D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges

Taiwanese networking equipment manufacturer D-Link has agreed to implement a “comprehensive software security program” in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn’t take adequate steps to protect its consumers from hackers.

Your wireless router is the first line of defense against potential threats on the Internet.

However, sadly, most widely used routers fail to offer the necessary security features and have often been found vulnerable to serious security flaws, eventually enabling remote attackers to gain unauthorized access to networks and compromise the security of other devices connected to them.

In recent years, the security of wireless networks has become more of a hot topic due to cyber attacks, and has gained headlines after the discovery of critical vulnerabilities, such as authentication bypass, remote code execution, hard-coded login credentials, and information disclosure, in routers manufactured by various brands.

In 2017, the US Federal Trade Commission (FTC) filed a lawsuit against D-Link, one of the more popular router manufacturers, over the poor security of its wireless routers, IP cameras, and other Internet-connected devices.

According to the FTC complaint, D-Link allegedly misrepresented the security of its products to its customers, didn’t adequately test its products for well-known and easy-to-fix security flaws, and also failed to secure devices when security vulnerabilities were reported by independent security researchers.

“Defendants D-Link repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well known and easily preventable software security flaws,” the FTC complaint says. “In truth and in fact, Defendants did not take reasonable steps to secure their products from unauthorized access.”

In 2015, D-Link also accidentally published its private code signing keys on the Internet, which could have allowed hackers to sign their malware and evade detection.

On Tuesday, the FTC published [PDF] an “amicable” settlement which says D-Link is required to follow proper security planning, threat modeling, vulnerability testing, and remediation before its routers and IP cameras hit the market.

The deal also makes it mandatory for the company to monitor its products for security flaws, automatically update firmware, and set up a system to accept vulnerability reports from security researchers.

Besides this, D-Link has also agreed to undergo security audits of its software security program every other year for the next 10 years by an independent third-party assessor approved by the FTC.

In a press release, D-Link claims the FTC has not found the company liable for any alleged violations, but ironically the company has reached an amicable resolution with the FTC, as mentioned above.

The FTC settled similar charges with ASUS over the security of its routers in 2016, when the company agreed to undergo independent security audits every 2 years for the next 20 years.

Read the Full Article here: >The Hacker News [ THN ]

China’s Border Guards Secretly Installing Spyware App on Tourists’ Phones

Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed.

Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.

The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.

According to a joint investigation by the New York Times, the Guardian, Süddeutsche Zeitung and others, the surveillance app has been designed to instantly extract emails, texts, calendar entries, call records and contacts and to upload them, insecurely, to a local server set up at the checkpoint only.

This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.

The spyware, called Feng Cai (蜂采) or BXAQ, also scans infected Android devices for over 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions, and images of executions.

Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.

The app can be installed directly on Android phones, but for tourists, journalists, and other foreigners using Apple devices, the border guards reportedly connect their phones to a hardware-based device that is believed to install similar spyware.

According to researchers at German cybersecurity firm Cure53, who analyzed [PDF] a sample of the surveillance app, the names that appear in the Feng Cai app’s source code suggest that the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.

“The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall,” the researchers said.

However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a Chinese researcher at Human Rights Watch, told NY Times. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

It’s not the first time that Chinese authorities have been caught using spyware to keep tabs on people in the Xinjiang region, where this kind of intensive surveillance is very common. However, it is the first time that tourists are believed to have been the primary target.

In 2017, Chinese authorities also forced Xinjiang residents to install a similar spyware app, called Jingwang, on their mobile devices, intended to prevent them from accessing terrorist information.

Read the Full Article here: >The Hacker News [ THN ]

The art and science of password hashing

The recent Flipboard breach shines a spotlight again on password security and the need for organizations to be more vigilant. Password storage is a critical area where companies must take steps to ensure they don’t leave themselves and their customer data vulnerable.

Storing passwords in plaintext is recognized as a major cybersecurity blunder. Despite this, many companies, including Facebook and Google, have committed this faux pas. When hackers gain access to a plaintext password database, they have access to all the user accounts in that system, and often, because passwords are reused, the breach creates a domino effect for other organizations.

Why password hashing is essential

Password hashing, where companies encode passwords using a mathematical algorithm, has long been touted as the answer to this problem. Hashing is a one-way cryptographic transformation of a password, turning it into another string, called the hashed password.

When a user chooses a new password, the password is passed through a chosen hash algorithm that performs a mathematical transformation on it, creating a hash value. This hash value is typically represented in hexadecimal format.

This hash is the only thing that is stored for the user’s password. Since the hash algorithm only works in one direction, it’s infeasible to back out the original password using just the hash value (there are other ways to deduce the original password from the hash, but more on that in a minute).

The general idea is that storing hashes rather than plaintext passwords significantly reduces the possibility that a hacker could retrieve all of the passwords in the system, even if they gain access to the database.

Later, when the user logs in and we must verify that they entered the correct password, the same process is performed again: the entered password is hashed using the same algorithm and the result is compared to the stored hash. If they match, the user is allowed access.

It’s critical to understand the different approaches to password hashing, as not all hashing algorithms are created equal.

Hashing 101

Hashing algorithms take an input of any length and return an output of fixed length. This output will look nothing like the original password. While it may seem like the algorithm is pumping out a random number, it is actually a deterministic process: a mathematical formula and hashing table decide which symbols in the input will become which symbols in the output. Hackers cannot directly turn a hashed value back into the password, but they can find the password by continually hashing candidate passwords until they find one whose hash matches. This is referred to as a brute-force attack.

With enough time and access to hashing tables, a hacker could reverse engineer a password, which is where salting comes in. For example, they will already know the hashes of the most common passwords, such as “Password1” or “qwerty,” by using a rainbow table, which lists common passwords alongside their corresponding hashes. This works because, without any additional security, the same password input produces the same hash output every time.

To protect passwords further, some random characters, called a salt, are added to the end of the user’s password before hashing, producing a completely different hash output.

Hashing algorithms

SHA-256 hash – With cryptographic hashing algorithms, similar inputs produce vastly different outputs. Changing even one character of the input to SHA-256 produces an entirely different hash. This makes it much more difficult for hackers to reverse engineer the input values from the output values. SHA-256 is, for example, the hashing algorithm used by the Bitcoin cryptocurrency.

MD5 (Message Digest Algorithm) – MD5 is a cryptographic hash algorithm that always produces a 128-bit output (typically expressed as a 32-digit hexadecimal number) no matter the length of the input. It was one of the most widely used hashing algorithms but is no longer recommended. MD5 is not collision resistant, meaning different inputs can produce the same hash, which makes it a poor cryptographic hash function.

MD5’s downfall when it comes to passwords was that it was too fast and too popular. Because thousands of candidate inputs can be tested quickly, brute-force attacks are more likely to succeed, and the popularity of the function makes it attractive to hackers. Today you can find the input to an MD5 hash in seconds by Googling it. Since many businesses already use MD5, they have taken to adding a salt to it, creating a salted MD5 output.

MD5Crypt – MD5Crypt added extra functionality to MD5 to make it more resistant to brute-force attacks. However, in 2012, the author of MD5Crypt, Poul-Henning Kamp, declared it insecure due to the speed of modern hardware.

SHA-1 – SHA-1 suffers from many of the same problems as MD5: it is very fast, it has also suffered collision attacks, and it is now considered unsafe. Faster computation means faster brute-force attacks, making SHA-1 inherently insecure for storing passwords.

BCrypt – Unlike SHA-1 and MD5, bcrypt is intentionally slow, which is a good thing for password security because it limits an attacker’s ability to mount successful brute-force attacks. A key property of a password hash is that it is one-way: it should be easy to go from the input to the output, but infeasible to find the input from the output. A deliberately slow hash function makes cracking the hashes much harder, because each guess is time-consuming and uses a lot of computing power.
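A worked illustration of the two sections above (added here; not code from the article): an unsalted SHA-256 database falls to a single precomputed lookup table, per-user salts force an attacker to re-hash every candidate for every user, and a deliberately slow, salted derivation raises the cost of each guess. It uses the standard library’s PBKDF2 as the slow function because bcrypt is not in the standard library; the password list and user database are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a rainbow table: a real table holds
# billions of (hash, password) pairs, but the effect is the same.
COMMON_PASSWORDS = ["Password1", "qwerty", "123456", "letmein", "iloveyou"]


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256: the same password always yields the same hex digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against every unsalted database."""
    return {unsalted_sha256(p): p for p in candidates}


def crack_unsalted(db, table):
    """db maps username -> unsalted digest. One dictionary lookup per user and
    no hashing at all: this is the rainbow-table attack the article describes."""
    return {user: table[digest] for user, digest in db.items() if digest in table}


def salted_sha256(password: str, salt: bytes) -> str:
    """Salt appended to the password, as the article describes, before hashing."""
    return hashlib.sha256(password.encode("utf-8") + salt).hexdigest()


def crack_salted(db, candidates):
    """db maps username -> (salt_hex, digest). The precomputed table is useless;
    every candidate must be re-hashed with each user's own salt. Returns the
    recovered passwords and the number of hash computations spent."""
    recovered, work = {}, 0
    for user, (salt_hex, digest) in db.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in candidates:
            work += 1
            if hmac.compare_digest(salted_sha256(candidate, salt), digest):
                recovered[user] = candidate
                break
    return recovered, work


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a fresh random salt plus a deliberately slow PBKDF2-HMAC-SHA256
    digest. PBKDF2 stands in for bcrypt here because it ships with Python;
    the principle (a tunable cost per guess) is the same."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    users = {"alice": "Password1", "bob": "letmein", "carol": "Tr0ub4dor&3"}

    unsalted_db = {u: unsalted_sha256(p) for u, p in users.items()}
    print("unsalted, recovered by lookup:", crack_unsalted(unsalted_db, table))

    salted_db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        salted_db[u] = (salt.hex(), salted_sha256(p, salt))
    recovered, work = crack_salted(salted_db, COMMON_PASSWORDS)
    print("salted, recovered:", recovered, "after", work, "hash computations")

    record = make_record("correct horse battery staple")
    print("slow verify:", verify("correct horse battery staple", record),
          verify("wrong password", record))
```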

Companies must remain vigilant so that their customer data is not vulnerable. With hashing, there are many different options available; however, it’s vital to recognize that not all hashing algorithms are equal. Some can be cracked with very little time and effort, others require a lot more energy and time to crack.

Hashing is a critical component of password security, but it requires a nuanced approach to protect customer data. Organizations must ensure that their password hashing strategy uses robust, modern algorithms that make it almost impossible for hackers to reverse the hashing and read passwords in plain text. By taking a proactive approach, companies can reduce the risk of breaches and of hackers gaining access to valuable customer data.

Read the Full Article here: >Help Net Security – News

AppTrana — Website Security Solution That Actually Works

Data loss and theft continue to rise, and hardly a day goes by without a significant data breach hitting the headlines.

In January 2019 alone, 1.76 billion records were leaked, and according to IBM’s Data Breach study, the average cost of each lost or stolen record has reached about $148.

Most of these data leaks are the result of malicious attacks, and exploitation of web application vulnerabilities is one of the most common cyber attack vectors.

An application security breach is a problem facing everyone; no matter the size of your company, your web applications are prone to cyber attacks.

Hackers breach sites for a variety of reasons: some do it for fame, some to get competitive information, and some purely for financial gain. Whatever the reason, the cost of a security breach is always higher than the cost of protection, leading to loss of data, substantial financial losses, and, most importantly, loss of customers’ trust.

If you are a small or mid-size company beginning to make your mark, such data breaches can be fatal.

What is more worrisome is that the cost and extent of data breaches are growing exponentially year on year, and all this points to the existing solutions being ineffective.

When it comes to application security, a WAF (Web Application Firewall) is one of the best-known defences.

Most existing solutions fail to protect your organization from such attacks because they take a “one size fits all”, cookie-cutter approach: a WAF generally comes with standard out-of-the-box rules that do not reflect the specific application’s needs.

The perils of such an approach are:

  • There is very little understanding of the application context, so vulnerabilities specific to the application that hackers can exploit are left unprotected. As the saying goes, security is only as good as the weakest link.
  • Most scanners are ineffective against single-page, JavaScript-heavy sites. Moreover, business logic vulnerabilities can only be found through pen-testing. Results imported from such scanners are therefore inadequate, and most often the WAF does not accurately identify the protection posture.
  • Out-of-the-box rules are good in an ideal scenario. But, as in life, real-world applications are far from ideal, leading to many false positives and false negatives and making the solution ineffective.
  • Proper implementation of a WAF requires tuning the standard rules to meet application-specific needs, but unfortunately this needs a lot of expertise and time, which are not easy to find.

All this leads to poor website security implementations in which the real vulnerabilities remain undetected, and the WAF is more often deployed in monitor mode for fear of false positives.

AppTrana is Indusface’s revolutionary solution that has been built specifically to address such shortcomings in existing cloud security solutions.

AppTrana provides a completely managed, highly reliable, extremely affordable SaaS solution for securing web applications.

With AppTrana, organizations can get:

  • Protection within minutes, with zero downtime during the entire transition,
  • Access to highly scalable, PCI-compliant infrastructure for their web application security that scales seamlessly to terabytes of data with no configuration required from the customer side,
  • The ability to detect vulnerabilities, protect against them instantly through virtual patches created by experts, and get round-the-clock visibility into their risk posture through the integrated AppTrana portal,
  • Round-the-clock, expert-monitored protection for the site against sophisticated DDoS attacks, and
  • An integrated CDN that ensures customers are not forced to choose between speed and security.

Using AppTrana, organizations can concentrate on business without worrying about security, speed, and availability of their website.

The Approach

Indusface approaches the problem of application security differently from traditional vendors.

With AppTrana, organizations can identify the vulnerabilities in the application through its automated and premium (manual penetration testing done by experts) scans. This guarantees that an organization understands the risk posture of their application upfront.

AppTrana’s advanced scanner works seamlessly with new-age, JavaScript-heavy sites and is built from the bottom up with WAF integration in mind, giving it the ability to learn from WAF traffic insights as well as to feed the vulnerability status back to the WAF for protection.

AppTrana enables organizations to provide immediate website protection through virtual patching with its WAF module.

For this, AppTrana provides:

  • Advance Rules – Rules written by security experts that come with a zero false-positive guarantee.
  • Premium Rules – Complex rules for enhanced protection, which may generate some false positives depending on the particular application’s design and behavior. These are applied in log mode, monitored, and tuned to ensure zero false positives for an application before being put in block mode.
  • Custom Rules – Application-specific rules written by security experts on customer request, with a zero false-positive guarantee.

With this approach, AppTrana ensures that security is tuned to meet specific application needs, guaranteeing zero false positives.

Also, AppTrana provides around-the-clock monitoring and expert support to mitigate sophisticated application DDoS attacks, ensuring the availability of your site.

A typical customer journey looks as follows:

With the tightly integrated WAF and Scanner modules, AppTrana ensures that there is constant learning, which is shared across both, improving the efficacy of detection and protection.

For example, deep learning in WAF allows AppTrana to provide a context of application to the scanner that ensures better crawling and detection.

Such integration gives AppTrana an unfair advantage that allows Indusface to provide superior protection to its customers.

Plans

You can choose any of the plans listed below to start the AppTrana journey.

  • Basic Plan – Free for life. Get started by identifying the risk posture of your site through AppTrana’s automated scanner.
  • Advance Plan – $99/month with a 14-day free trial. Get started with immediate protection against the vulnerabilities detected.
  • Premium Plan – $399/month for complete AppTrana protection. It comes with one premium scan every 12 months and unlimited custom rules.

Getting Started

If your organization is interested, you can sign up for AppTrana protection at any point at apptrana.com, and the entire onboarding can be done with zero downtime.

You will be asked to provide the domain you would like to protect and then to verify the configuration; you can enable the CDN now or do so later from the settings page.

Next, you will be asked to provide your SSL certificate, which is required to decrypt and monitor HTTPS traffic for attacks. Indusface assures that the certificate is encrypted and stored securely, and that no one in the company has direct access to customer certificates.

Alternatively, your organization can choose to use a free Let’s Encrypt certificate, in which case AppTrana will automatically generate the certificate for the domain and the organization need not provide one.

Your organization can also choose to buy an Entrust certificate from Indusface.

That’s it. Now you will be asked to make a CNAME change to divert traffic to the AppTrana infrastructure; onboarding will then be complete, and protection will start immediately.

The Journey

The customer’s journey starts from the point they make their DNS change. Once protection starts, a few things happen:

  • The site gets immediate protection with Advance Rules that are fine-tuned to avoid any false positives. DDoS protection is also enabled.
  • A request is sent to Indusface’s Managed Service team to monitor traffic.
  • An automated scan of the site starts, which helps AppTrana identify the website’s risk posture. The scan generally takes a few hours to complete, depending on the complexity of the site. If the customer wants an authenticated scan, they can configure it from the settings page.
  • Once the scan is complete, customers receive a risk profile email telling them how many vulnerabilities that matter were found. Customers can view further details by logging in to the portal.
  • This page lists all the vulnerabilities that have been detected and their protection status, based on which customers can take further action, such as requesting a custom rule; the request goes to Indusface’s managed service team, which creates specific rules for the site.
  • Customers can also have a manual pen-testing audit done, which they can request from the detect page. If requested, Indusface’s security experts will reach out to the customer, understand their needs, and perform a manual audit to find vulnerabilities that automated scanners cannot. It generally takes 3-4 weeks for the experts to complete the audit and publish the report. Once the report is published, the vulnerabilities found show up on the detect page, and customers can request a custom rule as needed.
  • Meanwhile, the company’s managed service team monitors the traffic for 14 days and moves the site to Premium Rules after making the necessary adjustments.

Once the site has been moved to the Premium Rules, manual penetration testing is done, and all vulnerabilities are protected, the onboarding journey is complete and the site is fully secured.

As you can see, the entire journey is managed by the Indusface team as promised, and very little activity is expected from customers except requesting certain actions based on their needs.

Continuous Monitoring

Now the site moves to a continuous monitoring state. Rules are fine-tuned continuously by Indusface’s Managed Service team as needed, and additional rules are added continuously by the Indusface team without any action required from customers.

Customers are encouraged to start automated scans at least once a month to be up to date on their Risk profile.

Even if no changes are made to the site, new signatures are added to the scanner continuously, so there is a high probability that new vulnerabilities may be found. Customers can monitor the effectiveness of rules from the Protect page.

Being a completely managed solution, the Indusface team is always on standby 24x7 to help its customers thwart sophisticated Layer 7 DDoS attacks as the need arises.

Conclusion

If you are an SME or MSE looking for an application security solution that works, you need not look further.

With tightly integrated scanner, WAF, and CDN modules, AppTrana is one of the effective solutions in the industry that can guarantee comprehensive protection.

The features explained here are just the tip of the iceberg. We would strongly urge you to sign up for a free trial and explore AppTrana’s capabilities firsthand.

Start with the AppTrana free trial now, and for additional information, check out the whitepaper section.

Read the Full Article here: >The Hacker News [ THN ]

Google Releases Basic Homomorphic Encryption Tool

Google has released an open-source cryptographic tool: Private Join and Compute. From a Wired article:

Private Join and Compute uses a 1970s methodology known as "commutative encryption" to allow data in the data sets to be encrypted with multiple keys, without it mattering which order the keys are used in. This is helpful for multiparty computation, where you need to apply and later peel away multiple layers of encryption without affecting the computations performed on the encrypted data. Crucially, Private Join and Compute also uses methods first developed in the ’90s that enable a system to combine two encrypted data sets, determine what they have in common, and then perform mathematical computations directly on this encrypted, unreadable data through a technique called homomorphic encryption.

True homomorphic encryption isn’t possible, and my guess is that it will never be feasible for most applications. But limited application tricks like this have been around for decades, and sometimes they’re useful.

Boing Boing article.
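The commutative-encryption step quoted above, as an added illustration (not Google’s Private Join and Compute code): each party raises hashed identifiers to its own secret exponent in a multiplicative group, so applying both keys in either order yields the same value, and two double-encrypted lists can be matched without either side seeing the other’s plaintext. It assumes a toy 127-bit Mersenne prime modulus (far too small for real use; a real deployment would use an elliptic curve group) and shows only the intersection step, not the homomorphic sum.

```python
import hashlib
import math
import secrets

# Toy group: the multiplicative group of integers mod the Mersenne prime 2^127 - 1.
# Constructed for illustration only; real deployments use an elliptic curve group.
# The algebra shown here is the same.
P = (1 << 127) - 1


def hash_to_group(item: str) -> int:
    """Map an identifier to a group element in [2, P-2] (toy hash-to-group)."""
    h = int.from_bytes(hashlib.sha256(item.encode("utf-8")).digest(), "big")
    return 2 + h % (P - 3)


def new_key() -> int:
    """Secret exponent coprime to P-1, so that x -> x^key mod P is a permutation."""
    while True:
        k = secrets.randbelow(P - 2) + 1
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(x: int, key: int) -> int:
    """Pohlig-Hellman style commutative encryption: (x^a)^b == (x^b)^a mod P."""
    return pow(x, key, P)


def private_set_intersection(alice_items, bob_items):
    """Alice learns which of her items Bob also holds; Bob learns only how many
    items Alice has. Returns the intersection as Alice's original identifiers."""
    a_key, b_key = new_key(), new_key()

    # Round 1: Alice blinds her hashed items with her key and sends them to Bob.
    alice_to_bob = [encrypt(hash_to_group(x), a_key) for x in alice_items]

    # Round 2: Bob adds his key on top of Alice's values (order preserved so Alice
    # can map results back to her items) and sends his own items blinded with his
    # key, shuffled so that positions reveal nothing about his list.
    double_alice = [encrypt(c, b_key) for c in alice_to_bob]
    bob_to_alice = [encrypt(hash_to_group(y), b_key) for y in bob_items]
    secrets.SystemRandom().shuffle(bob_to_alice)

    # Round 3: Alice adds her key to Bob's values. By commutativity, an item held
    # by both parties now has an identical double-encrypted value on both lists.
    double_bob = {encrypt(c, a_key) for c in bob_to_alice}
    return {x for x, c in zip(alice_items, double_alice) if c in double_bob}


if __name__ == "__main__":
    # Constructed sample identifiers for two parties.
    ad_clicks = ["alice@example.com", "bob@example.com", "carol@example.com"]
    purchases = ["carol@example.com", "dave@example.com", "alice@example.com"]
    print(sorted(private_set_intersection(ad_clicks, purchases)))
```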

Read the Full Article here: >Schneier on Security: Cybercrime Paper

Offensive Security launches OffSec Flex, a new cybersecurity training program for enterprises

Offensive Security, the leading provider of hands-on cybersecurity training and certification, announced OffSec Flex, a new program for enterprises designed to simplify the cybersecurity training process and allow organizations to invest more in cybersecurity skills development.

Organizations can now use OffSec Flex to purchase blocks of Offensive Security’s industry-leading practical, hands-on training, certification and virtual lab offerings, allowing them to proactively increase and enhance the level of cybersecurity talent available within their organizations.

With Offensive Security’s hands-on courses, labs and exams readily available, organizations are able to offer educational opportunities to new hires and non-security team members alike, improving their security posture and equipping their employees with the adversarial mindset necessary to protect modern enterprises from today’s threats.

“Cybersecurity training is not just for security professionals anymore,” said Kerry Ancheta, VP of Worldwide Sales, Offensive Security.

“Increasingly we see organizations recommend pentest training courses for their software development or application security teams in order to improve their understanding for how their systems and applications are attacked.

“With the OffSec Flex program, it will now be easier for organizations to access more training options, offering cyber skills growth opportunities to more employees to better defend IT systems from sophisticated attackers outside of their companies.”

Cybersecurity spending reached new heights in 2019. Gartner estimates that it will reach $124 billion by the end of the year. Yet, while organizations are increasingly willing to spend on cybersecurity solutions, security incidents continue at an alarming rate.

Over 1.9 billion records were exposed during the first quarter of 2019, an increase of almost 30 percent. Despite increasing their cyber spend, most organizations are unable to close the cybersecurity skills gap due to a lack of available training options.

With the launch of OffSec Flex, Offensive Security simplifies the allocation and use of training budgets, making it significantly easier for organizations to invest in cybersecurity skills.

Once an organization sets its training budget, it can pre-purchase a block of Offensive Security training from across its range of offerings. It is then able to utilize that training time as needed throughout the year while extending its budget through Flex Bonus Funds, contributed by Offensive Security.

Offensive Security provides some of the industry’s most sought-after training courses and certifications, including the Penetration Testing with Kali Linux (PWK) course and the Offensive Security Certified Professional (OSCP) certification, along with the Advanced Web Attacks and Exploitation (AWAE) course and the Offensive Security Web Expert (OSWE) certification.

The company’s rigorous training programs force students to develop adversarial mindsets and persistent work habits, demanding that they think like attackers and try harder to earn the industry’s most sought-after certifications.

Read the Full Article here: >Help Net Security – News

How to Audit Microsoft Exchange 2013 and 2016 with CIS and DISA Guidance

Tenable Research Release Highlights are posted for significant new releases or updates to existing plugins or audit files that are important for early customer notification. Here, we discuss new audit guidance for Microsoft Exchange.

Tenable Research Release Highlights

Microsoft Exchange remains one of the most widely adopted email and calendar solutions. Establishing a secure baseline configuration for Exchange, based on industry-leading guidance, is essential, but the complexity of deployments can present a challenge. The Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) have issued guidance on hardening and auditing these deployments. Tenable released plugin enhancements and audits to help customers implement this guidance on July 1.

CIS Benchmarks for Microsoft Exchange

DISA STIGs for Microsoft Exchange

Usage Overview

Tenable customers can audit an MS Exchange server with all of the same check types as in our Windows Compliance Plugin, as well as with a new check type, AUDIT_EXCHANGE. This new check type leverages the Exchange-specific cmdlets suggested for use in the audit steps of DISA and CIS recommendations.

The following is an example check using AUDIT_EXCHANGE:

[Image: Adding CIS Benchmark and DISA STIG - Audits for MS Exchange 2013 and 2016]

The powershell_args tag contains the core of the audit functionality, with the plugin itself connecting and exposing Exchange-specific cmdlets. As a result, the EMS/Exchange cmdlet import is seamless to the user, who can instead focus on writing good PowerShell.

How to get started

A byproduct of the session setup and cmdlet import is that we need to work with PowerShell credential objects. To avoid unintended disclosure of credential information via PowerShell logs, users are required to supply a pre-generated encrypted password string for each target of the audit as part of the Exchange Auditing scan setup.

Password/Secure String Generation

To generate an encrypted password for use with our Exchange audits, run the following PowerShell while logged in on the target with the account that will be used for scanning:

Read-Host -AsSecureString | ConvertFrom-SecureString

While logged into the account you’ll be using to scan, type in the password for the account. The output will be a long hexadecimal string like this:

01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ad58de852cc4646b0d9dfa96c67f2100000000002000000000003660000c000000010000000d8b09ba7e13918c19d776cc7dfcac82a0000000004800000a0000000100000003654a47ae8a4da017657d57f0706989e180000004acd2fe7990e1243ed84c380e5d0e8a95a01f12f5662574714000000e5b4783976f1ad76065cf6f91a3b1bebbcf4b169

Reminder: An encrypted password is required for each target being scanned.

After creating the string as instructed, make sure to select the audit under the Windows category and populate the secure string variable (separating multiple targets with commas). The plugin will determine which string to use on which target. Add your usual credential information on the Credentials tab and save the policy.

How to Audit Microsoft Exchange 2013 and 2016 with CIS and DISA Guidance

Once the configuration is saved, run the scan and review the results.

Example Scan output


Below is a closer view of one of the results. This page shows:

  • Pass/fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned


Summary

Auditing an Exchange Environment with Tenable.io and Nessus requires a little bit of extra setup but allows for a secure and automated method for evaluating your organization’s compliance. Exposing Exchange specific cmdlets allows for much more accurate auditing of the environment, with a direct correlation to industry guidance. At Tenable, we regularly update our policy compliance audits to match the newest versions by CIS and DISA to ensure our customers are able to keep pace with the latest best practices.

Follow Tenable Research Release Highlights on the Tenable Community.

Read the Full Article here: Tenable Network Security

What is and what is not working for security operations teams in securing cloud data

Security professionals continue to face a number of major challenges as more organizations move legacy IT operations to cloud infrastructure and applications, and traditional security tools often fall short, according to Delta Risk.

cloud data security concerns

The research, produced by Cybersecurity Insiders, clearly shows that organizations must assess their cloud security posture and strategies on a regular basis and have a well-developed incident response plan that includes cloud applications and infrastructure.

Among the findings:

  • The top cloud security concern is data loss and leakage (64 percent).
  • Unauthorized access through misuse of employee credentials and improper access controls (42 percent) takes the number one spot in this year’s survey as the single biggest perceived vulnerability to cloud security, tied with insecure interfaces and APIs (42 percent). This is followed by cloud misconfigurations (40 percent).
  • Most respondents (54 percent) say cloud environments are at higher risk of security breaches than traditional on-premises environments – a 5 percent increase from last year.


“The 2019 Cloud Security Report highlights the fact that IT and security professionals have to take the lead in securing their cloud data, systems, and services under the shared responsibility model,” said Holger Schulze, CEO and Founder of Cybersecurity Insiders.


“The 2019 research supports what we hear from organizations about their challenges with effectively monitoring cloud applications and infrastructure,” said Tempy Wright, Vice President of Marketing at Delta Risk. “High-profile data breaches in the past year have driven increased concerns about the security of cloud environments, and we see this reflected in the survey results.”

Read the Full Article here: Help Net Security – News

Slurp – Amazon AWS S3 Bucket Enumerator

Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan from an external perspective or an AWS API to scan internally.


The tool operates in two modes: blackbox and whitebox. Whitebox (internal) mode is significantly faster than blackbox (external) mode.

Blackbox (external)

In this mode, you are using the permutations list to conduct scans. It will return false positives and there is NO WAY to link the buckets to an actual AWS account.

Whitebox (internal)

In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Your credentials should be in ~/.aws/credentials.
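The whitebox check described above, as an added example in PowerShell that is not Slurp's code: it lists the buckets in your own account with the AWS Tools for PowerShell (AWS.Tools.S3, reading the credentials in ~/.aws/credentials) and flags ACL grants to the AllUsers/AuthenticatedUsers groups and unconditioned policy statements with a wildcard principal. The function name and the "Exposed" classification are my own.

```powershell
# Added example, not part of Slurp. Assumes the AWS.Tools.S3 module and
# credentials for an account you own (for example in ~/.aws/credentials).
Import-Module AWS.Tools.S3

# ACL grantee URIs that open a bucket beyond the owning account.
$publicGrantees = @{
    'http://acs.amazonaws.com/groups/global/AllUsers'           = 'Everyone'
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' = 'Any AWS account'
}

function Get-ExposedBucket {
    foreach ($bucket in Get-S3Bucket) {
        $name = $bucket.BucketName
        $findings = @()

        # ACL check: any grant to the public group grantees.
        $acl = Get-S3ACL -BucketName $name
        foreach ($grant in $acl.Grants) {
            $uri = $grant.Grantee.URI
            if ($uri -and $publicGrantees.ContainsKey($uri)) {
                $findings += "ACL grants $($grant.Permission) to $($publicGrantees[$uri])"
            }
        }

        # Policy check: Allow statements with Principal "*" and no Condition.
        $policyJson = $null
        try {
            $policyJson = Get-S3BucketPolicy -BucketName $name -ErrorAction Stop
        } catch {
            # A missing policy is the common case; report anything else.
            if ($_ -notmatch 'NoSuchBucketPolicy') { $findings += "Policy check failed: $_" }
        }
        if ($policyJson) {
            $policy = $policyJson | ConvertFrom-Json
            foreach ($stmt in @($policy.Statement)) {
                $p = $stmt.Principal
                $wildcard = ($p -eq '*') -or ($p.AWS -eq '*') -or (@($p.AWS) -contains '*')
                if ($stmt.Effect -eq 'Allow' -and $wildcard -and -not $stmt.Condition) {
                    $findings += "Policy allows $(@($stmt.Action) -join ',') to Principal *"
                }
            }
        }

        [pscustomobject]@{ Bucket = $name; Exposed = ($findings.Count -gt 0); Findings = $findings }
    }
}

Get-ExposedBucket | Where-Object Exposed | Format-Table Bucket, Findings -AutoSize
```

A policy statement that is conditioned (for example on aws:SourceVpc) is deliberately not flagged here, so review those by hand rather than treating a clean result as proof that nothing is public.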

Slurp – Amazon AWS S3 Bucket Enumerator Features

The main features of Slurp are:

  • Scan via domain(s); you can target a single domain or a list of domains
  • Scan via keyword(s); you can target a single keyword or a list of keywords
  • Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
  • Colorized output for visual grep
  • Currently generates over 28,000 permutations per domain and keyword
  • Punycode support for internationalized domains

Usage of Slurp S3 Bucket Enumerator

Will enumerate the S3 domains for a specific target:

slurp domain <t|target> example.com

Will enumerate S3 buckets based on those 3 key words (linux, golang & python):

slurp keyword <t|target> linux,golang,python

Will perform an internal scan using the AWS API:

You can download Slurp here:

slurp.tar.gz

Or you can read more here.

Read the Full Article here: Darknet – The Darkside

PCI SSC unveils two new validation programs for software vendors and assessors

The PCI Security Standards Council (PCI SSC) announced two new validation programs for use by payment software vendors to demonstrate that both their development practices and their payment software products address overall software security resiliency to protect payment data.

Under the Secure Software Lifecycle (Secure SLC) and Secure Software Programs, Software Security Framework Assessors will evaluate vendors and their payment software products against the PCI Secure SLC and Secure Software Standards. PCI SSC will list Secure SLC Qualified Vendors and Validated Payment Software on the PCI SSC website as a resource for merchants.

PCI SSC is introducing these programs as part of the PCI Software Security Framework (SSF), a collection of standards and programs for the secure design, development and maintenance of existing and future payment software.

The SSF expands beyond the scope of the Payment Application Data Security Standard (PA-DSS) and will replace PA-DSS, its program and List of Validated Payment Applications when PA-DSS is retired in 2022. During the interim period, the PA-DSS and SSF Programs will run in parallel, with the PA-DSS Program continuing to operate as it does now.

Secure SLC Program and Secure Software Program documentation is now available on the PCI SSC website. This includes Program Guides and FAQs, with information on the vendor and payment software validation process, and Qualification Requirements for SSF Assessors.

PCI SSC plans to start accepting applications from assessors by the end of 2019. Training will be available in early 2020, first for Payment Application Qualified Security Assessors (PA-QSA) and QSAs, and then for new assessors. Once SSF Assessors are in place, vendors can begin the validation process for their software lifecycle practices and payment software.

Secure SLC Program

  • Validation to the Secure SLC Standard illustrates that the software vendor has mature secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.
  • Upon successful evaluation by a Secure SLC Assessor, validated software vendors will be recognized on the PCI SSC List of Secure SLC Qualified Vendors.
  • Secure SLC Qualified Vendors will be able to self-attest to delta changes for any of their products that are listed as Validated Payment Software under the Secure Software Program.

Secure Software Program

  • Validation to the Secure Software Standard illustrates that the payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.
  • Initially, this program is specific to payment software products that store, process, or transmit clear-text account data, and are commercially available and developed by the vendor for sale to multiple organizations. As new modules are added to the Secure Software Standard to address other software types, use cases and technologies, the program scope will expand to support them.
  • Upon successful evaluation by a Secure Software Assessor, validated payment software will be recognized on the PCI SSC List of Validated Payment Software, which will replace the current List of PA-DSS Validated Payment Applications when PA-DSS is retired in October 2022. Until then, PCI SSC will continue to maintain the PA-DSS Program and list, which includes honoring existing validation expiration dates and accepting new PA-DSS submissions until June 2021.

“These programs work together with the PCI Secure SLC and Secure Software Standards to help vendors address the security of both their development practices and their payment software products.

“We’re pleased to have the Secure SLC and Secure Software Programs documentation available now as the initial step towards providing the industry with validated listings of trusted payment software vendors and products under the PCI Software Security Framework,” said PCI SSC Chief Operating Officer Mauro Lance.

“In the meantime, PCI SSC recognizes that transitioning from PA-DSS to the Software Security Framework will take time, and we want to reassure PA-DSS vendors, PA-QSAs and users of PA-DSS validated payment applications that the PA-DSS Program remains open and fully supported until October 2022, with no changes to how existing PA-DSS validated applications are handled.”

Read the Full Article here: Help Net Security – News