Category: Detect

In today's world, cybersecurity is an ever-growing concern for businesses. With the rising threat of cyber threats and data breaches, it can be difficult for companies to keep up with the latest security technologies and stay ahead of the curve. Managed Security Services Providers (MSSPs) provide comprehensive security solutions to clients. They offer various services, from monitoring and threat intelligence to incident response. MSSPs are ideal for businesses looking for an all-in-one security solution tailored to their specific needs. MSSPs offer a wide range of services to help protect businesses from cyber threats. Here are some initiatives that MSSPs should consider when looking to help customers in 2023.

Making Zero Trust attainable

As the global landscape continues to test our resiliency, staying focused on a security-first mindset is critical. Organizations must consider the most significant risks and take a proactive approach to address cyber risk concerns. This means assessing the current state of their cybersecurity, understanding their attack surface, and rethinking their security strategy with a Zero Trust model. By taking a risk-based approach to vulnerability management, implementing cloud security measures, and developing third-party risk management solutions, organizations can ensure they are prepared to adapt to the ever-changing digital landscape and remain resilient in the face of cyber threats.

The traditional perimeter as we know it is no longer viable due to the shift to remote and hybrid working. To keep our networks secure, Zero Trust architecture is essential. Zero Trust reduces the risk of security breaches by authenticating and authorizing every person and system before granting access. Nowadays, the security industry is figuring out how to apply Zero Trust practically. Established companies are using the term Zero Trust in their product portfolios to capitalize on the opportunity. Ultimately, Zero Trust will become more prominent with measurable results.

Risk-Based vulnerability management

Managing vulnerabilities inside your environment are challenging. New attack vectors for threat actors to breach your network are identified daily. Organizationally, the attack surface is constantly changing due to IT device and platform lifecycle issues, changing operational priorities, and the adoption of emerging technologies. With every change comes the risk that a new flaw or configuration issue will provide a threat actor with the final link in their attack chain, resulting in an impact on your users, operations, and customers.

Your network is expanding in the traditional sense and with the ever-increasing role of endpoints, devices, and the Internet of Things. Each year you see the amount of data multiply exponentially, the threat of attacks become more sophisticated, and the challenge of minimizing risk and optimizing operations grow more challenging. It can feel like a never-ending battle, yet identifying, prioritizing, and managing vulnerabilities through remediation is not only possible—it can be simple.

Vulnerability management is an established function of information security, but with technology configurations constantly evolving and cloud and container infrastructure expanding, the complexities of vulnerability management persist. Today's best vulnerability management platforms have been designed with visibility, remediation automation, and improved vulnerability prioritization.

Vulnerability and patch management are essential for any organization, as is the need for risk reduction. With the right risk reduction strategy, organizations can improve their cyber resilience and reduce their risk. To help ensure that organizations keep their IT infrastructure up-to-date and secure, they should focus on strengthening the fundamentals of vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR). By implementing these strategies, organizations can reduce risk and improve security posture.

Security Mesh, Zero Trust, and SASE (Secure Access Service Edge)

These are three technology trends converging to allow organizations to consolidate and optimize their Zero Trust initiatives. Security Mesh provides a cloud-based fabric that enables organizations to connect to users, applications, and data in a secure and unified fashion. Zero Trust is a security model that eliminates the concept of trust assumptions based on internal network boundaries.

And SASE is a cloud-delivered service that combines network and security functions, including secure access, cloud security, and network security, into a single integrated solution. These technologies can be used together to reduce complexity and help organizations to implement their Zero Trust strategies quickly and effectively. By consolidating and optimizing Zero Trust initiatives, organizations can gain the security, agility, and scalability needed to accelerate their digital transformation.

The biggest challenge for SASE adoption is the split decision between networking and security components. While the two technologies have their strengths and weaknesses, their integration is the most critical factor for successful SASE deployments. Enterprises need to evaluate both solutions' performance, scalability, scalability, reliability, and cost to determine which is best suited for their needs. Additionally, at the same time, they need to consider the synergies between both solutions to make sure that the combination of them will yield the best results. The primary benefit of SASE is the integration of networking and security services, which simplifies the provisioning and maintenance of both solutions.

Additionally, the service provider can offer more tailored solutions to its customers, allowing them to customize their SASE deployments to meet their specific needs. This makes the solution more attractive to enterprises and increases the likelihood of adoption. Ultimately, the split decision between networking and security components is a challenge that SASE must overcome to remain relevant in the future. Enterprises need to weigh both solutions' pros and cons and ensure they invest in the right technologies. By doing so, they can ensure that they get the most out of their SASE deployments and guarantee that their solutions remain up-to-date and secure.

Cyber Resilience

As MSSPs look to offer a Cyber Resilience service that leverages expertise to enhance protection, detection, and response capabilities while driving an organization's ability to recover in the event of a malicious attack rapidly. MSSPs can help shift an organization's model from reactive to proactive, helping the team prepare for potential cyberattacks by implementing a resilience model. This end-to-end service capability helps reduces risk holistically and supports an organization's ability to identify, protect, detect, respond, and recover from malicious activity. Cyber Resilience service is a customized strategy to enhance your current people, processes, and technology based on comprehensive strategic and tactical evaluations across an enterprise.

The post Building blocks for Cyber resilience:  MSSPs can lead the way appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  

Most, if not all, industries are evolving on a digital level heading into 2023 as we take the journey to edge computing. But the automotive industry is experiencing technological innovation on another level. A rise in the production of connected vehicles, new autonomous features, and software that enables cars to self-park and self-drive are great examples of the digital evolution taking the automotive industry by storm. 

