Author: Gilbertine Onfroi

Tips for protecting your information and privacy against cybersecurity threats

This post is authored by Steven Meyers, security operations principal, Microsoft Cyber Defense Operations Center.

Introducing a new video on best practices from the Microsoft Cyber Defense Operations Center

In 2016, 4.2+ billion records were stolen by hackers. The number of cyberattacks and breaches in 2017 have risen 30 percent.

The business sector leads in the number of records compromised so far, with more than 7.5 million exposed records in 420 reported incidents. These cybercrimes are often intended for financial gain, such as opening a fraudulent credit card or accessing a company’s financial records. Today, a growing market exists in the dark web for selling credentials and sensitive information to other cybercriminals.

To help Protect your information and privacy against cyberthreats, the Microsoft Cyber Defense Operations Center has published a series of best practices videos that will help consumers, businesses and organizations enable a safer online environment. This video shares some of the policies and practices that can be used to better protect information and privacy inside and outside of your operational perimeters.

Protection starts with classifying information and then putting appropriate protections in place based on its value. Some information is meant to be public, some data is sensitive but not highly valued to outside entities, but some data is mission critical and/or could cause tremendous financial hardship if shared externally.

Cybersecurity technologies and policies such as multifactor authentication, the principles of least privilege access, just-in-time-and just-enough administrator access, and Microsoft’s cybersecurity products and services can help safeguard access to data and applications.

Some cybersecurity tips discussed include:

  • Classifying emails and data according to their level of sensitivity
  • Employing multifactor authentication for access to sensitive information
  • Only providing administrator access to individuals for the time needed to complete a task
  • Restricting access to only the information needed for the task
  • Keeping your software up-to-date

Please take a few minutes to watch the video and share it with your colleagues, friends and family. We all need to be diligent in the face of this growing and ever-more sophisticated threat.

Also, be sure to watch part one of the video series, Protecting your identity from cybersecurity threats. Check back next week for our third video, Protecting your devices from cybersecurity threats.

Additional resources:

from Microsoft Secure Blog Staff

BSides Athens 2017 Wrap-Up

The second edition of BSides Athens was planned this Saturday. I already attended the first edition (my wrap-up is here) and I was happy to be accepted as a speaker for the second time!  This edition moved to a new location which was great. Good wireless, air conditioning and food. The day was based on three tracks: the first two for regular talks and the third one for the CTP and workshops. The “boss”, Grigorios Fragkos introduced the 2nd edition. This one gave more attention to a charity program called “the smile of the child” which helps Greek kids to remain in touch with the new technologies. A specific project is called “ODYSSEAS” and is based on a truck that travels across Greek to educate kids to technologies like mobile phones, social networks, … The BSides Athens donated to this project. A very nice initiative that was presented by Stefanos Alevizos who received a slot of a few minutes to describe the program (content in Greek only).


The keynote was assigned to Dave Lewis who presented “The Unbearable Lightness of Failure”. The main fact explained by Dave is that we fail but…we learn from our mistakes! In other words, “failure is an acceptable teaching tool“. The keynote was based on many facts like signs. We receive signs everywhere and we must understand how to interpret them or the famous Friedrich Nietzsche’s quote: “That which does not kill us makes us stronger“. We are facing failures all the time. The last good example is the Wannacry bad story which should never happen but… You know the story! Another important message is that we don’t have to be afraid t fail. We also have to share as much as possible not only good stories but also bad stories. Sharing is a key! Participate in blogs, social networks, podcasts. Break out of your silo! Dave is a renowned speaker and delivered a really good keynote!

Then talks were split across the two main rooms. For the first one, I decided to attend the Thanissis Diogos’s presentation about “Operation Grand Mars“. In January 20167, Trustwave published an article which described this attack. Thanassis came back on this story with more details. After a quick recap about what is incident management, he reviewed all the fact related to the operation and gave some tips to improve abnormal activities on your network. It started with an alert generated by a workstation and, three days later, the same message came from a domain controller. Definitively not good! The entry point was infected via a malicious Word document / Javascript. Then a payload was download from Google docs which is, for most of our organization, a trustworthy service. Then he explained how persistence was achieved (via autorun, scheduled tasks) and also lateral movements. The pass-the-hash attack was used. Another tip from Thanissis: if you see local admin accounts used for network logon, this is definitively suspicious! Good review of the attack with some good tips for blue teams.

