According to a newly unsealed indictment, two Chinese nationals working with the Chinese ministry of state security have been charged with hacking a number of U.S. government agencies and corporations. The court filing indicates that Zhu Hua and Zhang Jianguo, members of Advanced Persistent Threat 10 (APT10), used phishing techniques in order to steal intellectual property, confidential business data, and technological information between 2006 and 2018.
With the slew of terms that exist in the world of application security, it can be difficult to keep them all straight. “Flaws,” “vulnerabilities,” and “exploits” are just a few that are likely on your radar, but what do they mean? If you’ve used these words interchangeably in the past, you’re not alone. They’re easy to confuse with one another, likely because there’s a relationship between all of these terms; however, their distinction is real.
For a CEO who insists his electric vehicle startup doesn’t want to be Tesla, Rivian founder RJ Scaringe can sound a lot like Elon Musk.
A cyberattack has the power to paralyze cellular communications; alter or erase information in computerized systems; prevent access to computer servers; and directly harm a country’s economy and security by attacking its electricity networks or banking system.
Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.
My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.
Ah, online quizzes. Many of us know that they can be somewhat dodgy and nonsense, really—but that doesn’t stop us from clicking the “Start quiz” button anyway. Besides, you have time to kill, and there are only three questions to answer, right?
Posted by Vikrant Nanda and René Mayrhofer, Android Security & Privacy Team
As hacking events have increased in number and severity, we in the cybersecurity community have united around common strategies that all organizations can implement to reduce their risk. Universal best practices provide organizations with many useful tools to protect their businesses. But what often gets overlooked in these discussions are the unique security challenges that each industry faces, and the tailored solutions required to address those issues. This is an area of interest to me, and lately I’ve been fascinated by the path that the insurance industry is carving out when it comes to cybersecurity. Today, I’ll discuss recent activity by the U.S. insurance industry and the ramifications and impact of these initiatives. In future weeks, I’ll offer my insights into how other industries are confronting rising security and compliance risks.
Users of Microsoft’s Windows operating system have grown accustomed to a regular, predictable cadence for patches—on the first Tuesday of every month.
Meet Jimmy. Jimmy is an employee in your company. He Does Things With Computers (official title).
Last Wednesday, as Jimmy got out of his car after parking in the company-owned parking lot, he saw something on the ground.
That “something” is a 512GB USB flash drive!
Jimmy picks up the drive, whistling to himself as he enters the office and settles down in his cubicle. At which point he plugs in his new, free USB flash drive. Without knowing it, Jimmy has just allowed targeted malware into your company’s network.
Next up, we have Zee, who has been working on an important new account. She has a presentation coming up after the holidays and wants to make a final few tweaks while she’s away from the office on vacation. On the Friday before she leaves, she plugs in her corporate-approved USB flash drive and copies over the presentation files, including the client’s information about their yet-to-be-registered patent ideas.
On Saturday at the airport, as she’s digging around in her bag for her plane tickets, she accidentally drops the USB drive with the Peterson account’s files. She doesn’t tell you – she doesn’t even realize she’s lost the drive.
A less-than-honest person swoops by and picks up the drive.
On Tuesday, you hear from the Peterson account – they’ve decided to go with another company that hasn’t had their files stolen and sold across the dark web.
These are pretty scary scenarios – but they are possible. So, how do you protect against these and similar attacks?
Windows Defender ATP to the rescue
Knowing that removable device usage is a concern for enterprise customers in both of these types of scenarios, we’ve worked on how removable devices can be protected with Windows Defender Advanced Threat Protection (Windows Defender ATP):
Prevent users from using removable devices (partially or fully)
Protect against malware infections that use USB devices to spread
Control how users can use removable devices (DLP)
Use advanced hunting queries to view and identify suspicious removable device activity
We recommend a layered approach for device control security, which incorporates multiple avenues of protection, including each of the above. In future blogs we’ll also talk about recent malware infections that use USB drives to spread, and dive deeper into how data loss prevention should be a part of your device control strategy.
Prevent users from using removable devices (partially/fully)
We know, unfortunately, that people will plug in devices with unknown history (and that there are also attackers out there who directly attempt to control devices without relying on social engineering). These devices could be the source of malware infections that use USB and other removable devices to get initial access to a system or network.
This vector of attack falls under social engineering – in this case, appealing to our weakness for “shiny things”: when we see a “free” item we’re inclined to take it, even if we don’t need it – it becomes shiny and exciting and precioussssess and we wantssesss it.
To help protect against these attacks, you can prevent any removable device from being seen and interacted with by blocking users from using any removable device on the machine.
To refine this control, Windows Defender ATP lets you block only certain, defined external devices on certain machines or for certain users.
You can use device hardware IDs to lock out (or enable) specific device types and device manufacturers. You’ll need to do some manual configuration with a DeviceInstallation policy that uses the IDs you specify, which you can read about at our documentation site. This way you can be more targeted, without blocking employees who need to use USB drives.
If you allow removable devices in your organization, it is recommended that you whitelist known good devices. For example, if your company buys only from a handful of device manufacturers, you can whitelist (allow) only those manufacturers.
Protect against malware infections that use USB devices to spread
After reducing which removable devices can be used in your company, you can also make sure that allowable removable storage drives that are connected are protected by Windows Defender Antivirus.
First, ensure that real-time scanning for USB devices is enabled, and then enable the Exploit Guard attack surface reduction rule that blocks untrusted and unsigned files on the removable device as soon as it’s connected.
If the device has direct memory access (DMA) capability (typically Thunderbolt devices), it can potentially be used to bypass the login and lock screen.
You can prevent this situation by blocking devices from having DMA until a user logs on.
This can be done in Intune by creating a Device Restrictions policy and setting the Direct Memory Access toggle to Block under the General settings category (as in the following screenshot), or with the DmaGuard MDM CSP policy.
View the device control support documentation for other Windows Defender scanning options (including scheduled scans and starting scans after a removable device is mounted) as well as other DMA protections.
Control how users can use removable devices (DLP)
Another angle within this range of defenses is data loss prevention (DLP). DLP seeks to prevent unintentional (and intentional) loss or theft of sensitive company information. A DLP solution should take a holistic approach across the multiple vectors or places where information can be improperly shared. We offer several DLP solutions; the two parts of DLP most relevant to removable devices are BitLocker (in particular, BitLocker To Go) and Windows Information Protection (WIP).
We’ll be publishing a blog in the new year that talks more about DLP solutions, but in this blog we’re going to focus on BitLocker and WIP as potential protections against the scenarios we started with.
You can require that files written to removable media are BitLocker protected through Intune configuration settings.
When you attempt to plug in a device that has been encrypted with BitLocker, any files added to the device are automatically encrypted. If someone then tries to access those files on that removable drive by plugging it into another, untrusted computer, they will be prompted to decrypt the removable drive. They won’t be able to do this without a recovery key, password, or smart card, which only company employees have.
With Windows Information Protection, users are prevented from copying sensitive information, and from running files that belong to unknown or untrusted apps. This means users that try to copy sensitive or confidential-marked materials will be prevented from doing so, and will be notified depending on the level of enforcement.
Use advanced hunting queries to view and identify suspicious removable device activity
On the flip side, however, it can be hard to know which devices you should actually block, and when and which users to prevent from using removable devices. For that reason you can deploy the protections above to specific Active Directory or Intune groups, restricting the controls to just those groups.
For example, you may have employees that should never need to use removable devices because their work is sensitive and shouldn’t be shared. However, you don’t want to prevent your creative, sales, and marketing teams from being able to easily share content briefs with external groups.
Going beyond these tactics though, you can use advanced hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously, as in the following example:
MiscEvents
// keep only plug-and-play device connection events
| where ActionType == "PnpDeviceConnected"
// AdditionalFields is a JSON string; expand it so its members can be projected
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription), DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime
// narrow to storage and USB device classes
| where ClassName contains "drive" or ClassName contains "usb"
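To show how the hunting query above combines with the manufacturer whitelist recommended earlier, here is an added example (not code from the original post or from Microsoft) that applies the same filtering steps to constructed PnpDeviceConnected rows and then flags connections whose USB vendor ID is not on an allow list. The event rows, computer names and the vendor IDs in the allow list are all constructed for illustration.

```python
import json
import re
from collections import defaultdict

ALLOWED_VENDOR_IDS = {"0781", "0951"}  # constructed allow list of USB vendor IDs (VID_xxxx), example values
VID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})")

def _ev(machine, name, ts, cls, desc, dev_id, vendor_ids, action="PnpDeviceConnected"):
    # A row shaped like MiscEvents: AdditionalFields is a JSON string, as parse_json() expects.
    fields = {"ClassName": cls, "DeviceDescription": desc, "DeviceId": dev_id, "VendorIds": vendor_ids}
    return {"ActionType": action, "MachineId": machine, "ComputerName": name,
            "EventTime": ts, "AdditionalFields": json.dumps(fields)}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    _ev("m-001", "WS-SALES-03", "2018-12-20T08:02:11Z", "USB", "USB Mass Storage Device",
        "USB\\VID_0781&PID_5583\\4C530001", "USB\\VID_0781&PID_5583&REV_0100"),
    _ev("m-002", "WS-FINANCE-07", "2018-12-20T09:15:40Z", "HIDClass", "USB Input Device",
        "USB\\VID_046D&PID_C31C\\6&1A2B3C", "USB\\VID_046D&PID_C31C&REV_6400"),
    _ev("m-002", "WS-FINANCE-07", "2018-12-20T09:16:02Z", "DiskDrive", "Disk drive",
        "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH\\7&ABCD", "USBSTOR\\DiskGENERIC_FLASH________0001"),
    _ev("m-003", "WS-HR-01", "2018-12-20T10:00:00Z", "USB", "USB Mass Storage Device",
        "USB\\VID_1234&PID_0001\\AA55", "USB\\VID_1234&PID_0001&REV_0001"),
    _ev("m-003", "WS-HR-01", "2018-12-20T10:01:00Z", "", "", "", "", action="ProcessCreated"),
]

def parse_pnp_events(events):
    """Mirror the hunting query: keep PnpDeviceConnected rows, expand AdditionalFields, keep drive/usb classes."""
    rows = []
    for ev in events:
        if ev.get("ActionType") != "PnpDeviceConnected":
            continue
        f = json.loads(ev.get("AdditionalFields") or "{}")
        cls = str(f.get("ClassName", ""))
        if "drive" in cls.lower() or "usb" in cls.lower():  # KQL 'contains' is case-insensitive
            rows.append({"ClassName": cls, "DeviceDescription": str(f.get("DeviceDescription", "")),
                         "DeviceId": str(f.get("DeviceId", "")), "VendorIds": str(f.get("VendorIds", "")),
                         "MachineId": ev["MachineId"], "ComputerName": ev["ComputerName"], "EventTime": ev["EventTime"]})
    return rows

def vendor_id(row):
    """USB vendor ID taken from the hardware IDs; None when none is present (e.g. a USBSTOR disk instance)."""
    m = VID_RE.search(row["VendorIds"]) or VID_RE.search(row["DeviceId"])
    return m.group(1).upper() if m else None

def unapproved_connections(events, allowed=ALLOWED_VENDOR_IDS):
    """Connections from vendors outside the allow list, grouped by computer; unknown vendors are flagged too."""
    hits = defaultdict(list)
    for row in parse_pnp_events(events):
        vid = vendor_id(row)
        if vid not in allowed:
            hits[row["ComputerName"]].append((row["EventTime"], row["DeviceDescription"], vid or "unknown"))
    return dict(hits)
```

The flagged computers are the ones whose users or hardware IDs are candidates for the DeviceInstallation policy and group-scoped restrictions discussed above.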
A subreddit dedicated to hacking and hackers. What we are about: constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security.
For a third time in four months, a security researcher announces a zero-day vulnerability in Microsoft Windows and provides exploit code that allows reading into unauthorized locations.
Join us for this webinar series starting on Wednesday January 16th at 1:00 EST
Learn the basics of post-exploitation from advanced infosec professionals
Join Carlos Perez (@darkoperator) as he shares some of the post-exploitation methodology used by TrustedSec security consultants performed during actual attack simulations. Each of the four individual webinars will focus on specific aspects that will build upon each other to give a complete picture of the post-exploitation process. New tools will also be released during each individual webinar.
Nothing in life is truly free. If you’re not paying to use a social platform in dollars, then you’re almost definitely paying for it with your personal data—a truism that’s never been more clear than this year, as damning reports around Facebook’s data sharing practices revealed how the platform abused its privacy privileges.
A security researcher with Twitter alias SandboxEscaper today released proof-of-concept (PoC) exploit for a new zero-day vulnerability affecting Microsoft’s Windows operating system.