According to the AT&T 2022 Cybersecurity Insights (CSI) Report, 75% of organizations plan to implement edge security changes to help mitigate the kind of risks that affect cars, trucks, fleets, and other connected vehicles and their makers. And for a good reason.

These automotive features and advancements have offered cybercriminals an array of new opportunities when it comes to cyberattacks. There are several ways that threat actors are targeting the automotive industry, including tried and true methods and new attack vectors. 

In this article, you’ll learn about the top 8 cybersecurity threats facing the automotive industry heading into 2023 and what the industry can do to prevent threats. 

Automotive Cybersecurity threats

As autos increasingly come with connectivity features, remote threats are more likely. A recent report revealed that 82% of attacks against the automotive industry (including consumer vehicles, manufacturers, and dealerships) were carried out remotely. Plus, half of all vehicle thefts involved keyless entry. 

Automakers, dealers, and consumers play a role in automotive cybersecurity. But as the industry continues to adopt connected technologies, it will become increasingly important that organizations take a proactive approach to cybersecurity. 

When it comes to automotive threats, there are countless methods that hackers use to steal vehicles and driver information and cause problems with the vehicle’s functioning. 

Let’s explore the top 8 cybersecurity threats facing the automotive industry this year.

Keyless car theft

As one of the most prominent threats, keyless car theft is a major concern for the automotive industry. Key fobs today give car owners the ability to lock and unlock their doors by standing near their vehicle and even start their car without the need for a physical key. 

Autos enabled with keyless start and keyless entry are prone to man-in-the-middle attacks that can intercept the data connection between the car and the key fob itself. Hackers take advantage of these systems to bypass authentication protocols by tricking the components into thinking they are in proximity. Then the attacker can open the door and start the vehicle without triggering any alarms. 

EV charging station exploitation

Electric vehicles are becoming more popular as the globe transitions to environmental technologies. Charging stations allow EV owners to charge their vehicles in convenient locations such as public parking lots, parks, and even their own garages. 

When you charge an EV at a charging station, data transfers between the car, the charging station, and the company that owns the device. This data chain presents many ways threat actors can exploit an EV charging station. Malware, fraud, remote manipulation, and even disabling charging stations are all examples of ways hackers take advantage of EV infrastructure. 

Infotainment system attacks

Modern cars require over 100 million lines of code to operate. Most of that code goes into the vehicle’s firmware and software that allows navigation, USB, CarPlay, SOS functions, and more. These infotainment systems also provide criminals an open door to an automobile’s ECU, endangering lives and compromising control of the vehicle. 

There are many code vulnerabilities that manufacturers need to look out for, and as infotainment systems continue to become more complex and sophisticated, there will be even more vulnerabilities to uncover. 

Brute force network attack

Another common attack type that affects the automotive industry is the good old-fashioned brute force network attack. Many of the threats that face connected and automated vehicles and businesses in the automotive industry are similar to common cloud security threats, but that doesn’t make them any less damaging.

Brute force attacks are tried and true cyberattacks that target a network with the goal of cracking credentials. In the automotive industry, the brute force attack can have far-reaching impacts. Manufacturers, dealers, and owners can all become victims of this type of attack. When credentials become compromised, entire systems can easily become the target of sophisticated attacks that can end in faulty firmware, large-scale data leaks, and vehicle theft. 

Phishing attacks

Another way that hackers can obtain the credentials to enter a target network is through social engineering attacks such as phishing. The attacker will send automotive company employees an email where they pose as a trusted sender, complete with official-looking HTML and signature. Sometimes the attacker will ask for the credentials outright, but usually, attackers will place a link with malicious code in the email. 

When the receiver clicks the link, the malicious code is executed, and the cybercriminal can roam freely in the target system, access sensitive data, and perform further attacks from the inside. 

Compromised aftermarket devices

Insurance dongles, smartphones, and other third-party connected devices also pose a cybersecurity threat to the automotive industry. These aftermarket devices are connected directly to vehicle systems, offering hackers another way to launch an attack. 

This threat also leaves much to consider for those that want to buy a used car. Many people choose to sell or trade used cars through car dealerships, where consumers can find a deal on a previously owned vehicle. Connected devices can leave malware and backdoors in the auto’s system, putting the next owner at risk, too. 

Ransomware

Ransomware is one of the most pervasive threats in tech today. Unfortunately, the automotive industry is no exception. Ransomware is a significant threat to the vehicle industry, including OEMs, consumers, and dealers. 

A threat actor can hold an organization’s data hostage in exchange for a significant ransom. Without the right credit protection services, automotive businesses can find themselves in financial trouble. These attacks affect IT systems and operations and can cause expensive shutdowns.

Automotive supply chain attacks

The auto industry utilizes a complex supply chain to source the components that are used to build new vehicles, perform repairs, and provide services. This supply chain presents a huge risk to the industry, as each connected endpoint is a vulnerability waiting to happen. 

But supply chain attacks can trickle down to consumers as well. Updates containing malicious code can be pushed to connected cars, bad actors can compromise firmware, and malware can put supplier operations to a complete halt. 

How the industry can keep automotives secure

Cybersecurity should be a central goal throughout the automotive lifecycle. But it’s also important that automakers improve their cybersecurity expertise to monitor connected and automated vehicles on the road. 

The National Highway Traffic Safety Administration (NHTSA) recently released its recommended cybersecurity best practices for modern vehicles to help strengthen the underlying data architecture of vehicles and protect against potential attacks.

They say that the automotive industry should follow the cybersecurity framework from the National Institute of Standards and Technology (NIST) that focuses on five key functions: identify, protect, detect, respond, and recover. The NHTSA recommendations for vehicles are based on the NIST framework but written specifically for the automotive industry. 

