Malware Devil

Friday, January 15, 2021

DEF CON 28 Safe Mode IoT Village – Barak Sternberg’s ‘Hacking Smart Devices For Fun And Profit’

Many thanks to DEF CON and the conference speakers for publishing their outstanding presentations, which originally appeared at the organization’s DEFCON 28 SAFE MODE conference and on the DEF CON YouTube channel. Enjoy!


The post DEF CON 28 Safe Mode IoT Village – Barak Sternberg’s ‘Hacking Smart Devices For Fun And Profit’ appeared first on Security Boulevard.


The post DEF CON 28 Safe Mode IoT Village – Barak Sternberg’s ‘Hacking Smart Devices For Fun And Profit’ appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/def-con-28-safe-mode-iot-village-barak-sternbergs-hacking-smart-devices-for-fun-and-profit/?utm_source=rss&utm_medium=rss&utm_campaign=def-con-28-safe-mode-iot-village-barak-sternbergs-hacking-smart-devices-for-fun-and-profit

Security as Code: Why It’s Important and What You Need to Know

Software is becoming an increasingly pivotal part of modern business and society. In turn, consumers have come to expect instant gratification. This has driven businesses to concentrate on innovation and speed to market. Businesses that can’t keep up with the hyper-competitive market of speed-to-value are falling behind.

But with rapid software deliveries comes increased risk. Businesses are shortening time to market, which, for many, has meant moving from a waterfall approach to a DevOps approach. Security in this model can’t be a gate at the end of the development process, but rather needs to be part of the development process, or “security as code.” Security as code is when you move security into the development stage and automate security scans at every code commit. It helps to ensure that security scans aren’t missed, and it shortens deployment times. As the world continues to prioritize speed, security as code will be increasingly critical.

What are the implications of security in the development phase?

By moving security to the development phase and making security scans the responsibility of the developers, it’s not uncommon for developers to raise concerns. They are oftentimes concerned that security scans will add extra work and slow down deployments. But with security as code, you can ease those concerns because the security scans are integrated and automated into the developer’s existing tools and processes. This means there is no interruption to the developer’s day-to-day activities.

That said, it’s still important to provide developers with security training to prevent flaws and aid remediation. According to the Modern Application and Development Security report by Enterprise Strategy Group, 35 percent of organizations reported that less than half of their development teams participate in formal security training. Without this knowledge, flaws will be identified from scans, but they will not be properly remediated, leaving applications vulnerable to attack.

Security training requirements for app developers

At Veracode, we offer in-person, virtual, and hands-on training to get developers up to speed on securing code and remediating security flaws. With our hands-on training, Veracode Security Labs, developers can work on securing real-world code vulnerabilities in the language of their choice while receiving real-time feedback.

We also encourage organizations to implement a security champions program. Security champions are elected or self-nominated developers with an interest in learning more about security. They receive a higher level of security training than other developers so that they can be the voice of security on their scrum team. They’re essentially the conduit between security professionals and developers.

For a security champions program to be successful, the “champions” need to be invited to security meetings, including sprint planning, on a consistent basis. By including them in these meetings, they can help get their scrum team on board with security initiatives. The program should also be engaging and rewarding for participants. If developers feel like the program is a waste of time, they won’t attend security meetings and they won’t encourage other developers to join.

Data around security as code

Security as code isn’t just presumed to be effective, it is proven effective. According to findings from our recent State of Software Security (SOSS) report, scanning for security via API cuts the time to remediate 50 percent of security flaws by six days. And the faster you remediate security flaws, the fewer opportunities there are for a cyberattack.

The Modern Application and Development Security report also establishes the importance of automating and integrating security scans, citing it as the number one element of effective application security programs.

The bottom line is that speed-to-market is only going to increase, and security as code is, and will continue to be, the way of the future. To learn more about the current security landscape and recent trends, check out our State of Software Security report.


The post Security as Code: Why It’s Important and What You Need to Know appeared first on Security Boulevard.


The post Security as Code: Why It’s Important and What You Need to Know appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/security-as-code-why-its-important-and-what-you-need-to-know/?utm_source=rss&utm_medium=rss&utm_campaign=security-as-code-why-its-important-and-what-you-need-to-know

Looking Back at 2020

2020 felt more like a maintenance year in the SSL/TLS ecosystem. Other than the certificate validity period changing from 825-days…

The post Looking Back at 2020 appeared first on Entrust Blog.

The post Looking Back at 2020 appeared first on Security Boulevard.


The post Looking Back at 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/looking-back-at-2020/?utm_source=rss&utm_medium=rss&utm_campaign=looking-back-at-2020

Crypto is easy, right?

I recently read “The Code Book” by Simon Singh and found it a fascinating history told through the prism of…

The post Crypto is easy, right? appeared first on Entrust Blog.

The post Crypto is easy, right? appeared first on Security Boulevard.


The post Crypto is easy, right? appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/crypto-is-easy-right/?utm_source=rss&utm_medium=rss&utm_campaign=crypto-is-easy-right

The Joy of Tech® ‘Search And Rescue!’

via the Comic Noggins of Nitrozac and Snaggy at The Joy of Tech®!


The post The Joy of Tech® ‘Search And Rescue!’ appeared first on Security Boulevard.


The post The Joy of Tech® ‘Search And Rescue!’ appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/the-joy-of-tech-search-and-rescue/?utm_source=rss&utm_medium=rss&utm_campaign=the-joy-of-tech-search-and-rescue

Thursday, January 14, 2021

‘Chimera’ Threat Group Abuses Microsoft & Google Cloud Services

Researchers detail a new threat group targeting cloud services to achieve goals aligning with Chinese interests.

The post ‘Chimera’ Threat Group Abuses Microsoft & Google Cloud Services appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/chimera-threat-group-abuses-microsoft-google-cloud-services/?utm_source=rss&utm_medium=rss&utm_campaign=chimera-threat-group-abuses-microsoft-google-cloud-services

Facebook: Malicious Chrome Extension Developers Scraped Profile Data

Facebook has sued two Chrome devs for scraping user profile data – including names, user IDs and more.

The post Facebook: Malicious Chrome Extension Developers Scraped Profile Data appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/facebook-malicious-chrome-extension-developers-scraped-profile-data/?utm_source=rss&utm_medium=rss&utm_campaign=facebook-malicious-chrome-extension-developers-scraped-profile-data

Europol announces bust of “world’s biggest” dark web marketplace

Dark web servers are hard to find – but not impossible.

The post Europol announces bust of “world’s biggest” dark web marketplace appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/europol-announces-bust-of-worlds-biggest-dark-web-marketplace/?utm_source=rss&utm_medium=rss&utm_campaign=europol-announces-bust-of-worlds-biggest-dark-web-marketplace

Businesses Struggle with Cloud Availability as Attackers Take Aim

Researchers find organizations struggle with availability for cloud applications as government officials warn of cloud-focused cyberattacks.

The post Businesses Struggle with Cloud Availability as Attackers Take Aim appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/businesses-struggle-with-cloud-availability-as-attackers-take-aim/?utm_source=rss&utm_medium=rss&utm_campaign=businesses-struggle-with-cloud-availability-as-attackers-take-aim

🔴 LIVE: Paul’s Security Weekly #680

This week, first we welcome Ryan Noon, CEO of Material Security, then we are joined by Jon Gorenflo, the Founder of Fundamental Security, and we wrap up the show with the Security News!

→Full Show Notes: https://securityweekly.com/psw680
→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly

The post 🔴 LIVE: Paul’s Security Weekly #680 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/%f0%9f%94%b4-live-pauls-security-weekly-680-3/?utm_source=rss&utm_medium=rss&utm_campaign=%25f0%259f%2594%25b4-live-pauls-security-weekly-680-3


NSA Recommends Using Only ‘Designated’ DNS Resolvers

Agency provides guidelines on securely deploying DNS over HTTPS, aka DoH.

The post NSA Recommends Using Only ‘Designated’ DNS Resolvers appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/nsa-recommends-using-only-designated-dns-resolvers/?utm_source=rss&utm_medium=rss&utm_campaign=nsa-recommends-using-only-designated-dns-resolvers

Assessing Enterprise Firmware Security Risk in 2021

Five questions to evaluate and improve your firmware security posture. In a year of historic challenges, 2020 saw firmware and hardware issues become one of the most active areas of enterprise security. APT and ransomware threat actors targeted enterprise VPNs en masse, the widespread BootHole vulnerability put virtually all Windows and […]

The post Assessing Enterprise Firmware Security Risk in 2021 appeared first on Security Boulevard.


The post Assessing Enterprise Firmware Security Risk in 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/assessing-enterprise-firmware-security-risk-in-2021/?utm_source=rss&utm_medium=rss&utm_campaign=assessing-enterprise-firmware-security-risk-in-2021

Cybercriminals want your cloud services accounts, CISA warns

On January 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about several recent successful cyberattacks on various organizations’ cloud services.

What methods did the attackers use?

In the initial phase, the victims were targeted by phishing emails trying to capture the credentials of a cloud service account. Once the attackers had stolen a set of valid credentials, they logged into the compromised account and used it to send phishing emails to other accounts within the organization. Those phishing emails used links to what appeared to be existing files on the organization’s file hosting service.

In some cases, threat actors modified victims’ email rules. On one user’s account an existing rule was set up to forward mail to their personal account. The threat actors updated the rule to forward all email to their own accounts. In other cases, the attackers created new rules that forwarded mails containing certain keywords to their own accounts.

As an alternative to the phishing attempts, attackers also used brute force attacks on some accounts.

Perhaps most eye-catching of all though, in some cases multi-factor authentication (MFA) logins were defeated by re-using browser cookies. These attacks are called “pass-the-cookie” attacks and rely on the fact that web applications use cookies to authenticate logged-in users.

Once a user has passed an MFA procedure, a cookie is created and stored in a user’s browser. Browsers use the cookie to authenticate each subsequent request, to spare visitors from having to log in over and over again in the same session. If an attacker can capture an authentication cookie from a logged-in user they can bypass the login process completely, including MFA checks.

Who is behind these attacks on cloud services?

Even though the attacks that CISA noticed had some overlap in the tactics they used, it is unlikely that they were all done by the same group. While some were clear attempts at a business email compromise (BEC) attack, there could be other groups active that are after different targets.

Countermeasures

Educate users on cybersecurity in general and point out the extra risks that are involved in working from home (WFH). For these specific attacks, extra training to recognize phishing certainly wouldn’t hurt.

Use a VPN to access an organization’s resources, such as its file hosting service. The temptation to leave these resources openly accessible for remote employees is understandable, but dangerous.

Audit email forwarding rules, or at least notify the original recipient when a forwarding rule has been applied to their mail. If there is a policy against forwarding mail outside of the environment (and there probably should be), blocking such rules should not be too hard.
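As an added example (not code from the CISA advisory or the Malwarebytes post), the following Python audit covers the two forwarding-rule patterns described earlier in the article: an existing rule whose destination was repointed, and newly created rules that forward only mail matching certain keywords. The rule records are constructed sample data, the field names are an assumption about a generic mailbox-rule export rather than any provider's schema, and `example.com` stands in for the organization's own mail domain.

```python
"""Audit mailbox forwarding rules for external and keyword-filtered forwards,
and diff them against a baseline to catch rules whose destination was changed.

Added example; not code from CISA or Malwarebytes. The rule records are
constructed sample data and the field names are an assumption about a generic
mailbox-rule export, not any particular provider's schema."""
from dataclasses import dataclass, field

# Assumption: the organization's own mail domains (constructed).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class ForwardingRule:
    mailbox: str                                   # mailbox the rule lives in
    name: str                                      # rule display name
    forward_to: list                               # destination addresses
    keywords: list = field(default_factory=list)   # subject/body keyword conditions, if any
    enabled: bool = True


def is_external(address: str) -> bool:
    """True if the address is outside the organization's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Flag every enabled rule that forwards mail outside the organization.
    Returns (mailbox, rule name, external destinations, reason) tuples; a
    keyword-filtered external forward gets its own reason because that is the
    pattern the advisory describes for attacker-created rules."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = sorted(a for a in rule.forward_to if is_external(a))
        if not external:
            continue
        reason = "forwards to external address"
        if rule.keywords:
            reason = "keyword-filtered external forward: " + ", ".join(rule.keywords)
        findings.append((rule.mailbox, rule.name, external, reason))
    return findings


def diff_rules(baseline, current):
    """Compare a previous export with the current one, keyed by (mailbox, name).
    Returns (new rule keys, changed rules); a legitimate rule that has been
    repointed at a different destination shows up in the second list."""
    before = {(r.mailbox, r.name): r for r in baseline}
    added, changed = [], []
    for rule in current:
        key = (rule.mailbox, rule.name)
        old = before.get(key)
        if old is None:
            added.append(key)
        elif set(old.forward_to) != set(rule.forward_to):
            changed.append((key, sorted(old.forward_to), sorted(rule.forward_to)))
    return added, changed


# Constructed sample exports: a baseline snapshot and the current state.
BASELINE = [
    ForwardingRule("alice@example.com", "Copy to home", ["alice.home@example.net"]),
    ForwardingRule("bob@example.com", "Archive", ["archive@corp.example.com"]),
]
CURRENT = [
    # same rule name, but the destination has been repointed
    ForwardingRule("alice@example.com", "Copy to home", ["drop@external.invalid"]),
    ForwardingRule("bob@example.com", "Archive", ["archive@corp.example.com"]),
    # a new rule that only forwards mail matching certain keywords
    ForwardingRule("carol@example.com", "Finance", ["collect@external.invalid"],
                   keywords=["invoice", "wire", "payment"]),
    # disabled rules are ignored by the audit
    ForwardingRule("dave@example.com", "Old", ["x@external.invalid"], enabled=False),
]

if __name__ == "__main__":
    for finding in audit_rules(CURRENT):
        print("FLAG", *finding)
    new_keys, changed_rules = diff_rules(BASELINE, CURRENT)
    print("new rules:", new_keys)
    print("changed destinations:", changed_rules)
```

Running the audit on a fresh export and diffing it against the last one makes both the "personal account" forward and the keyword-filtered rule visible; the diff is what catches the repointed rule, since by name alone it looks unchanged.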

Use MFA to access all sensitive resources. (It’s important to note that although the CISA report mentions a successful attack where MFA was bypassed, it also mentions unsuccessful attacks that were defeated by MFA.)

Ensure resources are only accessible to people authorized to use them, and enable logging so you can review who has used their access.

Set the lifespan of authentication cookies to a sensible time. Balance keeping session duration short against annoying legitimate users, so that attackers are not “allowed” to use stale cookies to get access.
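The cookie mechanism described earlier in the article and the lifespan advice in this countermeasure, as an added Python example that is not code from the CISA advisory or the Malwarebytes post: a server-side session store that issues a cookie only after MFA has completed, accepts a replayed cookie only while the session is live, and bounds that window with both an idle and an absolute lifetime. The lifetimes, the cookie name `sid`, the in-memory store and the `FakeClock` walk-through are assumptions chosen for illustration.

```python
"""Server-side session cookies with an absolute and an idle lifetime.

Added example; not code from CISA or Malwarebytes. The lifetimes, the
cookie name and the in-memory store are assumptions for illustration."""
import hashlib
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # assumption: a session never outlives 8 hours
IDLE_TTL = 30 * 60        # assumption: 30 minutes without a request ends it
COOKIE_NAME = "sid"       # assumption


class SessionStore:
    """Maps hashed session tokens to their owner and timestamps. Only a hash of
    the token is stored, so a leaked store does not hand out usable cookies."""

    def __init__(self, absolute_ttl=ABSOLUTE_TTL, idle_ttl=IDLE_TTL, clock=time.time):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.clock = clock            # injectable so lifetimes can be tested deterministically
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, mfa_passed):
        """Create a session only after MFA completed; returns the cookie value."""
        if not mfa_passed:
            raise PermissionError("session is issued only after MFA")
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None. A copied cookie is
        accepted while the session is live (that is the pass-the-cookie problem);
        the absolute and idle limits bound how long a captured cookie stays useful."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["created"] > self.absolute_ttl or now - rec["last_seen"] > self.idle_ttl:
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token):
        """Explicit logout, or an admin-triggered revocation after a compromise."""
        self._sessions.pop(self._key(token), None)

    def set_cookie_header(self, token):
        """Set-Cookie attributes that keep the cookie off clear-text connections and
        out of reach of page scripts; Max-Age mirrors the absolute lifetime."""
        return (f"{COOKIE_NAME}={token}; Max-Age={self.absolute_ttl}; "
                "Secure; HttpOnly; SameSite=Lax; Path=/")


class FakeClock:
    """Deterministic clock for the walk-through below."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Idle timeout, absolute timeout and revocation under a 1 h / 10 min policy."""
    clock = FakeClock(1_000.0)
    store = SessionStore(absolute_ttl=3600, idle_ttl=600, clock=clock)
    results = {}

    tok = store.issue("alice", mfa_passed=True)
    results["copied_cookie_accepted"] = store.validate(tok) == "alice"  # same value from any client
    clock.advance(601)
    results["rejected_after_idle"] = store.validate(tok) is None

    tok = store.issue("alice", mfa_passed=True)
    for _ in range(7):                   # stay active: 7 * 500 s = 3500 s < 3600 s
        clock.advance(500)
        assert store.validate(tok) == "alice"
    clock.advance(500)                   # 4000 s since creation: absolute limit reached
    results["rejected_after_absolute"] = store.validate(tok) is None

    tok = store.issue("bob", mfa_passed=True)
    store.revoke(tok)
    results["rejected_after_revoke"] = store.validate(tok) is None
    return results


if __name__ == "__main__":
    for check, passed in walkthrough().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The idle limit is what shortens the usable window of a cookie captured from a user who has walked away; the absolute limit caps it even for a user who keeps clicking, and `revoke` is the hook an incident responder needs to cut off a session that is known to be stolen.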

Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.

IOCs

The CISA report also links to a downloadable copy of IOCs for those that are interested.

The post Cybercriminals want your cloud services accounts, CISA warns appeared first on Malwarebytes Labs.

The post Cybercriminals want your cloud services accounts, CISA warns appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/cybercriminals-want-your-cloud-services-accounts-cisa-warns/?utm_source=rss&utm_medium=rss&utm_campaign=cybercriminals-want-your-cloud-services-accounts-cisa-warns

Antigena Email and Enterprise Immune System Designated Marsh Cyber Catalysts 2020

San Francisco, Thursday, January 14, 2021 – Darktrace, the world’s leading cyber AI company, has today announced that two of its core products have been designated as Marsh ‘Cyber Catalyst’ solutions. The program brings together leading cyber insurers to identify solutions they believe most effective in reducing cyber risk. Darktrace’s core AI threat detection technology, the Enterprise Immune..

The post Antigena Email and Enterprise Immune System Designated Marsh Cyber Catalysts 2020 appeared first on Security Boulevard.


The post Antigena Email and Enterprise Immune System Designated Marsh Cyber Catalysts 2020 appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/antigena-email-and-enterprise-immune-system-designated-marsh-cyber-catalysts-2020/?utm_source=rss&utm_medium=rss&utm_campaign=antigena-email-and-enterprise-immune-system-designated-marsh-cyber-catalysts-2020

Postcards From The Rus

Reuters reporter Christopher Bing has reported a new ‘probe’ instantiated by the United States Federal Bureau of Investigation targeting a Rus-linked postcard (of-all-things) sent to FireEye, Inc. Chief Executive Officer Kevin Mandia after the information and cyber security consulting company unearthed the now known to be widespread attack on SolarWinds systems management products in both the private and public sectors.

‘The postcard carries FireEye’s logo, is addressed to CEO Kevin Mandia, and calls into question the ability of the Milpitas, California-based firm to accurately attribute cyber operations to the Russian government. People familiar with Mandia’s postcard summarized its content to Reuters. It shows a cartoon with the text: “Hey look Russians” and “Putin did it!” ‘ – via Christopher Bing, reporting at Reuters

The post Postcards From The Rus appeared first on Security Boulevard.


The post Postcards From The Rus appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/postcards-from-the-rus/?utm_source=rss&utm_medium=rss&utm_campaign=postcards-from-the-rus

Florida Ethics Officer Charged with Cyberstalking

Judge bars former Tallahassee city ethics officer from internet-connected devices after her arrest for cyberstalking.

The post Florida Ethics Officer Charged with Cyberstalking appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/florida-ethics-officer-charged-with-cyberstalking-2/?utm_source=rss&utm_medium=rss&utm_campaign=florida-ethics-officer-charged-with-cyberstalking-2


How to Set Up an Open Source Strategy


Open source components have become the basic building blocks of software applications, comprising 60%-80% of software projects. As open source usage has established itself as an industry standard and the default choice of software production, software development organizations are required to set up an open source strategy.

Gone are the days when the standard practice was to choose open source components seemingly at random with no regard for checking for security vulnerabilities or open source licenses. There was no deep-dive into dependencies, no strings attached. This left organizations open to both security vulnerabilities and non-compliant usage of open source components. 

Development teams today are under orders to create a strategy for their open source usage to keep their products secure and compliant. They need to build an open source strategy that addresses all aspects of open source usage, from selecting components, integration with their proprietary code, to bug detection and license management. 

The Importance of Adopting an Open Source Strategy

The choice to invest in an open source strategy is primarily a business one and its logic extends from other fields of business development wherein a similar rise in formalization, standardization, and documentation is already underway.

Once a company reaches a critical mass of activity, it can easily fall into an endless stream of oversights, loopholes, and casualties. It is then that companies begin to feel the need for a strategy; a “think first” approach to efficiency, profitability, and growth prospects. 

Looking at the dollars and cents of remediation efforts, organizations do the math and understand that it is more cost-effective to set up an open source strategy that will keep them on the right side of security and compliance than it is to repair damage once it has already been done.

The Open Source Program Office 

Companies across all industries are ushering in ‘Open Source Programs Offices’ that implement an organizational strategy to ensure open source components are used securely and compliantly by all teams.  

The central nervous system of open source usage within a company, these hubs establish an open source strategy that implements policies surrounding code selection, component adoption and usage, and auditing practices. Open Source Offices train new developers on the company’s open source strategy and ensure open source security and license policies are followed. 

Such offices have been popping up at an increasing rate, and many enterprises are choosing to scout out open source leaders to head up these teams. They are utilizing these open source strategy superstars to manage their policy on a team level, operating on a local basis instead of corporate-wide.

Open Source Strategy: Key Considerations Along the Way

These are a few of the steps that need to be put in motion when planning your organization’s open source strategy.

#1 Establishing an Open Source Office 

Where, under which department, should the Open Source Office sit? Who will the Chief Open Source Officer report to? 

This is not simply a chain of command question, but rather a question that requires an examination and mapping of the company’s focus. Software companies will want to have the Office under their R&D departments, whereas companies with extensive intellectual property portfolios may want to place the office under their legal departments.  

Once the decision involving the Open Source Office is made, it sets the tone for the open source strategy that will follow. It is here that rules and guidelines for working with open source are formulated and distributed company-wide. 

#2 Formulating an Open Source Strategy

How will your strategy address open source security and license compliance? You will need to decide which open source licenses you are willing to use in your products and which should be prevented from entering your code. The quantity of code, with multiple licenses, requires that you use automated solutions to enforce your policies, ensuring that those licenses that you do not want developers to use will be banned from entering your system.

Similarly, you will need to put in place security restrictions, setting your governance policies to allow open source components that are deemed acceptable for use without additional review, whereas others may need a team leader to sign off on a potentially risky component. In more severe instances, you can use automation to block risky open source components from entering the product, even failing the build if need be to keep the code base safe.

Another strategy wrinkle that needs to be ironed out before incorporating open source components is a company’s open source reporting policy. As a vendor servicing clients, any company selling a product that contains open source elements must provide due diligence, in the form of an attribution report, to its customers. Rules of disclosure will require that a company provide its clients with a package name, version, original download URL, license obligations, included dependencies and developer’s point of contact for every piece of open source used in their software. 

#3 Implementing an Open Source Strategy 

Establishing an open source strategy begins with understanding that open source management has its particular set of challenges that are separate from those of proprietary and even third-party commercial code. 

While most rely on the National Vulnerability Database (NVD) for security updates, important information will often be posted first to a variety of other security advisories or issue trackers. To ensure that developers are using updated and secure open source components, organizations must integrate the right tools for identifying the components in their development environment or products, and for matching them against the distributed information sources that report which components have known vulnerabilities posing a risk to their products.

Only Software Composition Analysis (SCA) tools bring the automated solutions to aggregate all of the relevant information, identify and monitor open source components at scale, issue alerts when new concerns arise, and run at the speed of DevSecOps.
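An added Python example, not the code of any SCA product, that puts the policies from step #2 (license allow, review and deny lists, gating risky components behind sign-off, failing the build, and the attribution fields a vendor owes its customers) together with the step #3 matching of components against vulnerability advisories into one automated gate. The component inventory, the vulnerability feed, the license lists, the thresholds and the `ADVISORY-PLACEHOLDER-*` identifiers are all constructed assumptions.

```python
"""Automated open source policy gate: license allow/review/deny lists, a
vulnerability severity threshold that can fail the build, and the attribution
report fields the post lists.

Added example; not the code of any SCA product. The inventory, the
vulnerability feed, the license lists and the thresholds are constructed."""
from dataclasses import dataclass, field

# License policy (assumption): allowed outright, allowed after sign-off, banned.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
REVIEW_LICENSES = {"LGPL-2.1-only", "MPL-2.0"}
DENIED_LICENSES = {"AGPL-3.0-only", "SSPL-1.0"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REVIEW_AT = "medium"   # assumption: medium needs a team lead's sign-off
BLOCK_AT = "high"      # assumption: high or critical fails the build


@dataclass
class Component:
    name: str
    version: str
    license: str
    download_url: str
    contact: str
    dependencies: list = field(default_factory=list)


# Constructed vulnerability feed; the ids are placeholders, not real advisories.
VULN_FEED = [
    {"package": "netframe", "affected": {"1.2.0", "1.2.1"}, "severity": "critical", "id": "ADVISORY-PLACEHOLDER-1"},
    {"package": "ymlparse", "affected": {"0.9.0"}, "severity": "medium", "id": "ADVISORY-PLACEHOLDER-2"},
    {"package": "ymlparse", "affected": {"0.8.0"}, "severity": "high", "id": "ADVISORY-PLACEHOLDER-3"},
]

# Constructed component inventory (what an SCA scan of the build would produce).
INVENTORY = [
    Component("netframe", "1.2.1", "Apache-2.0", "https://example.invalid/netframe-1.2.1.tgz", "maint@example.invalid", ["tinylog"]),
    Component("tinylog", "3.0.0", "MIT", "https://example.invalid/tinylog-3.0.0.tgz", "log@example.invalid"),
    Component("ymlparse", "0.9.0", "MPL-2.0", "https://example.invalid/ymlparse-0.9.0.tgz", "yml@example.invalid"),
    Component("dbgrid", "2.4.0", "AGPL-3.0-only", "https://example.invalid/dbgrid-2.4.0.tgz", "grid@example.invalid"),
    Component("colorize", "1.0.0", "Custom-EULA", "https://example.invalid/colorize-1.0.0.tgz", "color@example.invalid"),
]


def match_vulnerabilities(component, feed):
    """Advisories whose package name and affected versions cover this component."""
    return [v for v in feed if v["package"] == component.name and component.version in v["affected"]]


def evaluate(components, feed):
    """Apply the license and severity policy. Returns (build_ok, decisions) where
    decisions maps "name@version" to (verdict, reasons); verdict is "allow",
    "review" (needs sign-off) or "block" (fails the build)."""
    decisions = {}
    for c in components:
        reasons, verdict = [], "allow"
        if c.license in DENIED_LICENSES:
            verdict = "block"
            reasons.append(f"license {c.license} is banned")
        elif c.license in REVIEW_LICENSES:
            verdict = "review"
            reasons.append(f"license {c.license} needs sign-off")
        elif c.license not in ALLOWED_LICENSES:
            verdict = "block"       # unknown licenses are blocked until classified
            reasons.append(f"license {c.license} is not on the allow list")
        for v in match_vulnerabilities(c, feed):
            rank = SEVERITY_RANK[v["severity"]]
            reasons.append(f'{v["id"]} ({v["severity"]})')
            if rank >= SEVERITY_RANK[BLOCK_AT]:
                verdict = "block"
            elif rank >= SEVERITY_RANK[REVIEW_AT] and verdict == "allow":
                verdict = "review"
        decisions[f"{c.name}@{c.version}"] = (verdict, reasons)
    build_ok = all(verdict != "block" for verdict, _ in decisions.values())
    return build_ok, decisions


def attribution_report(components):
    """One record per component with the disclosure fields the post lists."""
    return [{"package": c.name, "version": c.version, "download_url": c.download_url,
             "license": c.license, "dependencies": list(c.dependencies), "contact": c.contact}
            for c in components]


if __name__ == "__main__":
    ok, decisions = evaluate(INVENTORY, VULN_FEED)
    for key, (verdict, reasons) in decisions.items():
        print(f"{key}: {verdict} {reasons}")
    print("build", "passes" if ok else "FAILS")
    raise SystemExit(0 if ok else 1)     # non-zero exit is what fails the CI job
```

Wired into CI, the non-zero exit is the "failing the build" action; the `review` verdict is the sign-off path, and the feed is where advisories from sources other than the NVD get merged in before matching.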

Open Source Strategy: A Plan of Action

Establishing an open source strategy begins with a milestone event: carving out a place in the corporation for open source management. This step must be taken with the understanding that open source security and license compliance have their own particular set of challenges, distinct from those of proprietary code and even third-party commercial contributions.

Purposeful adoption of open source should be part of a corporation’s larger governance strategy as far as it pertains to security and licensing of third-party and open source contributions. It is up to the open source experts in the company to put together a strategy for open source automation, documentation, vulnerability detection, remediation, and licensing compliance. 


The post How to Set Up an Open Source Strategy appeared first on Security Boulevard.


The post How to Set Up an Open Source Strategy appeared first on Malware Devil.



https://malwaredevil.com/2021/01/14/how-to-set-up-an-open-source-strategy/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-set-up-an-open-source-strategy

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...