https://youtu.be/_dj_90TnVbo
• Implement perimeter blocks for known threat indicators:
◦ Email server or email security gateway filters for email indicators
◦ Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
◦ DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
• Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
• Identify recipients and possibly infected systems:
◦ Search email server logs for the applicable sender, subject, attachments, etc. (to identify users who may have deleted the email and were not identified in the purge of mailboxes)
◦ Search applicable web proxy, DNS, firewall or IDS logs for activity indicating the malicious link was clicked.
◦ Search applicable web proxy, DNS, firewall or IDS logs for activity to any command and control (C2) domains or IP addresses associated with the malware.
◦ Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence that a system is not infected.
◦ Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
• For systems that may be infected:
◦ Capture live memory of potentially infected systems for analysis
◦ Take forensic images of potentially infected systems for analysis
◦ Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment)
• Report incidents, with as much detail as possible, to the NCCIC.

Educate Your Users

Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:
• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
Be particularly wary of compressed or ZIP file attachments.
• Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
• Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.

Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today's security practitioners:
• Privilege control (i.e., minimize administrative or superuser privileges)
• Application whitelisting / software execution control (by file or location)
• System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
• Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
• Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
• Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards)

Anti-privacy unkillable super-cookies spreading around the world – study (from The Register, 8/23/2015)

At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study.
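Stepping back to the phishing response list above: the "identify recipients and possibly infected systems" steps amount to joining the campaign's indicators against mail, proxy and DNS logs. An added example, not part of the original alert, with constructed indicators and log lines (the log formats, addresses and names are all assumed):

```python
import re
# Constructed indicators for a hypothetical campaign; none of these values come from the page.
INDICATORS = {
    "senders": {"invoice@mail-example.test"},
    "subjects": {"Overdue invoice 4471"},
    "domains": {"login-portal.example.test", "c2.example.test"},
    "ips": {"198.51.100.23"},
}
# Constructed sample log lines from a mail gateway, a web proxy and a DNS resolver.
MAIL_LOG = [
    '2015-08-20T09:12:01 from=<invoice@mail-example.test> to=<alice@corp.test> subject="Overdue invoice 4471"',
    '2015-08-20T09:12:04 from=<invoice@mail-example.test> to=<bob@corp.test> subject="Overdue invoice 4471"',
    '2015-08-20T09:15:30 from=<hr@corp.test> to=<carol@corp.test> subject="Team lunch"',
]
PROXY_LOG = [
    "2015-08-20T09:20:11 10.1.2.3 GET http://login-portal.example.test/doc.php 200",
    "2015-08-20T09:21:45 10.1.2.9 GET https://www.example.org/ 200",
    "2015-08-20T11:02:19 10.1.2.3 CONNECT 198.51.100.23:443 200",
]
DNS_LOG = [
    "2015-08-20T09:20:10 client 10.1.2.3 query c2.example.test A",
    "2015-08-20T10:41:00 client 10.1.2.7 query c2.example.test A",
    "2015-08-20T10:45:12 client 10.1.2.9 query www.example.org A",
]
MAIL_RE = re.compile(r'from=<([^>]+)> to=<([^>]+)> subject="([^"]*)"')
DNS_RE = re.compile(r"^\S+ client (\S+) query (\S+)")
PROXY_RE = re.compile(r"^\S+ (\S+) \S+ (?:[a-z]+://)?([^/:\s]+)")  # client IP, target host (URL or host:port)

def find_recipients(mail_lines, ind=INDICATORS):
    """Mailboxes that got a matching message, including users who already deleted it."""
    hits = set()
    for line in mail_lines:
        m = MAIL_RE.search(line)
        if m and (m.group(1) in ind["senders"] or m.group(3) in ind["subjects"]):
            hits.add(m.group(2))
    return hits

def find_suspect_hosts(proxy_lines, dns_lines, ind=INDICATORS):
    """Internal clients that resolved or connected to an indicator domain or IP."""
    hosts = set()
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and m.group(2) in ind["domains"]:
            hosts.add(m.group(1))
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m and m.group(2) in ind["domains"] | ind["ips"]:
            hosts.add(m.group(1))
    return hosts
```

Note that 10.1.2.7 never appears in the proxy log and only shows up through its DNS query, which is why the alert says to search every log source rather than just one.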
A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time a subscriber visits a website from his or her smartphone, the telco's system places the super-cookie in the HTTP headers, so that the site's servers can identify the visitor.

This super-cookie allows ad networks and media publishers to follow people across the internet even if they clear their cookies. It allows the networks to build up profiles on users' habits, and pitch them targeted advertising, while the telcos take a cut.

When it emerged that Verizon and AT&T in the US were using this technology it caused a storm. AT&T dropped the super-cookies, and Verizon eventually switched to an opt-out approach: if you switched them off, the headers went away.

Now a six-month investigation by digital rights group Access has shown that telcos overseas are using the same super-cookie techniques. Access set up a website called Amibeingtracked.com, and monitored visits from 180,000 netizens on their phones. The group found that 15.3 per cent of visitors had the tracking headers installed from cellphone owners in Canada, China, India, Mexico, Morocco, the Netherlands, Peru, Spain, the US, and Venezuela.

Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain all used the technology, although AT&T dropped off the charts when it withdrew the system. Verizon is still on the charts because people are opted-in by default.

By far the largest number of people being monitored were in the US, with the Access engine finding over 23,000 unstrippable headers from phone users in the Land of the Free. Spain was the next most tracked nation – with just over 3,000 cases – and the other countries had fewer than a thousand cases each.
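The check a site like Amibeingtracked.com performs is to parse the request as it actually arrives and flag any header the browser itself did not send. An added example, not Access's code: the sample requests and the token are constructed, and X-UIDH is the Verizon header name, known from outside this article. A carrier can only add headers to plaintext HTTP, so the same request over HTTPS arrives without the token.

```python
import re

# Headers a browser normally sends itself; anything outside this set gets a closer look.
BROWSER_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "referer", "cookie", "origin", "dnt", "cache-control",
    "pragma", "upgrade-insecure-requests", "if-modified-since", "if-none-match",
}
# Header names publicly tied to carrier tracking. X-UIDH is the Verizon header;
# the name comes from outside the page, and this set is an assumption, not exhaustive.
KNOWN_TRACKING_HEADERS = {"x-uidh"}
# An opaque per-subscriber token: one long run of base64/hex-style characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def injected_headers(headers):
    """Headers that look like carrier-injected subscriber identifiers."""
    found = {}
    for name, value in headers.items():
        known = name in KNOWN_TRACKING_HEADERS
        if known or (name not in BROWSER_HEADERS and TOKEN_RE.match(value)):
            found[name] = value
    return found

def am_i_being_tracked(raw):
    """True if the request, as received by the server, carries an injected identifier."""
    return bool(injected_headers(parse_request(raw)[1]))

# Constructed sample requests. The browser sent Host, User-Agent and Accept; in TRACKED
# the carrier appended a made-up identifier before forwarding the request.
TRACKED = ("GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
           "Accept: text/html\r\nX-UIDH: OTgxNTk2Njk5NjE0OTNEMjk3OTk2N0Q5N0I0Mjc4Mjg=\r\n\r\n")
CLEAN = ("GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
         "Accept: text/html\r\n\r\n")
```

The allowlist plus token pattern also catches a tracking header under a name not yet on the known list, which matters because the article notes carriers vary in what they inject.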
The samples collected by the website showed a great degree of variance in what data was being collected and transferred using the technique. Telcos are increasingly encrypting the header information, but some still send data in clear text, including the phone number of the user in three cases.

"Not all carriers track their users, and those that respect user privacy deserve our support," the report [PDF] concludes. "Telecommunications companies occupy a central role in providing access to the internet, enhancing the communications capabilities of billions of people. By delivering open access, networks, and services, telcos can serve not just as internet service providers, but also as 'freedom providers.'"

The only way to stop the header from reporting back is to limit your web browsing to HTTPS sites only, but that's going to prove rather limiting. Alternatively, switch to a telco that doesn't use the technology, although that may become harder over time as well.

Privileged accounts are still easy to compromise (posted on 17 August 2015)

A Thycotic survey of 201 Black Hat USA 2015 attendees found that a majority (75%) have not seen a fundamental change in the level of difficulty in compromising privileged account credentials, despite an overall increase in IT security spending over the past two years.
Among other topics, the survey also asked hackers how often they come across privileged account credentials in unprotected files like spreadsheets. Only 6 percent of respondents said they had never seen this, meaning 94% find privileged credentials in unprotected files at least some of the time. Other key findings from the survey include:
“Perhaps not surprising to those in the cybersecurity industry, it is apparent that for all the new defensive solutions that have been introduced, we still haven’t cracked the code on how best to protect mission-critical data and company secrets, and in fact, in some cases we’re only adding additional layers of complexity which provide attackers more attack vectors to use to break in,” said Nathan Wenzler, senior technology evangelist at Thycotic. “It’s also clear from the data that even some of the most basic security practices are still not being enforced well enough by organizations and privileged login credentials are constantly left vulnerable to intruders.”

http://thenextweb.com/insider/2015/08/21/how-hackers-tempt-you-to-open-that-email/
https://www.infosecindustry.com/
https://www.schneier.com/blog/archives/2015/08/shooting_down_d.html?utm_source=twitterfeed&utm_medium=twitter
I am not going to write a thesis here but will share a few things from the weekend. If you install Win 10 and don't select "Express Install" you will be guided through 13 pages of configuration settings. Microsoft are being transparent with the data that is being captured. I found it very interesting to see what data was captured and to what extent the data was used to "improve my user experience".
If you went for the Express Install there is a little bit of code at GitHub that will help disable some of the tracking without too much of your involvement: https://github.com/10se1ucgo/DisableWinTracking. There is a browser extension you can add to Chrome or Firefox that purports to block third-party tracking: https://www.eff.org/privacybadger. IE is not supported currently.

Today
Your browser fingerprint appears to be unique among the 5,595,111 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 22.42 bits of identifying information. The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.
https://panopticlick.eff.org/browser-uniqueness.pdf

A great overview of the Black Hat briefings and topic coverage:
https://www.blackhat.com/us-15/briefings.html
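The "at least 22.42 bits" in the Panopticlick result above is the surprisal of the fingerprint, -log2(p): a fingerprint unique among N = 5,595,111 tested browsers has p = 1/N, so it conveys log2(N) ≈ 22.42 bits. An added example, not EFF's code, that computes this and contrasts per-attribute bits with whole-fingerprint bits over a constructed population of tested browsers:

```python
import math

def unique_fingerprint_bits(total_tested):
    """Lower bound on the identifying bits of a fingerprint that is unique among
    total_tested browsers: p = 1/N, so -log2(p) = log2(N)."""
    return math.log2(total_tested)

def surprisal_bits(count, total):
    """Self-information of a value seen `count` times in `total`: -log2(count/total)."""
    return -math.log2(count / total)

# Constructed population of previously tested browsers (three attributes each).
SAMPLES = [
    {"ua": "Firefox/40", "tz": "-60", "fonts": 42},
    {"ua": "Firefox/40", "tz": "-60", "fonts": 42},
    {"ua": "Firefox/40", "tz": "-60", "fonts": 42},
    {"ua": "Chrome/44", "tz": "-60", "fonts": 42},
    {"ua": "Chrome/44", "tz": "+300", "fonts": 57},
    {"ua": "Chrome/44", "tz": "+300", "fonts": 57},
    {"ua": "Safari/8", "tz": "+300", "fonts": 11},
]

def attribute_bits(samples, fp):
    """Surprisal of each attribute of `fp`, counting fp itself in the population
    (Panopticlick counts the visiting browser among those tested)."""
    pop = samples + [fp]
    return {attr: surprisal_bits(sum(1 for s in pop if s[attr] == value), len(pop))
            for attr, value in fp.items()}

def combined_bits(samples, fp):
    """Surprisal of the whole fingerprint. At most the sum of the per-attribute bits,
    and usually less, because attributes are correlated (same browser, same fonts)."""
    pop = samples + [fp]
    return surprisal_bits(sum(1 for s in pop if s == fp), len(pop))
```

A fingerprint matching none of the samples scores exactly log2(len(samples) + 1), the same bound the Panopticlick sentence reports for its 5,595,111 tested browsers.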
https://www.privacytools.io/