And finally, the Federal Trade Commission (FTC) has also established regulations for connected and automated vehicles. Under the new Safeguards Rule, dealers are expected to meet cybersecurity compliance for their organizations and vehicles by June 2023. 

Final thoughts

Automotive manufacturers, sellers, consumers, suppliers, repairers, and all others in the industry play a critical role in improving the security of connected vehicles in 2023 and beyond. Learn more about how to defend your network from critical incidents. 

The post The top 8 Cybersecurity threats facing the automotive industry heading into 2023 appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Recent trends show that car dealerships are becoming a prime target for cyber-attacks, partly due to the rise in autonomous and connected vehicles. This is in addition to more traditional attacks such as phishing. Therefore, car dealerships are urged to take measures to improve their cybersecurity. 

Throughout this article, we will focus on how to protect your car dealership from cyber-attacks, from technological solutions to raising staff awareness, and more. 

Why are car dealerships being targeted by cybercriminals?

Car dealerships collect a significant amount of data which is often stored on-site. This data includes things such as names, addresses, email addresses, phone numbers, and perhaps more importantly, financial information such as bank details and social security numbers. Gaining access to this database can be very lucrative for criminals. 

According to the Second Annual Global State of Cybersecurity Report by CDK Global in late 2022, 15% of all auto dealerships surveyed sustained a cyberattack that year, with 85% of the incidents occurring due to phishing specifically. The report also found that as customers move to a more mobile environment, dealerships will need to secure their desktops and mobile devices to protect against potential cyberattacks.

A cybercriminal’s life is made much easier if a car dealership uses outdated IT infrastructure and lacks sufficient processes in terms of protecting employee login details. 

How are car dealerships vulnerable to cybersecurity attacks?

Before we discuss how to protect your car dealership from a cyber-attack, it is important to know what makes a car dealership vulnerable, and what sort of attacks it could be subjected to. 

• Open Wi-Fi Networks – Many car dealerships have open Wi-Fi networks for their customers to use freely. However, this provides an opportunity for hackers who can potentially access other areas of the network that store sensitive data.
   
• Malware – Malware is possibly the most likely form of cyber-attack, targeting individuals within your organization with malicious email attachments that execute software onto the victim’s device. This software can then grant the attacker remote access to the system.
   
• Phishing – Phishing emails are much more sophisticated than they used to be, appearing much more legitimate, and targeting individuals within the company. If an email seems suspicious or is from an unknown contact, then it is advised to avoid clicking any links.
   
• User error – Unfortunately, anyone working for the car dealership, even the owner, could pose a risk to security. Perhaps using lazy passwords, or not storing log-in details in a safe place. This is why cyber security training is now becoming mandatory at most businesses. 

The consequences of cyber-attacks on car dealerships

If a small-to-medium-sized car dealership is the victim of a cyber-attack, then it can have a much bigger impact than just a short-term financial loss. Some smaller businesses that suffer a data breach may go out of business after such an event, losing the trust of their customer base, and failing to recover from the financial impact.

Research suggests that most consumers would not purchase a car from a dealership that has had a security breach in the past. Failing to prevent a cyber-attack and a criminal from gaining access to customer information is extremely detrimental to a business’s public image. 

How to protect your car dealership from cyber-attacks

Regardless of whether you already have security measures in place, it is always advised to assess how they can be improved and constantly be on the lookout for vulnerabilities within the organization. 

In this section, we will discuss how to improve cybersecurity within a car dealership, breaking down the process into three key stages. 

Stage one – Implementing foundational security

Establishing strong foundational security is key to the long-term protection of your business. When creating your foundational security strategy you should focus on seven main areas.

1. User permissions 

Ensure administrative access is only provided to users who need it as granting unnecessary permissions to standard users creates numerous vulnerabilities. Ensure that only the IT administrator can install new software and access secure areas. 

2. Multi-factor authentication 

Multi-factor authentication means more than just a traditional username and password system. Once the log-in details have been entered, users will also need to enter a PIN that can be randomly generated on their mobile phone, or issued periodically by the administrator.

For added protection, you could also implement a zero-trust strategy. 

3. Data backup recovery processes

The effects of ransomware attacks can be sometimes avoided if important files are regularly backed up, such as each morning. Once stored, there should also be procedures in place to quickly restore this data to minimize any downtime. 

4. Firewalls and other security software

Many car dealerships continue to use older firewall software and outdated security services. Newer, next-generation firewalls offer much more protection, securing even the deepest areas of the network while being more effective at identifying threats. 

5. Endpoint protection 

The endpoint refers to a user’s mobile device or computer that may be targeted by attacks such as phishing emails. Endpoint protection can help secure these devices, identifying malware and preventing it from spreading to other parts of the network.

As part of modernization efforts, some businesses are choosing to protect their phone systems by using a cloud solution.

6. Email gateways

Similar to the above, email and web scanning software is essential to protect data and business operations. This can identify threats and warn the user to prevent them from opening malicious links or opening suspicious attachments. 

7. Email training

Many businesses test their workforce by sending fake phishing emails to see how employees respond. If the correct actions are not taken, then the individual can be given cyber security training to raise their awareness so that they take appropriate action in the future. 

Stage two – security processes

Once all of the above has been assessed and the necessary course of action has been taken, it is time to think about the critical security processes that need to be implemented. These are vulnerability management, incident response, and training. 

1. Vulnerability management 

Firstly, an inventory of your assets (software and devices) needs to take place so you know what needs to be protected. Once this has been done, all software should be checked to determine if it has been patched with the latest update. 

Finally, vulnerability scans should be run on a monthly or quarterly basis. This can be done via penetration testing or an internal network scan. 

