CCleaner bundled Avast Free Antivirus to its installer

Avast Free Antivirus is bundled with CCleaner in a way that many users find inappropriate

Avast purchased Piriform in mid-2017, and that may explain the choices being made now. Even though CCleaner has been a successful system optimization tool for over a decade, its reputation took a significant hit once its distribution servers were compromised and a malicious variant of the product was served to users[1].

This may be why researchers have spotted the security company offering Avast Free Antivirus bundled with the CCleaner installer[2]. Although bundling is a widely used marketing method, consumers tend to find it highly inappropriate, since potentially unwanted programs (PUPs) are distributed the same way.

Combining CCleaner with Avast Free Antivirus could, in principle, raise many users' system security to another level. Sadly, the chosen distribution method seems to undermine the reputation of the security services both companies provide[3].

Bundling: a method employed not only by Avast but also by shady developers of adware programs


This distribution technique is widely beloved by the developers of potentially unwanted programs (PUPs)[4]. It is quite ironic, since Avast products are supposed to protect you from them. Maybe that is why so many experts and consumers object to this tactic being employed by a security company.

Bundling lets developers increase their distribution rate. However, computer users are not notified about the additional installation of Avast Free Antivirus and lose the ability to choose whether they want it or not.

Therefore, if you have recently downloaded CCleaner, note that Avast Free Antivirus might also have been installed silently on your system.

Besides, it becomes quite hard to determine the origin of an application offered in a software bundle, and many people might mistake it for an adware program. This may lead to a significant decrease in the consumer trust the company has earned over the years.

How to avoid the silent installation of Avast Free Antivirus

You can protect your system from unwanted programs by following a few simple steps each time you download a new application.[5] In this case, once you launch the CCleaner installer, choose Custom or Advanced settings and unmark the pre-selected “Get Avast Free Antivirus now” box.

Note that you should avoid opting for the Quick or Recommended installation, since it does not disclose the information you need to prevent the installation of adware and other unwanted programs.


Source: 2-spyware


Terdot is back: Zeus virus spin-off now steals social media

Updated version of Terdot trojan emerged
The Terdot virus,[1] a variant of the infamous Zeus Trojan[2] first spotted in mid-2016, is back. Even though it started as a banking trojan, it has returned with a new strategy: it has been noticed stealing social media and email data. This feature makes the trojan stand out from other cyber threats.

The recently emerged updated version of Terdot is designed to steal information from Facebook, Twitter, Google Plus and YouTube. The virus might also use social networks to spread further by posting malicious links to download malware on the devices.

However, an interesting fact is that it does not target VKontakte, the biggest social media platform in Russia. This suggests that the authors of the malware might be located in Russia or Eastern Europe.[3]

Additionally, this cyber threat might monitor email activity. The malware has been reported to target email services such as the Microsoft live.com login page, Yahoo Mail, and Gmail.

The features of the Terdot virus

Terdot started as a banking trojan that used man-in-the-middle attacks to compromise websites and steal victims’ credentials. The banking malware mostly targeted Canada,[4] the United States, the United Kingdom, Germany, and Australia. Targeted institutions included PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion bank, Banque Nationale, Scotiabank, CIBC and Tangerine Bank.

The majority of the phishing emails are spread with the help of the Sundown Exploit Kit. The malicious emails include a fake PDF document or icon that hides JavaScript code. As soon as users click it, they trigger the malware download process. The payload delivery mechanism is built to withstand obstacles and failures, so the malicious program is designed to succeed and is hard to remove.

The trojan also injects itself into web browser processes. It mostly targets the Mozilla Firefox and Internet Explorer browsers. Once it has settled in the browser and injected its malicious code, it starts tracking data to steal sensitive information. All stolen data is sent to a Command & Control server.

The complexity of the trojan might signal a new era of data-stealing trojans

Security experts warn that the Terdot malware has an automatic update feature that allows its developers to push new tasks to the same trojan. This means that the program might be updated at any time and become more destructive.

Financial institutions and banks are advised to improve the monitoring of customer accounts in order to spot suspicious or unusual activity that might be caused by cyber criminals. Banking trojans can steal credentials silently and empty bank accounts without being noticed.

To protect customers from losing their money, targeted companies should give necessary information and support that would help people to avoid financial loss.

The trojan uses a two-vector attack: phishing emails and a man-in-the-middle proxy. While companies should deploy a multi-vector detection solution[5] to increase security, users should not only watch for compromised websites presenting fake security certificates but also learn how to detect phishing emails.

Source: 2-Spyware


Malicious apps were detected on the Google Play store

According to Android experts, eight malicious apps were spotted on the Google Play store that were developed to drop multi-stage malware on devices. Despite their ability to evade antivirus checks, the bogus programs were identified as Android/TrojanDropper.Agent.BKY by professional security software.

Luckily, none of these harmful applications received more than a few hundred downloads, and they were removed from the Android app store promptly. Those who did suffer from the attack and reached the final stage of the malware were mainly located in the Netherlands[1].

Malicious program passes through 4 phases to load a banking Trojan

Researchers from ESET[2] explain that the malware is able to hide itself because it does not request any suspicious permissions or administrative rights at first and mimics the legitimate activity the app is supposed to perform.

After installation, the malicious app stealthily decrypts and executes malware payloads in a 4-stage process. This activity is invisible to users because they are distracted by the app’s apparent regular functions; usually, the apps offer system optimization or other innocuous services.

The first stage decrypts and executes a second-stage payload, as mentioned above, which contains a hardcoded URL. Shortly after, it downloads a third-stage payload disguised as a well-known app such as Adobe Flash Player or an update for it.

To confuse the victims even more, it delays the request to install the application for several minutes. If the user permits the installation of the app, it drops a final payload and takes over the administrative rights of the device.

According to our research, the final phase launches a banking Trojan that displays fake log-in pop-ups that steal usernames, passwords, and other credentials of the victims[3].

Bogus applications show links to the infamous Android virus

The term Android virus[4] is used to describe a group of malicious apps that are designed either to steal personal information or to encrypt data and demand a ransom. This attack is no exception, since it uses distribution techniques similar to those of other phone threats attributed to Android malware.

Be aware that you should carefully inspect the applications you attempt to download, since hackers keep creating new methods to hide the presence of malware. This multi-stage infection might inspire other criminals to examine possible system vulnerabilities[5] and use them to deliver new bogus programs to the Google Play store.



Source: 2-spyware


MICROSOFT PATCHES 17-YEAR-OLD OFFICE BUG

Microsoft on Tuesday patched a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor. The vulnerability (CVE-2017-11882) was patched as part of Microsoft’s November Patch Tuesday release of 53 fixes.


While Microsoft rates the vulnerability only as “Important” in severity, researchers at Embedi, who found the bug, call it “extremely dangerous.”


In a report released Tuesday (PDF) by Embedi, researchers argue the vulnerability is a threat because all versions of Microsoft Office for the past 17 years are vulnerable and because the CVE “works with all the Microsoft Windows versions (including Microsoft Windows 10 Creators Update).”


The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.


The origins of Equation Editor date back to November 2000 when it was compiled. Since then, it has been part of Office 2000 through Office 2003. Researchers said in 2007 the component was replaced with a newer version. But, the old Equation Editor was left in Office to support files that utilized the old OLE-based (EQNEDT32.EXE) equations.


Further analysis by Embedi revealed that the EQNEDT32.EXE was unsafe because when executed, it ran outside of Office and didn’t benefit from many of the Microsoft Windows 10 and Office security features such as Control Flow Guard.


“The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi wrote in its technical write-up.


Embedi researchers discovered the error using Microsoft’s own BinScope tool, which identified EQNEDT32.EXE as a vulnerable executable. BinScope works by analyzing files to see if they pass standards set by Microsoft’s Security Development Lifecycle, a core element of Microsoft’s Trustworthy Computing.

Embedi exploited this vulnerability using two buffer overflows that relied on several OLEs. “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),” researchers said.

Microsoft describes the CVE-2017-11882 as a Microsoft Office memory corruption vulnerability. “Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file,” Microsoft wrote.

As part of its research, Embedi created a proof-of-concept exploit that attacks all versions of Office dating back to 2000, including Office 365, running on Windows 7, Windows 8.1, and the Windows 10 Creators Update. In a video, Embedi shows three different attacks on Office and Windows versions (Office 2010 on Windows 7, Office 2013 on Windows 8.1, and Office 2016 on Windows 10).

Along with downloading the patch to fix Equation Editor, Embedi is recommending companies disable EQNEDT32.EXE in the Windows registry to prevent further exploitation.

“Because the component has numerous security issues and the vulnerabilities it contains can be easily exploited, the best option for a user to ensure security is to disable registering of the component in Windows registry,” researchers wrote.

Source: Threatpost


CISCO WARNS OF CRITICAL FLAW IN VOICE OS-BASED PRODUCTS

Cisco Systems issued a security advisory warning customers that key products tied to its Cisco Voice Operating System software platform were vulnerable to an attack in which an unauthenticated, remote attacker could gain unauthorized and elevated access to affected devices.

The Cisco Security Bulletin is rated Critical and was issued Wednesday. It is tied to a vulnerability (CVE-2017-12337) in its Voice Operating System software which is used in flagship products such as its Cisco Unified Communications Manager, which brings together voice, video, telepresence, messaging and presence. Cisco Unified Communications Manager was previously known as CallManager.

Cisco lists 12 products affected by the bug including versions of its Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder and Cisco MediaSense.

“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password,” Cisco wrote in its bulletin.

Cisco said that attackers who manage to access the affected devices over SSH File Transfer Protocol (SFTP) while the devices are still vulnerable could gain root access at that time. “This access could allow the attacker to compromise the affected system completely,” Cisco wrote.

SFTP enables secure file transfer capabilities between networked hosts and is sometimes referred to as Secure File Transfer Protocol.

“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action,” according to Cisco.

Researchers also note “Engineering Special Releases that are installed as COP files, as opposed to the standard upgrade method, do not remediate this vulnerability.”

Cisco said a software update fixes the bug, and that no workaround to the vulnerability is available at this time.

The U.S. Department of Homeland Security also issued a warning via US-CERT of the vulnerability on Wednesday.



Source: Threatpost


PHISHING BIGGEST THREAT TO GOOGLE ACCOUNT SECURITY

Last year may have been mostly about ransomware, but it’s difficult to forget the billion or so passwords that were spilled in high-profile breaches and credential leaks.

Google and researchers from the University of California, Berkeley attempted to ease some of that pain and teamed up to analyze how cybercriminals operating underground markets for stolen credentials steal, use and monetize this data.

Looking at black market activity from March 2016 to March 2017 and its impact on exclusively Google accounts, the researchers said they wanted to know how the multitude of keyloggers, phishing kits and available data from publicly known breaches for sale can be turned around to learn valid email credentials and in turn control over a user’s online identity.

The news isn’t good.

In a paper presented at the recent Conference on Computer and Communications Security, Google said that between 7 percent and 25 percent of exposed passwords matched a victim’s Google account. Overall, Google and UC Berkeley estimate there are 1.9 billion usernames and passwords harvested from breaches that are being traded on the black market. Tack on another 12.4 million victims of phishing kits and another 788,000 victims of commercial keyloggers, and the climate is dire.

“We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s,” the researchers wrote.

Of the black markets tracked in this research, Google said there are 25,000 tools for phishing and keyloggers at attackers’ disposal. Even though attackers are failing to access Google accounts three out of four times, it’s not for a lack of effort.

“Because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity,” Google said in a blog post accompanying the report. “We found 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model.

“By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches,” Google said.

Phishing remains one of the most successful phenomena in security, despite more than a decade of education and examples of successful attacks based on the technique.

“Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts. We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user,” the researchers wrote. “In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83 percent of phishing kits collecting geolocations, 18 percent phone numbers, and 16 percent User-Agent data.”

Backing this up, the researchers found more than 4,000 phishing kits used in active attacks during the period studied, compared to 52 keyloggers. Phishing kits are all-in-one packages of tools for creating and configuring the content used in these attacks, including the emails and websites. These kits are generally used to collect a victim’s username and password, but also geolocation information and much more. The credentials are forwarded to the attacker over SMTP or FTP, or by uploading them to a website. Most phishing kits—and keyloggers—are configured to steal Gmail credentials, the study said. Yahoo webmail users, however, were the biggest victims of credential leaks; Yahoo has reported that at one time the data of all of its 3 billion users was exposed to attackers.

Google said it has already used this data to reinforce the security of Gmail.

“Our findings illustrate the global reach of the underground economy surrounding credential theft and the need to educate users about password managers and unphishable two-factor authentication as a potential solution,” the researchers wrote.


Source: threatpost


Malware forecast for 2018: More ransomware, Android & Mac viruses

Get to know the malware forecast for 2018

A recent analysis by SophosLabs reveals the top security threats of 2017, which are likely to grow in 2018. This year we have seen a rise in malicious cryptocurrency miners, at least three major global ransomware outbreaks (WannaCry, Petya, Bad Rabbit[1]), numerous malware variants on the Google Play Store, and a series of security vulnerabilities in Windows software.


2017 showed us that the cybercrime economy is growing so rapidly that it is getting hard for inexperienced computer users to keep up with the latest tricks the crooks use. Nowadays, it is essential to install the latest updates and avoid any online content that looks even slightly suspicious.


If you want to stay safe on the Internet in 2018, be aware of these critical threats. It is also vital to stay informed by following the latest malware trends, and especially malware distribution techniques. We also suggest not delaying any software updates offered by your computer or mobile operating system provider.


Having the latest copies of the operating system as well as software installed on your device helps to prevent cybercriminals from taking advantage of security vulnerabilities found in earlier versions.


Key malware trends of 2018


1. Ransomware


While in the first quarter of 2017 Cerber and Locky dominated as the most dangerous ransomware viruses, their names faded into insignificance after WannaCry, NotPetya/ExPetr, and Bad Rabbit ransomware outbreaks.


According to SophosLabs statistics, Cerber still remains one of the most prolific file-encrypting malware families, accounting for 44.2% of the ransomware landscape. The global cyber attack of May 2017 pushed Cerber out of first place and secured it for the WannaCry ransomware virus, which accounted for 45.3% of all ransomware variants spotted on clients’ computers.


The success of WannaCry relies on the EternalBlue exploit[2] that allowed distribution of the ransomware using a vulnerability in Server Message Block (SMB) used by Windows computers.


The subsequent ransomware outbreak in June 2017 brought the NotPetya/ExPetr virus, known as a close copy of the previously known Petya ransomware. The malware developers also took advantage of the EternalBlue exploit to abuse a security flaw in the SMB protocol and distribute the ransomware rapidly.


Finally, the third ransomware outbreak introduced Bad Rabbit ransomware which is believed to be an updated variant of the NotPetya wiper virus. The malware mainly affected Russia and Ukraine as it was distributed via dozens of compromised websites pushing fake Adobe Flash Player update.


Besides, security experts point out that the growth of the ransomware threat is directly driven by ransomware-as-a-service. Cybercriminals have realized that they can turn their illegal activities into a well-paying business by allowing other criminals to use their virtual extortion tools or to boost their distribution across the globe.


Therefore, nowadays scammers do not even have to know how to code – they can join ransomware affiliate schemes and start generating revenue right away.


2. Android virus


In 2017, Google Play Store failed to prove that it can fix its security systems and protect its users from malicious applications. We’ve seen numerous cases of malware on the official Android app store, and while all of the dangerous apps were taken down rapidly, they still managed to infect thousands of devices worldwide. Some of the compromised applications even contained malicious Monero-mining scripts.[3]


However, even more severe malware hides in applications downloaded from shady Internet sources. DoubleLocker ransomware, LokiBot, GhostClicker, and Sockbot are just a few of the examples that target Android OS users daily.


Probably the most worrying fact is that out of all 10 million shady Android apps processed by SophosLabs, the majority (77%) turned out to be malicious. The remaining 23% are potentially unwanted applications.


3. Malware that targets Mac OS X


For many years people used to believe that Macs are not vulnerable to malware. However, although Macs are less popular than Windows computers, cybercriminals have already started creating malware and spyware for this operating system as well. So far, the only good news is that at the moment there are more potentially unwanted applications and spyware variants than severe malware for Macs. However, that doesn’t mean hackers won’t create critical viruses for OS X users in the future.


Researchers report that the most active annoyances for Mac users are Advanced Mac Cleaner, TuneUpMyMac, Genieo[4], and SpiGot software. Speaking of more dangerous viruses, we must mention Mac ransomware such as MacRansom and MacSpy.


4. Windows threats


Finally, the fourth key threat is vulnerabilities in Microsoft Windows. Researchers share a list of the most exploited vulnerabilities in 2017:

CVE-2017-0199 (36%)[4];
CVE-2012-0158 (32%);
CVE-2016-7193 (10%);
CVE-2015-1641 (7%);
CVE-2011-0611 (4%);
Others (11%).


The majority of these vulnerabilities are critical, as they allow cybercriminals to execute code on a victim’s computer remotely. Put simply, hackers can take advantage of these weaknesses to install malicious programs on an unprotected system.


Protecting your computer from malware in 2018


Computer users are advised to follow these general security tips to avoid rampant malware variants in 2018:

Keep all your programs up to date. However, remember that you must install software updates from official software developers’ sites only. For instance, fake updates of well-known software such as Flash Player can infect your PC with malware like Bad Rabbit.

Keep track of the latest Microsoft security patches and install the updates as soon as they become available.

Use security software with a real-time protection feature.

Create a data backup.

Never open email attachments if you do not know the sender personally or if you did not expect to receive a message from them.

Never enable the Macros function[5] in Microsoft Office documents you receive unless you are 100% sure that the file is safe. We highly recommend scanning such files with security software first.

Source: 2-spyware


Black Friday 2017: 6 main tips to avoid scams

Common scam strategies and tips to avoid getting deceived

Black Friday is an anticipated event not only for consumers; it is also a perfect occasion for online fraudsters to roll out their crafty deception strategies. Shopping scam fever does not only occur at this time of the year but also before the big year-end events, Christmas and New Year. Therefore, arming yourself with knowledge about scam prevention is a wise decision.

Check Facebook offer information on an official service provider site

Online racketeers find Facebook a perfect haven for their crimes. Unfortunately, past cases reveal that the community still does not learn from its mistakes.

Fake airline tickets have become an annual Facebook shopping scam. This year, some of them involved Delta, AirAsia and Emirates Airlines.[1] The free flight ticket giveaways turned out to be a surprise not only for customers but for the companies themselves.

At that time, fraudsters attempted to lure users to infected websites. In order to avoid getting scammed, check the official websites of the companies to verify the information. If you tend to purchase goods from Facebook Marketplace, pay for and receive the product at the same time.[2]

Beware of shopping scam messages on social apps

As the Facebook virus[3] shows how many users take the same bait twice, you might also expect similar schemes on social apps. Recently, UK users were targeted with a new ASDA scam[4]; ASDA is a popular supermarket retailer in the country.

WhatsApp users received messages suggesting they visit http://www.asda.com/mycoupon. The message also contained grammar mistakes that hinted at its deceptive origin. That page does not exist. Nonetheless, the scammers planted JavaScript behind the link that redirected users to counterfeit pages asking for personal information.

Avoid installing fake iPhone or Android shopping apps

If you are a keen app user, you probably have one or two apps that help you find good deals. Note that finding a trustworthy one can be a difficult task. There are tons of fake applications. Such software may not only bother you with frustrating adware pop-ups but may also infect you with a mobile version of ransomware or another sort of infection.

While Google Play is struggling to ward off crypto-coin miners, iPhone users should not let their guard down as well. There has been a trend of counterfeited apps plaguing App store as well. Besides nagging users with commercial notifications, they also target your personal and credit card information.[5]

Use secure internet connection

Whenever you intend to purchase goods or services from a specific website, pay attention to whether it has an SSL certificate, i.e., an “https” indicator in front of the site URL. It is one of the key signs of a reliable site. Naturally, you should also look for other indicators: an explicit privacy policy, terms of use and contact details.

Choose verified payment platform

Cyber felons tend to offer their own payment domains. Instead, it is always a better choice to opt for PayPal or another reliable payment platform, which provides money transfer and refund guarantees in case of a dispute or technical difficulties.

Avoid opening failed package delivery email attachments

Spam emails urging you to review an invoice or a failed package delivery attachment are a common trick used by ransomware developers. Such messages often contain grammar mistakes and typos.

On the other hand, some felons also vary this method: they may flood users with refund offers. Unlike genuine cases, such a message contains little information and instead urges you to review the attachment. Note that a proper email always includes a screenshot of the attachment’s content.

Source: 2-Spyware


Encryption is a Costume to Hide Threats on the Internet

It is the time of the year where adults and children alike put on costumes and go out to gather candy or create mischief. The costumes are scary or cute, but always achieve the goal of obfuscating the individual and hiding their true identity and intent. The person wearing the costume does not express their goal until they are interacting with their target.

Encryption of content on the internet serves the same purpose. People and devices are surfing the internet and accessing applications owned by different businesses. These businesses do not know the intent of the user connecting to their application unless they are using various IT security inspection solutions such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), and web application firewalls (WAF). Encryption of the content makes it impossible for these security solutions to inspect the traffic for malicious behavior unless they have the ability to decrypt the connection to expose the clear-text information within the payload.


Trick or treat?


Encrypted content makes it hard to determine who the user is. It is even harder to determine the intent of the user. Encryption makes everyone look similar when surveying the field. Many of the identifying keys that security solutions use are hidden within the encrypted payload.


This makes it essential for businesses to use technologies that can decrypt the content to discover the real purpose of the user. Decryption removes the costume to reveal the person’s true goal. Once the content is decrypted, the existing security solutions can do their job of identifying potential threats.

Don’t throw out the good with the bad


Not all encrypted connections hide malicious intent. There are good reasons to use encryption as well. People want privacy to protect their personal information such as medical or financial records. Encryption provides data integrity to ensure that the information received is exactly what was sent.


A proper solution is needed to address the positive and negative goals of encryption, alike. We need to inspect the encrypted traffic for the malicious content while protecting the information of the legitimate users. Most of the costumed people are friendly and looking for treats, but we need to be able to identify and stop the few people that may want to throw eggs at your house or worse.


The solution is not unlike the security checkpoints at the airport. A universal system to decrypt the traffic at one centralized location can decrypt the content, perform an initial triage analysis and then steer the traffic to the different security solutions as unencrypted data. Once the security solutions have performed their task, the content is re-encrypted and sent on to its destination.


Encryption is agnostic


Encryption has neither good nor bad intent. It is designed to hide the intent of the content that is being obfuscated. The technology is doing the same job the holiday costumes are performing for the people. There is a reason the content is encrypted, and it is up to the business to determine the intent whether the user is looking for that trick or treat.


Source:  radware blog 


Data Center Application Layer Attacks

This post originally appeared on the Cisco blog: Data Center Application Layer Attacks 


There have been a number of articles written on data center outages and their business costs of lost productivity, infrastructure damage, loss of brand reputation and goodwill in the marketplace, and litigation costs. Data center outages can occur from a number of factors such as component quality issues, power supply disturbances, or human error. Even turning systems off for routine maintenance could lead to a potentially costly incident to the business. However, a multiyear Ponemon study, “Cost of Data Center Outages,” found that the fastest growing cause of data center outages was cybercrime.


The negative impact from cybercrime is not only the data theft, regulatory fines, or litigation costs but also the downtime of critical systems. Businesses rely on their data center availability to drive employee productivity, engage with their customers, and generate revenue. The Cisco 2017 Security Capabilities Benchmark Study found that outages due to security breaches often have a lasting impact. According to the benchmark study, 45 percent of the outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent of these outages affected between 11 percent and 30 percent of systems.

Attackers can leverage a number of techniques to attack the data center, from sophisticated malware to a rise in DDoS (distributed denial of service) attacks targeting the application layer. In application-layer DDoS attacks, web servers, application servers, or online services are targeted and flooded with just enough traffic to knock them offline. The requests are crafted to look like genuine requests from users. Since these attacks can be smaller than traditional volumetric DDoS attacks, they may go unnoticed by security solutions until it is too late.

To protect against application-layer DDoS attacks, Cisco integrated comprehensive, behavioral DDoS mitigation from Radware into its Firepower 4100 Series and 9300 next generation firewall (NGFW) appliances. Radware’s Virtual DefensePro capabilities add application layer DDoS protection to Firepower’s tightly integrated, multi-layered threat protection including application firewalling, next generation intrusion prevention (NGIPS), and advanced malware protection (AMP). Context and intelligence are shared among security functions to accelerate threat detection and response and maximize your security investment.


Integrating Radware DDoS protection into Firepower NGFW helps data center resources keep functioning during a DDoS attack and prevents sensitive information from being compromised. Firepower NGFW resiliency under a DDoS attack is improved, allowing it to better distinguish between legitimate and illegitimate traffic. Firewalls by design track stateful connections and may be easily overwhelmed by DDoS attack traffic. Many attackers target the firewall directly in DDoS attacks, trying to cripple it to leave the network unprotected, so this layer of resiliency can be important.


For more information on Cisco Firepower NGFW’s, please visit:  https://www.cisco.com/go/ngfw


Source:  radware blog 


WhatsApp officially launches unsend feature to delete messages

Earlier this week, WhatsApp updated its FAQ page with instructions on how people can use its new unsend feature that lets users purge the embarrassing messages they sent before their intended recipient has had a chance to read them. But unfortunately, most users still didn’t have access to the new functionality.


This changes today. The Facebook subsidiary has announced in a new blog post that it has begun rolling out the unsend feature to all of its users worldwide. “This feature is rolling out for users around the world on the latest versions of iPhone, Android, Windows Phone as well as desktop,” the post read.


Here is what you can expect:


To access ‘Delete for everyone,’ make sure you’ve updated to the latest version on WhatsApp. Another thing to keep in mind is that using the feature won’t work unless “[b]oth you and the message recipient” are running the app’s latest iteration.


To give you some context, though ‘Delete for everyone’ is only making its way to the official release now, WhatsApp has been testing the feature since at least June.


To avoid sending a message you will regret (thinking you could unsend it whenever you want), it might be worth catching a peek at all the particularities of using ‘Delete for everyone.’




Source:  TNW 


Web Attacks Spike in Financial Industry


Web application compromise beats human error as the top data breach cause, putting finance companies at risk for larger attacks, according to a new study.

Web application compromise has topped human error as the most common type of data breach for finance companies. This shift gives the financial sector reason to be worried about broader and more dangerous cyberattacks, according to a recent report from BitSight.

BitSight investigated types of data breaches targeting finance companies over the past three years. After massive cyber attacks hit major corporations in 2017, researchers wanted to learn the growth and impact of different attack types.

What they discovered was a fundamental shift in the types of attacks hitting the sector.

"One of the first things we were interested in was a significant increase in Web application compromise as the type of breach most prevalent within the finance industry," says BitSight data analyst Ryan Heitsmith.

When BitSight says a breach is caused by "human error," Heitsmith explains, it's referring to one-off events in which an employee erroneously emailed personal or financial data to the wrong person. These incidents are typically smaller, and easier to contain, than web-based attacks, he says.

Back in 2015, more than half (51%) of breach events were caused by human error, 13% were caused by privilege abuse, and 8% were caused by Web applications. In 2016, human error caused 35% of breach events, followed by DoS (14%), and Web applications (11%).

This year had a significant uptick in Web application compromise, which accounted for 33% of breach events among finance companies in 2017. Human error fell in second, at 21% of events. Heitsmith says there could be a few reasons behind the shift. Better employee education, for one, could be driving the decrease in human error. More detailed reporting is another factor.

"Over the years we've been collecting data breach events at a large scale. We've seen reporting get a lot better, and stricter mandatory breach reporting requirements," he explains. More intense scrutiny in the press has also driven a broader understanding of the threat landscape, he notes.

Web application compromise, or any incident in which a Web application was the attack vector, encompasses a range of incidents including SQL injection attacks or a hacker who bypasses employee authentication to gain access into the company.

This year, researchers also saw the threat landscape shift from events primarily caused by internal actors, to those caused by actors outside the company. Researchers note that while internal actors were sometimes malicious, some were making silly mistakes. Not all attacks were intentional or widespread, according to researchers who observe that external actors intentionally seek data through a variety of different exploits.

"What's interesting is these events tend to be larger in significance due to the large number of records lost as a result of data breaches," says Heitsmith of Web application compromise. "Human error incidents are smaller, maybe one to a couple of records, though some might be larger. But in Web applications, the median record count is a lot larger than any of the other breaches we look at within the finance industry."

There is a two-pronged approach to how finance companies can monitor for Web application compromise, he continues. The first is to ensure all Web applications are properly configured and invest in proper Web application security. The second is to use continuous monitoring platforms to keep an eye on third parties, which Heitsmith says is a weak spot in finance.

The spike in Web application compromise shouldn't diminish the focus on human error, which, at 21%, is still a large problem. Mandatory employee training, to provide awareness around common exploits and problems like phishing, says Heitsmith, is as important as Web monitoring.

Source:  Darkreading 


Cybersecurity firm discovers severe security vulnerability in LG smart products

Check Point Software Technologies discovered a serious security vulnerability in LG smart products that exposed millions of homes to hackers from around the world. By exploiting the vulnerability, the hackers spied on homeowners and were able to figure out when the houses were empty. According to Check Point, the issue was discovered in July and fixed after two months.

The Israeli cybersecurity giant Check Point Software Technologies revealed Thursday that a severe security vulnerability in LG smart products has been discovered. Hackers have exploited the vulnerability in order to control the devices and surveil the millions of homes where the products are used, making it easier for burglars to spy on homeowners and know when the home is empty. The issue was discovered in July and fixed after two months.


According to Check Point, the security issue was found in the mobile app SmartThinQ and the LG cloud platform. When hackers gain access to LG user accounts, they can control all the smart electronic devices that are connected to the accounts, such as vacuum cleaners, refrigerators, ovens, washing machines, dryers and air conditioning units.





If an account is linked to an LG Hom-Bot robotic vacuum cleaner, the hackers can monitor the movements and actions of the homeowners through the device’s camera, which streams a live feed to the smartphone using the app. The hackers can also interfere with refrigerator data, change air-conditioning settings and turn on stoves and ovens that are connected to the hacked accounts.




Source:  Jerusalem online 


DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions

DUHK — Don't Use Hard-coded Keys — is a new 'non-trivial' cryptographic implementation vulnerability that could allow attackers to recover encryption keys that secure VPN connections and web browsing sessions.

DUHK is the third crypto-related vulnerability reported this month after KRACK Wi-Fi attack and ROCA factorization attack.

The vulnerability affects products from dozens of vendors, including Fortinet, Cisco, TechGuard, whose devices rely on ANSI X9.31 RNG — an outdated pseudorandom number generation algorithm — 'in conjunction with a hard-coded seed key.'

Before being removed from the list of FIPS-approved pseudorandom number generation algorithms in January 2016, ANSI X9.31 RNG was included in various cryptographic standards over the last three decades.

Pseudorandom number generators (PRNGs) don’t generate truly random numbers at all. Instead, a PRNG is a deterministic algorithm that produces a sequence of bits from initial secret values, called a seed, and its current state. Used with the same initial values, it always generates the same sequence of bits.

Some vendors store this 'secret' seed value hard-coded into the source code of their products, leaving it vulnerable to firmware reverse-engineering.

Discovered by cryptography researchers — Shaanan Cohney, Nadia Heninger, and Matthew Green — DUHK, a 'state recovery attack,' allows man-in-the-middle attackers, who already know the seed value, to recover the current state value after observing some outputs.

With both values in hand, attackers can re-calculate the encryption keys, allowing them to recover encrypted data that could 'include sensitive business data, login credentials, credit card data and other confidential content.'
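As an added illustration (not code from the DUHK paper or from any vendor's firmware), the Go program below implements ANSI X9.31 with AES-128 and shows why a hard-coded seed key K is fatal: from one observed output and the timestamp it was generated with, anyone holding K recomputes the generator's state and predicts every later output, while an observer without K cannot. The key, seed, timestamp and DT layout are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// X931 is a minimal ANSI X9.31 generator instantiated with AES-128 (the standard
// also allows 3DES; the cipher choice here is an assumption of this example).
// K is the seed key that the affected products hard-code; V is the secret state.
type X931 struct {
	c cipher.Block
	v []byte
}

// mustCipher builds the AES block cipher for a 16-byte key (panics otherwise).
func mustCipher(key []byte) cipher.Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

func NewX931(key, seed []byte) *X931 {
	return &X931{c: mustCipher(key), v: append([]byte(nil), seed...)}
}

// enc is one block encryption; xorBlock is a 16-byte XOR.
func enc(c cipher.Block, in []byte) []byte {
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

func xorBlock(a, b []byte) []byte {
	out := make([]byte, aes.BlockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Next emits one 16-byte output for the date/time vector dt and advances V:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I)
func (g *X931) Next(dt []byte) []byte {
	i := enc(g.c, dt)
	r := enc(g.c, xorBlock(i, g.v))
	g.v = enc(g.c, xorBlock(r, i))
	return r
}

// RecoverState is the defender's-eye view of why a hard-coded K is fatal: anyone
// holding K who observes one output R and knows the DT it was made with (DT is a
// timestamp, so it is guessable) computes the next state V' = E_K(R xor I)
// directly, without ever learning the original seed.
func RecoverState(key, dt, r []byte) []byte {
	c := mustCipher(key)
	return enc(c, xorBlock(r, enc(c, dt)))
}

// PredictNext returns the output a generator in state v would emit for dt.
func PredictNext(key, state, dt []byte) []byte {
	return NewX931(key, state).Next(dt)
}

// dtForTime packs a Unix timestamp into a DT block (the layout is constructed here).
func dtForTime(unix uint64) []byte {
	dt := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(dt, unix)
	return dt
}

// Demo returns true when an observer holding observerKey predicts the device
// generator's second output from its first. This succeeds exactly when
// observerKey equals the device key, which is why a secret, per-device K
// (or a modern DRBG) is the mitigation rather than a better seed.
func Demo(observerKey []byte) bool {
	deviceKey := []byte("FIRMWARE-KEY-16B") // constructed stand-in for a hard-coded K
	seed := []byte("initial-secret-V")      // constructed initial V, never seen by the observer
	g := NewX931(deviceKey, seed)
	t := uint64(1508889600) // constructed timestamp

	r1 := g.Next(dtForTime(t))                           // one observed output
	state := RecoverState(observerKey, dtForTime(t), r1) // observer's reconstruction of V'
	r2 := g.Next(dtForTime(t + 1))                       // what the device produces next
	return bytes.Equal(PredictNext(observerKey, state, dtForTime(t+1)), r2)
}

func main() {
	fmt.Println("predictable with the hard-coded key:", Demo([]byte("FIRMWARE-KEY-16B")))
	fmt.Println("predictable with a different key:   ", Demo([]byte("some-other-key!!")))
}
```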


"In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4," the researchers said.




"Our scans found at least 23,000 devices with a publicly visible IPv4 address running a vulnerable version of FortiOS."




Here below you can check a partial list (tested by researchers) of affected devices from various vendors:


The security researchers have released a brief blog post and a technical research paper on a dedicated website for the DUHK attack.

Source:  thehackernews 


Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe

A new widespread ransomware attack is spreading like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Turkey and Germany, in the past few hours.

Dubbed "Bad Rabbit," it is reportedly a new Petya-like targeted ransomware attack against corporate networks, demanding 0.05 bitcoin (~ $285) as ransom from victims to unlock their systems.

According to an initial analysis provided by Kaspersky, the ransomware was distributed via drive-by download attacks, using a fake Adobe Flash Player installer to lure victims into installing the malware unwittingly.


"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites." Kaspersky Lab said.



However, security researchers at ESET have detected Bad Rabbit malware as 'Win32/Diskcoder.D' — a new variant of Petya ransomware, also known as Petrwrap, NotPetya, exPetr and GoldenEye.

Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.


ESET believes the new wave of ransomware attacks is not using the EternalBlue exploit — the leaked SMB vulnerability which was used by WannaCry and Petya ransomware to spread through networks.

Instead, it first scans the internal network for open SMB shares, tries a hardcoded list of commonly used credentials to drop the malware, and also uses the Mimikatz post-exploitation tool to extract credentials from the affected systems.

The ransom note, shown above, asks victims to log into a Tor onion website to make the payment, which displays a countdown of 40 hours before the price of decryption goes up.

The affected organisations include Russian news agencies Interfax and Fontanka, payment systems on the Kiev Metro, Odessa International Airport and the Ministry of Infrastructure of Ukraine.

Researchers are still analyzing the Bad Rabbit ransomware to check whether there is a way to decrypt computers without paying the ransom, and how to stop it from spreading further.

How to Protect Yourself from Ransomware Attacks?

Kaspersky suggests disabling the WMI service to prevent the malware from spreading over your network.

Most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

So, you should always exercise caution when opening unsolicited documents sent over email, and avoid clicking on links inside those documents unless you have verified the source, to safeguard against such ransomware infections.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

To always have a tight grip on your valuable data, keep a good backup routine in place that copies it to an external storage device that isn't always connected to your PC.

Make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date.

Source:  the hackernews 


'BoundHook' Technique Enables Attacker Persistence on Windows Systems

CyberArk shows how attackers can leverage Intel's MPX technology to burrow deeper into a compromised Windows system.

Security researchers at CyberArk have developed a technique showing how attackers can exploit a feature in the Memory Protection Extension (MPX) technology on modern Intel chips to steal data from Windows 10 systems and to remain completely undetected on them.

CyberArk's new BoundHook technique is similar to the GhostHook method that the company revealed earlier this year in that it is a post-exploitation technique. In other words, for BoundHook to work, an attacker would need to already have privileged access on a Windows 10 system.

Microsoft itself, for that reason, has refused to categorize the issue as a vulnerability that merits a security patch. "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work," the company said in a statement. "We encourage customers to always keep their systems updated for the best protection."

Intel's MPX technology, introduced with the chipmaker's Skylake line in 2015, is designed to protect applications against buffer overflows, out-of-bounds access, and other memory errors and attacks. Applications running on Windows 10 systems use the feature as protection against buffer overflow attacks.

CyberArk's BoundHook technique uses a boundary check instruction in MPX to hook processes on a system and essentially change their behavior. "The BoundHook technique allows you to run your own code inside foreign processes and change its normal behavior, without leaving any traces inside these foreign processes," says Doron Naim, senior security researcher at CyberArk.

Hooking is about changing the behavior of certain functions in the operating system or application software on a system, he says. As one example, he points to the key input function. "If an attacker were able to hook this function, they would be able to sniff and steal your keystrokes."

Typically, to do hooking you have to write hooking code inside a target process, he says. With BoundHook, the code is not used to execute the hook itself but to cause an error, like a boundary exception error in the process. From there an attacker can take complete control of the thread execution, Naim notes. "If you control the thread execution, you can do anything you want by the name of the target process. For example, if it's Word.exe, you can steal credentials or send information to the Internet through this process." Most antivirus tools are not equipped to detect the malicious activity that is enabled via BoundHook, according to CyberArk.

While Microsoft has downplayed BoundHook just as it did with GhostHook, Naim insists CyberArk's latest technique indeed poses a threat. "The first thing to note is that this technique is most likely to be used by nation-state attackers, or very well financed criminal organizations that are looking for infiltrations that last."

In the current threat environment, gaining administrative privileges on an endpoint system is something that administrators should assume even the most basic attacker can accomplish, he says. In most cases, all it takes is for a single individual to click on the wrong link or fall for a phishing scam.

Techniques such as the one that CyberArk demonstrated this week are important because they show how attackers can improve their dwell-time on a compromised network, Naim notes. "Techniques like this are incredibly powerful in helping attackers disappear after the initial infection point — allowing them to build in backdoors and plan their attacks in de facto stealth mode."


Source:  Darkreading 


How to download and install the Windows 10 Fall Creators Update right now

The much-anticipated Windows 10 Fall Creators Update has now been released, and here’s how you can download and install it right now.

The Fall Creators Update is a major package of new and improved features for Windows 10, and it’s completely free. It brings support for Windows Mixed Reality headsets, as well as improved privacy features, better accessibility options and a new interface.

As with previous updates, Microsoft will be performing a roll-out release for the Windows 10 Fall Creators Update, which means you may have to wait until the update is available for your device – so read on to take matters into your own hands, as we show you how to download and install the Windows 10 Fall Creators Update.


How to download and install the Windows 10 Fall Creators Update using the Update Assistant

You can now officially download the final version of Windows 10 Fall Creators Update using Microsoft's Update Assistant.

To do this, head to the Windows 10 Update Assistant webpage and click 'Update now'.

The tool will download, then check for the latest version of Windows 10, which includes the Fall Creators Update.

Once downloaded, run it, then select 'Update Now'. The tool will do the rest. Your PC will restart a few times – so save any work first – and then your PC will be updated with the Fall Creators Update, while all your files and settings will remain where they were.


How to download and install the Windows 10 Fall Creators Update using a fresh install


If you want to install the Windows 10 Fall Creators Update as a fresh install on your machine you’ll need to download the ISO file with the Fall Creators Update included.


Before you do this, make sure you've backed up all your important information and documents. Check out our list of the best free backup software for advice.


Microsoft has made the process of downloading and installing the Windows 10 Fall Creators Update using a fresh install very easy. Just go to the Download Windows 10 web page, and below where it says ‘Create Windows 10 installation media’, click the ‘Download tool now’ button.


You’ll also need a blank DVD or a USB stick to add the installation files to. Be warned this process wipes any data on the drives, so make sure the drive doesn’t have any important data on it. Also, make sure the USB stick has at least 5GB of space spare.


If you don’t have a spare drive, check out our list of the best USB flash drives 2017.


You’ll need to know if you have a 64-bit or 32-bit processor to download and install the correct version. If you have a recent PC it’s most likely to have a 64-bit processor.


Download and install the tool, then open it up and agree to the license terms. On the ‘What do you want to do?’ page, select ‘Create installation media for another PC’ then click ‘Next’. Select the language, edition and 32-bit or 64-bit version, then select either ‘USB flash drive’ or ‘ISO file’, depending on whether you’re installing from a USB drive or from a DVD (select ISO file for this).


Once the tool has formatted and created the installation drive, you can restart your PC, boot from the drive and install the Windows 10 Fall Creators Update from scratch. Our How to install Windows 10 guide will show you how.  


You’ll now have Windows 10 Fall Creators Update installed and ready to go on your PC!


Source:  techradar 


Secure Wifi Hijacked by KRACK Vulns in WPA2

All modern WiFi access points and devices that have implemented the protocol are vulnerable to attacks that allow decryption, traffic hijacking and other attacks. A second, unrelated crypto vulnerability was also found in the RSA code library in TPM chips.

Researchers at Belgium's University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure WiFi networks.

The vulnerabilities are present on both client and access point implementations of the protocol and give attackers a way to decrypt data packets, inject malware into a data stream and hijack secure connections via so-called key reinstallation attacks (KRACKs).

(The disclosure of the WPA2 flaws is the second one in recent days involving a crypto standard.  Last week, Google, Microsoft and others warned about a bug in several Infineon trusted platform module (TPM) firmware versions that gives attackers a way to recover the private part of RSA keys generated by the TPM using only the corresponding public key. Nearly all Chrome OS devices that include an Infineon TPM chip are affected, and although large-scale attacks are not possible, a practical exploit already exists for targeted attacks.)  

The KRACK attacks work on all modern wireless networks using the WPA2 protocol, and any device that supports WiFi is most likely impacted, the researchers said in a technical paper that they will present at the upcoming Black Hat Europe security conference. However, the flaws are not easy to exploit and require attackers to be in close proximity to a victim, making them somewhat less severe a threat despite their ubiquity.

"Vulnerabilities that focus on issues with network protocols across many devices makes the threat landscape of this vulnerability very large," says Richard Rushing, CISO of Motorola Mobility and a speaker at Dark Reading's upcoming INsecurity security conference in November.

But as with all Wifi threats, physical proximity is required for the vulnerabilities to be exploitable, he says. "Most wireless IDS and IPS should be able to see this attack, and take preventative actions," Rushing said. "In many cases there are other Wifi man-in-the-middle attacks that can be just as successful given a user WiFi configuration." 

Meanwhile, US-CERT described the KRACK vulnerabilities as existing in the WPA2 standard itself thereby putting all correct implementations of the protocol at risk of attack. An attacker within range of a modern access point and client can use the vulnerabilities to carry out a range of malicious actions. Depending on the encryption protocols being used by the WiFi network, the "attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames," US-CERT said. The advisory listed close to 150 vendors whose products are impacted by the vulnerabilities.

In the technical paper and a blog, researchers Mathy Vanhoef and Frank Piessens from the University of Leuven demonstrated a proof-of-concept key reinstallation attack that takes advantage of the WPA2 vulnerabilities to decrypt encrypted data.

The attack is targeted at the four-way handshake that takes place when a client device wants to join a protected WiFi network. The handshake is designed to ensure that both the client and the access point have the correct credentials to communicate with each other. The manner in which the third message of the handshake is processed essentially gives attackers an opportunity to force resets of a cryptographic nonce counter used by the encryption protocol, so that data packets can be decrypted, replayed or forged, according to the two researchers.

The key reinstallation attack against the 4-way handshake is the most widespread and practically impactful attack currently possible against the WPA2 vulnerabilities, Vanhoef and Piessens said in the paper. "First, during our own research we found that most clients were affected by it. Second, adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies." The manner in which WPA2 has been implemented on devices running Linux and Android 6.0 and above makes them particularly vulnerable to key reinstallation attacks, they said.
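As an added, deliberately simplified model (not the researchers' code and not a real CCMP implementation), the Go program below shows why forcing a client to reinstall its pairwise key matters: the reinstall resets the packet number that serves as the per-frame nonce, two frames are then encrypted with the same AES-CTR keystream, and a passive observer who knows one plaintext reads the other; a patched client, which refuses to reinstall a key already in use, keeps the counter moving and the leak disappears. The key and frame contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session models one direction of a WPA2 data link: a pairwise key plus a packet
// number (PN) used as the per-frame nonce. Real CCMP/GCMP also fold the sender
// address into the nonce and add a tag; neither changes the nonce-reuse argument.
type Session struct {
	key       []byte
	pn        uint64
	installed bool
}

// Install models the client installing the pairwise key after message 3 of the
// 4-way handshake. Unpatched (patched == false), a retransmitted message 3
// reinstalls the same key and resets PN to zero; the fix refuses the reinstall.
func (s *Session) Install(key []byte, patched bool) error {
	if s.installed && patched && bytes.Equal(key, s.key) {
		return errors.New("key already installed: refusing reinstall that would reset the nonce")
	}
	s.key = append([]byte(nil), key...)
	s.pn = 0
	s.installed = true
	return nil
}

// keystream returns n bytes of AES-CTR keystream for the nonce derived from pn.
func keystream(key []byte, pn uint64, n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys in this example are always 16 bytes
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], pn) // PN in the low 8 bytes of the counter block
	ks := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(ks, ks) // XOR over zeros yields the raw keystream
	return ks
}

// Encrypt encrypts one frame payload under the current PN, then advances PN.
// The PN used is returned because a real frame header carries it in the clear.
func (s *Session) Encrypt(payload []byte) (uint64, []byte) {
	ks := keystream(s.key, s.pn, len(payload))
	ct := make([]byte, len(payload))
	for i := range payload {
		ct[i] = payload[i] ^ ks[i]
	}
	pn := s.pn
	s.pn++
	return pn, ct
}

// RecoverOther is what a passive observer computes from two frames that share a
// nonce: c1 xor c2 equals p1 xor p2, so a known p1 reveals p2 over the shorter length.
func RecoverOther(c1, c2, knownP1 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ knownP1[i]
	}
	return out
}

// Exchange runs the scenario for a patched or unpatched client and reports
// whether the second frame's plaintext was recoverable from the first.
func Exchange(patched bool) bool {
	key := []byte("constructed-ptk!")         // constructed 16-byte pairwise key
	p1 := []byte("GET /index.html HTTP/1.1") // constructed; assumed known to the observer
	p2 := []byte("Cookie: session=s3cr3t!!") // constructed; the value the observer wants
	var s Session
	if err := s.Install(key, patched); err != nil {
		panic(err) // a fresh key always installs
	}
	pn1, c1 := s.Encrypt(p1)
	// Message 3 arrives again (in KRACK, replayed by an attacker). An unpatched
	// client reinstalls the key and resets PN; a patched client keeps its state.
	_ = s.Install(key, patched)
	pn2, c2 := s.Encrypt(p2)
	return pn1 == pn2 && bytes.Equal(RecoverOther(c1, c2, p1), p2)
}

func main() {
	for _, patched := range []bool{false, true} {
		fmt.Printf("patched=%v second frame recoverable=%v\n", patched, Exchange(patched))
	}
}
```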

Hemant Chaskar, CISO and vice president of technology, at Mojo Networks says corporate enterprises, businesses, schools and universities, retail shops restaurants, government agencies and any organization that has deployed Wi-Fi networks using WPA2 encryption are affected.  "When mobile users connect to these Wi-Fi networks with smartphones, tablets, laptops and other devices, they are also exposed to these vulnerabilities. Both the 802.1x (EAP) and PSK (password)-based networks are affected," he says.

Nine of the 10 vulnerabilities require attackers to be relatively sophisticated, he says. In order to exploit these flaws an attacker would need to use a MAC-spoofing access point as a man-in-the-middle to manipulate data flowing between the client device and the real access point. "For the remaining, a practical exploit can be launched using a sniffer that can listen to and replay the frames over the wireless medium. So, it requires less attacker sophistication. The main risk from all of them is replay of packets into the client or access point," Chaskar says. "Another potential arising out of these exploits is the presence of packets in the air that are decryption-prone."

Gaurav Banga, founder and CEO of Balbix, said the new vulnerabilities, while present in a lot of products, should not be a cause of widespread panic. For one thing, exploiting them requires a sophisticated attacker and physical proximity. There has also been no sign of any exploit code in the wild so far, and patches are available or will soon be available. "With iOS and Windows, the attack is quite difficult to pull off. Many of the security questions are around Android, since it is rarely patched," he says.

Users and organizations can mitigate the risk by using VPN over WiFi, avoiding websites that do not use HTTPS and updating their devices as soon as patches are released, he says.


Source:  Darkreading 


Wi-Fi security has been breached, say researchers


At 8AM Monday morning Eastern Time, researchers plan to reveal details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as noted by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks.

So yeah, this looks bad.

The United States Computer Emergency Readiness Team issued the following warning in response to the exploit:





US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.






It's not yet clear how easy it will be to hijack and eavesdrop on targeted Wi-Fi networks, but we expect all to be revealed later on today through the website krackattacks.com, before the vulnerabilities are formally presented on November 1st in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 at a security conference in Dallas.



Source:  the verge 


Single Sign-On (SSO) for Cloud and On Premise Apps

If you have signed into Gmail and noticed that you were also able to access Google portfolio apps such as Google Maps, YouTube, Google Play, Google Photos and other Google applications, you are already using SSO! The user logs in once to a Google account, and has access to other Google applications.

Single Sign-On happens when a user logs into one application and is then able to sign into other applications automatically, without being prompted for passwords, regardless of the domain they are in or the technology they use. SSO relies on a federation service (an identity provider, or its login page) that authenticates the user once and then vouches for that identity to the other applications, which never see the password themselves. In the above example, this service is Google Accounts.

SSO reduces password fatigue, since users no longer need to remember a password for each application. SSO also streamlines security by centralizing provisioning and applying the same security rules across applications. Unlike in the past, a user's access can be revoked across all applications at once when an employee leaves.
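
The federation model described above, as an added example that is not from the Radware article: a toy identity provider that checks the password once and issues a signed, short-lived assertion, two applications that accept the same assertion without ever handling the password, and central revocation that locks the user out of both at once. The HMAC signature stands in for the public-key signatures real SAML or OpenID Connect providers use (so here every application must hold the same verification key), and the key, users and passwords are constructed.

```python
import base64
import hashlib
import hmac
import json
import os


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class IdentityProvider:
    """Toy federation service: the only component that ever sees a password."""

    def __init__(self, signing_key: bytes, ttl: int = 300):
        self.signing_key = signing_key
        self.ttl = ttl                 # assertion lifetime in seconds
        self.users = {}                # username -> (salt, PBKDF2 hash)
        self.disabled = set()          # accounts revoked across all applications

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str, now: int):
        """Authenticate once; on success return an assertion valid for every app."""
        if user not in self.users or user in self.disabled:
            return None
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        payload = {"sub": user, "iat": now, "exp": now + self.ttl}
        body = b64e(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64e(sig)}"

    def revoke(self, user: str) -> None:
        """One action, effective for every relying application."""
        self.disabled.add(user)

    def is_active(self, user: str) -> bool:
        return user in self.users and user not in self.disabled


class Application:
    """A relying application: trusts the provider's assertion, never the password."""

    def __init__(self, name: str, idp: IdentityProvider, verify_key: bytes):
        self.name = name
        self.idp = idp
        self.verify_key = verify_key

    def accept(self, assertion: str, now: int):
        """Return the authenticated username, or None if the assertion is bad."""
        try:
            body, sig = assertion.split(".")
            expected = hmac.new(self.verify_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64d(sig)):
                return None                      # forged or tampered
            payload = json.loads(b64d(body))
            if payload["exp"] <= now:
                return None                      # expired
            if not self.idp.is_active(payload["sub"]):
                return None                      # revoked centrally
            return payload["sub"]
        except (ValueError, KeyError):
            return None                          # malformed assertion


if __name__ == "__main__":
    key = b"constructed-signing-key"
    idp = IdentityProvider(key)
    idp.register("alice", "correct horse battery staple")
    mail, drive = Application("mail", idp, key), Application("drive", idp, key)
    token = idp.login("alice", "correct horse battery staple", now=1000)
    print(mail.accept(token, 1001), drive.accept(token, 1001))
    idp.revoke("alice")
    print(mail.accept(token, 1001), drive.accept(token, 1001))
```

The revocation check deliberately goes back to the provider on every request; an assertion that is only validated offline stays usable until it expires, which is why short lifetimes and a back-channel status check go together.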

However, as applications are web-enabled and delivered through cloud or on-premise deployments, we can assume that application-specific cyber-attacks will continue.
Securing these applications is a complex task in terms of provisioning and maintenance, but especially in terms of securing access. Having users identify themselves, and then challenging them to prove that identity, are two of the core aspects of securing access.

Balancing convenience with caution – Multi-Factor Authentication (MFA)

As single sign-on provides access to many applications once a user is authenticated, this convenience also increases the impact of a compromised credential: one stolen password now opens every connected application.

According to Wikipedia, “Multi-factor authentication (MFA) is a method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).”

The most commonly used form of MFA is two-factor authentication (2FA). An example many of us are familiar with is using the password as the first factor and, as the second, a one-time password (OTP) generated by a token such as RSA SecurID or delivered through a phone call, SMS message or email. Codes delivered out of band by SMS or email are the weaker variant, since they can be intercepted or phished more easily than codes generated on a device the user holds.

There are other variations, especially when a user is not personally known to the organization. For example, credit companies extract information from the user's credit file and present it as challenge questions, using the answers as one of the factors before granting access to sensitive credit information. Strictly speaking, such questions are still a knowledge factor, so paired with a password they do not add a second category of evidence.

Conclusion

SSO is great for convenience, but the fact remains that attackers want that user credential, since it now represents access to restricted information and money. MFA adds a layer of security to application access, so that a stolen password alone is no longer enough to get in.


Source:  radware 


Protecting the Multi-CDN Part II: Approaches for Securing the Multi-CDN

Bringing back your security from the ‘edge’ of the CDN has many advantages – particularly in multi-CDN deployment scenarios. We take a look at the various deployment models for creating a centralized security protection layer, and when each should be considered.

In the first of this series, we discussed some of the unique security challenges that can arise from adopting a multi-CDN strategy – namely inconsistent protection among different CDNs and the lack of centralized reporting.

Many of these problems arise from the fact that CDN security is done at the ‘edge,’ i.e., security policies are ultimately propagated and executed at the points-of-presence (PoPs) of the CDN. And when ingress traffic originates from disparate CDNs that don’t talk to each other – as is the case in multi-CDN – the result can be gaps in protection and reduced transparency.

A security barrier between you and the multi-CDN

One potential solution in such cases is to bring back security from the edge and create a separate – and centralized – layer of security between the origin server and incoming traffic. As a result, ingress traffic – even from multiple CDNs – will all pass through a central focal point, which will make it possible to apply uniform security policies on all traffic.

There are several advantages to this technique, compared to the traditional CDN approach of ‘edge security’:

Decouples cost and security. When deploying a multi-CDN solution (or even a standalone CDN), cost is one of the most important factors that determines which CDNs are chosen to begin with, and how traffic is routed. However, the cheapest CDN may not always be the one with the best security – or even any security at all. Decoupling cost and security, therefore, makes sense so as to make sure that traffic cost considerations do not interfere with the quality of protection.

A single, unified security policy. As we pointed out in the previous installment, different CDN vendors offer different security features with different technologies and different policies. A unified security layer that aggregates all traffic ensures that there are no security gaps between vendors, and that all traffic is subjected to the same rigorous inspection.

A single pane of glass for all traffic. Using a multi-CDN solution frequently means splitting management and reporting across disparate management consoles with disparate configurations. Consolidated visibility is key when it comes to security, where attacks can come from multiple vectors and from multiple sources. Centralizing security within a single layer ensures full security visibility and reporting, regardless of traffic origin.
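
The centralized layer only delivers a uniform policy if the origin refuses traffic that did not pass through it; otherwise any CDN, or anyone who discovers the origin address, can reach the origin directly and bypass the inspection. An added example, not from the Radware article, of an origin-side admission check: the security layer's egress networks and the shared secret are constructed values, and the `X-Layer-*` headers are a hypothetical convention between the layer and the origin, not any vendor's.

```python
import hashlib
import hmac
import ipaddress

# Constructed values: the egress ranges from which the centralized security
# layer forwards traffic to the origin, and the secret it signs requests with.
SECURITY_LAYER_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]
LAYER_SECRET = b"constructed-shared-secret-rotate-regularly"
MAX_SKEW = 300  # seconds a forwarded request's signature remains acceptable


def sign_forwarded(method: str, path: str, client_ip: str, ts: int,
                   secret: bytes = LAYER_SECRET) -> str:
    """Signature the security layer attaches before forwarding to the origin."""
    msg = f"{method}\n{path}\n{client_ip}\n{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def forward_headers(method: str, path: str, client_ip: str, now: int) -> dict:
    """Headers the security layer adds (hypothetical X-Layer-* convention)."""
    return {
        "X-Layer-Client-IP": client_ip,
        "X-Layer-Timestamp": str(now),
        "X-Layer-Signature": sign_forwarded(method, path, client_ip, now),
    }


def admit(peer_ip: str, method: str, path: str, headers: dict, now: int):
    """Origin-side gate. Returns (True, real client IP) or (False, reason).

    Two independent checks: the TCP peer must be the security layer, and the
    request must carry a fresh signature only the layer can produce. Each
    alone is weaker: the peer address says nothing once another proxy sits
    in between, and a leaked secret without the network check lets anyone
    forge the headers from anywhere.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in SECURITY_LAYER_NETS):
        return False, "peer is not the security layer"
    try:
        ts = int(headers["X-Layer-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale signature"
    client_ip = headers.get("X-Layer-Client-IP", "")
    expected = sign_forwarded(method, path, client_ip, ts)
    if not hmac.compare_digest(expected, headers.get("X-Layer-Signature", "")):
        return False, "bad signature"
    # Only now is the forwarded client address trustworthy for rate limits,
    # geo rules and logging; a raw X-Forwarded-For from an unknown peer is not.
    return True, client_ip


if __name__ == "__main__":
    now = 1_700_000_000
    hdrs = forward_headers("GET", "/api/orders", "203.0.113.9", now)
    print("via layer:   ", admit("198.51.100.7", "GET", "/api/orders", hdrs, now + 5))
    print("direct to origin:", admit("192.0.2.50", "GET", "/api/orders", hdrs, now + 5))
```

Binding the client address into the signature means a CDN that is later dropped for cost reasons cannot keep reaching the origin with stale headers, and it makes the cost-versus-security decoupling described above enforceable rather than assumed.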

On the cloud or on-prem?

A key consideration in consolidating security layers is to decide whether these should run in the data center (on-prem) as a hardware appliance, or whether this should be in the cloud.

There are advantages and drawbacks to each approach, and each organization can decide differently depending on their specific context and configuration.

Premise-based security

The greatest advantage of on-premise security solutions is the high degree of control they afford organizations, and the ability to configure them for any type of internal network topology. In addition, on-premise solutions tend to add near-zero latency, meaning that the speed of business is not impacted.

The flip side of using hardware-based solutions is that they tend to have a higher cost compared to cloud solutions, and require high, upfront capital expenditure. Moreover, the higher degree of control comes with higher management overhead. Finally, they have limited capacity compared to cloud-based solutions.

Premise-based security is best for organizations that have physical data centers (as opposed to cloud-based), that prefer the higher degree of control that comes along with it, and whose applications are sensitive to latency.

Cloud-based security

Perhaps the most noticeable advantage of cloud-based infrastructure is lower cost compared to hardware-based solutions, coupled with lower management overhead. This is one of the primary drivers that have led application developers to increasingly move their infrastructure to the cloud. In addition, cloud services have higher capacity and are therefore able to absorb larger attacks, such as volumetric DDoS attacks. Finally, if your applications are already running in the cloud, then it makes sense for your security to run in the cloud as well.

The drawbacks of cloud deployments are the mirror image of the advantages of hardware-based solutions, namely minor additional latency (although usually not much), a lower degree of control over hardware managed by outside vendors, and compliance barriers in certain regulated industries such as healthcare and finance.

This is best for customers with existing cloud applications, as well as those who are not sensitive to the minor additional latency.

Hybrid security model

Hybrid security deployments are arguably the most robust of application security strategies. In a nutshell, hybrid security models use both on-prem and cloud-based defense layers, enabling organizations to adapt their security deployment to their particular network topology. Indeed, as more companies begin moving infrastructure to the cloud, even Gartner says that hybrid cloud deployments will soon be the most common usage type.

Hybrid deployments provide the greatest degree of flexibility, allowing organizations to protect applications wherever they are deployed. Moreover, they also retain a high degree of control for organizations. Hybrid deployments also resolve the capacity-vs-control tradeoff by allowing organizations to put in place cloud-based defense mechanisms that can be activated on demand when hardware capacity isn’t sufficient.

They are usually most suited for larger organizations with complex network topologies, multiple data centers, or applications that are split between cloud and on-prem. Ultimately, the decision of whether to implement a hybrid model is highly dependent on the particulars of your network configuration and needs.

Choosing the right deployment for you

As we’ve seen, multi-CDN strategies can create some fairly complex security challenges that arise from multiple traffic origins, coupled with the fact that CDN security is usually executed at the edge of the network. The solution, therefore, is to bring security back from the edge and into a centralized security layer that applies a uniform security policy to all traffic.

Whether such solutions should be implemented as premise-based, cloud-based, or hybrid solutions depends on the particulars of each organization’s network configuration and applications.

Part III of this series takes a broader look at CDN security, and how taking security out of the ‘edge’ can enhance application defenses in general.


Source:  radware 


Intel Tiger Lake CPUs to come with Anti-Malware Protection

Intel’s Tiger Lake CPUs will come with Control-flow Enforcement Technology (CET), aimed at battling common control-flow hijacking attacks. I...