network.  Users' credentials are floating all around the internet.  But attackers can still get in your network through malware and other tools.  In the past, we described how two-factor authentication can be used at each stage of an attack to make detection easier and execution much harder:

  • Implementing two-factor authentication for remote access will make intrusion much more difficult.
  • Implementing two-factor authentication for privileged accounts will make escalation much more difficult.
  • Implementing two-factor authentication at your outbound proxy will make exfiltration much more difficult.

The PCI Council is now requiring two-factor authentication for non-console administrative access. To see how easy the pass-the-hash attack is and to show how WiKID can mitigate it, we present the tale of two domain administrators. One uses a static password, the other uses the WiKID Native Active Directory 2FA protocol.

In our lab we set up two boxes: a Windows domain server running Server 2012 and a PC running Windows 10.  On the Win 10 box, download two tools: Mimikatz and PsTools.  We will use Mimikatz to grab the hash and PsExec to pass it to the AD server to get a console on it.

Note that you will need to turn off Windows Defender, as it will remove and quarantine Mimikatz.  Right-click the appropriate mimikatz.exe and choose Run as Administrator.  You need to be a local admin for the tool to work.

[Screenshot: running Mimikatz as admin]

Next, check that you have the appropriate privileges by running the privilege::debug command.  We do:

[Screenshot: privilege::debug command]

Let's have our two domain admins log in to the box to do a bit of work.  The first domain admin logs in with their static AD password because, really, what's the point? The network is small and the users are pretty smart. Then our much more sophisticated domain admin logs in with a one-time passcode from their WiKID server, which has been set up to provide 2FA for AD logins, because he really likes to sleep well at night and knows that attackers are clever and have many motivations.  That these two admins are working on the same computer and network in very different ways is just an example of really bad script development.

[Screenshot: 2FA for Windows logins]

Note a few things:

  • The AD protocol supports complex one-time passwords that meet AD complexity requirements.
  • The password lifetime can be configured in the domain settings too. This setting is key as it is an attack window.
  • The PC client is pictured here; in real life you would likely use a smartphone software token.

Next, we use this mimikatz command to grab the hashes of these two admins:


This is what we get:

[Screenshot: getting pass-the-hash credentials]

[Screenshot: more creds for pass-the-hash]

Note the NTLM hashes - that's what we will use. 

Now, we will use Mimikatz's pass-the-hash command to escalate our privilege to domain admin.  First, we try the admin that used the static password.

sekurlsa::pth /user:sysadmin / /ntlm:0a53c1165654e555ed5992963d097495

This command gives us a DOS prompt that shows my user hasn't changed:

[Screenshot: user prompt with hash]

But in fact, the user has the administrator's ticket.  We can use psexec to prove this:

psexec.exe \\ cmd.exe


[Screenshot: hash passed successfully]

You can see that we are now sysadmin on the domain server.  The attack was successful! 

Now, let's try the same with the domain admin that used the WiKID password to log in.

sekurlsa::pth /user:nowen_admin / /ntlm:f2ef29069c481dfaec8ce0590b4fa46d

We get our DOS prompt with our username once again:

[Screenshot: user prompt in DOS]

Now, let's see if the hash will work.  We run the same command:

psexec.exe \\ cmd.exe

[Screenshot: pass-the-hash thwarted!]

It fails!  Of course it does.  The password is changed after the expiration of the "one-time password", so the hash is no longer valid.  Note that it's not really a one-time password.  The WiKID server writes a random password to AD and sends the same password to the token.  Once the password expires, the WiKID server overwrites the password in AD with another random complex string that no one knows.  Thus, there is a window during which an attacker can still use the hash: the lifetime of the password, which can be configured in the WiKID domain to whatever you want. It also means that you can set up an alert in your SIEM for both unsuccessful pass-the-hash attempts (à la "honey tokens") and multiple successful logins within the password lifetime.
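As an added example (not part of the original post and not WiKID's own code), here are the two SIEM alerts the paragraph describes, run over a few constructed log records: a failed NTLM logon for a rotated-password admin, and repeated successful NTLM logons for that admin inside one password lifetime. The account name is taken from the walkthrough; the 5-minute lifetime, the event format and the IP addresses are assumptions.

```python
"""Two SIEM-style checks for the pass-the-hash window described above.

Event records are simplified stand-ins for Windows Security events 4624
(logon success) and 4625 (logon failure); the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Admin accounts whose AD password the 2FA server rotates (assumption:
# the account name used in the walkthrough above).
ROTATED_ADMINS = {"nowen_admin"}
# Password lifetime configured for the 2FA domain (assumed value).
PASSWORD_LIFETIME = timedelta(minutes=5)
# The legitimate admin authenticates once per one-time passcode, so more
# than one successful NTLM logon inside a lifetime window is suspicious.
MAX_LOGONS_PER_LIFETIME = 1

# Constructed sample events: one NTLM logon, a second NTLM logon for the
# same account 35 seconds later from another host, a failed NTLM logon
# after the password has rotated, and a logon by the static-password admin.
SAMPLE_EVENTS = """\
EventID=4624;TimeCreated=2017-06-30T09:00:05;TargetUserName=nowen_admin;AuthenticationPackageName=NTLM;IpAddress=10.0.0.20
EventID=4624;TimeCreated=2017-06-30T09:00:40;TargetUserName=nowen_admin;AuthenticationPackageName=NTLM;IpAddress=10.0.0.21
EventID=4625;TimeCreated=2017-06-30T09:12:13;TargetUserName=nowen_admin;AuthenticationPackageName=NTLM;IpAddress=10.0.0.21
EventID=4624;TimeCreated=2017-06-30T09:30:00;TargetUserName=sysadmin;AuthenticationPackageName=NTLM;IpAddress=10.0.0.21
"""


def parse_event(line):
    """Parse one 'key=value;key=value' record into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    fields["EventID"] = int(fields["EventID"])
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


def detect_pass_the_hash(events, rotated_admins=ROTATED_ADMINS,
                         lifetime=PASSWORD_LIFETIME,
                         max_logons=MAX_LOGONS_PER_LIFETIME):
    """Return (alert_type, user, source_ip, time) tuples.

    stale_hash_attempt:   a failed NTLM logon for a rotated account. The
                          owner signs in with a fresh passcode, so a failure
                          points at a replayed hash that has already expired
                          (the honey-token signal the text mentions).
    hash_reuse_in_window: more than max_logons successful NTLM logons for
                          one rotated account within a single lifetime.
    """
    alerts = []
    recent = defaultdict(list)  # user -> successful NTLM logon times in window
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        user = ev["TargetUserName"].lower()
        if user not in rotated_admins:
            continue  # static-password accounts have no rotation to key on
        if ev["AuthenticationPackageName"].upper() != "NTLM":
            continue  # pass-the-hash replays the NTLM hash; Kerberos is out of scope
        now = ev["TimeCreated"]
        if ev["EventID"] == 4625:
            alerts.append(("stale_hash_attempt", user, ev["IpAddress"], now))
        elif ev["EventID"] == 4624:
            # keep only the logons that fall inside the current lifetime
            window = [t for t in recent[user] if now - t < lifetime] + [now]
            recent[user] = window
            if len(window) > max_logons:
                alerts.append(("hash_reuse_in_window", user, ev["IpAddress"], now))
    return alerts


def run_sample():
    """Run the detector over the constructed sample events."""
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    return detect_pass_the_hash(events)


if __name__ == "__main__":
    for kind, user, ip, when in run_sample():
        print(f"{when.isoformat()} {kind:22} user={user} from={ip}")
```

The static-password account in the sample produces no alert because nothing in its lifecycle distinguishes a replayed hash from a normal logon; that is precisely the gap the rotating password closes.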

The WiKID server is free for up to 5 users.  So, even if you don't use two-factor authentication for remote access, a company with 5 or fewer domain admins could use this for free.  That's a lot of companies.





Over 90% of cyber security experts believe the UK’s political landscape has been manipulated by fake news

DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced the results of a survey which found that 91% of cyber security professionals believe that the UK’s political landscape has been manipulated by fake news. When asked if they thought that they had personally been affected by fake news, 61% agreed that they had. When asked who they felt is the most susceptible to fake news, the majority agreed that their children are most susceptible (28%) followed by their parents (26%), grandparents (25%) and colleagues and friends (21%).

Tim Helming, Director of Product Management at DomainTools said, “A very high majority of cyber security professionals – some of the most cyber savvy people you will meet – said that the UK and even they themselves have been affected by fake news. This means that the majority feel that they are affected by fake news directly or indirectly. It is starkly clear that fake news is a significant phenomenon that needs to be properly understood and tackled.”

“There are good reasons to do a bit of due diligence when deciding which sources to trust,” said Helming. “Looking at information such as domain Whois (registration) records can be illuminating: most established news organizations are quite up-front in their registration records about who they are. By comparison, fake news sites are often quite secretive about their ownership or origins. Going beyond the content of a site and learning more about the source itself can be an important way to combat the influence of fake news.”

Notes to editor:

  • The survey of 301 information security professionals was conducted at the Infosecurity Europe 2017 conference, which took place June 6-8, 2017, at the Olympia Conference Centre in London.
  • The full findings of the survey are available upon request.

About DomainTools

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at or follow us on Twitter: @domaintools.

The post Over 90% of cyber security experts believe the UK’s political landscape has been manipulated by fake news appeared first on IT SECURITY GURU.


Petya ransomware attack: How UK businesses can stay protected online

  • The recent Petya attack hit companies across Europe and the US
  • Ebuyer offers businesses across the UK tips on how to protect themselves from online ransomware

Yesterday (27th June, 2017), businesses and organisations across Europe and the US were hit by a large-scale cyber attack, known as Petya, leaving them unable to access systems and data.


Petya is a form of ransomware, meaning it is a computer virus which encrypts files and keeps them encrypted until the hacker receives payment. Petya takes advantage of vulnerabilities in old Microsoft Windows systems, leaving anyone without the latest version in jeopardy.


So far, Petya has infected high-profile victims including advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft. The attack was first reported in Ukraine, where the government, banks, state power utility and Kiev’s airport and metro system were all affected.


With this in mind, shares five ways businesses can protect themselves against online ransomware:


  • IT managers and directors should be taking regular steps to ensure their network is secure and all security software is up to date.
  • Gateway security (a machine through which data packets flow) should be employed and next-generation firewalls installed to allow for deep-packet inspection – a form of computer network packet filtering that examines data as it passes an inspection point. This will help identify hidden threats passing into your network.
  • Implement internal monitoring and endpoint protection, a method of protecting corporate networks when they are accessed via remote devices such as laptops or other wireless and mobile devices. This will prevent malicious files from gaining access to the network through human error.
  • It is essential that a reliable and thoroughly tested backup solution be put in place. This should be segregated from the rest of the network to prevent malware from spreading to it once the network is infected.
  • Ensure systems are up to date and still supported, so that patches for exploited vulnerabilities are available to them.

New data protection laws are coming into play in May 2018 which will replace the current Data Protection Act (DPA) with the General Data Protection Regulation (GDPR).

Businesses need to ensure that their systems are fully protected in order to minimise the risk of breaches. Preventing malware from gaining access is also essential for any company which relies on its network or software to run its service.


Paul Lyon, IT Director at Ebuyer, said: “The cyber attacks on such large companies and the resulting fallout have once again brought into focus the importance of security both at home and in the office. Ransomware has been around for some time but this is by far the most high-profile attack.


“Cybercrime is a growing industry and criminals are becoming significantly more sophisticated and their attacks more destructive. New threats are constantly being developed. Businesses of all sizes, as well as the ordinary home user, are vulnerable to attacks and should always be on their guard.”


To find out more about ransomware and how you can protect yourself, please visit:

The post Petya ransomware attack: How UK businesses can stay protected online appeared first on IT SECURITY GURU.


The costs of VPNs: It’s not the printer…it’s the ink

While today’s printer manufacturers might make a little money on their hardware, it’s the ink that brings in the big profits. The same concept applies to razors and razorblades. It turns out it’s also true for something as ubiquitous and seemingly well understood as the virtual private network (VPN).


Today, practically every company has a VPN, and most enterprises have many. Just like the printers and the razors, many companies may think of the VPN appliance, often included in the firewall, as representing the solution in its entirety. But even if you consider the client-side agents, you’ll still only be scratching the surface of the VPN’s reach and its costs.


Designed for performance


Part of the problem lies in the fundamental task that VPNs were designed to perform – connecting users to protected networks in order to access the private, internal applications housed there. There are a number of issues packed into that statement. The first issue is getting the user to the data centre that will offer the best performance. If your enterprise is operating at scale, that usually means regionally dispersed data centres.


But what if a data centre goes down or becomes overloaded? That requires a global server load balancer (GSLB). One could argue that the need for a GSLB is not due to the VPN alone, since regional data centres often don’t work well without one, but GSLBs certainly front the large deployments required for VPN access. That’s not all.


Tackling VPN barriers


The biggest issue with VPNs stems from the fact that just like any other internet-facing device, they must be listening for an inbound request. Just like any other outward-facing device, the VPN is vulnerable to Distributed Denial of Service (DDoS) attacks, so many security-minded enterprises place DDoS protection in front of the VPN.  With these come firewalls. Many enterprises sandwich their VPN between an external firewall, which takes all the traffic from the internet, and an internal firewall that manages access control lists, allowing the enterprise to employ another set of load balancers for the resources themselves.


Just like any stack of disparate appliances, each device views the world through the lens of its specific purpose. This means that each data centre must be synched with all the others, multiplying the effort required to maintain a consistent user experience. These problems only grow as your applications move to the cloud.


Maintaining VPNs


There are costs outside the data centre as well. The operating costs for deploying and maintaining VPNs can be considerable. Managing the access control lists in the firewalls, for example, has been difficult enough to keep enterprises from realising the goal of network segmentation, despite acknowledging the need to do so. Not only was there downtime associated with getting users up and running, but there was a very real price tag for the associated helpdesk costs. SSL VPNs (Secure Sockets Layer virtual private networks) solved some problems, but many enterprises have returned to a simpler IPsec model to ensure application connectivity.


The largest potential costs, however, come from the security risks posed by users themselves, who are being placed on the data centre network to get application access. Most users don’t understand the implications of such access, and unless they are actually in IT, it’s not reasonable to expect that they ever will. Most are completely unaware of damage that could be done if their VPN password fell into the wrong hands.


Can VPN actually be secured?


Theoretically, VPNs can be secured, and enterprises have spent vast sums over the years attempting to do so. In practice, though, the rise in press-worthy data breaches that can be directly traced to VPN use says otherwise.


As the specification evolves, it may appear to require that the enterprise walk away from an infrastructure investment that has already been made. Such investment may be perceived as a “sunk” cost, making a new option seem unrealistically costly. In reality, the price tags associated with operating VPNs are often much higher than they appear on the surface. In comparing the solutions, it may be useful to bear in mind the additional hardware required to secure what is essentially an open Internet port in the form of a VPN. When debating the pros and cons of VPNs, operating costs should be considered, particularly as users proliferate and applications move to the cloud.


Of course, as we’ve seen from many high profile cases in the last few years, the cost of a security breach given well-documented VPN vectors must be acknowledged. In other words, it’s not just the cost of the printer; one must factor in the ongoing cost of the ink.

The post The costs of VPNs: It’s not the printer…it’s the ink appeared first on IT SECURITY GURU.


Rebuffing Ransomware: Common Sense Advice from CompTIA

The Petya ransomware attack – the second major global cyberattack in two months – left a trail of locked computers and compromised networks in some 65 countries around the world.

Like the WannaCry attack in May, Petya this week exposed weaknesses in cybersecurity defenses. It also reinforces the notion that it’s a case of when, not if, your organisation will become the target of an attack. But the high likelihood that an attack is coming doesn’t necessarily mean that dire consequences are inevitable.

“There is no 100-percent foolproof strategy for blocking cyberattacks, short of swearing off computers, email and the Internet,” said Randy Gross, CIO of CompTIA, a non-profit association for the technology industry. “But there are steps that can and should be taken to heighten defenses, starting with making sure that all systems are up to date.”

“Installing vendor patches in a timely manner and having an update plan in place for all client machines is a good start,” advised Robert Rohrman, CompTIA’s senior director of information services infrastructure.

Far too many computers still run outdated operating systems like Windows XP and Server 2003 and simply do not have the proper security protocols in place to prevent ransomware attacks, according to Rohrman. Even devices with newer operating systems can be vulnerable if security patches and software updates are delayed or ignored.

“A globally managed update system for clients and server/hosted resources is the best way to gain visualisation into an enterprise,” Rohrman said. He suggested IT managers have a system or program in place that provides a global view of the in-house systems and security situation so patches and fixes can be installed on multiple computers from one console.

But patching isn’t the only action you can take to defend against ransomware. The regular backup of data, stored off the primary computer, is another critical task.

“You can depend on your own backup more than a vendor patch because you have control over the backup,” explained James Stanger, CompTIA’s senior director for product development.

“Vendors can’t always get you the latest patch in time, which means that your systems could still be susceptible to zero-day attacks,” he continued. “Your system may have all of the updates the vendor has given, but an exploitable problem still exists.”

Stanger added that when you know your data is backed up, you’re less likely to feel pressured to pay a ransom because you already have what the cybercriminal is holding hostage.

Finally, it’s critical for everyone in the organisation – from the receptionist at the front desk to the IT technician in the back office, and from the CEO in the corner office to the account manager on the road – to learn and use good cybersecurity hygiene. Anyone who touches a PC, laptop, smartphone or tablet is a potential target of ransomware or other cyber threats, but threats can be lessened and security awareness heightened through regular education and training.

“Companies consistently report that human error is the primary cause of security breaches,” said Seth Robinson, senior director, technology analysis, CompTIA. “People don’t know, or are ignoring, some of the basic security practices. The encouraging news is that we’re seeing a growing realisation among companies that their workforce needs to be educated about technology in general, and about security specifically.”

The types of training offered run the gamut, according to the recent CompTIA report “The Evolution of Security Skills.” In the survey of 350 U.S. businesses, about half said they perform employee security training on an ongoing basis. Also:

  • 58 percent include security instruction as part of their new employee orientation
  • 46 percent conduct random security audits
  • 35 percent use “live fire” hands-on labs

“In a rapidly changing environment, simple one-time efforts such as new employee orientation or posting security policies for review will have low efficacy,” Robinson said. “Organisations are starting to understand that security training is needed for all jobs and that some oversight is needed to develop a security-aware culture.”

“Too often security is perceived as an inconvenience by users,” said Rohrman. “Many people talk a great game in security, but when it comes to taking the additional safeguards that security requires, many users will resist and opt for the easy, convenient way without regard to the potential consequences.”

The cost of a single data breach is estimated at $3.62 million, according to the Ponemon Institute’s “2016 Cost of Data Breach.” Ransomware attacks – which cost companies an estimated $1 billion in 2016 – could approach $5 billion this year, market researcher Cybersecurity Ventures reports.

The clear answer for organisations is to create, implement and enforce robust security practices and policies; and to explain and train those policies to their employees to ensure maximum buy-in and compliance.

The post Rebuffing Ransomware: Common Sense Advice from CompTIA appeared first on IT SECURITY GURU.


8Tracks Breach Exposes Millions of Accounts

Internet radio service 8tracks was hacked this week and personal details associated with a reported 18 million user accounts compromised. In a blog post, the firm’s founder and CEO, David Porter, claimed that no financial data, phone numbers or postal addresses were exposed, but email addresses and encrypted passwords were. “Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database,” he continued.


ORIGINAL SOURCE: Infosecurity Magazine

The post 8Tracks Breach Exposes Millions of Accounts appeared first on IT SECURITY GURU.


Lloyd’s: Businesses Need To Take A Long-Term View Of Cyber Attacks

It’s no longer enough for organisations to just focus on the immediate impacts. Businesses are failing to take into account the long-term impacts of falling victim to a cyber attack, according to a report from Lloyd’s of London. The report, created in conjunction with KPMG and law firm DAC Beachcroft, suggests that European businesses are currently underestimating the “slow-burn” effects of cyber attacks by only focusing on the immediate damage.



The post Lloyd’s: Businesses Need To Take A Long-Term View Of Cyber Attacks appeared first on IT SECURITY GURU.


No surprise as only half of local authorities are prepared for a cyber attack

Just over half (53%) of local authorities across the UK are prepared to deal with a cyber attack according to research by PwC. While the latest PwC Global CEO survey found that 76% of UK CEOs are concerned about cyber threats, only 35% of local authority leaders are confident that their staff are well equipped to deal with cyber threats.  Demonstrating how real those threats are, almost all (97%) of UK CEOs surveyed say they are currently addressing cyber breaches affecting business information or critical systems.


ORIGINAL SOURCE: Information Age

The post No surprise as only half of local authorities are prepared for a cyber attack appeared first on IT SECURITY GURU.



Developers with Canonical pushed out a handful of patches for the Linux-based operating system Ubuntu this week, including one that resolves a bug that could have let an attacker cause a denial of service or execute arbitrary code with a TCP payload. Chris Coulson, a software and electronics engineer with the company, discovered the vulnerability, an out-of-bounds write (CVE-2017-9445) in Ubuntu’s systemd-resolved system service. The service, part of the systemd init system used in Linux distributions, is a network name resolution manager that provides name resolution to local applications.





Report: 70% of Brits unable to tell fact from fiction, share fake news

Raj Samani, chief scientist and fellow at McAfee, said that 18 percent of UK respondents were warned by their employer about the dangers of fake news or manipulated data. Given the heightened awareness of fake news in recent months, you’d think more Brits would be able to tell the difference between fake and real news, but that isn’t the case according to new research by McAfee.



The post Report: 70% of Brits unable to tell fact from fiction, share fake news appeared first on IT SECURITY GURU.


Thursday, 29 June 2017

Deep Root Analytics Is in Deep Trouble With Voter Data Breach

Cybersecurity experts speculate that in our current state, up to 70% of cyber attacks, including breaches, go undetected in a given year. Part of identifying and stopping breaches is knowing what kind of information cybercriminals are after, and election season creates hotbeds of public information that are prime targets for a breach.

The companies that house this information are, of course, responsible for keeping your data protected, but things don’t always go according to plan. Case in point: During the 2016 election season, GOP analytics firm Deep Root Analytics left the door wide open for crooks to access 198 million Americans’ voting information.

Politicians Prosper, Voters Are Exposed

Deep Root was hired to gather the information to support what would become the successful 2016 GOP presidential campaign. It included names, birthdays, phone numbers, voting information and even home addresses.

The company stored all this information on a database which researcher Chris Vickery discovered was misconfigured. The error meant there was no access protection for the database. Anyone with an internet connection could view and potentially steal the personal information of nearly 2 million Americans.

The database also included modelled positions, strategic information used by the GOP to market its campaign to voters. Had a major retailer allowed this type of information about their customers to get out, it probably would have been all over the news. Thankfully, it appears that while the door was left open, there were no nefarious attempts to access the data made during the 12 days it was unprotected.

Deep Root Responds to the Breach

With the number of cybersecurity issues surrounding the 2016 election year already staggering, Deep Root has taken a transparent stance toward the information leak. In a statement, the company encourages voters to monitor their accounts for fraudulent activity. They also attempt to temper the blow by pointing out that much of this info is public domain in some states.

Presumably, not all of Deep Root’s customers are political parties, and the field of data analytics is growing rapidly. In a business setting, critical analysis of data not unlike what Deep Root gathered can help businesses decrease operating costs by 60 percent or more. That’s a service you can charge for, and chances are Deep Root doesn’t want to forfeit any more customers than it has to in the wake of such a major error.

To remedy the exposed database, Deep Root updated access settings to the information, adding the layers of security that should have been in place to begin with.

White Hat Probing Uncovered the Error

While it might sting a little now, Deep Root is fortunate that consultancy firm UpGuard was around to point out the issue. Had it been left unattended, there’s no telling where the information could have wound up. Probably on the dark web, just like the Yahoo account information that has been up for sale there for half a year now.

Chris Vickery, the man who located the flaw in Deep Root’s system, is just one of many researchers engaged in locating and reporting these types of errors every day. While you might not hear about them, they play a critical role in ensuring the security of your data.

Google’s Project Zero is one such operation, a dedicated department of the 800-pound internet gorilla focused solely on uncovering vulnerabilities and thinking like cybercriminals. Their goal is to find the flaws before bad guys get there, and oftentimes they do. When an issue is found, the Project Zero coders report it to the organization responsible so they can apply a patch or remove the vulnerability.

Is Privacy a Reasonable Expectation Anymore?

Can the efforts of these good-guy hackers ever fully curtail the leak of information that has been gushing out of the internet since, well, probably before we even know?

Maybe not, but through careful regulation and fastidious maintenance, we can patch the easy holes. Deep Root got lucky — it committed a blatant error and wasn’t punished for it.

Just like burglary, data breaches are nearly always a crime of opportunity. If you leave the front door wide open, you had better expect someone to come waltzing in.

The post Deep Root Analytics Is in Deep Trouble With Voter Data Breach appeared first on IT SECURITY GURU.


Community Led Threat Prevention

Community based threat detection and prevention has been a fundamental principle in Anti-Virus and Intrusion Detection Systems for years.  Pooling the information and experience of multiple organisations to rapidly identify emerging threats, this collaborative approach enables security companies to quickly create a patch and disseminate it globally to minimise a hacker’s opportunity with that specific attack vector.

This model is now being extended to voice security in a bid to combat the escalating threats, including toll fraud, telephony denial of service and voice mail hacking attacks, leveraging the cloud based Session Border Controller (SBC) and community collaboration to deliver rapid protection against emerging global events.

Paul German, CEO, VoipSec, explains why community led threat detection and prevention is fast becoming a critical component of the VoIP security model.

Stronger Together

Security is not static; and the concept of ‘working together we are stronger’ is well proven. The ability to pool information and experience has proved key in the fight against a continuously evolving threat landscape. The difference today is that the threat landscape increasingly includes voice.  With the huge growth in companies adopting Voice over IP (VoIP) and Unified Communications (UC) to drive down costs and improve productivity, the inherent insecurity of standard deployments has driven an explosion in telephony denial of service attacks, voice mail hacking and toll fraud.

According to the Communications Fraud Control Association (CFCA) $4.4 billion has been lost due to PBX hacking, while the US Department of Homeland Security’s Cyber Security Division has recently announced it is funding two research projects designed to harden defenses following recent Telephony Denial of Service (TDoS) attacks on 911 emergency call centres, financial services companies and a host of other critical service providers and essential organisations.

It is becoming increasingly apparent that the frequency of this voice related activity will only increase all the while voice security models remain outdated and static. Given the growing complexity hackers face to break through multi-layered security systems to gain access to personal data, the contrasting ease with which a telephony denial of service attack can be launched on an unsecured or inadequately secured voice network is stark. It is no wonder these incidents are on the rise – and organisations are enduring the devastating consequences.

Cloud based SBCs

Traditional models for protecting the voice network were based on hardware devices – an ‘install once’ Session Border Controller (SBC) that simply could not protect an organisation against continually evolving threats.  More recently, that model has shifted towards software based SBCs that can be upgraded in response to new security risks.  It is, however, the evolution towards cloud based SBC deployments that now enables the adoption of this community led voice security model.

A cloud based SBC deployment facilitates community led intelligence on two fronts. Firstly, a community of organisations sharing breach information radically extends the number of touch points into hacking events, transforming understanding of and insight into the ways in which hackers are looking to compromise companies. Secondly, each attempt to compromise a specific customer environment creates a fingerprint which the security vendor can use to create a security patch or update that immunises every other user of the cloud based SBC against the same attack fingerprint.

This combination of routine product updates with shared intelligence ensures an attack on a single organisation can be quickly transformed into a patch or update that protects every business from the new risk.  

Understanding Threats

This model is particularly effective against the typical security threats now affecting voice networks: telephony denial of service and voicemail hacking. When a hacker targets a call centre and consumes all of its lines so that no inbound or outbound calls can be made, the impact on the organisation’s business is devastating. From the negative customer experience to the multi-million pound demands from hackers to unlock the lines, the business cost of one of these attacks can be very significant.

Each telephony denial of service attack will include specific attributes that will form the fingerprint. Taking a sample of that event – including what services the hacker is trying to access, the number called to or from, the digits being pressed when on the line – will enable the creation of a patch or update that can be shared with all users of the SBC, to ensure no other organisations are exposed to this specific breach attack.

A similar model applies to preventing wide exposure to voicemail hacking, a process that enables hackers to accept and make international collect calls – at huge cost to the compromised business. In addition to specific voicemail protection modules provided as part of a cloud based SBC to identify breach attempts, lock down the voice network and alert the organisation, the SBC will log rogue numbers identified across the cloud based network, rapidly creating a database of blacklisted numbers that can be deployed by all organisations to further protect against voicemail hacking attempts.

Prioritise and Evolve

This community model is particularly effective in highlighting and combatting global attacks.  An organisation operating single site security policies could be unaware that attacks are being launched simultaneously against multiple locations. With a global, cloud based SBC approach, the company will be made immediately aware of the scale of the global attack and therefore able to enforce policies that protect the entire environment against breach.

The ability to prioritise activity is also key. Every threat will be profiled and organisations have the option as to how frequently updates are made.  For example, most will opt to be immediately protected from critical risks, while high or medium risk updates could be made weekly, and low risks just once a month. In addition, the community model supports continual assessment of past threats by using validation techniques to track activity. If a specific fingerprint is not seen again, and the patch is no longer required, it can be removed from the SBC or replaced by a different approach, such as diverting any calls from a previously blocked number to a security desk.
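The fingerprint-and-share loop described in the last three sections, as an added Python illustration. This is example code written for this page, not VoipSec’s product and not any real SBC interface: it derives a fingerprint from one tenant’s confirmed attack call (calling number, service reached, leading DTMF digits), correlates it across sites to flag a global attack, builds the shared blocklist of rogue numbers, applies a severity-tiered update cadence, and retires fingerprints not seen within a validation window. The event layout, severity tiers, cadence values and the sample calls are all assumptions constructed for the example.

```python
"""Community-led VoIP threat fingerprinting, as an added illustration.

Example code only: not VoipSec's product, and not any real SBC API.  The
event fields, severity names and cadence numbers are assumptions chosen to
mirror the attributes the article names (service targeted, calling and
called number, DTMF digits pressed) and its severity-tiered update policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CallEvent:
    """One call observed by an SBC at a tenant site (constructed sample data)."""
    site: str           # tenant site that observed the call
    src: str            # calling number
    dst: str            # called number
    service: str        # what the caller reached: "ivr", "voicemail", "trunk", ...
    dtmf: str           # digits pressed while on the line
    seen: datetime


@dataclass(frozen=True)
class Fingerprint:
    """Attack attributes shared with every tenant of the cloud SBC.

    None for src or dst means "any": a TDoS flood from one number hits many
    victims, so the called number is not part of that fingerprint.
    """
    src: Optional[str]
    dst: Optional[str]
    service: str
    dtmf_prefix: str
    severity: str       # assumed tiers: "critical" | "high" | "medium" | "low"

    def matches(self, ev: CallEvent) -> bool:
        return ((self.src is None or ev.src == self.src)
                and (self.dst is None or ev.dst == self.dst)
                and ev.service == self.service
                and ev.dtmf.startswith(self.dtmf_prefix))


def fingerprint_from_event(ev: CallEvent, severity: str) -> Fingerprint:
    """Turn one confirmed attack call at one tenant into a shareable fingerprint."""
    return Fingerprint(src=ev.src, dst=None, service=ev.service,
                       dtmf_prefix=ev.dtmf[:4], severity=severity)


# Assumed cadence: how long after publication each severity may wait to be applied.
APPLY_WITHIN = {"critical": timedelta(0), "high": timedelta(days=7),
                "medium": timedelta(days=7), "low": timedelta(days=30)}


def due_updates(feed: List[Tuple[Fingerprint, datetime]], now: datetime) -> List[Fingerprint]:
    """Fingerprints a tenant must have applied by `now` under APPLY_WITHIN."""
    return [fp for fp, published in feed if published + APPLY_WITHIN[fp.severity] <= now]


def correlate(events: List[CallEvent], fps: List[Fingerprint]) -> Dict[Fingerprint, Set[str]]:
    """Map each fingerprint to the sites where it matched; more than one site = global attack."""
    hits = {fp: set() for fp in fps}
    for ev in events:
        for fp in fps:
            if fp.matches(ev):
                hits[fp].add(ev.site)
    return hits


def global_attacks(hits: Dict[Fingerprint, Set[str]]) -> List[Fingerprint]:
    return [fp for fp, sites in hits.items() if len(sites) > 1]


def shared_blocklist(fps: List[Fingerprint]) -> Set[str]:
    """Rogue calling numbers every tenant can block outright."""
    return {fp.src for fp in fps if fp.src is not None}


def retire_stale(fps, events, now, window=timedelta(days=30)):
    """Validation pass: drop fingerprints not seen anywhere within `window`.

    Returns (active, retired).  A retired entry is the candidate for a softer
    control, such as diverting the caller to a security desk.
    """
    last_seen = {fp: max((ev.seen for ev in events if fp.matches(ev)), default=None) for fp in fps}
    active = [fp for fp in fps if last_seen[fp] is not None and now - last_seen[fp] <= window]
    retired = [fp for fp in fps if fp not in active]
    return active, retired


# Constructed sample traffic: a TDoS flood from one number against two sites,
# a voicemail PIN probe at a third site, and one legitimate call.
T0 = datetime(2017, 6, 27, 9, 0)
SAMPLE_EVENTS = [
    CallEvent("london", "+15551230001", "+442071234567", "ivr", "9#9#9#", T0),
    CallEvent("london", "+15551230001", "+442071234568", "ivr", "9#9#9#", T0 + timedelta(seconds=2)),
    CallEvent("paris", "+15551230001", "+33170000001", "ivr", "9#9#9#", T0 + timedelta(seconds=5)),
    CallEvent("madrid", "+15551230002", "+34910000001", "voicemail", "0000*", T0 + timedelta(minutes=1)),
    CallEvent("london", "+447700900123", "+442071234567", "ivr", "1", T0 + timedelta(minutes=2)),
]

TDOS = fingerprint_from_event(SAMPLE_EVENTS[0], "critical")
VM_PROBE = Fingerprint(src=None, dst=None, service="voicemail", dtmf_prefix="0000", severity="high")
FEED = [(TDOS, T0), (VM_PROBE, T0)]   # (fingerprint, time published to the community)

if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS, [TDOS, VM_PROBE])
    print("global attacks:", [fp.src or fp.service for fp in global_attacks(hits)])
    print("shared blocklist:", shared_blocklist([TDOS, VM_PROBE]))
    print("due immediately:", [fp.severity for fp in due_updates(FEED, T0)])
```

The design choice worth noting is that the called number is left out of the TDoS fingerprint: the attacker’s source number and behaviour on the line are what repeat across victims, while the destination is whatever that tenant’s lines happen to be. A tenant that syncs only weekly still receives the critical entry immediately under the cadence table, and the retirement pass is what keeps the shared rule set from growing without bound.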


It is this depth of security intelligence that is transformative. With growing consensus that the burden facing organisations attempting to fight security issues individually is simply too high, it is clear that joining a specific community of companies willing to work together is a far more effective approach to locking down a business against new threats affecting voice and UC.

Combining this community led collaboration with the ability to rapidly disseminate patches and updates via a cloud based SBC will enable organisations to lock down the business against escalating VoIP security threats.

The post Community Led Threat Prevention appeared first on IT SECURITY GURU.


New report from CREST highlights the need to improve cyber security in Industrial Control Systems

There is a pressing need to improve cyber security in Industrial Control System (ICS) environments to avoid future breaches that could impact critical national infrastructure, concludes CREST, the not-for-profit accreditation body representing the technical information security industry, in its latest position paper, ‘Industrial Control Systems: Technical Security Assurance’. The report highlights a number of challenges and suggests that more technical security testing has a significant role to play in ensuring higher levels of security assurance are met.


The report draws on the diverse views of the Industrial Control Systems and technical security communities and proposes a model for gaining greater assurance in ICS environments. It is based on the findings of a research project that set out the main challenges and possible solutions for protecting Industrial Control Systems, many of which are based on legacy technologies.


One of the key findings in the report is the absence of periodic standards-based technical security testing that is commonplace in many other industries. Because of this, ICS environment owners and operators have no objective way of knowing whether cyber risk is being adequately managed and at present there is no definitive standard for testing ICS environments that is mandated by regulatory bodies. The fact that ICS environments are rapidly changing also leads to a higher degree of exposure.


“ICS environment owners require assurances that risk is being identified, assessed and evaluated. Above all else they need to know that there are appropriate measures in place to manage and mitigate risk,” explained Ian Glover, president of CREST. “Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.”


“This position paper is supporting the work CREST is doing in many parts of the critical national infrastructure in the roll out of intelligence led penetration testing,” added Glover.


The UK National Cyber Security Centre (NCSC), commented. “We believe this paper provides a valuable contribution to the current thinking on this challenging topic and we look forward to working with CREST, as well as ICS operators and the cyber security industry in order to make the UK the safest place to live and do business online.”


The position paper is for organisations in both the private and public sector and is mainly targeted at IT managers, information security managers and technical security testing specialists. It will also be of interest to process engineers, safety specialists, business managers, procurement specialists and IT auditors.


CREST is now looking to expand on this initial ICS research to develop detailed guidance material that can be used by specialists to help secure ICS environments, in particular those that make up the Critical National Infrastructure. You can look at the full report here:

The post New report from CREST highlights the need to improve cyber security in Industrial Control Systems appeared first on IT SECURITY GURU.


Neuroscience and security: your thoughts are safe (for now)

A Canadian researcher called Melanie Segado explained to us the extent to which your brain activity could be used for malicious purposes, for example to find out what you’re thinking or to guess your PIN. Melanie, who is finishing her doctorate in neuroscience in Montreal and is co-founder of the NeurotechX community, differentiated the techniques that are used for measuring brain activity, which allow for the interpretation of the signals emitted in response to stimuli. She and other researchers in the field are trying to determine the capabilities and limitations of this technology in the context of security.

View Full Story


The post Neuroscience and security: your thoughts are safe (for now) appeared first on IT SECURITY GURU.


Nothing is safe from a hacker, even a toy, smart TV or fitness tracker

New research from SWNS Digital has revealed the full extent to which dishonest individuals can invade people’s privacy by way of a few clicks of the mouse. The survey, conducted by consumer security specialist, BullGuard, included responses from 2,000 UK smart device owners. Aside from smartphones, tablets and PCs, respondents own three internet-connected devices on average, including locks, pet trackers and webcams.

View Full Story


The post Nothing is safe from a hacker, even a toy, smart TV or fitness tracker appeared first on IT SECURITY GURU.


NATO decides cyber attacks could trigger collective defence clause

The North Atlantic alliance is moving cyber into the domain of the military, alongside land, sea and air capabilities. Article 5 of the North Atlantic Treaty, which states that an attack on one NATO member is considered an attack on all, is being extended into the realm of cyber warfare. Speaking to journalists on Wednesday, NATO Secretary General Jens Stoltenberg said the collective defence articles could be invoked in the face of a cyber attack.

View Full Story


The post NATO decides cyber attacks could trigger collective defence clause appeared first on IT SECURITY GURU.


Top cloud challenges: Security, compliance, and cost control

A new Fugue survey, fielded to over 300 IT operations professionals, executives, and developers, found that most respondents believe that the cloud is not living up to expectations because of compliance and security concerns, unexpected downstream costs, and the glut of cloud management tools available in the market.

View full story

ORIGINAL SOURCE: Help Net Security

The post Top cloud challenges: Security, compliance, and cost control appeared first on IT SECURITY GURU.


Surprise! NotPetya Is a Cyber-Weapon. It’s Not Ransomware

The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts. Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like a ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.

View Full Story

ORIGINAL SOURCE: BleepingComputer

The post Surprise! NotPetya Is a Cyber-Weapon. It’s Not Ransomware appeared first on IT SECURITY GURU.


Wednesday, 28 June 2017

The Ransomware called NotPetya – Cyber Experts have their say

Tuesday’s global cyber attack caused havoc and disruption to all manner of businesses. Many within the cyber industry are debating whether the ransomware used was actually a strain of Petya or something completely new. It was first detected in Ukraine, where an update mechanism within an accounting program used by companies connected to the Ukrainian government allowed the malware to seed itself and affect systems within the government, industrial enterprises, banks, airports and transportation services. It spread fast and caused havoc to systems at major European and American corporations, with British advertising giant WPP, Danish shipping behemoth Maersk and Merck & Co, the American pharmaceutical corporation, among those that were hit. Cyber security experts have offered their advice and insight around Petya or NotPetya, with many saying attitudes towards cyber security need to change:

Javvad Malik, security Advocate at AlienVault:

It appears to be a new ransomware campaign impacting multiple countries and some major businesses with some manufacturing reportedly stopped. The ransomware appears to be a Petya variant that may be spreading via EternalBlue; although this is not confirmed yet. Further information is being collated at

Andrew Clarke, EMEA Director at One Identity:

The best advice to all is it is time to act now – make cyber security the number 1 item on the agenda at the next board meeting – and resolve to take proactive action to strengthen your cyber defences.    What we are seeing in the continuing battle against the cyber threats is a massive escalation that will impact anyone who is not taking this seriously and has proactively analysed, reviewed and acted upon advice for their own environments. The phrase ransomware is entering every day conversation and many people are familiar with the consequences of its impact.  The overnight escalation of a global ransomware attack serves to re-enforce the need for all of us to step up our game regarding cyber security – both at a personal level as well as a corporate level

Robert Lipovsky, Researcher at ESET:

ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: on our investigation, it appears the attack was launched in the morning hours of June 27, Ukrainian time.

Lee Munson, Security Researcher at

When businesses around the world woke up to the WannaCry ransomware recently, they must have thought their worst nightmares had come true. That a kill switch was found, and the damage done relatively small, was extremely fortunate but it should have painted a powerful picture of what could happen should another ransomware attack come marching over the hill. That Petya has caught major organisations unaware, including financial companies that are usually among the most secure types of business, is therefore a massive shock and a huge cause for concern. Most businesses will have learned the value of maintaining regular backups and the implementation of technical security controls to create restore points and block ransomware at the point of entry. Petya, however, highlights how staff awareness may still be an issue, giving an in to attacks of this kind, and perhaps highlights how patch management may still be lagging way behind where it needs to be.

Paul Edon, Director at Tripwire:

Tuesday’s cyber-attacks, which caused disruption to Ukrainian banks, Ukrenergo Power Distribution and other Ukrainian commercial businesses, appear to have gained initial entry via a phishing attack and then spread across systems by means of the EternalBlue exploit. Phishing attacks are commonplace and currently represent the most successful entry point leading to a successful breach. Foundational controls such as email and web filtering combined with comprehensive workforce education will greatly reduce the success of these attacks. Email and web filtering can recognise and block malicious URL access and quarantine suspicious attachments. Workforce education will help users identify phishing email, deter them from clicking on unknown or unexpected attachments, discourage the access of unknown URLs, and assist staff in recognising unusual system activity. EternalBlue exploits a known vulnerability within the Microsoft Server Message Block (SMB v1) protocol, which allows attackers to execute arbitrary code using specially crafted packets. Microsoft originally released a patch for supported Microsoft operating systems in mid-March 2017. After the WannaCry ransomware attacks, which also used EternalBlue to traverse networks, Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003. Patch management is a foundational control that forms an important part of the technical security strategy. If for reasons of legacy or critical operations these patches cannot be deployed, then it is crucial that organisations assess the risk accordingly and use further mitigating controls to monitor and protect those systems.

The post The Ransomware called NotPetya – Cyber Experts have their say appeared first on IT SECURITY GURU.


MP Cyber Attack Further Proof That Weak Passwords Are The Biggest Threat To Data Security

Identity and Access Management specialist My1Login says that weak passwords and poor ID management are likely to have contributed to the MP email cyber attack at the weekend.

Parliament was hit by a “sustained and determined” cyber-attack last Friday, with hackers attempting to gain access to MPs’ and their staffers’ email accounts. Both houses of parliament were targeted in an attack that sought to gain access to accounts protected by weak passwords.

My1Login CEO, Mike Newman, comments: “The full facts are still to come out, but this was a determined attack to exploit weak passwords. Most passwords are very easy to break by hackers as there is a commonality to them world-wide. Moreover, people don’t take enough precautions to safeguard their passwords; they write them down; save them to their computer or make them extremely weak so they are easy to remember. This has to change.”

He added: “In my opinion, the only way to safeguard data, especially when it comes to matters of national security, is to eliminate end-users having to manage passwords altogether. Our Single Sign-On technology removes the need for end-users to manage or even know passwords, protecting against weak password use and ensuring data is kept secure”.

My1Login has recently been cited as a global leader in Identity Management by CB Insights, the highly respected analyst and technology sector research group. The company was also recently approved for the G-Cloud 9 digital framework to supply cloud services to the UK public sector.

Over 1,000 companies currently rely on My1Login’s solution, which removes the need for employees to manage multiple passwords. It provides next generation Identity and Access Management solutions for the enterprise and eliminates the need for passwords in business by providing Single Sign-On that works with all applications, across all devices. The service works with cloud, mobile and thick-client legacy applications, which enables it to address Single Sign-On challenges even in the most complex enterprise environments, where apps are often a mix of cloud, mobile and legacy systems such as mainframes.


For more information please email or visit


The post MP Cyber Attack Further Proof That Weak Passwords Are The Biggest Threat To Data Security appeared first on IT SECURITY GURU.


Mobile Ransomware: An Evolving Threat for Developed Markets

Mobile ransomware actors are focusing their attacks on wealthy countries. Developed markets not only have a higher level of income, but also a more advanced and more widely used mobile and e-payment infrastructure. According to Kaspersky Lab’s annual ransomware report for 2016-2017, this is appealing to criminals because it means they can transfer their ransom in just a couple of taps or clicks.

Kaspersky Lab has continued its tradition of reporting on ransomware threats with its second annual study into the issue. The report covers the full two-year period, which, for comparison reasons, has been divided into two parts of 12 months each: from April 2015 to March 2016 and from April 2016 to March 2017. We’ve chosen these particular timescales because they witnessed several significant changes in the ransomware threat landscape.

Mobile ransomware activity skyrocketed in the first quarter of 2017 with 218,625 mobile Trojan-Ransomware installation packages, 3.5 times more than in the previous quarter. Activity then fell back to the average level of the observed two year period. Despite this slight relief, the mobile threat landscape is still cause for concern, as criminals target nations with developed financial and payment infrastructures that can be easily compromised.

In the period of 2015-2016 Germany was the country with the highest percentage of mobile users attacked with mobile ransomware (almost 23 per cent), as a proportion of users attacked with any kind of mobile malware. It was followed by Canada (almost 20 per cent), the UK and the US – exceeding 15 per cent.

This changed in 2016-2017 with the US shifting from fourth to first position (almost 19 per cent). Canada and Germany retained their top-3 ranking with almost 19 per cent and over 15 per cent respectively, leaving the UK in fourth place with more than 13 per cent.

The rise in the United States occurred largely due to attacks from the Svpeng and Fusob malware families, the first of which is mainly targeting America. As for Fusob, this malware family was initially focused on Germany, but since Q1 2017 America has topped its list of targets with 28 per cent of attacks.

“These geographical changes in the mobile ransomware landscape could be a sign of the trend to spread attacks to rich, unprepared, vulnerable or yet unreached regions. This obviously means that users, especially in these countries, should be extremely cautious when surfing the web,” notes Roman Unuchek, security expert at Kaspersky Lab.

Other key findings from the 2017 Kaspersky Security Network (KSN) report include:  

  • The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4 per cent compared to the previous 12 months (April 2015 to March 2016) – from 2,315,931 to 2,581,026 users around the world;
  • The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by almost 0.8 percentage points, from 4.34 per cent in 2015-2016 to 3.88 per cent in 2016-2017;
  • Among those who encountered ransomware, the proportion that encountered cryptors rose by 13.6 percentage points, from 31 per cent in 2015-2016 to 44.6 per cent in 2016-2017;
  • The number of users attacked with cryptors almost doubled, from 718,536 in 2015-2016 to 1,152,299 in 2016-2017;
  • The number of users attacked with mobile ransomware fell by 4.62 per cent from 136,532 users in 2015-2016 to 130,232.
  • The top 10 countries with the biggest share of users attacked with PC ransomware as a proportion of all users attacked with any kind of malware in 2016-2017 are: Turkey (almost 8 per cent), Vietnam (around 7.5 per cent), India (over 7 per cent), Italy (around 6.6 per cent), Bangladesh (more than 6 per cent), Japan (almost 6 per cent), Iran (almost 6 per cent), Spain (almost 6 per cent), Algeria (almost 4 per cent), and China (almost 3.8 per cent). This is a very different list compared to 2015-2016, as Turkey, Bangladesh, Japan, Iran and Spain have since entered the list, all exceeding 5 per cent.

To reduce the risk of infection, users are advised to:

  • Back up data regularly.
  • Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
  • Always keep software updated on all the devices you use.
  • Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
  • If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
  • The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they have installed.
  • Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

For help and advice on dealing with ransomware visit No More Ransom. Check out No Ransom to find the latest decryptors, ransomware removal tools, and information about ransomware protection.

Read the full version of the Kaspersky Lab’s Malware Report on

The post Mobile Ransomware: An Evolving Threat for Developed Markets appeared first on IT SECURITY GURU.


New Research Shows Cybersecurity Battleground Shifting to Linux and Web Servers

WatchGuard®’s latest quarterly Internet Security Report reveals that despite an overall drop in malware detection, Linux malware made up more than 36 percent of the top threats identified in Q1 2017. The increased presence of Linux/Exploit, Linux/Downloader and Linux/Flooder attacks highlights the need to protect Linux-based IoT devices and Linux servers from the internet with layered defences.

Other key findings from the Q1 2017 report include:


  • The cybersecurity battleground is shifting toward web servers. In Q1, drive-by downloads and browser-based attacks were predominant. Furthermore, 82 percent of the top network attacks targeted web servers or other web-based services. Users should strengthen web server defences by hardening permissions, limiting resource exposure, and patching server software.


  • Legacy Antivirus (AV) continues to miss new malware at a higher rate. AV solutions missed 38 percent of the total threats WatchGuard caught in Q1, compared to 30 percent in Q4 2016. The growing number of new or zero-day malware now evading traditional AV highlights the weaknesses of signature-based detection solutions and the need for services that can detect and deter advanced persistent threats.


  • Attackers still exploit the Android StageFright flaw. This exploit first gained notoriety in 2015 and is proving its longevity as the first mobile-specific threat to hit WatchGuard Threat Lab’s top 10 attacks list this year. At a minimum, Android users should regularly upgrade their operating systems to prevent mobile attacks like StageFright.


  • Threat actors take a break from hacking the holidays. Overall, threat volume decreased 52% in Q1 2017 compared to Q4 2016. We believe the drop in malware detections can be attributed to the absence of seasonal malware campaigns associated with various Q4 holidays, which increased overall malware instances during that period.


“This new Firebox Feed data allows us to feel the pulse of the latest network attacks and malware trends in order to identify patterns that influence the constantly evolving threat landscape,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies. “The Q1 report findings continue to reinforce the importance and effectiveness of basic security policies, layered defences and advanced malware prevention. We urge readers to examine the report’s key takeaways and best practices, and bring them to the forefront of information security efforts within their organisations.”

WatchGuard’s Internet Security Report explores the latest computer and network security threats affecting small to midsize businesses (SMBs) and distributed enterprises. It is designed to offer educational insights, research and security recommendations to help readers better protect themselves and their organisations against modern threat actors.

The WatchGuard Report is based on anonymised Firebox Feed data from more than 26,500 active WatchGuard UTM appliances worldwide, representing a small portion of the overall install base. These appliances blocked more than 7 million malware variants in Q1, representing an average of 266 samples blocked by each individual device. WatchGuard appliances also blocked more than 2.5 million network attacks in Q1, which equates to 156 attacks blocked per device. The complete report includes a breakdown of the quarter’s top malware and attack trends, an analysis of the CIA Vault 7 leaks and key defensive learnings for readers. The report also features a new research project from the WatchGuard Threat Lab, which focuses on a new vulnerability in a popular IoT camera.

For more information, download the full report here:


The post New Research Shows Cybersecurity Battleground Shifting to Linux and Web Servers appeared first on IT SECURITY GURU.


Met Police vulnerable to cyber attacks due to Windows XP use, GLA warned

The Metropolitan Police Service (MPS) still uses Windows XP on more than 18,000 computers, putting the force at risk of cyber attacks, the Greater London Authority (GLA) has been warned.

View Full Story

ORIGINAL SOURCE: Computer Weekly

The post Met Police vulnerable to cyber attacks due to Windows XP use, GLA warned appeared first on IT SECURITY GURU.


Organizations award hackers up to $900,000 a year in bug bounties

A new HackerOne report examines over 800 hacker-powered programs from organizations including Airbnb, GitHub, General Motors, Intel, Lufthansa, Nintendo, U.S. Department of Defense, Uber, and more. Findings are based on nearly 50,000 resolved security vulnerabilities and more than $17 million in bounties awarded.

View Full Story

ORIGINAL SOURCE: Help Net Security

The post Organizations award hackers up to $900,000 a year in bug bounties appeared first on IT SECURITY GURU.


52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials

Tens of thousands of developers using weak credentials to secure their npm accounts inadvertently put more than half of the npm packages (JavaScript libraries and tools) at risk of getting hijacked and used to deploy malicious code to legitimate applications that use them in their build process.

View Full Story

ORIGINAL SOURCE: Bleeping Computer

The post 52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials appeared first on IT SECURITY GURU.


Hackers threaten South Korean banks with DDoS attacks

KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, NH Bank and two other South Korean banks were reportedly threatened with DDoS attacks last week. The Armada Collective hacking group has issued a ransom demand of approximately £245,700 to seven South Korean banks, threatening to launch distributed denial of service attacks against each of their organisations.

‘Vaccine’ created for huge cyber-attack

Security researchers have discovered a “vaccine” for the huge cyber-attack that hit organisations across the world on Tuesday. The creation of a single file can stop the attack from infecting a machine. However, researchers have not been able to find a so-called kill switch that would prevent the crippling ransomware from spreading to other vulnerable computers.

Tuesday, 27 June 2017

Farsight security research indicates that WannaCry-like attacks represent ‘just another day at the office’

We all remember WannaCry; the scale of the attack, spanning over 150 countries and almost a quarter of a million computers. In the UK, at least, this was accompanied by a media frenzy, largely due to the highest profile victim of the attack being the National Health Service. As a highly emotional target here in the UK, WannaCry became big news as the media strived to explain what had happened to our beloved NHS. However, according to a survey conducted at Infosecurity Europe earlier this month by Farsight Security, attacks of this nature happen with alarming regularity. 49% of those surveyed indicated they had been involved in battling and preventing WannaCry style cyberattacks in the last year.

Of this 49%, nearly three quarters (72%) said that this type of event, requiring them to work frantically to protect networks from attack, had happened three times in the last year alone.

“WannaCry made the headlines and got the general public listening, however, cybersecurity professionals actually work on incidents like this all throughout the year,” said Dr. Paul Vixie, CEO and Cofounder of Farsight Security.

Of the 49% of respondents who reported other WannaCry-like incidents that were shielded from public view, 20% said that these major security events have happened up to a staggering six times over the last year alone. It is easy to forget how common these attacks are and how hard these security professionals are working to keep our national infrastructure and our data secure.

The WannaCry ransomware attack began on Friday, May 12, 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. The sheer scale of the attack left many cybersecurity professionals working over the weekend to make sure their systems were prepared and resilient enough to withstand the attack. The NHS was publicly known to be particularly badly hit. The WannaCry ransomware exploits a vulnerability in Microsoft Windows, for which a patch was released. However, many corporations do not automatically patch their systems due to issues that a Windows update can cause to their legacy software programs. So, despite the patch being available, the failure to apply it left hundreds of thousands of devices open to attack and held to ransom.

Cybercriminals often create and discard thousands of domain names within minutes for phishing attacks and other methods to “fly below the radar” during cyberattacks. Today most security professionals begin a cyberinvestigation by examining a suspicious IP address or domain name. Using Farsight DNSDB, the world’s largest historical database of Passive DNS with more than 35 billion DNS resolutions collected since 2010, users can query these domain names and related IP addresses to gain rich threat intelligence, from when attackers entered a network to their motives and methods.

The survey of 360 information security professionals was conducted at Infosecurity Europe 2017 conference which took place June 6-8, 2017, at the Olympia Conference Centre in London.

Stephanie Daman – The Cyber Industry has lost an inspirational soul

The CEO of Cyber Security Challenge UK, Stephanie Daman, has passed away peacefully at the age of 56 following a long battle with cancer.

Stephanie was a remarkable role-model who inspired all of those with whom she came into contact. She cared passionately about Cyber Security Challenge UK and its twin missions to find and nurture talented people to join the cyber security profession and promote career opportunities in cyber security generally.

She was first diagnosed days after being appointed CEO in 2012 but fought resolutely and bravely to avoid it having any impact on her ability to be both an inspirational business leader and devoted mother to her beloved daughter Katrina, aged 8.

During nearly five years at the helm of Cyber Security Challenge UK, Stephanie oversaw a step change in the number and variety of activities it undertook; nurturing it on the journey from an ambitious start-up to a well-established and mature not-for-profit company consistently punching above its weight. She introduced programmes specifically targeted at universities and schools; expanded the Challenge’s network of sponsors and supporters and even ensured that the UK is a key member of the steering committee for the European Cyber Security Challenge.

Before joining the board of Cyber Security Challenge UK, Stephanie was Head of Group Information Risk at HSBC and a founder member and creator of Get Safe Online. Always keen to play her part in the wider security community, she was an active member of both the Information Assurance Advisory Council and the Risk and Security Management Forum. Earlier in her career, Stephanie worked as a Government security official where her postings included the British Embassy in Washington DC and the Cabinet Office.

Stephanie’s hard work and dedication touched an enormous number of people across the sector – whether it was her drive to bring gender equality to the cyber security workforce; her desire for innovative approaches to solving the UK’s cyber skills deficit; or her incredible ability to generate support for new ideas that would give people the opportunities they deserved. Stephanie Daman’s infectious dynamism and resolve made things happen that truly changed peoples’ lives for the better. We will all miss her greatly.

What does the GDPR mean for SMEs?

The EU General Data Protection Regulation (GDPR) comes into force in the UK in May 2018 and is anticipated to have a significant impact on businesses across the country.

The GDPR is a replacement for the Data Protection Act 1998, and will apply to all organisations that process, handle and store any personal data of EU residents.

These new regulations mean businesses are required to gain consent for all data collected from individuals, and provide clear and comprehensive privacy notices to help these individuals understand what they are opting into. Crucially, organisations of all sizes need to be able to prove that consent was given if they want to process any form of personal data.

Ultimately, the GDPR regulations mean increased powers for European Supervisory Authorities, including the ability to impose financial penalties of up to €20 million or four percent of the business’ worldwide annual turnover, for non-compliance or breaches.

With this in mind, Ebuyer, a leading provider of storage, networking and security solutions to SMBs, has created a compliance checklist to help business owners avoid the potentially disastrous consequences of a compliance failure:


  1. Begin compliance discussions now with key people in your organisation.
  2. Document the personal data your organisation holds, where it came from and who it is shared with.
  3. Review your privacy notices. Under the GDPR, you will need to clearly identify the lawful basis for processing customer data, as well as how long you will retain it for and the customer’s right to complain about how you are using it.
  4. Have a robust process in place for locating and deleting individual customers’ data, if and when requested.
  5. Be aware of the new right to “data portability”. This means individuals have the right to request their personal data in a commonly-used, machine-readable format, provided to them free of charge and within one month.
  6. Review how you seek, record and manage consent for data collection. Remember consent must be explicitly provided: assumption of consent (for instance, via pre-ticked boxes on a web form) can breach regulations.
  7. Review how you will verify individuals’ ages, and how you will obtain parental consent to process the data of under-13s if required.
  8. Reinforce your existing data breach reporting procedures to ensure your organisation can meet the new timelines.
  9. Take steps to appoint a Data Protection Officer if you are required to, and consider who should be trained in, and responsible for, GDPR compliance even if not.


Amber Smith, Head of Sales at said: “The new GDPR regulations will have a significant impact on small businesses, who will need to begin taking steps to achieve compliance as soon as possible. But it’s not just SMEs who need to begin making these changes, as the law applies to all companies regardless of size, from sole traders to multinationals.

“This year’s ransomware attacks should already have emphasised the need for businesses to invest in robust antivirus and cybersecurity measures, but in case they didn’t, hopefully the GDPR and its new penalties for non-compliance will.”

To find out more about what you need to do to ensure your business complies, please visit:

Majority of cyber professionals not confident UK government can protect itself from cyberattacks

Tripwire, Inc., a leading global provider of security and compliance solutions for enterprises and industrial organisations, today announced the results of a survey of 350 information security professionals that found 69 percent are not confident in the ability of the U.K. government to protect itself from cyberattacks in 2017. The survey was conducted June 6-8, 2017, at Infosecurity Europe 2017 at the Olympia Conference Centre in London.

Additionally, when participants were asked if they thought European Union agencies like Europol and ENISA help keep the U.K. more cyber secure, 68 percent said “yes”.

“With the highly publicised investigations and speculations into election hacking across the world, it seems only logical that people will start to wonder about their own government’s cyber resiliency,” said Tim Erlin, VP at Tripwire. “The recent WannaCry outbreak in the U.K. has shown us what happens when government entities and national infrastructures are not protected from today’s cyberthreats.”

Europol director Rob Wainwright told members of Parliament last year that Britain would become a “second-tier nation” to Europol after Brexit. This, coupled with the continued indication of a “hard” Brexit, could jeopardize the U.K.’s relationship with EU bodies, including Europol and ENISA.

Erlin added, “What the results of this survey show is that seasoned cybersecurity professionals are not confident that the U.K. government is protected from hackers. They also value the relationship that the U.K. has with friends and colleagues in the EU-funded agencies. The importance of an EU-wide coordinated effort to combat cyber risk should not be forgotten during withdrawal negotiations, as these efforts are clearly valued by the U.K.’s cybersecurity community.”

About Tripwire

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics.

Learn more at, get security news, trends and insights at, or follow us on Twitter @TripwireInc.

Nearly half of UK office workers believe automation will have a positive impact on their organisation, finds new study

Capgemini, a global leader in consulting, technology and outsourcing services, today revealed findings of its research showing that nearly half (48%) of UK office workers are optimistic about the impact automation technologies will have on the workplace of the future. However, the cost of implementation and lack of infrastructure are big barriers to adoption for UK businesses.

Capgemini commissioned independent research company Opinium to survey over 1,000 UK office workers to explore their attitudes and expectations of cutting-edge technologies including automation, robotics, and artificial intelligence (AI), including machine learning. It found that 40% of respondents believe machine learning will have a potentially positive impact in the workplace along with robotics (32%). Only 10% of respondents felt automation would have a negative impact.


Opportunity for an automated workplace

Nearly half of respondents (47%) revealed they have given serious thought to how automation technologies can support their department with its day-to-day processes; this rises to 85% among those office workers who are responsible for finances. In addition, business owners and directors, who were also part of the research sample, believe that as much as 40% of business tasks in their organisation could be automated in the next three to five years. Tasks such as invoicing (41%), managing expense claims (28%), reporting (28%) and administration tasks (28%) were all highlighted as having the potential for automation in the near future.


As a result of increasing the use of these technologies in the workplace, office workers are starting to see the benefits these could have, including freeing up staff time to do higher value, core business tasks (27%), lowering costs (25%) and improving the accuracy of results (21%).


Lee Beardmore, Vice President and Chief Technology Officer of Capgemini’s Business Services Unit, says: “It’s really heartening to see the optimism for automation technologies among the UK’s office workers – particularly when nearly half have given serious thought to implementation in their own workplace. At present our survey estimates that around 13% of businesses in the UK are benefiting from automation, but there’s still a lot that haven’t seen anything yet. We certainly expect this figure to rise in the near future as more and more businesses realise the transformational power of technologies such as AI, robotics and automation. All of these technologies represent an opportunity for growth for businesses in every industry sector.”


Barriers to a more automated future

Although there is much optimism surrounding the benefits of automation technologies, office workers also noted a number of challenges to their organisation’s adoption, with an average of just under a third of respondents saying that implementation costs were the main barrier across all the technologies. Interestingly, cybersecurity is most commonly seen as an obstacle to taking up AI (17%), while there is least awareness of the potential benefits of robotics (18%) and machine learning (17%). Time needed to implement, as well as skills and expertise needed, were also in the top five reasons cited as barriers.

One of the biggest problems businesses will have to overcome is a lack of infrastructure. More than seven in 10 office workers (73%) were either not sure or knew their businesses didn’t have the infrastructure in place to adopt AI. Respondents had the most confidence in automation, but 60% still admitted they didn’t or might not have everything in place to adopt the technology.


Lee Beardmore continues: “I would urge all businesses to not only start thinking about the potential value of automation technologies, but to also start looking at the skills and expertise they need within their organisation for future implementation, to stay competitive in the years to come. That’s why we are continuing to help in the drive to educate and support businesses when it comes to key technologies such as AI, robotics, and automation. By doing so Capgemini aims to boost the prospects of individual businesses and UK PLC’s productivity on the whole.”


Antony Walker, deputy CEO of techUK said: “This survey is a useful reminder of the positive outcomes we will see from automation. Whilst it is clear that new technologies will have a transformational impact on many jobs, it is by no means inevitable that machines will simply be used to displace humans. Dynamic economies that harness innovation to drive productivity and economic growth remain the best generators of rewarding and meaningful employment. This study suggests that many of today’s workers see real benefits in technological innovation.”