2. Incident response

Policies should be drafted in the case of an incident or data breach so the correct course of action can be taken in terms of contacting the necessary parties. Numerous people should also be trained to respond to an incident should a key individual, such as the IT manager not be present. 

Network analysis needs to take place immediately after an incident, whether this is in-house or externally. This is necessary for insurance purposes.

3. Training

Cybersecurity and Acceptable Use policies need to be created so everyone knows what needs to be done in the event of a breach and what their responsibilities are. This can be combined with thorough security training to increase awareness. 

Stage three – ongoing security activities

To ensure your business is protected at all times, it is vital that your IT team is on top of things and you do not rest on automated tasks and policies. 

Key activities include:

• Using an encrypted email solution
• Employing a VPN for remote workers to encrypt the connection
• Mobile device security, management, and protection 
• On-going monitoring, risk assessments, and sticking to best practices

Protecting your car dealerships from Cyber-attacks – summary

According to October, 2022 research from CDK Global, car dealerships are being targeted by cybercriminals who see them as an opportunity to steal sensitive information and financial details. This can be done in multiple ways including phishing scams and malware.

To tackle this, car dealerships should focus on three key areas: the business’ foundational security, implementing security processes, and performing key security activities on an ongoing basis.

The post How to protect your car dealership from cyber-attacks appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. 

Executive summary

Since mid-June 2022, AT&T Managed Extended Detection and Response (MXDR) Security Operations Center (SOC) observed an enormous number of attacks from Mirai botnet-C2 attempting to gain access to SSH servers instead of Telnet.

Due to the various tactics, techniques, and procedures (TTP) observed, this attack has been associated with RapperBot botnet (Mirai variants.) RapperBot’s goal is still undefined.

According to the analysis that was published by FortiGuard Labs, while the majority of Mirai variants can naturally brute force Telnet servers that use default or weak passwords, RapperBot in particular scans and attempts to brute force SSH servers that are designed to require password authentication.

A large part of the malware is executing an SSH 2.0 client which is able to connect and brute force any SSH server using Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. A unique characteristic of brute forcing in RapperBot is the use of SSH-2.0-HELLOWORLD in order to identify itself to the targeted SSH server during the SSH Protocol Exchange phase.

One of the malicious Mirai botnet IP addresses had allowed network traffic with an asset in an organization over SSH port 22. After some data transferring, the session closed with the client-reset action. The MXDR SOC team quickly identified and recommended mitigation steps to prevent lateral movement and the attacker going further.

Initial alarm review

Indicators of Compromise (IOC)

The alarm initiated with the multiple Open Threat Exchange (OTX)  pulses (Miraibotnet-C2- CDIR Drop List) and an OTX indicator of a known malicious IP. There was network traffic between the known malicious IP and a public IP of an internal asset in an organization. The network traffic was over SSH port 22, and the security system (firewall) action was a deny. The security system (firewall) deny action was evidence of the auto-mitigation. In this case, auto-mitigation means the attack is prevented by firewall rules and threat intelligence by denying the connection from malicious IP.

However, further analysis of the events showed that the traffic was allowed from the malicious IP to another internal asset. In addition to this, there were signs of data transfer from source IP with “sentbyte=1560, rcvdbyte=2773, sentpkt=15, rcvdpkt=13”

** Risk mitigation in Cybersecurity is the reduction of the overall risk/impact of cyber-attacks. Detection, prevention, and remediation are three components of risk mitigation in cybersecurity.

Expanded investigation

Events search

After checking events associated with the alarm, the team always checks the environmental security to see if the malware had further penetrated the environment or attempted any lateral movement.

The team searched events by pivoting on the indicator IP, filtering the past 90 days of events, and the security system (firewall) allowed action types. It was determined that there were a few connections from malicious IP to different internal assets with the client-rst, server-rst, timeout, and closed events.

Client-rst – Session reset by client, Server-rst – Session reset by server

These are usually session end reasons that show who is sending TCP (Transmission Control Protocol) reset and the session terminates – so this does not mean that a security system (firewall) is blocking the traffic. It means after a session is started between client-to-server, it is terminated by (client or server), depending on who sent the TCP reset. Session-end results can be found in traffic logs.

The team suspected that the system might be compromised because the session was reset from the client side (which is the adversary side.) It was then observed that the session was closed (terminated) with a large amount of packet transmissions.

Event deep dive

After further examination of the allowed connections, the malicious IP showed traffic with the customer security system (firewall) over SSH port 22. SSH port 22 uses a TCP connection. Therefore, before transferring data  it needs to establish a reliable connection with the 3-way handshakes.

In order to handshake the header (first two packets), TCP uses approximately 24 bytes and for normal transmission of packet about 20 bytes. Establishing a reliable connection with 3-way handshake needs just three packets to be transmitted. Establishing a connection: ~ 128-136 bytes.

Another observation is that the sent and received bytes with the packet size are indicators of data transferring due to the packets and bytes being bigger than normal packets and bytes of TCP 3-way handshake. This is believed to be an indication of a payload or compromised credentials.

Rapperbots work like an SSH brute-forcing campaign. After it has gained access on a device, it sends its architecture to the C2 server – the device’s IP, and the credentials used. Then the adversary tries to load the main payload binary on the compromised device via binary downloader or software like ftpget, wget, curl, or tftp, that is installed on the device.

Reviewing for additional indicators

At this point, the attacker tried to get “Initial Access (tactic)” into the network by using “Exploit Public Facing Application” technique based on the Mitre Att&ck Framework.

Exploit Public Facing Application is a technique which is used by adversaries to take advantage of vulnerabilities/weaknesses in a program or internet facing computer to gain Initial access to a network. In this case, even though there was evidence of data transfer, evidence of payload or lateral movement activity were not seen.

