Malware Devil

Saturday, January 16, 2021

XKCD ‘1/100,000th Scale World’

via the comic delivery system monikered Randall Munroe resident at XKCD!


The post XKCD ‘1/100,000th Scale World’ appeared first on Security Boulevard.


The post XKCD ‘1/100,000th Scale World’ appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/xkcd-1-100000th-scale-world/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-1-100000th-scale-world

Joker’s Stash, The Largest Carding Marketplace, Announces Shutdown

Joker’s Stash, the largest dark web marketplace notorious for selling compromised payment card data, has announced plans to shut down its operations on February 15, 2021.
In a message board post on a Russian-language underground cybercrime forum, the operator of the site — who goes by the name “JokerStash” — said “it’s time for us to leave forever” and that “we will never ever open again,”

The post Joker’s Stash, The Largest Carding Marketplace, Announces Shutdown appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/jokers-stash-the-largest-carding-marketplace-announces-shutdown-2/?utm_source=rss&utm_medium=rss&utm_campaign=jokers-stash-the-largest-carding-marketplace-announces-shutdown-2

WhatsApp Delays Controversial ‘Data-Sharing’ Privacy Policy Update By 3 Months

WhatsApp said on Friday that it wouldn’t enforce its recently announced controversial data sharing policy update until May 15.
Originally set to go into effect next month on February 8, the three-month delay comes following “a lot of misinformation” about a revision to its privacy policy that allows WhatsApp to share data with Facebook, sparking widespread concerns about the exact kind of

The post WhatsApp Delays Controversial ‘Data-Sharing’ Privacy Policy Update By 3 Months appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/whatsapp-delays-controversial-data-sharing-privacy-policy-update-by-3-months/?utm_source=rss&utm_medium=rss&utm_campaign=whatsapp-delays-controversial-data-sharing-privacy-policy-update-by-3-months

Obfuscated DNS Queries, (Fri, Jan 15th)

This week I started seeing some URLs with /dns-query?dns in my honeypot[1][2]. The queries obviously did not look like standard DNS queries; this got me curious, and I proceeded to investigate to determine what these DNS queries were trying to resolve.

Before proceeding, I reviewed my logs, which go back to May 2018, to see when this activity was first captured. The first time the honeypot logged something similar was in February 2020, with one long query that was different from all other queries. All the logs are targeting TCP/443 and are unencrypted.

Using the base64 URL-safe option in CyberChef[3], I was able to decode the DNS information for the 3 different queries. The first query, captured in February 2020, appears to be a test (see decoded information below). The other two resolve to a URL: one as a test (www.example[.]com) and the other to the Baidu search engine (www.baidu[.]com).

Sample Logs

  • tcp-honeypot-20200212-195552.log:20200226-230039: 192.168.25.9:443-54.153.67.242:59822 data ‘GET /dns-query?dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ HTTP/1.1\r\nHost: XX.30.102.198:443\r\nConnection: close\r\nAccept-Encoding: gzip\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36\r\n\r\n’
  • tcp-honeypot-20200413-081332.log:20200413-171212: 192.168.25.9:443-195.37.190.77:40634 data ‘GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1\r\nHost: XX.30.102.198\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n’

[…]

  • 20210112-110540: 192.168.25.9:443-39.96.138.251:60736 data ‘GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwViYWlkdQNjb20AAAEAAQ HTTP/1.1\r\nHost: XX.49.33.78\r\nUser-Agent: Go-http-client/1.1\r\nAccept: application/dns-message\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n’
  • 20210113-040125: 192.168.25.9:443-161.117.239.46:49778 data ‘GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwViYWlkdQNjb20AAAEAAQ HTTP/1.1\r\nHost: XX.49.33.78\r\nUser-Agent: Go-http-client/1.1\r\nAccept: application/dns-message\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n’

Base64 Decoded Queries

  • AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ ………….a>62characterlabel-makes-base64url-distinct-from-standard-base64.example.com…..
  • AAABAAABAAAAAAAAA3d3dwViYWlkdQNjb20AAAEAAQ   ………….www.baidu.com…..
  • AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB ………….www.example.com…..
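
The same decoding can be scripted for bulk log review instead of pasting each value into CyberChef. This is an added example, not code from the original diary: it base64url-decodes the dns parameter and parses the DNS wire-format header and question; the function names and the trimmed log lines (the last one constructed) are this example's own.

```python
import base64
import re
import struct

# Request lines trimmed from the honeypot samples above (dns= values unchanged,
# addresses and headers dropped). The last line is constructed: a cut-off value.
SAMPLE_LOG = [
    "20200226-230039 GET /dns-query?dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ HTTP/1.1",
    "20200413-171212 GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1",
    "20210112-110540 GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwViYWlkdQNjb20AAAEAAQ HTTP/1.1",
    "20210113-000000 GET /dns-query?dns=AAABAAABAAAAAAAAA3d3 HTTP/1.1",
]

DNS_PARAM = re.compile(r"[?&]dns=([A-Za-z0-9_-]+)")


def decode_doh_param(value: str) -> bytes:
    """DoH GET values are base64url with the '=' padding stripped; restore it."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_question(msg: bytes) -> dict:
    """Parse the DNS header and the single question of a query message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    labels, lengths, pos = [], [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:      # root label terminates the name
            break
        if length > 63:      # top bits set: compression pointer or corrupt data
            raise ValueError("label length > 63")
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "backslashreplace"))
        lengths.append(length)
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", msg[pos:pos + 4])
    return {
        "id": ident,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "rd": bool(flags & 0x0100),     # recursion desired
        "qname": ".".join(labels),
        "label_lengths": lengths,
        "qtype": qtype,                 # 1 = A
        "qclass": qclass,               # 1 = IN
    }


def queries_from_log(lines):
    """Return one parsed question (or an error record) per line with a dns= value."""
    out = []
    for line in lines:
        m = DNS_PARAM.search(line)
        if not m:
            continue
        try:
            out.append(parse_question(decode_doh_param(m.group(1))))
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            out.append({"error": str(exc), "param": m.group(1)})
    return out


if __name__ == "__main__":
    for q in queries_from_log(SAMPLE_LOG):
        print(q)
```

Parsed this way, the `>` in the raw decode of the February 2020 query turns out to be the length byte 0x3e (62) of the second label, preceded by a one-byte label `a`. That name and the www.example.com query are the GET examples given in RFC 8484, section 4.1.1.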

DNS Queries by Base64 String

  • IP Activity resolving to www.example[.]com has been active since April 2020 with 2 packets per month.
  • User-Agent → Mozilla/5.0 (compatible; DNSResearchBot/2.1; +http://195.37.190.77)

195.37.190[.]77

====================

  • IP Activity resolving to www.baidu[.]com only started in December 2020 and has been active since then.
  • User-Agent → Go-http-client/1.1

39.96.138[.]251
39.96.139[.]173
39.96.139[.]223
39.96.140[.]32
47.74.84[.]52
47.241.66[.]187
54.153.67[.]242

====================

  • IP Activity resolving to 62characterlabel-makes-base64url-distinct-from-standard-base64.example.com only seen once in February 2020 which appears to be only a test.
  • Something interesting, 62characterlabel-makes-base64url-distinct-from-standard-base64 is equal to 62 characters
  • User-Agent → Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

161.117.239[.]46

====================

Do you have similar obfuscated DNS queries in your logs? Please use our comment form to share them.

[1] https://github.com/DidierStevens/Beta/blob/master/tcp-honeypot.py
[2] https://www.inetsim.org/documentation.html
[3] https://gchq.github.io/CyberChef/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Obfuscated DNS Queries, (Fri, Jan 15th) appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/obfuscated-dns-queries-fri-jan-15th/?utm_source=rss&utm_medium=rss&utm_campaign=obfuscated-dns-queries-fri-jan-15th

NSA Suggests Enterprises Use ‘Designated’ DNS-over-HTTPS’ Resolvers


The U.S. National Security Agency (NSA) on Friday said DNS over HTTPS (DoH) — if configured appropriately in enterprise environments — can help prevent “numerous” initial access, command-and-control, and exfiltration techniques used by threat actors.

“DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and ‘last mile’ source authentication with a client’s DNS resolver,” according to the NSA’s new guidance.

Proposed in 2018, DoH is a protocol for performing remote Domain Name System resolution via the HTTPS protocol.

One of the major shortcomings with current DNS lookups is that even when someone visits a site that uses HTTPS, the DNS query and its response are sent over an unencrypted connection, thus allowing third-party eavesdropping on the network to track every website a user is visiting.

Even worse, the setup is ripe for carrying out man-in-the-middle (MiTM) attacks simply by changing the DNS responses to redirect unsuspecting visitors to a malware-laced site of the adversary’s choice.

Thus by using HTTPS to encrypt the data between the DoH client and the DoH-based DNS resolver, DoH aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by MiTM attacks.

To that effect, the NSA recommends using only designated enterprise DNS resolvers to achieve the desired cybersecurity defense, while noting that such resolvers will be bypassed completely when a client has DoH enabled and is configured to use a DoH resolver not designated by the enterprise.

The gateway, which is used to forward the query to external authoritative DNS servers in the event the enterprise DNS resolver does not have the DNS response cached, should be designed to block DNS, DoH, and DNS over TLS (DoT) requests to external resolvers and DNS servers that are not from the enterprise resolver, the agency added.

Although DoH protects DNS transactions from unauthorized modification, the NSA cautioned of a “false sense of security.”

“DoH does not guarantee protection from cyber threat actors and their ability to see where a client is going on the web,” it said. “DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied.”

“Enterprises that allow DoH without a strategic and thorough approach can end up interfering with network monitoring tools, preventing them from detecting malicious threat activity inside the network, and allowing cyber threat actors and malware to bypass the designated enterprise DNS resolvers.”

What’s more, the encryption does nothing to prevent the DNS provider from seeing both the lookup requests as well as the IP address of the client making them, effectively undermining privacy protections and making it possible for a DNS provider to create detailed profiles based on users’ browsing habits.

Oblivious DNS-over-HTTPS (ODoH), announced last month by engineers at Apple, Cloudflare, and Fastly, aims to address this issue. It prevents the DoH resolver from knowing which client requested what domain names by passing all requests via a proxy that separates the IP addresses from the queries, “so that no single entity can see both at the same time.”

Put differently, this means the proxy does not know the contents of queries and responses, and the resolver does not know the IP addresses of the clients.

Secondly, the use of DoH also doesn’t negate the possibility that resolvers that communicate with malicious servers upstream could still be susceptible to DNS cache poisoning.

“DNSSEC should be used to protect the upstream responses, but the DoH resolver may not validate DNSSEC,” the NSA said. “Enterprises that do not realize which parts of the DNS process are vulnerable could fall into a false sense of security.”


The post NSA Suggests Enterprises Use ‘Designated’ DNS-over-HTTPS’ Resolvers appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/nsa-suggests-enterprises-use-designated-dns-over-https-resolvers/?utm_source=rss&utm_medium=rss&utm_campaign=nsa-suggests-enterprises-use-designated-dns-over-https-resolvers

Joker’s Stash, The Largest Carding Marketplace, Announces Shutdown


Joker’s Stash, the largest dark web marketplace notorious for selling compromised payment card data, has announced plans to shut down its operations on February 15, 2021.

In a message board post on a Russian-language underground cybercrime forum, the operator of the site — who goes by the name “JokerStash” — said “it’s time for us to leave forever” and that “we will never ever open again,” according to twin reports from cybersecurity firms Gemini Advisory and Intel471.

“Joker goes on a well-deserved retirement. Joker’s Stash is closing,” the post read. “When we opened years ago, nobody knew us. Today we are one of the largest cards/dumps marketplace[s].”

The exact reason for the shut down is still unclear.

Joker’s Stash, since its origins in 2014, emerged as one of the biggest players in the underground payment card economy over the years, with over $1 billion generated in revenues.

The news of the imminent shutdown comes weeks after the US Federal Bureau of Investigation (FBI) and Interpol allegedly seized proxy servers used in connection with Blockchain-based domains belonging to the site last month, briefly disrupting its operations.

Adding to the mounting troubles was a “severe decline” in the volume of stolen data posted on the site, leading to complaints from clients about the poor quality of the payment card data.

Then in late October, the site’s routine activities also suffered after the actor who allegedly runs the site claimed to have contracted COVID-19 and had been spending more than one week in a hospital.

Gemini Advisory pointed to Bitcoin’s recent spike as another reason that may have led to the website’s demise.

Bitcoin hit a record high of $40,000 last week, lifting the total value of the cryptocurrency market above $1 trillion for the first time ever.

“JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency,” the researchers said. “This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire.”

Joker’s Stash’s shut down isn’t the end of the road, however, as vendors are expected to transition to other dark web marketplaces to advertise their services.

The site’s administrator had a few parting words of advice for cybercriminals.

“We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money (sic),” the post concluded. “Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free.”


The post Joker’s Stash, The Largest Carding Marketplace, Announces Shutdown appeared first on Malware Devil.



https://malwaredevil.com/2021/01/16/jokers-stash-the-largest-carding-marketplace-announces-shutdown/?utm_source=rss&utm_medium=rss&utm_campaign=jokers-stash-the-largest-carding-marketplace-announces-shutdown

NSA Appoints Rob Joyce as Cyber Director


Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct …

CVE-2021-3162
PUBLISHED: 2021-01-15

Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.

CVE-2021-21242
PUBLISHED: 2021-01-15

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a…

CVE-2021-21245
PUBLISHED: 2021-01-15

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u…

CVE-2021-21246
PUBLISHED: 2021-01-15

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar…

The post NSA Appoints Rob Joyce as Cyber Director appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/nsa-appoints-rob-joyce-as-cyber-director-3/?utm_source=rss&utm_medium=rss&utm_campaign=nsa-appoints-rob-joyce-as-cyber-director-3

Friday, January 15, 2021

Tractors, Pod Ice Cream and Lipstick Awarded CES 2021 Worst in Show

Expert panel awards dubious honors to 2021 Consumer Electronics Show’s biggest flops, including security and privacy failures.

The post Tractors, Pod Ice Cream and Lipstick Awarded CES 2021 Worst in Show appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/tractors-pod-ice-cream-and-lipstick-awarded-ces-2021-worst-in-show/?utm_source=rss&utm_medium=rss&utm_campaign=tractors-pod-ice-cream-and-lipstick-awarded-ces-2021-worst-in-show

The Remote Phish: No Strings Attached

To combat phishing, do not permit loading of remote images in your email client’s preferences settings.

via Zeljka Zorz, Managing Editor, Help Net Security comes a well-crafted, on-target post, detailing the real danger with loading remote images in email messages (rather than directly embedded). Be careful out there!

‘At the moment, this new approach to delivering images in phishing emails is quite popular and obviously rather successful, but as email security vendors find ways to counter these tricks, cyber criminals will have to change tack once more – and so the arms race continues.’ – via Zeljka Zorz, Managing Editor, Help Net Security

The post The Remote Phish: No Strings Attached appeared first on Security Boulevard.


The post The Remote Phish: No Strings Attached appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/the-remote-phish-no-strings-attached/?utm_source=rss&utm_medium=rss&utm_campaign=the-remote-phish-no-strings-attached

Microsoft Implements Windows Zerologon Flaw ‘Enforcement Mode’

Starting Feb. 9, Microsoft will enable Domain Controller “enforcement mode” by default to address CVE-2020-1472.

The post Microsoft Implements Windows Zerologon Flaw ‘Enforcement Mode’ appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/microsoft-implements-windows-zerologon-flaw-enforcement-mode/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-implements-windows-zerologon-flaw-enforcement-mode

NSA Appoints Rob Joyce as Cyber Director

Joyce has long worked in US cybersecurity leadership, most recently serving as the NSA’s top representative in the UK.

The post NSA Appoints Rob Joyce as Cyber Director appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/nsa-appoints-rob-joyce-as-cyber-director-2/?utm_source=rss&utm_medium=rss&utm_campaign=nsa-appoints-rob-joyce-as-cyber-director-2


2021-01-15 – Emotet infection from Epoch 1 botnet


The post 2021-01-15 – Emotet infection from Epoch 1 botnet appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/2021-01-15-emotet-infection-from-epoch-1-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=2021-01-15-emotet-infection-from-epoch-1-botnet

2021-01-12 thru 2021-01-14 – Six items of malspam received by my admin email


The post 2021-01-12 thru 2021-01-14 – Six items of malspam received by my admin email appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/2021-01-12-thru-2021-01-14-six-items-of-malspam-received-by-my-admin-email/?utm_source=rss&utm_medium=rss&utm_campaign=2021-01-12-thru-2021-01-14-six-items-of-malspam-received-by-my-admin-email

Druva Receives Cyber Catalyst Designation for Outstanding Product Security and Ability to Combat Ransomware

Druva Cloud Platform’s simplified interface, comprehensive offering, security integrations and ability to minimize data risk help the company secure the prestigious recognition

SUNNYVALE, Calif. ‒ January 15, 2021 ‒ Druva Inc., the leader in Cloud Data Protection and Management, today announced Druva inSync™ has been recognized as a Cyber Catalyst℠ designated solution. Created by Marsh, the unique program brings together..

The post Druva Receives Cyber Catalyst Designation for Outstanding Product Security and Ability to Combat Ransomware appeared first on Security Boulevard.


The post Druva Receives Cyber Catalyst Designation for Outstanding Product Security and Ability to Combat Ransomware appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/druva-receives-cyber-catalyst-designation-for-outstanding-product-security-and-ability-to-combat-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=druva-receives-cyber-catalyst-designation-for-outstanding-product-security-and-ability-to-combat-ransomware

How Are Cybercriminals Stealing Business Data?

How are cybercriminals stealing business data? Very easily using tools like ransomware. Does that put your business at risk? Yes. Here’s how to mitigate it quickly and affordably.

The post How Are Cybercriminals Stealing Business Data? appeared first on Security Boulevard.


The post How Are Cybercriminals Stealing Business Data? appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/how-are-cybercriminals-stealing-business-data/?utm_source=rss&utm_medium=rss&utm_campaign=how-are-cybercriminals-stealing-business-data

Code42 and LogRhythm Partner to Protect Against Insider Threats

As remote work has become the norm for many enterprises, organizations are struggling with the troubling reality of rising insider threats. Whether the results are from careless or negligent employees or malicious insiders, it’s crucial to arm your organization with…

The post Code42 and LogRhythm Partner to Protect Against Insider Threats appeared first on LogRhythm.

The post Code42 and LogRhythm Partner to Protect Against Insider Threats appeared first on Security Boulevard.


The post Code42 and LogRhythm Partner to Protect Against Insider Threats appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/code42-and-logrhythm-partner-to-protect-against-insider-threats/?utm_source=rss&utm_medium=rss&utm_campaign=code42-and-logrhythm-partner-to-protect-against-insider-threats

Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom?

Project Zero

Google revealed a novel, complex, well-engineered campaign of targeted attacks. But there are more questions than answers.

The post Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom? appeared first on Security Boulevard.


The post Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom? appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/revealed-sophisticated-watering-hole-attack-but-by-whom/?utm_source=rss&utm_medium=rss&utm_campaign=revealed-sophisticated-watering-hole-attack-but-by-whom

MSPs, have you picked the right PSA for you yet?

Not long ago, we helped MSPs pick the right remote monitoring and management (RMM) platform for them, and make it an essential part of their service toolkit. As you may recall, an RMM is a tool that helps MSPs do the work. And what better way to track the work—and other elements associated with it—than to have professional service automation (PSA) software do it for you?

“Do we really need a PSA?”

A PSA is, essentially, an all-in-one tool that helps MSPs manage an array of tasks, such as project management, collaboration, invoicing, ticketing, resource planning, and reporting and data analysis (to name a few), of every client project, throughout its lifecycle. It keeps all data and processes about a project available and linked in one place, so MSPs can see the big picture and waste no time making decisions or adjustments as needed. Some may liken PSA software to Enterprise Resource Planning (ERP) software for MSPs.

Many MSPs are realizing that they have little time and patience to waste on tedious and time-consuming tasks when they could have been doing more productive things. If you’re an organization that is just breaking into the MSP world, or already have years of experience, “Do we really need a PSA?” should no longer be the question you ask.

A PSA is not just a nice-to-have anymore. It has become an integral and critical platform that MSPs must have to scale effectively and profitably. What you should be asking instead is “Which PSA is right for my business?”

Benefits of using a PSA

Gone are the days when PSAs were akin to helpdesk software. They have evolved beyond merely managing support tickets and tasks. The modern-day PSA’s kit can offer (but is not limited to) the following benefits:

  • Significantly cut the time it takes to search for documentation
  • Reduced time spent on doing repetitive tasks
  • Improved service level agreements (SLAs)
  • Accurate tracking and recording of onsite services from start to finish
  • Automatic generation of billing statements
  • Efficient management of customer engagement
  • Automatic patching and system updating
  • Increased customer satisfaction
  • A uniform consolidation of data used to make mission critical decisions

Know that each PSA in the market right now offers different solutions and bundles, and that MSPs could be impacted by them differently as well.

Of course, not every benefit above is what MSPs would want.

Not all MSPs, for example, want a suite that automatically applies patches to the system, because they would rather do some rigorous testing themselves first, before deployment. Picking the right PSA eventually boils down to what your organization needs, what you want to automate and/or improve on, and what best fits into your business practices and processes.

PSA considerations for the smart MSP

Before MSPs can take a deep dive into implementing a PSA suite, they must realize that this is no easy feat. It is a time-consuming, disruptive, and sometimes expensive task to undertake. But patience and perseverance have their rewards. Here are three simple questions MSPs should ask when deciding which PSA to pick.

“How well does it integrate with our other tools?”

While a PSA houses all of an MSP’s data under one virtual roof and boasts an assortment of other tools for their employees to use, it’s not the only system the business uses. An MSP could have its own bespoke customer relationship management (CRM) tool or use other systems from third parties, too, such as an accounting, data backup and recovery, RMM, and, of course, endpoint security software. Make sure that the PSA of your choice can achieve deep integrations with the tools you rely on.

“Is it scalable?”

Every organization’s goal is to grow its customer base, making it especially important for MSPs to have a PSA that can scale with its growth. Pick a PSA that has been designed and built with scalability in mind, so it can cope with these “growing pains”.

On an additional note, you will want to know how the cost of the PSA will change as your business grows. Make sure that it’ll still be within a reasonable budget and sustainable in the long run.

“Will it help us achieve accountability and efficiency?”

One of the main reasons for using a PSA is to bridge those gaps that are inherently found in disparate systems used by different departments in an organization. A good PSA should be able to eradicate siloed data by tracking, recording, and reporting everything. This way, employees are expected to perform tasks efficiently and in a timely manner, clients are provisioned with the best resources to get issues resolved quickly, and bills are issued accurately.

“Can it provide data that’ll help us make informed decisions?”

A PSA can also help MSPs handle unforeseen hurdles, such as customer security issues, or delays in project deliveries. Your choice of PSA should be capable of not only collecting and keeping data from different departments but also processing, analyzing, and presenting it to your users in a way that shows trends, reveals problem points, and forecasts needs, so that you can make improvements, create plans months ahead, and effectively respond to security threats.

All we need is time

Of all the different assets MSPs must manage efficiently in order to be profitable and remain competitive, the most important is time. And what better way to manage time than to automate important but mundane daily tasks, so employees can make better use of their time and provide a higher level of security to customers. That said, the choice of investing or not investing in a PSA is no longer up for debate for MSPs. The benefits of having one as part of your toolkit far outweigh the costs and initial challenges that naturally come with change. At the end of the day, you’ll be glad you went for one.

The post MSPs, have you picked the right PSA for you yet? appeared first on Malwarebytes Labs.

The post MSPs, have you picked the right PSA for you yet? appeared first on Malware Devil.



https://malwaredevil.com/2021/01/15/msps-have-you-picked-the-right-psa-for-you-yet/?utm_source=rss&utm_medium=rss&utm_campaign=msps-have-you-picked-the-right-psa-for-you-yet

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...