My next choice was to move to the second track to follow Konstantinos Kosmidis‘s talk about machine learning (a hot topic today in many conferences!). I’m not a big fan of these technologies but I was interested in the abstract. The talk was a classic one: after an introduction to machine learning (that we already use every day with technologies like the Google face recognition, self-driving card or voice-recognition), why not apply this technique to malware detection. The goal is to: detect, classify but, more important, to improve the algorithm! After reviewing some pro & con, Konstantinos explained the technique he used in his research to convert malware samples into images. But, more interesting, he explained a technique based on steganography to attack this algorithm. The speaker was a little bit stressed but the idea looks interesting. If you’re interested, have a look at his Github repository.

Back to the first track to follow Professor Andrew Blyth with “The Role of Professionalism and Standards in Penetration Testing“. The penetration testing landscape changed considerably in the last years. We switched to script kiddies search for juicy vulnerabilities to professional services. The problem is that today some pentest projects are required not to detect security issues and improve but just for … compliance requirements. You know the “checked-case” syndrome. Also, the business evolves and is requesting more insurance. The coming GDP European regulation will increase the demand in penetration tests.  But, a real pentest is not a Nessus scan with a new logo as explained Andrew! We need professionalism. In the second part of the talk, Andrew reviewed some standards that involve pentests: iCAST, CBEST, PCI, OWASP, OSSTMM.

After a nice lunch with Greek food, back to talks with the one of Andreas Ntakas and Emmanouil Gavriil about “Detecting and Deceiving the Unknown with Illicium”. They are working for one of the sponsors and presented the tool developed by their company: Illicium. After the introduction, my feeling was that it’s a new honeypot with extended features.  Not only, they are interesting stuff but, IMHO, it was a commercial presentation. I’d expect a demo. Also, the tool looks nice but is dedicated to organization that already reached a mature security level. Indeed, before defeating the attacker, the first step is to properly implement basic controls like… patching! What some organizations still don’t do today!

The next presentation was “I Thought I Saw a |-|4><0.-” by Thomas V. Fisher.  Many interesting tips were provided by Thomas like:

  • Understand and define “normal” activities on your network to better detect what is “abnormal”.
  • Log everything!
  • Know your business
  • Keep in mind that the classic cyber kill-chain is not always followed by attackers (they don’t follow rules)
  • The danger is to try to detect malicious stuff based on… assumptions!

The model presented by Thomas was based on 4 A’s: Assess, Analyze, Articulate and Adapt! A very nice talk with plenty of tips!

The next slot was assigned to Ioannis Stais who presented his framework called LightBulb. The idea is to build a framework to help in bypassing common WAF’s (web application firewalls). Ioannis explained first how common WAF’s are working and why they could be bypassed. Instead of testing all possible combinations (brute-force), LightBuld relies on the following process:

  • Formalize the knowledge in code injection attacks variations.
  • Expand the knowledge
  • Cross check for vulnerabilities

Note that LightBulb is available also as a BurpSuipe extension! The code is available here.

Then, Anna Stylianou presented “Car hacking – a real security threat or a media hype?“. The last events that I attended also had a talk about cars but they focused more on abusing the remote control to open doors. Today, it focuses on ECU (“Engine Control Unit”) that are present in modern cars. Today a car might have >100 ECU’s and >100 millions lines of code which means a great attack surface! They are many tools available to attack a car via its CAN bus, even the Metasploit framework can be used to pentest cars today! The talk was not dedicated to a specific attack or tools but was more a recap of the risks that cars manufacturers are facing today. Indeed, threats changed:

  • theft from the car (breaking a window)
  • theft of the cat
  • but today: theft the use of the car (ransomware)

Some infosec gurus also predict that autonomous cars will be used as lethal weapons! As cars can be seen as computers on wheels, the potential attacks are the same: spoofing, tampering, repudiation, disclosure, DoS or privilege escalation issues.