Response

Building the investigation

An investigation was created by following the incident response process. The investigation included identifying the incident, finding the root cause of the incident and Indicators of compromise. Then we made recommendations to the customer on mitigation/remediation steps. We communicated with the customer to ensure necessary actions are executed. Recommended mitigation steps were:

• Blocking the malicious IP
• Disabling SSH password authentication (if possible)
• Changing passwords to stronger passwords for the device.

Incident response is an organizationed approach and process to manage cybersecurity breaches/incidents or cyberattacks. It includes multiple steps:

• Identifying an incident/attack
• Minimizing damage
• Eradicating the root cause
• Minimizing recovery cost and time
• Learning lessons from the incident
• Taking preventative action

According to the analysis that was published by FortiGuard Labs, Rapperbot developers improved their code to maintain persistence, which differentiates it from other Mirai variants. Even after rebooting infected assets or removing malware, intruders can continuously access infected assets via SSH. Therefore, rebooting the device or removing malware Is not a permanent mitigation option.

The Rapperbot’s primary threat is brute forcing the credentials of SSH. By disabling SSH password authentication (if possible), or changing passwords to stronger passwords for the device, the Rapperbot mitigation can easily be done.

Customer interaction

The customer wanted to be kept in the loop and informed if the attack continues.

Limitations and opportunities

Limitations

In this investigation, MXDR was unable able to see inside the transmitted packets. As a result of the lack of visibility into the network flows in the environment, MXDR has limited access to the customer environment. However, MXDR suspected the data transfer could include the main payload binary on the compromised device.

The post Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

A smart device is any device connected to the internet and can be controlled by a computer or smartphone. This includes devices such as home appliances, security cameras, thermostats, doorbells, lighting systems, and other connected gadgets.

Smart devices are becoming increasingly popular due to the convenience they offer. However, with this convenience comes a greater risk to your privacy.

When people talk about smart devices, what they are referring to more broadly is the internet of things (IoT) and its ability to connect all your devices together. This means that all the data collected by each device can be accessed and shared with other connected devices, potentially exposing personal information about you and your home life.

Here are 9 ways in which smart devices can compromise your privacy.

1. Location tracking

Many smart devices track and store users’ locations, which can be used to build detailed profiles of their activities. This data can then be sold to third parties without the user’s knowledge or consent.

This has become a major problem with smart devices such as fitness trackers and smartphones. If you’re not careful, your device could be sharing more data than you think. You might be under the impression that you’re in control of the data it collects, but this is not always the case.

2. Insecure Wi-Fi connections

Many smart devices use Wi-Fi to connect to the internet. This means it can be vulnerable to hackers if proper security protocols are not in place. Hackers can access your device, view sensitive data such as passwords, and even take control of it.

There have been instances of hackers hijacking smart devices via Wi-Fi connections and using them to launch cyber-attacks. This is especially true if you travel with smart devices like phones or laptops, as they may be connecting to unsecured Wi-Fi networks.

3. Vulnerable webcams

Smart devices often come with built-in cameras and microphones, which can be hacked into to gain access to audio and video recordings of the user. This has been a major issue in recent years with reports of “webcam hacking” becoming increasingly common.

It is increasingly common for people to have cameras in their doorbells, in their baby monitors, and even in their TVs. All of these can be hacked into if the user doesn’t take proper security measures.

For example, there have been instances where hackers have hijacked security cameras and used them to spy on unsuspecting users in their homes. This is an extreme case of a privacy violation that can be prevented with proper security measures.

4. Poorly secured cloud databases

Many smart devices store data such as pictures and videos in the cloud, meaning they are accessible from any device. However, this also leaves them vulnerable to hacking.

If the cloud service that stores your data is not properly secured, hackers can gain access to it and view, copy, or delete sensitive information. This could be anything from your banking details to private photos of you and your family.

5. Third-party app permissions

Many smart devices have a range of third-party apps that users can download. However, these apps often require access to certain permissions to work.

For example, an app might need permission to access your contacts or your location data. This means it can collect and share this information with other companies without the user’s knowledge or consent.

It’s important to read through the terms and conditions carefully before downloading any app, as it may be collecting more data than you think.

6. Data breaches

Smart devices often store data on servers located off-site. This means that if those servers are hacked, your data could be exposed to malicious actors. It is important to make sure your device is regularly updated with the latest security patches and that you are aware of any data breaches that could affect it.

As more and more people adopt smart tech, there is an increased risk of data breaches. Both companies and individuals must take extra steps to ensure the security of their customers’ data, or else they face serious consequences.

7. Unsecured Bluetooth connections

Many smart devices make use of Bluetooth technology to connect to other devices wirelessly. While this is convenient, it also leaves the device vulnerable to hackers. If a hacker can access your Bluetooth connection, they can gain access to the data stored on the device.

It is important to keep your Bluetooth connection secure by regularly changing the password and only pairing devices you trust. Additionally, it’s a good idea to periodically scan for any unauthorized connections.

8. Data mining

Many smart devices collect data about users’ habits and activities, which can then be used for targeted advertising or other commercial purposes. This means your device might be collecting more information about you than you realize.

It’s important to be aware of what data your device is collecting and who it is being shared with. You can also adjust the settings on your device to limit the amount of data that is being collected. Even if it's just for commercial purposes, you should know and be able to control what data is being collected.

9. Voice commands

Smart devices often come with voice-activated assistants such as Alexa and Google Home. These are designed to make our lives easier, but they can also be used to gather sensitive information about your home life.

When you speak to a voice assistant, your voice is stored on the company’s servers and could potentially be accessed by other parties without your knowledge or consent. What's more, a lot of people find it creepy that these devices can actually listen to what you are saying even if you are not giving direct commands to the smart device, which can be a huge privacy concern.

Conclusion

Smart devices can be a great addition to any home, but it is important to keep in mind the potential risks associated with them. From unsecured cloud storage and third-party app permissions to data mining and voice commands, there are many ways that these devices could compromise your privacy. By being aware of these potential risks and taking the necessary steps to protect your data, you can help ensure that your privacy remains safe.

The post 9 Ways smart devices can compromise your privacy appeared first on Cybersecurity Insiders.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's “redundant code injection mechanism” is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services such as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious.

Also, GuLoader has also been observed using JavaScript malware strain RATDispenser to drop the malware via a Base64-encoded VBScript dropper. This allows the malware to bypass security measures and gain access to infected systems.

About Perimeterwatch

The post GuLoader – a highly effective and versatile malware that can evade detection appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The world runs on data. That has always been true, but the power of data has perhaps never been greater than it is today. We live in the great age of information — where a seemingly infinite repository of knowledge lies at our fingertips.

But data is not, of course, only to be consumed for personal use. Indeed, the greatest impact of data is on the world of business. Data is the fuel that keeps the engines of enterprise humming.

The truth, though, is that businesses, on average, use less than half the data they accumulate. The rest is lost somewhere in the ether, where it becomes so-called “dark data” that puts your customers, your employees, and your company at risk.

What Is dark data?

One of the most significant challenges in dealing with dark data is that many business managers, even at the highest level, don’t know what it is or how to manage it. That’s a problem because all companies generate tremendous amounts of dark data simply while doing business each day.

Dark data refers to information collected through ordinary business transactions that does not serve a specific business function outside of the immediate transaction. It is information that is generated through ordinary business processes and remains even after its immediate purposes have been served.

This information might include customer email or mailing addresses, phone numbers, or purchase logs.

Because the data has no real business utility, it is often left forgotten, unorganized, and insecurely stored. And this is the true threat that dark data poses, because, even when it serves no legitimate function for your business, it can readily be exploited by bad actors for various cybercrimes, from identity theft to financial fraud.

Finding and identifying dark data 

Understanding that dark data exists and is a problem is a necessary but not sufficient step in mitigating the risk. It’s also imperative that business leaders understand where to find it, how to identify it, and what to do about it.

When it comes to finding, identifying, and managing dark data, your best strategy is going to be data mapping. With data mapping, you’ll be able to determine what data is being generated, when, how, and where. Tracing the sources of your data is often the first step in determining where it goes after it has been generated.

This, in turn, enables you to locate all the once-hidden information that has been lurking around your network, particularly in the cloud. And that means you will be better able to identify which data points have eluded your cloud data management processes and related controls.

Organizing and securing dark data in the cloud

After you’ve found and accurately identified the immense repository of dark data that is likely clogging your system (and potentially costing your company millions of dollars in storage fees each year), it’s time to get organized.

As we’ve seen, dark data can pose a significant risk to your network security and undermine your data security compliance. There is a great likelihood that much of this data is sensitive or private and should be secured but isn’t.

Organizing once “dark” data means subjecting it to rigorous analysis to understand exactly where the data should fall within the scope of your company’s system governance processes. The key is to ensure, for example, that you’re protecting your once hidden data from insider threats, such as access or exploitation by employees who do not possess the appropriate permissions.

Properly organizing your hidden data is also critical for installing an added layer of protection around your company’s sensitive information. For instance, cloud data storage, though providing significant security, is by no means invulnerable.

Cloud systems are at risk of data breaches unless proper procedures are instituted to limit access and amplify security. This might include measures to optimize cloud security such as the use of multifactor authentication processes or the encryption of the most sensitive of your now-organized dark data.

The takeaway

Dark data is an omnipresent but relatively little recognized threat to businesses, workers, and consumers today. It is the inevitable result of ordinary processes of doing business, and yet many business leaders, including highly trained tech specialists, do not know what it is or how to manage it.

Dark data is information that is generated through ordinary business transactions but that has no practical business utility beyond that immediate transaction. The data that result does not disappear, however. Rather, they linger and are often forgotten until they are found and exploited for nefarious purposes by bad actors. Learning to find, identify, and organize dark data, especially when it is stored in the cloud, is critical to protecting companies and consumers against a range of threats, including financial fraud and identity theft. 

The post Identifying and securing your business’s dark data assets in the cloud appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

A radius server uses a network protocol for remote user authentication and authorization. It is a client/server protocol that allows a remote user to access a network using a shared secret (usually a password). RADIUS servers are typically located on the perimeter of a network and use port 1812 (UDP) or 1645/1813 (TCP).

RADIUS was originally developed by Livingston Enterprises, Inc. in 1991. It is now an IETF standard (RFC 2865). The following are the most important things to know about RADIUS server authentication.

•  RADIUS is a remote authentication dial-in user service

It was developed to provide centralized authentication, authorization, and accounting management for networked devices such as routers and switches.

What does dial-in refer to here? Dial-in is a type of authentication that allows a user to connect to a network remotely using a phone line or other connection. RADIUS servers are used to manage user access to a network. They can be used to control who can access the network, what services they can use, and how much bandwidth they can consume.

•  RADIUS is an alternative to TACACS and is often used in conjunction with TACACS+ for authentication and authorization

The reason for this is that RADIUS is typically used for remote access, while TACACS+ is usually used for device administration. While both protocols can be used for both purposes, RADIUS is usually the preferred protocol for remote access.

•  A RADIUS server typically uses UDP port 1812 (or TCP port 1645/1813) to communicate with clients

RADIUS servers typically listen on UDP port 1812 (or TCP port 1645/1813). When a RADIUS client sends a request to the server, it includes the secret key in the request. The server uses this key to authenticate the client and authorize the request.