The next slot was assigned to me. I presented “Unity Makes Strength” and explained how to improve interconnections between our security tools/applications. The last talk was performed by Theo Papadopoulos: A “Shortcut” to Red Teaming. He explained how .LNK files can be a nice way to compromize your victim’s computer. I like the “love equation”: Word + Powershell = Love. Step by step, Theo explained how to build a malicious document with a link file, how to avoid mistakes and how to increase chances to get the victim infected. I like the persistence method based on assigning a popular hot-key (like CTRL-V) to shortcut on the desktop. Windows will trigger the malicious script attached to the shortcut and them… execute it (in this case, paste the clipboard content). Evil!

The day ended with the CTF winners announce and many information about the next edition of BSides Athens. They already have plenty of ideas! It’s now time for some off-days across Greece with the family…

[The post BSides Athens 2017 Wrap-Up has been first published on /dev/random]

from Xavier

“Hacker Village – At the #SecAwareSummit”

Editor’s Note: Taylor Lobbis a security community manager for developers within Adobe. Heis one of the speakers for the upcoming Security Awareness Summit 2/3 Aug in Nashville, TN. Below hegives an overview on hisupcoming talk onbuilding a Hacker Village. I am a manager of security and privacy engineering for Adobe. One of our core goals &hellip; Continue reading Hacker Village – At the #SecAwareSummit

from lspitzner

[SANS ISC] Obfuscating without XOR

I published the following diary on isc.sans.org: “Obfuscating without XOR“.

Malicious files are generated and spread over the wild Internet daily (read: “hourly”). The goal of the attackers is to use files that are:

  • not know by signature-based solutions
  • not easy to read for the human eye

That’s why many obfuscation techniques exist to lure automated tools and security analysts… [Read more]

[The post [SANS ISC] Obfuscating without XOR has been first published on /dev/random]

from Xavier

Tips for securing your identity against cybersecurity threats

This post is authored by Simon Pope, Principal Security Group Manager, Microsoft Security Response Center.

Introducing new video on best practices from the Microsoft Cyber Defense Operations Center

Ask any CISO or cybersecurity professional about their greatest security challenge, and it’s a good chance the answer will be “the actions of our people.”

While virtually all employees, contractors, and partners have the best of intentions, the fact is that protecting their online credentials, identifying and avoiding phishing scams, and evading cybercriminals is getting more difficult each day. More of our time each day is spent online, and as more financial transactions and social activities are conducted online, adversaries are becoming ever-more sophisticated in their cyberattacks.

Microsoft faces these same threats, and we have made deep investments in training our people to be more aware and diligent in the face of such dangers. Our cybersecurity success depends on our customers’ trust in our products and services, and their confidence that they can be safe on the internet. To help keep our customers and the global online community safe, we want to share some of our Cyber Defense Operations Center’s best practices for Securing your identity against cybersecurity threats in this video.

In this video, we discuss some best practices around securing your identity, such as avoiding social engineering scams that trick people into giving up their most sensitive secrets, recognizing phishing emails that falsely represent legitimate communications, and how to spot false impersonations of your trusted colleagues or friends. We also discuss some of the types of information you don’t want to share broadly (i.e. credentials, financial information and passwords), and tips for protecting your sensitive data.

Some cybersecurity tips that we discuss include:

  • Be vigilant against phishing emails
  • Be cautious when sharing sensitive information
  • Don’t automatically trust emails from people you know, it may not be from them
  • Keep your software up-to-date

Please take a few minutes to watch the video and share it with your colleagues, friends and family. We all need to be diligent in the face of this growing and ever-more sophisticated threat. And check back next week for our second video on Protecting your devices from cybersecurity threats, and in two weeks, we will share more on Protecting your information and data from cybersecurity threats on the Microsoft Secure blog.

Additional resources:

from Microsoft Secure Blog Staff