RADIUS is a client/server protocol, which means that each RADIUS client must have a corresponding RADIUS server. A RADIUS client is typically a network device such as a router or switch. A RADIUS server is a computer that runs the RADIUS software and manages user access to the network.

What this means is that for a user to be able to access the network, they must first authenticate with the RADIUS server. The RADIUS server then authorizes the user's access to the network and controls what services they can use.

•  RADIUS uses a client/server architecture

The RADIUS server is responsible for authenticating users and maintaining their account information, while the RADIUS client is typically a network device that forwards authentication requests to the server. The reason this distinction matters is that it allows the server to be centrally located and managed, while the clients can be distributed throughout the network. This architecture also makes it possible for the server to authenticate users against multiple databases, such as an LDAP server or a local file.

The implications of this are that if the server goes down, the entire network will be unavailable to users. This is why it is important to have redundant RADIUS servers in a production environment.

•  A RADIUS server can authenticate users against multiple databases

RADIUS supports multiple authentication methods, including PAP, CHAP, MS-CHAP, and EAP. PAP is the simplest authentication method and sends the username and password in clear text. CHAP encrypts the password but sends it over the network in plain text. MS-CHAP encrypts both the username and password. EAP is a more secure authentication method that uses digital certificates.

•  RADIUS uses UDP for transport

RADIUS uses UDP as its transport protocol. UDP is a connectionless protocol, which means that each packet is sent independently and does not require a connection to be established beforehand. This makes RADIUS very scalable, as it can support a large number of clients without requiring a lot of resources on the server.

It matters that RADIUS uses UDP for transport because UDP is a less reliable protocol than TCP. This means that RADIUS packets can be dropped or lost in transit. However, this is usually not a problem because RADIUS uses retransmission and error checking to ensure that packets are delivered reliably.

•  The RADIUS server must have a shared secret with the clients

The RADIUS server and clients must have a shared secret, which is used to encrypt and decrypt packets. This shared secret is typically a password or phrase that is known only to the server and clients. Without the shared secret, an attacker would not be able to read or modify the packets being exchanged between the server and clients.

•  RADIUS uses Access-Request and Access-Accept packets

When a client sends an authentication request to a RADIUS server, it does so using an Access-Request packet. The server then responds with an Access-Accept or Access-Reject packet, depending on whether the authentication was successful. If the authentication was successful, the server will also include an Access-Challenge packet, which contains a challenge that the client must answer to prove its identity.

•  RADIUS can be used for AAA

RADIUS can be used for AAA, which stands for Authentication, Authorization, and Accounting. Authentication is the process of verifying a user's identity, authorization is the process of determining what resources a user is allowed to access, and accounting is the process of tracking and billing for a user's usage.

AAA is a common security model that is used to control access to network resources.

•  RADIUS is standardized by the IETF

RADIUS is a standards-based protocol, which means that it is defined by an Internet Engineering Task Force (IETF) specification. The most recent version of the RADIUS specification is RFC 2865, which was published in June 2000.

•  RADIUS is commonly used by ISPs

RADIUS is commonly used by Internet service providers (ISPs) to authenticate and authorize users who are trying to access the internet. RADIUS is also used by corporate networks to authenticate and authorize users who are trying to access the network.

•  There are a few different RADIUS implementations

There are a few different RADIUS implementations, including FreeRADIUS, Microsoft NPS, and Cisco ACS. FreeRADIUS is the most popular open-source RADIUS server. Microsoft NPS is the RADIUS server included in Windows Server. Cisco ACS is a commercial RADIUS server from Cisco Systems.

Conclusion

These are the most important things to know about RADIUS server authentication. RADIUS is a critical part of many network security systems, and understanding how it works is essential for anyone who is responsible for managing a network.

The post RADIUS server authentication: Old but still relevant appeared first on Cybersecurity Insiders.

There is a possibility that artificial intelligence (AI) will have a significant influence, in either a good or bad direction, on cybersecurity. On the plus side, artificial intelligence (AI) can be used to automate and improve many parts of cybersecurity. AI can find and stop threats, find strange behavior, and look at network traffic, among other things. This might be a game-changer for the industry. On the other hand, artificial intelligence also creates new security holes and problems that must be fixed.

Processing massive volumes of data and seeing patterns that people would overlook are two of the primary advantages that artificial intelligence brings to the field of cybersecurity. This could be especially helpful for finding attacks like zero-day vulnerabilities and advanced persistent threats that are hard to see with standard security systems. Traditional security systems have a hard time spotting these kinds of threats. AI-driven systems can monitor network traffic in real-time and spot any strange behavior. This enables enterprises to take prompt action to thwart assaults.

AI could also be used to automate a lot of the day-to-day tasks that have to do with cybersecurity. This frees human analysts to work on more challenging and complex jobs. Because of this, businesses can make their security activities more effective and efficient. AI may be used, for instance, to monitor social media and other online sources for signs of possible danger. Some signs point to a new vulnerability or use dangerous hashtags on social media.

Still, bad things could happen when AI is used in cybersecurity. One cause for worry is the possibility that adversaries would use AI systems to carry out assaults that are both more complex and more precisely targeted. AI can, for example, make phishing emails that look real, find security holes automatically, and use them.

Another worry is that people with malicious intent might be able to take over or control AI-driven systems in some other way. If an AI system is hacked, it could use the security hole to get around security measures and get private information. This could have terrible consequences, such as confidential information theft or critical system failure.

Another worry is that AI-driven systems might come to the wrong conclusions or make mistakes when making decisions. For example, an AI system might mistakenly label a harmless file as malware, which could cause false positives and stop a business from running. On the other hand, an AI system can miss a real danger, resulting in a security breach.

To deal with these problems effectively, businesses must consider the risks and benefits of using AI in their cybersecurity efforts. This could mean putting in place extra security measures to protect AI systems and data and testing and updating these systems regularly to ensure they work as they should and are up to date.

Using AI raises several critical ethical questions and technological factors that need to be addressed regarding cybersecurity. For example, if artificial intelligence (AI) systems are trained on data that isn't representative of the whole population, they may have biases built in. This may result in some groups being unfairly treated. Organizations need to be aware of these problems and take steps to reduce the chances that they will have harmful effects.

It is expected that the use of artificial intelligence (AI) in cybersecurity will have a large and varied effect. AI has the potential to make security much better, but it also brings up new problems and risks that need to be handled with great care. By taking a comprehensive and proactive approach to AI and cybersecurity, organizations can ensure they are ready to control the changing threat environment and protect themselves from a wide range of threats. This strategy can protect against a wide range of attacks.

The post AI and Cybersecurity: Some observational implications of the intersection between the two appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In today's digital age, a business website is essential for success. Not only does it provide potential customers with information about your products or services, but it also allows you to connect and engage with them directly.

However, simply having a website is not enough. To ensure that your site is effective and safe, you need to make sure that it has all the necessary security features. In this article, we will discuss twelve security features that every business website must have.

1. Enable auto-update for plugins and software

One of the simplest but most effective security measures you can take, especially if you’re looking to protect your WordPress site, is to ensure that all your plugins and software are up-to-date. Outdated software is one of the most common ways that attackers gain access to websites. By keeping everything up to date, you can help to prevent vulnerabilities from being exploited.

You can usually enable auto-updates for most plugins and software from within their settings menu. For WordPress sites, there is also a plugin called Easy Updates Manager that can help you to keep everything up to date with ease.

2.  Have a strong password policy

A strong password policy is the first step to protecting your website from malicious actors. By requiring strong and unique passwords, you can make it significantly more difficult for attackers to gain access to your site. You need to ensure that your website's backend is well protected and that only authorized users have access. To do this, you should consider using a password manager to generate and store strong passwords for your site. You should not be using the same password for multiple sites.

3. Use two-factor authentication

Two-factor authentication (2FA) is an important security measure that you should consider implementing for your website. 2FA adds an extra layer of security by requiring users to provide two pieces of information before they can access your site. This could include a password and a one-time code that is generated by an app on your phone. 2FA can help to prevent attackers from gaining access to your site, even if they have your password.

4. Use a secure socket layer (SSL) certificate

An SSL certificate is a must-have for any website that wants to protect their users' information. SSL encrypts the communications between your website and your users' web browsers. This means that even if an attacker was able to intercept the communication, they would not be able to read it. SSL also provides authentication, which means you can be sure that your users are communicating with the intended website and not a fake site set up by an attacker.

Increasingly, having things like HTTPS and an SSL certificate are part of Google's ranking metrics and will help your website's SEO. If you aren't trying to protect your visitors and users (the people who give you their sensitive credit card information), they may take their business elsewhere.

5. Use a web application firewall (WAF)

A web application firewall (WAF) is a piece of software that sits between your website and the internet. It filters traffic to your site and blocks any requests that it considers to be malicious. WAFs can be very effective at stopping attacks such as SQL injection (SQLi) and cross-site scripting (XSS).

6. Use intrusion detection and prevention systems (IDPS)

Intrusion detection and prevention systems (IDPS) are designed to detect and prevent attacks on your website. IDPS systems can be either host-based or network-based. Host-based IDPSs are installed on the servers that host your website. They monitor traffic to and from the server and can detect and block attacks. Network-based IDPSs are installed on your network and monitor traffic to and from your website. Both types of IDPS can be effective at stopping attacks, but they have different strengths and weaknesses.

7. Do security logging and monitoring

Security logging and monitoring are a critical security measures for any website. By logging all activity on your site, you can track down any malicious activity and take appropriate action. You should also monitor your logs regularly to look for any unusual activity.

8. Use a secure hosting environment

A secure hosting environment is essential for any website. Your host should provide a secure server with up-to-date security patches. They should also have experience in hosting websites and be able to provide you with expert support if you need it. Things like DDoS protection and backups are also important considerations. Denial of service attacks are on the rise, and website owners need to be prepared. Your hosting provider and the measures they take to protect you make a difference.

9. Perform regular security scans

Regular security scans are a vital part of website security. Scans can help you to identify vulnerabilities on your site so that you can fix them before they are exploited by attackers. There are many different types of security scans, such as web application scans, network scans, and malware scans.

10. Perform malware scanning and remove malware

Malware is a serious threat to any website. Malicious code can be used to steal sensitive information, deface your site, or even take it offline. It's important to regularly scan your website for malware and remove any that is found.

11. Protect against spam

Spam is a major problem for many websites. It can clog up your comment sections, contact forms, and even your website's database. There are several ways to combat spam, such as using CAPTCHA codes and requiring registration for comments. Akismet is a popular WordPress plugin that does an excellent job of stopping spam.

12. Train your employees

One of the most important security measures you can take is to educate your employees about website security. They should know how to spot a phishing email, what to do if they suspect their computer has been infected with malware, and how to keep their passwords secure. You should also have a clear policy in place for what to do in the event of a security breach.

Conclusion

There are many security measures that every website should take. By implementing these measures, you can help to protect your site from attack and keep your data safe. Additionally, it's important to educate your employees about website security and have a clear policy in place for dealing with security breaches.

The post 12 ways to improve your website security appeared first on Cybersecurity Insiders.