Ben’s Book of the Month: Review of “Click Here to Kill Everybody: Security and ...


Perhaps the most meaningless term in information security is thought leader. I know what it is supposed to mean, but many people who consider themselves information security thought leaders are anything but. Nonetheless, if there is anyone who is a thought leader in the true sense of the term, it’s Bruce Schneier. Schneier has written on nearly every aspect of information security, from cryptography, data collection, privacy and spying to much more.

In his latest work, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World (W. W. Norton 978-0393608885), Schneier takes on the Internet of Things and smart devices. The premise of the book is that with so many smart devices now in use and more coming on the market, devices that can literally kill people, more needs to be done to ensure their security. He makes the point that everything is a computer now. A smartphone is not a telephone; rather it is a computer that makes telephone calls, and a lot more. With the IoT, everything from thermostats and cars to pacemakers and more will be computers.

As to the term IoT, Schneier writes that it is really more than just the Internet of Things. It is really Internet + Things. Or more accurately, Internet + Things + Us. He ends up using the term Internet+ throughout the book. It is the us element which is different here: devices that in the past were peripheral now have the power, if misused, to one day kill us.

The first part of the book deals with the issues of security in an interconnected world. For those who are regular readers of Schneier’s blog or his previous books, a lot of part 1 will be a review.

But an important point he makes in part 1, which sets the tone for the rest of the book, is that among the world’s most valuable companies you’ll find a number that engage in surveillance capitalism: Google, Facebook, Amazon, Microsoft, eBay and more. Apple is the exception, as it makes money only via hardware and software, and that is why its prices are higher than the competition’s.

Part 2 starts off on a rather disheartening note: the security of Internet+ looks pretty bleak, and it won’t get better anytime soon. Schneier, though, provides ten high-level design principles to improve the privacy and security of Internet+, in addition to 7 principles to secure data. None of the suggestions are new or radical, which emphasizes that many older security fundamentals are not being implemented in Internet+ devices. That alone should be a significant cause for concern.

Schneier does make some radical suggestions, including the need to start disconnecting systems. This might be heresy in today’s hyper-connected world, but a connected device is a device that can be attacked. If you can’t secure a complex system (and Internet+ is inherently complex), then you may not want to design a system where everything is connected. That is likely easier said than done, but does indicate the level of insecurity within Internet+.

Schneier wrote the book on encryption (literally), and emphasizes the importance of encrypting as much as possible. Given how much he knows about encryption, he is also pragmatic enough to know that it is not a panacea. While the data might be encrypted, there are still attacks against authentication systems, which can render that encrypted data into plaintext rather quickly. And encryption still doesn’t stop government attackers who may be able to hack the underlying hardware.

Schneier thinks regulation can go a long way in securing Internet+, but notes that little meaningful regulation has come out to date.

Aside from the clickbait title, this book shows Schneier at his pragmatic best. He understands the problems (including the technical, ethical, business and political aspects) in depth, and suggests realistic solutions to deal with the security challenges of Internet+. He writes that it is important that the technology community get involved in the politics and policy process of Internet+, as it’s imperative that those making the policy understand the technology. And as the recent Facebook hearings show: Congress still doesn’t really get technology.

At 225 pages, Schneier makes a strong case for security around Internet+. He notes that security is not enough of an impetus to force manufacturers to change their insecure ways, and that regulation is not always the most effective method. It’s up to consumers to a large part to demand better security.

Products are getting more connected and the underlying security issues more complex. Schneier reiterates that complexity is the worst enemy of security. Internet+ brings on some pretty complex scenarios, and the security controls that Schneier feels are fundamental are simply not implemented yet. While we are years away from an app where someone can click to kill a person, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World makes the case that unless something is done, rather quickly, that horror scenario will be a script-kiddie exercise in a short while.

A fascinating and timely read, this book is another information security wake-up call from Schneier, to a world that is in a deep sleep about information security, privacy and risk.


The Arlo security camera goes 4K


The Arlo line was something of a surprise hit for Netgear, causing the networking company to spin it off into its own business earlier this year. The Arlo ecosystem is one of the most robust in the smart security camera space, and now it’s getting something it has never had before: 4K.

The new Arlo Ultra shoots in ultra high definition, with HDR image processing. At $400, it seems like ― and likely is ― overkill for most users. Do you need a 4K security camera? Almost certainly not. But there are some instances when getting the extra granular detail ultra high def affords could come in handy.


That price also gets you a free one-year subscription to Arlo’s Smart Premier service (worth $120), along with the Arlo SmartHub for connecting to home Wi-Fi.

Beyond that, the Ultra also sports a 180-degree field of view and a built-in LED spotlight to get a better shot of dark scenes than night vision can offer. There are dual mics on board as well, for two-way communication, with active noise cancellation built in for clearer conversations.

The system will arrive in Q1 of next year.

Starwood Hotels and Bitpay Breaches, njRAT Worm, and More | Avast

Marriott-owned Starwood Hotels data breach

Another day, another data breach. Marriott-owned Starwood, the largest hotel chain in the world, confirmed that its Starwood Hotels database, which includes information on about 500 million hotel guests, has been stolen in a breach. While specific details remain unknown, the company, in a statement filed with US regulators, said that the “unauthorized access” was detected on or before September 10, but may have dated as far back as 2014. “Marriott reported this incident to law enforcement and continues to support their investigation,” the statement reads.

Over 325 million records in the database contained names, birthdates, physical addresses, email addresses, passport numbers, travel info, and Starwood rewards info. The hotel chain has started informing customers of the breach in the U.S., Canada, and the U.K. Since the breach falls under the European-wide GDPR rules, Starwood, if found to be in breach of the rules, could face substantial financial penalties.

“Hotel chains have been a target of cybercriminals for years due to the valuable information they collect from their customers,” explains Luis Corrons, Avast security evangelist. “If you’ve stayed at a Starwood Hotel property in the past, you should take action ― inform your bank or credit card provider, and be vigilant about monitoring all accounts for any unknown transactions. Also, change the password for your Starwood account, and any other account where you may have used that same password.” If you were involved in any data breach, follow these steps to protect yourself.

Bitcoin backdoor

The cryptocurrency exchange Bitpay warned customers this week that hackers have created a backdoor to the system, leading to possible digital coin theft. The company’s Copay app relies on an open-source code library to function, and the developer of that particular open-source module had relinquished control of the code to another user. The new code owner injected malware into the open-source module and was able to steal keys to Bitpay accounts over time. Account holders using the Copay app versions 5.0.2 through 5.1.0 are at risk, and Bitpay is advising them to move their Bitcoin to another wallet without delay. Meanwhile, the exchange stated that they will be releasing Copay version 5.2.0 very shortly, which will be a security update.

“This is yet another example of a supply chain attack,” comments Luis Corrons, Avast security evangelist, “where as a user, even if you take all precautions, you can still end up with malware in your system.”

57 million personal records leaked

During a routine security audit of unprotected servers, cybersecurity researchers stumbled upon an open ElasticSearch server storing the names, email addresses, physical addresses, IP addresses, and phone numbers of almost 57 million US citizens. The server also contained an index of almost 26 million business entries, listing company details, revenue numbers, employee info, NAICS codes, SIC codes, and more. The researchers did their own detective work, deducing that the owner of the neglected server is Canadian firm Data & Leads. When reached for comment, the firm did not respond, taking their website offline shortly thereafter. The leaked info has been turned over to the user-friendly database Have I Been Pwned, where anyone can check if their data has been compromised.

The data-farmer in the Dell

All Dell.com customers were prompted to reset their passwords in reaction to a breach that occurred November 9th this year. The company does not share many additional details in their official statement except to say that names, email addresses, and hashed passwords were potentially compromised, and that “there is no indication that any credit card or other sensitive customer information was targeted.” Some cybersecurity experts take issue with the statement, however, arguing that email addresses and passwords are indeed sensitive info. Questions, such as why it took 19 days for the company to disclose the breach to its customers, are still being investigated as the story unfolds.

“If there is any user from the European Union among the affected,” notes Corrons, “waiting 19 days would mean a violation of the GDPR and Dell would have to face a fine. GDPR gives companies a maximum of 72 hours to communicate the data breach.”

When a RAT becomes a worm

Cybersecurity researchers have discovered a fileless variant of the commonly used remote access tool njRAT. The new version of the malware has the ability to spread like a worm, finding its way onto removable drives, where it can stow away to infect more machines. Also going by the names BLANDABINDI and njw0rm, the RAT grants remote access to the infected machine to whoever is sitting at the C&C (command and control) server. It’s a remote backdoor, capable of being used to spy on, steal from, and generally control the host system. The advanced malware serves as a reminder that cyberattack strategies are always evolving, as should all users’ cybersecurity.


Free download: Closing the Cybersecurity Gap: 3 Keys to an Analytics-Driven Secu ...


According to the 2018 Security Priorities study from IDG, 28% of IT professionals and leaders say that external cyber threats force them to redirect time and focus away from more strategic tasks. Claim your free analyst report today, before the offer expires.

What's it about?

That same study also found that the average number of open positions in their organizations is 3.4, which means already overburdened security teams face an avalanche of alerts from an array of tools without the resources to sift through the noise.


Read this Executive Brief from CSO, Closing the Cybersecurity Gap: 3 Keys to an Analytics-Driven Security, to learn how you can improve your security posture and gain real bottom-line benefits.

Download your copy to learn how to:

- Eliminate data silos and centralize data
- Automate processes and orchestrate security workflows
- Integrate and optimize security within IT organizational structures

How to get this free resource:

Complete and verifiable information is required in order to receive it. If you have previously made use of these free offers, you will not need to re-register. While supplies last! Please ensure you read the terms and conditions to claim this offer.

>> Free report: Closing the Cybersecurity Gap: 3 Keys to an Analytics-Driven Security <<

Offered by Splunk; view their other free resources. Limited time offer.

Not for you?

That's OK, there are other free eBooks on offer you can check out here, but be aware that these are all time-limited offers. If you are uncomfortable sharing your details with a third-party sponsor, we understand.


Disclosure: A valid email address is required to fulfill your request. Complete and verifiable information is required in order to receive this offer. By submitting a request, your information is subject to TradePub.com's Privacy Policy.

How cybersecurity systemization is changing financial institutions today


Cyberattacks are a global epidemic today. They target organizations, critical infrastructure, and governments around the world with timely, sophisticated attacks. Examples of this include ransomware attacks like Petya and WannaCry. These put some of the world’s most critical functions on hold for a while.

Another example was the Equifax data breach that affected about 143 million Americans. With the persistence of these attacks many people believe that by 2021 cybercrime will cause $6 trillion in damages.

What’s Behind Cybercriminal Activity Today

Most cybercriminals are motivated by monetary rewards. With ransomware attacks cybercriminals target critical infrastructure and healthcare organizations, holding their data captive until they’re paid. There are also some cyber attackers who will steal your personally identifiable information (PII) which includes things like financial records. Many cyber attackers will sell this information on the dark web where buyers use it for things like identity theft and tax fraud. Clearly these things have long-term effects since personal information isn’t easy to change. It’s also difficult to track its misuse after a breach.

There’s no end to these attacks and breaches in sight. In fact, CSO Online says that people are finally starting to realize that nobody is immune to modern cyberattacks today. However, there’s a lot that can be done to protect critical resources and market sectors. This is why new regulations across Europe, Asia, the UK, and the US are being implemented. These will ensure that there are proper security measures to protect your valuable data.

Recent Cybersecurity Regulations

Financial service firms that operate on a global basis need to be aware of new cybersecurity regulations and how they affect them. This is the only way they can navigate through data rules and remain compliant with them -- especially when conducting business across the borders. Today compliance is something that you can’t overlook since the punishment for noncompliance typically includes large fines. With this in mind, here are some of the most recently proposed or implemented cybersecurity regulations in the financial services sector:

China is placing additional requirements on network and system security in hopes of better aligning with industry and global cybersecurity standards. It directly impacts the financial services sector since this is a critical information infrastructure (CII) -- a sector wherein a data breach would compromise national security or public welfare. Under this law authorities must have access to data when requested. Financial services firms must also demonstrate that their IT infrastructure meets certain specifications and can pass standard cybersecurity tests and certifications. They must also store any data they collect regarding Chinese citizens on servers within the country’s borders -- it can’t be moved abroad without permission. Failure to comply and implement any necessary cybersecurity measures can result in criminal charges and fines of up to 1 million yuan (just over $150,000 USD).

Singapore is working on a new cybersecurity bill that still needs to pass through their parliament. It is similar to China’s cybersecurity law in that it’ll have greater visibility and authority regarding how data is used, processed, and stored. The bill requires financial services to report any cyber incidents or modifications of system design or security to the Commissioner of Cybersecurity. Lack of compliance can result in fines of up to $100,000 or up to 10 years imprisonment.

The European Union is aiming to put European citizens back in charge of their data. Under this law consumers must now actively consent to businesses who want to process their data, and they can also withdraw their consent at any time or request that their data be transferred to other organizations. The bill also offers the "Right to be Forgotten," which means citizens can ask for their data to be completely erased or not be processed at all. This doesn’t only apply to organizations in Europe; it also applies to all organizations that process and store data on European citizens regardless of where they’re physically located. Noncompliance can result in fines of 10 million to 20 million, or 2 percent to 4 percent of worldwide annual turnover, whichever is higher, depending on the degree of the infringement.

The United Kingdom will also participate in the European Union’s law even though they’re leaving the European Union behind. However, they’re making some minor changes in how they address journalists and scientific researchers.

The United States is also becoming increasingly focused on cybersecurity at both the state and national level. The New York Department of Financial Services’ (DFS) 23 NYCRR 500 cybersecurity regulation gives New York’s banks 72 hours in which they must report any cyber incidents that could compromise data, including disruptions by ransomware or DDoS attacks. Banks are also required to have a robust cybersecurity plan in place and employ someone who oversees its processes and maintenance.

Maintaining Compliance Around the World

There are heavy financial and business consequences any time there’s a lack of compliance with these new regulations. Financial service firms need to review each of these new regulations to ensure compliance and how their organization will be affected. They also need to take time to understand that the use of open source antivirus can keep your data safe from any kind of breach. Of course, it’s important to understand that each law requires financial organizations to take different cybersecurity measures, but these measures will be valuable for everyone.

Conducting a cyber threat assessment (CTA) gives financial service firms an in-depth look at the security protocol they already have in place. They’ll also see in what areas they’re at risk. This gives them the chance to make adjustments to security and demonstrate to the regulating bodies that they’re making security and compliance a priority.

Today it’s important for financial services firms to take an architectural approach to security. This provides them with greater data visibility across distributed environments. Regulations also continue to grow, requiring data to be made available to consumers and regulating bodies in a timely fashion. The combination of these things is integral to compliance. IT and security infrastructure need to adapt and change to keep up with all of this, making data visibility key today.

Peter Davidson works as a senior business associate helping brands and start ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on latest technologies and applications.

80 hackers vie for cumulative prize of RM30,000 in PLUS Hackathon 2018

The country’s largest highway concessionaire PLUS organised a Hackathon aimed at producing innovative and creative applications. ― Bernama pic

KUALA LUMPUR, Nov 30 ― A total of 80 hackers from 20 teams are competing for a cumulative prize of up to RM30,000 in the PLUS Hackathon 2018 programme.

The competition organised by PLUS Malaysia Berhad for the very first time is aimed at creating and producing innovative and creative applications or products for the country’s largest highway concessionaire.

PLUS Chief Innovation and Technology Officer Shamsul Izhan Abdul Majid said the programme was in line with the company’s goal of providing a smarter and high-tech highway travel experience to customers.

He said the programme would also provide opportunities for participants to share ideas on creating or developing innovative applications, including unique prototypes to help PLUS provide smarter, safer, and cost-effective highway services in the future.

“The team which is successful in creating a product, prototype or interesting and practical application will be given the opportunity to collaborate and become PLUS’ smart partner,” he said during the launch of the programme, here today.

Themed #hackingthehighway, the 24-hour non-stop competition, which began today, draws participants who are experts in digital application creation, computer software, graphic design, project management, and other related fields. ― Bernama

AWS re:Invent 2018 Recap: Security, DevOps, ML, & Hybrid Cloud Take Center ...


Another year at AWS re:Invent has come and gone. As usual it was a jam packed show full of exciting announcements, great keynotes, sessions, and interesting conversations. In case you couldn’t make it to Vegas this year or could use a summary of what you missed while you were running between sessions, here are some of the highlights from our week in the desert.

IoT, Machine Learning, and Hybrid

The week started off with a heavy focus on AWS’ increasing support for IoT, including announcements of new features like AWS IoT SiteWise, AWS IoT Device Tester, and AWS IoT Events, among others. From there the focus shifted to machine learning with a lot of discussions around AWS SageMaker, Amazon Elastic Inference, and the new AWS Inferentia processor, which is designed to lower the cost of machine learning processes. Many at the show were buzzing about the announcement of AWS DeepRacer, a 1/18th scale “race car” that is meant to help developers get started with reinforcement learning, and the accompanying time trials at the MGM Grand Garden Arena.

One of the announcements that will surely have a lasting impact was the introduction of AWS Outposts. A clear indication that AWS is ramping up its focus on the enterprise and fully embracing hybrid cloud, AWS Outposts brings AWS infrastructure on-prem, either with VMware Cloud on AWS Outposts or an AWS native variant that lets users leverage the same APIs and control planes used in the AWS cloud, on-prem.

Security and DevOps

Finally we get to the areas we’re most excited about at Threat Stack ― DevOps and security! In the first of many new features and services that will help DevOps and security teams, AWS Firecracker was announced on Monday. Firecracker is an open source virtualization tool written in the Rust programming language that will help AWS users create, manage, and secure multi-tenant containers. The open source community will also benefit from this contribution and be confident of success given that Firecracker has been in production as the virtualization backbone for AWS Fargate and AWS Lambda services.

Later in the week AWS also announced the addition of container products in AWS Marketplace, the much anticipated AWS Security Hub, a user governance baselining tool in AWS Control Tower, and many other features and services that will be a boon for SecOps teams. All of these announcements show an understanding that organizations are struggling to secure and manage their cloud infrastructure, partly because of the sheer number of services and features available. We are looking forward to continuing our work with AWS as we help our customers achieve complete security observability within their cloud infrastructure.

Speaking of security observability, Threat Stack customer Chris Murdock, Security Architect at Conga, gave a great talk on “Security Observability: Democratizing Security in the Cloud.” In this session, Chris discussed how Conga extends visibility into next-gen infrastructure by building measurement directly into systems, factoring in security-related KPIs and OKRs. The outcome for customers of any size is that they are able to securely scale their infrastructure while continuing to enable innovation at the speed of business. Make sure you check back for the recording so you can learn how Conga does this.

Next Up

While many of us are still recovering from re:Invent (another great re:Play after-party featuring the return of Skrillex may have something to do with it), we wanted to close with one last exciting announcement coming out of this year’s show: AWS re:Inforce 2019, an entire show dedicated to AWS security, is taking place in Boston on June 25 and 26, 2019. Make sure to mark your calendars, and we’ll see everyone in Boston in a few short months!

Book a Demo

If you missed out on the show this year or didn’t get a chance to stop by our booth, book a demo today to learn how you can achieve complete security observability within your AWS infrastructure.

Greg Fitzgerald Reducing Operational Risk with JASK


JASK is modernizing security operations with products and services to reduce organizational risk and improve human efficiency.

They are empowering the SOC analyst to focus on investigative and response work, rather than the onerous data ingestion, normalization, parsing, and alert discrimination that is required to simply determine what is important and take action.

About Greg Fitzgerald

Greg Fitzgerald (@bsafer) serves as the Chief Marketing Officer at JASK (@jasklabs), where he is responsible for the global strategy and execution of the company’s go-to-market functions to drive brand, demand and expansion for the company’s artificial intelligence-driven platform.

Fitzgerald brings more than 25 years of technology leadership experience to JASK, most recently serving as Chief Operating Officer of Javelin Networks. Prior to that, he was a Founding Executive Member and CMO at Cylance.

About Matt Stephenson

InSecurity Podcast host Matt Stephenson (@packmatt73) leads the Security Technology team at Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity Podcast and host of CylanceTV.

Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come before.


NYC buses: Cubist regression with more predictors


(This article was first published on R Programming DataScience+, and kindly contributed to R-bloggers)

Categories: Advanced Modeling

Tags: Data Management, Linear Regression, R Programming

We have previously added a set of company identity-agnostic predictors, such as the number of drivers a company employs, or the number of vehicles in the fleet with a hydraulic lift, and so on. We took this approach, rather than having each company as a unique predictor, so that the addition of a new contractor would not (necessarily) confuse our model.

I understand that this means company history, specific vehicle history, and so on, are not included. Nevertheless, we want to see how much information is in the new predictors.

Data exploration <code>in_csv <- "../output/intermediate/ii_times.csv" ii_times <- read_csv(in_csv) %>% filter(reported_before_resolved == 1) %>% #we kept these flags for exploration, but they are troublesome for our real prediction. If we know a case has already been resolved, our model looks better than it is at predicting delays. mutate(reported_before_resolved = NULL) #first we look at the correlation of the predictors with the time_delayed: corrr_analysis <- ii_times %>% select(-Busbreakdown_ID) %>% correlate() %>% focus(time_delayed) %>% rename(feature = rowname) %>% arrange(desc(abs(time_delayed))) %>% mutate(feature = as_factor(feature)) corrr_analysis %>% print(n=61)</code> <em>## # A tibble: 45 x 2 ## feature time_delayed ## <fct> <dbl> ## 1 Boro_Bronx -0.166 ## 2 vehicle_total_max_riders -0.159 ## 3 vehicle_total_with_attendants 0.159 ## 4 vehicle_total_reg_seats -0.157 ## 5 drivers_total_attendant 0.147 ## 6 Has_Contractor_Notified_Parents 0.140 ## 7 service_type_d2d 0.140 ## 8 Number_Of_Students_On_The_Bus -0.139 ## 9 Boro_Manhattan 0.125 ## 10 Boro_StatenIsland -0.106 ## 11 Reason_HeavyTraffic -0.106 ## 12 vehicle_total_with_lifts 0.106 ## 13 Reason_MechanicalProblem 0.100 ## 14 vehicle_total_ambulatory_seats -0.0960 ## 15 drivers_staff_servSchool 0.0716 ## 16 rush_min_from_peak 0.0648 ## 17 Reason_FlatTire 0.0582 ## 18 Boro_Queens 0.0550 ## 19 Reason_Accident 0.0503 ## 20 drivers_num_servPreK -0.0478 ## 21 Reason_DelayedbySchool -0.0471 ## 22 drivers_staff_servPreK -0.0468 ## 23 School_Age 0.0441 ## 24 drivers_numServ_prek -0.0425 ## 25 Boro_Westchester 0.0400 ## 26 drivers_numServ_school 0.0390 ## 27 rush_within -0.0385 ## 28 Reason_WontStart 0.0383 ## 29 Boro_Brooklyn 0.0378 ## 30 Reason_WeatherConditions 0.0367 ## 31 Boro_NassauCounty 0.0345 ## 32 Has_Contractor_Notified_Schools 0.0334 ## 33 Boro_NewJersey 0.0265 ## 34 time_am -0.0257 ## 35 rush_between 0.0254 ## 36 Active_Vehicles -0.0164 ## 37 rush_outside 0.0152 ## 38 Reason_ProblemRun 0.0115 
## 39 Have_You_Alerted_OPT -0.0113 ## 40 Reason_LatereturnfromFieldTrip 0.0109 ## 41 drivers_total_driver -0.00878 ## 42 Boro_RocklandCounty 0.00809 ## 43 Boro_Connecticut -0.00787 ## 44 vehicle_total_disabled_seats 0.00572 ## 45 drivers_num_servSchool -0.00182 </dbl> </fct></em> #NR: there are some NAs here. I need to have a look at them. These are the no-information columns. corrr_analysis %>% filter(!is.na(time_delayed)) %>% ggplot(aes(x = time_delayed, y = fct_reorder(feature, desc(time_delayed)))) + geom_point() + # Positive Correlations - Contribute to churn geom_segment(aes(xend = 0, yend = feature), color = magma(4)[[3]], data = corrr_analysis %>% filter(time_delayed > 0)) + geom_point(color = magma(4)[[3]], data = corrr_analysis %>% filter(time_delayed > 0)) + # Negative Correlations - Prevent churn geom_segment(aes(xend = 0, yend = feature), color = magma(4)[[1]], data = corrr_analysis %>% filter(time_delayed < 0)) + geom_point(color = magma(4)[[1]], data = corrr_analysis %>% filter(time_delayed < 0)) + # Vertical lines geom_vline(xintercept = 0, color = plasma(3)[[2]], size = 1, linetype = 2) + geom_vline(xintercept = -0.25, color = plasma(3)[[2]], size = 1, linetype = 2) + geom_vline(xintercept = 0.25, color = plasma(3)[[2]], size = 1, linetype = 2) + # Aesthetics theme_bw() + labs(title = "Delay Correlation Analysis", subtitle = paste("Positive => delay", "; negative => reduce delay"), x = "delay correlation", y = "Feature") + theme(text=element_text(family="Arial", size=16), axis.text.y = element_text(size=7))
[Figure: "Delay Correlation Analysis" plot, delay correlation per feature]

There are already some interesting insights from these data. Drivers appear more likely to alert OPT for delays which end up shorter. Companies with a lot of ambulatory seats in their fleet suffer shorter delays. Services closer to peak hour suffer lower delays, something of a surprise. Companies with a lot of attendants and hydraulic lifts suffer longer delays. Having a high number of pre-K services disposes a company towards less delay; having a high number of school services disposes it towards more delay. And so on. We also see structure carried over from the original data, including different delays for different boroughs and for different reasons.

One of the first questions we might ask of all these predictors is: are they correlated with each other? If they are not, then perhaps we could, at some stage, run a naive Bayesian classification. Let's take a look at the cross-correlations between some of the predictors. We include 'time_delayed' for reference:

<code>
corrr_high <- corrr_analysis %>%
  mutate(feature = as.character(feature)) %>%
  filter(feature != "reported_before_resolved") %>%
  filter(abs(time_delayed) >= quantile(abs(corrr_analysis$time_delayed), 0.8)) %>%
  dplyr::select(feature) %>%
  as.data.frame()

ii_times %>%
  select(time_delayed, corrr_high[[1]]) %>%
  ggcorr(nbreaks = 8, low = "#924A51", mid = "#70A5D4", high = "#FE9F14",
         max_size = 20, min_size = 2, size = 3,
         hjust = 1, vjust = 0.5, angle = 0, layout.exp = 4)
</code>
[Figure: cross-correlation matrix of time_delayed and the 'more important' predictors]

Even in this reduced set of 'more important' predictors, we can see that many predictors correlate more strongly with each other than with the target variable (time_delayed). This seems pretty bad news for the independence assumption of naive Bayes. The data set also might be a candidate for dimensionality reduction, but at this stage I wanted to keep things as human-transparent as possible.

Building a Cubist regression model with the extra predictors

This next part is straightforward. We go through essentially the same process that we did before, but this time we are armed with the extra predictors. If these predictors are useful, our RMSE should be lower and our \(R^2\) should be higher.

<code>
halfFold <- createFolds(ii_times$time_delayed, k = 5, list = TRUE)
ii_small <- ii_times[halfFold[[2]], ]
ii_test  <- ii_times[halfFold[[3]], ]
ii_train <- ii_times %>% anti_join(ii_test, by = "Busbreakdown_ID")

rctrl_manual <- trainControl(method = "none", returnResamp = "all")
rctrl_repcv  <- trainControl(method = "repeatedcv", number = 2, repeats = 5, returnResamp = "all")

#---There is actually a problem here. If I do not use the reported_before_resolved flag,
#   I should remove those points from the data set. Do this and retry.

#---cubist
cubist_grd <- expand.grid(committees = 75, neighbors = 0)
set.seed(849)
cubist_cv <- train(time_delayed ~ . -Busbreakdown_ID,
                   data = ii_small,
                   method = "cubist",
                   metric = "RMSE",
                   na.action = na.pass,
                   trControl = rctrl_repcv,
                   tuneGrid = cubist_grd,
                   control = Cubist::cubistControl(unbiased = T, rules = 30, sample = 0))
cubist_cv
</code>

<em>
## Cubist
##
## 40665 samples
##    46 predictor
##
## No pre-processing
## Resampling: Cross-Validated (2 fold, repeated 5 times)
## Summary of sample sizes: 20333, 20332, 20333, 20332, 20331, 20334, ...
## Resampling results:
##
##   RMSE      Rsquared   MAE
##   11.74162  0.3502251  8.273603
##
## Tuning parameter 'committees' was held constant at a value of 75
##
## Tuning parameter 'neighbors' was held constant at a value of 0
</em>

<code>
# comm75, rules30: 0.355, RMSE 11.72
cubist_cv$finalModel$splits %>% glimpse
</code>

<em>
## Observations: 8,341
## Variables: 8
## $ committee  <dbl> 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ...
## $ rule       <dbl> 1, 1, 1, 1, 2, 2, 2, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, ...
## $ variable   <fct> Number_Of_Students_On_The_Bus, vehicle_total_with_l...
## $ dir        <fct> >, <=, <=, <=, >, <=, >, >, >, <=, >, <=, >, <=, >,...
## $ value      <dbl> 4, 4, 225, 5449, 0, 389, 601, 7, 131, 5449, 4, 82, ...
## $ category   <fct> , , , , , , , , , , , , , , , , , , , , , , , ,
## $ type       <chr> "type2", "type2", "type2", "type2", "type2", "type2...
## $ percentile <dbl> 0.8056068, 0.3884421, 0.4687077, 0.5004795, 0.94132...
</em>

<code>
cubist_cv$finalModel$coefficients %>% glimpse
</code>

<em>
## Observations: 2,234
## Variables: 48
## $ `(Intercept)`                   <dbl> 26.4, 59.3, 11.1, 19.1, 17.7, ...
## $ Has_Contractor_Notified_Schools <dbl> NA, 1.5, NA, 0.7, NA, NA, 3.3,...
## $ Has_Contractor_Notified_Parents <dbl> 0.6, 1.3, 1.5, 0.5, NA, 2.5, N...
## $ Have_You_Alerted_OPT            <dbl> 1.4, -0.6, -4.5, -2.4, 0.4, -1...
## $ Number_Of_Students_On_The_Bus   <dbl> -0.14, -0.07, -0.14, -0.08, -0...
## $ School_Age                      <dbl> NA, NA, NA, NA, NA, NA, NA, NA...
## $ Reason_Accident                 <dbl> 4, 6, NA, 2, NA, NA, NA, NA, 7...
## $ Reason_DelayedbySchool          <dbl> -2, NA, NA, NA, NA, NA, NA, NA...
## $ Reason_FlatTire                 <dbl> 2, 4, NA, NA, NA, NA, NA, NA, ...
## $ Reason_HeavyTraffic             <dbl> -2.4, -1.1, NA, -0.4, -3.7, NA...
## $ Reason_LatereturnfromFieldTrip  <dbl> NA, 1.1, NA, NA, NA, NA, NA, 1...
## $ Reason_MechanicalProblem        <dbl> 2.2, 2.5, NA, 0.8, NA, NA, NA,...
## $ Reason_ProblemRun               <dbl> NA, 2, NA, NA, NA, NA, NA, NA,...
## $ Reason_WeatherConditions        <dbl> NA, 3.9, NA, NA, 5.0, NA, NA, ...
## $ Reason_WontStart                <dbl> 2, 2, NA, NA, NA, NA, NA, NA, ...
## $ Boro_Bronx                      <dbl> 0.6, 0.6, -1.1, -1.3, 4.2, -2....
## $ Boro_Brooklyn                   <dbl> 2.4, -0.4, NA, 2.5, 0.6, 1.4, ...
## $ Boro_Connecticut                <dbl> NA, NA, NA, NA, NA, NA, NA, NA...
## $ Boro_Manhattan                  <dbl> 2.3, 1.5, -1.0, -0.4, 0.6, NA,...
## $ Boro_NassauCounty               <dbl> 4, 2, NA, NA, NA, NA, NA, NA, ...
## $ Boro_NewJersey                  <dbl> NA, NA, NA, NA, NA, NA, NA, NA...
## $ Boro_Queens                     <dbl> 3.9, 0.7, NA, NA, 0.8, NA, -4....
## $ Boro_RocklandCounty             <dbl> NA, NA, NA, NA, NA, NA, NA, NA...
## $ Boro_StatenIsland               <dbl> NA, 1.9, NA, NA, NA, NA, NA, N...
## $ Boro_Westchester                <dbl> 2.5, NA, NA, NA, NA, NA, NA, N...
## $ drivers_numServ_school          <dbl> -2.0, NA, NA, NA, -0.3, NA, NA...
## $ drivers_numServ_prek            <dbl> -2.4, NA, NA, NA, NA, NA, NA, ...
## $ drivers_total_driver            <dbl> 0.0330, -0.4627, 0.1162, 0.523...
## $ drivers_total_attendant         <dbl> -0.1228, -0.4552, 0.2071, 0.29...
## $ drivers_num_servPreK            <dbl> -0.592, NA, -0.463, -0.872, -0...
## $ drivers_num_servSchool          <dbl> NA, NA, NA, NA, -1.7894, NA, 1...
## $ drivers_staff_servPreK          <dbl> 0.303, NA, NA, NA, -0.982, 0.0...
## $ drivers_staff_servSchool        <dbl> 0.0372, 0.3984, -0.2191, -0.42...
## $ Active_Vehicles                 <dbl> 0.4074, 0.0722, 0.0733, 0.1984...
## $ vehicle_total_max_riders        <dbl> -0.00330, 0.00047, 0.02326, 0....
## $ vehicle_total_reg_seats         <dbl> -0.00571, -0.00160, -0.01979, ...
## $ vehicle_total_disabled_seats    <dbl> NA, -0.0183, -0.0368, -0.0802,...
## $ vehicle_total_ambulatory_seats  <dbl> NA, NA, NA, NA, NA, NA, NA, 0....
## $ vehicle_total_with_lifts        <dbl> 14.131, 0.130, 0.120, 0.460, 1...
## $ vehicle_total_with_attendants   <dbl> -0.2296, -0.0095, -0.0022, -0....
## $ service_type_d2d                <dbl> -1.6, 0.5, NA, -1.8, -0.6, -0....
## $ time_am                         <dbl> -5.0, -0.5, NA, NA, NA, NA, 4....
## $ rush_within                     <dbl> -2.3, 1.3, NA, NA, -1.3, -2.8,...
## $ rush_between                    <dbl> -4.8, -1.2, NA, -1.3, -3.2, -5...
## $ rush_outside                    <dbl> -1.6, 0.6, NA, -0.4, -3.5, -2....
## $ rush_min_from_peak              <dbl> NA, 0.019, NA, 0.006, NA, 0.02...
## $ committee                       <chr> "1", "1", "1", "1", "1", "1", ...
## $ rule                            <chr> "1", "2", "3", "4", "5", "6", ...
</em>

<code>
cubist_cv$finalModel$usage %>% head
</code>

<em>
##   Conditions Model                       Variable
## 1         48    86        vehicle_total_reg_seats
## 2         41    20 vehicle_total_ambulatory_seats
## 3         37    75       vehicle_total_with_lifts
## 4         35    49            Reason_HeavyTraffic
## 5         28    90       vehicle_total_max_riders
## 6         24    86  vehicle_total_with_attendants
</em>

<code>
cubist_man <- train(time_delayed ~ . -Busbreakdown_ID,
                    data = ii_train,
                    method = "cubist",
                    metric = "RMSE",
                    na.action = na.pass,
                    trControl = rctrl_manual,
                    tuneGrid = cubist_grd,
                    control = Cubist::cubistControl(unbiased = T, rules = 30, sample = 0))

ii_withpred <- ii_test %>%
  mutate(time_predicted = predict(cubist_man, newdata = ii_test))

ii_withpred %>%
  summarise(rms = (mean((time_predicted - time_delayed)^2))^0.5,
            sum_sq = sum((time_predicted - time_delayed)^2),
            tot_sum_sq = sum((time_delayed - mean(time_delayed))^2),
            r_sq = 1 - sum_sq / tot_sum_sq)
# 0.371, RMSE 11.6
</code>

<em>
## # A tibble: 1 x 4
##     rms   sum_sq tot_sum_sq  r_sq
##   <dbl>    <dbl>      <dbl> <dbl>
## 1  11.5 5422077.   8556551. 0.366
</em>

<code>
ii_overfit <- ii_train %>%
  mutate(time_predicted = predict(cubist_man, newdata = ii_train))

ii_overfit %>%
  summarise(rms = (mean((time_predicted - time_delayed)^2))^0.5,
            sum_sq = sum((time_predicted - time_delayed)^2),
            tot_sum_sq = sum((time_delayed - mean(time_delayed))^2),
            r_sq = 1 - sum_sq / tot_sum_sq)
# 0.374, RMSE 11.5: the overfit is not too bad.
</code>

<em>
## # A tibble: 1 x 4
##     rms    sum_sq tot_sum_sq  r_sq
##   <dbl>     <dbl>      <dbl> <dbl>
## 1  11.5 21412743.  34357934. 0.377
</em>

<code>
# column names to protect from gather(): everything except the Reason_* dummies
protec <- ii_withpred %>%
  mutate(Reason_Other = 1L) %>%   # dummy flag to get the name in
  select(-contains("Reason")) %>%
  colnames()

pal <- brewer.pal(10, "Paired")

ii_withpred %>%
  mutate(Reason_Other = ifelse(Reason_Accident + Reason_DelayedbySchool + Reason_FlatTire +
                                 Reason_HeavyTraffic + Reason_LatereturnfromFieldTrip +
                                 Reason_MechanicalProblem + Reason_ProblemRun +
                                 Reason_WeatherConditions + Reason_WontStart == 1, 0L, 1L)) %>%
  gather(key = Reason, value = dummy, -one_of(protec)) %>%
  filter(dummy == 1) %>%
  mutate(dummy = NULL) %>%
  filter(row_number() %% 10 == 0) %>%
  ggplot(aes(x = time_predicted, y = time_delayed, fill = Reason, color = Reason)) +
  geom_point(alpha = 0.75, shape = 21) +
  scale_fill_manual(values = pal) +
  geom_abline(intercept = 0, slope = 1, color = "red") +
  # coord_cartesian() takes xlim, not x; expand is a logical flag
  coord_cartesian(xlim = c(0, 60), expand = FALSE) +
  theme_classic() +
  labs(x = "time_predicted [min]", y = "time_delayed [min]") +
  theme(text = element_text(family = "Arial", size = 16)) +
  theme(axis.line = element_line(colour = "black", size = 1)) +
  theme(axis.ticks = element_line(colour = "black", size = 1)) +
  ggtitle("Cubist with extra predictors: delayed vs predicted")
</code>

Hackers Exploit UPnP in Routers to Expose Private Networks to Attacks


Hackers are exploiting insecure UPnP implementations in routers to expose millions of computers from inside private networks to SMB attacks.

Universal Plug and Play (UPnP) is a service that allows devices to discover each other inside local networks and automatically open ports for data sharing, media streaming and other services. Normally, UPnP should only be exposed to the LAN interface, but insecure implementations have been found in numerous devices over the years, especially in home routers.


Earlier this year, researchers from Akamai found that attackers were scanning the internet for routers that exposed their UPnP service without authentication and were abusing them to set up port forwarding rules that allowed them to use the devices as proxies for malicious traffic. The researchers dubbed that attack UPnProxy.

Now, six months later, there are still 3.5 million devices that expose their UPnP endpoint to the internet and 277,000 of them are vulnerable to UPnProxy. Even worse, attackers have switched from simply using this technique to proxy malicious traffic to exposing computers behind the affected routers.

Akamai found malicious UPnP injections on more than 45,000 routers that opened random external ports on the devices and mapped them to TCP ports 445 and 139 on internal IP addresses. Ports 445 and 139 are used by SMB, a network file-sharing protocol enabled by default on Windows and Linux computers.

This means that attackers now have the capability to access internal computers over SMB directly from the internet. And SMB has known vulnerabilities, such as EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) which have been widely exploited in the wild by ransomware worms including WannaCry and NotPetya.

In fact, attackers have put “galleta silenciosa” (Spanish for “silent cookie/cracker”) in the description field of the injected port mapping rules. Because of this, the Akamai researchers have named the new attack EternalSilence.

“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits,” the company said in its report.

These appear to be opportunistic attacks where hackers have taken a shotgun approach and are blindly injecting SMB port forwarding rules wherever they can. This doesn’t make the attacks less serious, as corporate networks might still contain a significant number of computers and devices that haven’t yet been patched against SMB flaws and are only protected because they can’t be reached from the internet.

“The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits,” the Akamai researchers said.

Detecting the injections is not easy because they don’t typically show up in administrative interfaces. To see them, administrators have to use special tools that interact with UPnP and can dump the entries from the NAT table.
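One way to do that dump from the LAN side, as an added example that is not code from the article or from Akamai: the script below walks a router's UPnP IGD port-mapping table entry by entry with the standard GetGenericPortMappingEntry SOAP action and flags rules that forward an external port onto internal TCP 445/139 or carry the “galleta silenciosa” description. It assumes the WANIPConnection control URL is already known (it comes from the router's device description XML) and that the router ends the table with a UPnP errorCode 713 fault as the IGD specification defines; the NAT table it runs against here is constructed.

```python
"""Walk a router's UPnP IGD port-mapping table and flag EternalSilence-style
entries (forwards to internal SMB ports 445/139, or the description Akamai
reported). Added example, not code from the article or from Akamai."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {445, 139}
SUSPICIOUS_DESCRIPTIONS = {"galleta silenciosa"}  # string Akamai observed


def build_get_mapping_request(index: int) -> bytes:
    """SOAP body for GetGenericPortMappingEntry at NAT-table index `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping_response(xml_text: str):
    """Return the mapping as a dict, or None on a SOAP fault (the IGD spec
    answers an index past the end of the table with errorCode 713)."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body in response")
    if body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = body.find(f"{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("unexpected SOAP response")
    f = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "external_port": int(f["NewExternalPort"]),
        "protocol": f.get("NewProtocol", ""),
        "internal_port": int(f["NewInternalPort"]),
        "internal_client": f.get("NewInternalClient", ""),
        "description": f.get("NewPortMappingDescription", ""),
    }


def is_suspicious(m: dict) -> bool:
    """EternalSilence signature: an external port mapped onto internal SMB,
    or the description string seen in the injected rules."""
    if m["protocol"].upper() == "TCP" and m["internal_port"] in SMB_PORTS:
        return True
    return m["description"].lower() in SUSPICIOUS_DESCRIPTIONS


def router_fetch(control_url: str):
    """Build fetch(index) that POSTs to the router (assumed control URL)."""
    def fetch(index: int) -> str:
        req = urllib.request.Request(
            control_url, data=build_get_mapping_request(index),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read().decode()
        except urllib.error.HTTPError as e:  # SOAP faults arrive as HTTP 500
            return e.read().decode()
    return fetch


def enumerate_mappings(fetch) -> list:
    """Read entries 0, 1, 2, ... until the router faults (end of table)."""
    mappings, index = [], 0
    while (m := parse_mapping_response(fetch(index))) is not None:
        mappings.append(m)
        index += 1
    return mappings


def flag_mappings(mappings: list) -> list:
    return [m for m in mappings if is_suspicious(m)]


# --- constructed sample NAT table so the script runs offline ---
def _entry(ext, proto, iport, client, desc):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

CONSTRUCTED_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                     '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                     '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                     '<errorCode>713</errorCode></UPnPError></detail>'
                     '</s:Fault></s:Body></s:Envelope>')

CONSTRUCTED_TABLE = [  # one legitimate console rule, one injected SMB forward
    _entry(3074, "UDP", 3074, "192.168.1.20", "game console"),
    _entry(47831, "TCP", 445, "192.168.1.15", "galleta silenciosa"),
]

def constructed_fetch(index: int) -> str:
    return CONSTRUCTED_TABLE[index] if index < len(CONSTRUCTED_TABLE) else CONSTRUCTED_FAULT


if __name__ == "__main__":
    # against a real device: enumerate_mappings(router_fetch("http://<router-ip>:<port>/<ctl-path>"))
    for m in flag_mappings(enumerate_mappings(constructed_fetch)):
        print("suspicious mapping:", m)
```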

Worse, the injection technique can be used in the future for additional services, every time a serious vulnerability appears in a protocol that’s not typically exposed to the internet but can be attacked over the local network.

Router owners should make sure their devices are running the latest available firmware version and they should disable UPnP if it’s not needed. For devices that might have already been compromised, a reset to factory default settings is recommended to clean the NAT injections after disabling UPnP.

NUUO Patches Vulnerability That Exposes Surveillance Cameras

Security researchers have identified a serious vulnerability in a network video recorder (NVR) product from NUUO that can be used to compromise the recordings and feeds from surveillance cameras.

The vulnerability is a buffer overflow affecting NUUO’s NVRMini2 and was found by researchers from security firm Digital Defense. NVRMini2 is an NVR-NAS combo device that’s capable of recording and controlling video feeds from multiple surveillance cameras.

The vulnerability allows remote unauthenticated attackers to execute arbitrary code on affected systems with root privileges. It can be exploited by sending a specially crafted GET request to the affected service with a URI length of 351 characters or greater.

Users should update their NVRMini2 systems to the latest firmware version released by the manufacturer. The vulnerability affects firmware versions 3.9.1 and older.

It’s estimated that NUUO’s devices are used in more than 100,000 video surveillance deployments worldwide, in industries such as retail, transportation, education, government and banking. Since each NVR device can be used to control up to 16 cameras, the number of indirectly affected cameras is most likely in the hundreds of thousands.

Join the fight ― become an ethical hacker with this $39 master class


If you’re looking to roll down a new career path, you should stick tight to this little mantra: go where the jobs are. And if you want a job that’s all but guaranteed to present loads of opportunities in the coming years, becoming an information security analyst (better known as an ethical hacker) is high on the list. In fact, the job market for a trained hacker is expected to rise by almost 30 percent by 2026.

That should be enough incentive to make you consider your options, like training with The 2019 Ethical Hacker Master Class course bundle. This package is on sale right now for thousands off its regular price, just $39 from TNW Deals.


Over 10 courses featuring almost 190 hours of instruction, you’ll learn how to break into the ethical hacking field. You’ll learn the basics all the way up to advanced skills, and the tools of security testing. You’ll be well trained in all the components you’ll need to score a great new career in this challenging IT realm.

The courses include:

Certified Ethical Hacker v9 Training (a $2,000 value)
Certified Cyber Threat Intelligence Analyst (a $100 value)
Certified Advanced Persistent Threat Analyst (a $100 value)
Computer Hacker & Forensic Investigator Training (a $100 value)
CompTIA A+ Certification Prep (a $100 value)
CompTIA Security+ Certification Prep (a $100 value)
CompTIA Network+ Certification Prep (a $100 value)
Certified Security Analyst Training (a $100 value)
Certified Ethical Hacker Bootcamp (a $2,083 value)
Ethical Hacking With Python (a $100 value)

Much of this training is geared toward skills directly linked to job certification, including some valuable CompTIA credentials. Packing these critical examples of your mastery, you can start the new year in a new industry willing to pay for your expertise.

Consider that you can bring home a $95,000 a year paycheck for identifying and fixing weaknesses in a company’s vital digital systems. Plus, never forget that the cool quotient of being a professional hacker is practically off the charts. An over $4,300 value, get in on this limited time offer now to get all this training at a fraction of that price: only $39.

DeepSec 2018 Wrap-Up


I’m writing this quick wrap-up in Vienna, Austria where I attended my first DeepSec conference. This event was already on my schedule for a while but I never had a chance to come. This year, I submitted a training and I was accepted! Good opportunity to visit the beautiful city of Vienna! Like many security conferences, the event started with a set of trainings on Tuesday and Wednesday. My training topic was about using OSSEC for threat hunting.

On Thursday and Friday, regular talks were scheduled and split across three tracks: two tracks for regular presentations and a third one called “Roots”, more dedicated to academic research and papers. There was a good balance between offensive and defensive presentations.

The keynote speaker was Peter Zinn and he presented a very entertaining keynote called “We’re all gonna die”. Basically, the main idea was to review how our world is changing in many respects and which new threats are coming: climate change, magnetic fields, Donald Trump, etc., but also from an information technology point of view. Peter revealed that we have to face 4 types of “cyber-zombies”:

People
Inequality
Operational technology and IoT
Artificial Intelligence (here is a funny video that demonstrates how AI may fail)

Later, we will face the “IoP” or “Internet of People”. IT will be present inside our bodies (RFID implants, sensors, contact lenses, …) and we’ll have to deal with them. Nice keynote!

Here is a quick recap of the talks that I attended. Fernando Arnaboldi and “Uncovering Vulnerabilities in Secure Coding Guidelines”. The idea behind this talk was to demonstrate that, even if you follow all well-known development guidelines (like OWASP, CWE or NIST), you can fail. He gave several snippets of code as examples. Personally, I liked the mention of the new KPI: “the WTF’s/minute”.

Then, Werner Schober presented the “Internet of Dildos”. Always entertaining to have a talk focusing on “exotic” IoT devices. He explained the different vulnerabilities that he found in a sex-toy and the associated mobile app & website in Germany. Basically, he explained how it was possible to access all (hot) pictures uploaded by the users, how to enable (make vibrate) any device connected in the world or, worse, access the personal data of the consumers…

Then, Eric Leblond talked about the new features that are constantly added to the Suricata IDS with a focus on eBPF filters. I already saw Eric’s presentation a few months ago but he added more stuff like a crazy idea to use BCC (“BPF Code Compiler”) to generate BPF filters from C code directly present in a Python script!

Joe Slowik came to speak about ICS attacks. More and more ICS attacks are reported in the news because there is some kind of aura of sophistication around them. Joe started with a recap of the major ICS attacks that industries faced in the last years. But many attacks are successful because the IT components used to control the ICS components are vulnerable, and the same tools are abused to compromise them (like Mimikatz, PsExec, etc). Note that the talk was a mix of offensive & defensive.

Benjamin Ridgway (from the Microsoft Incident Response Center) came to speak about incident handling. The abstract was not clear and a lot of people expected a talk explaining how to select and use the right tools to perform incident management, but it was completely different and not technical. Benjamin explained how to implement your IH process with a focus on the following points:

Human psychological response to stressful and/or dangerous situations
Strategies for effectively managing human factors during a crisis
Policies and structures that set up incident response teams for success
Tools for building a healthy and happy incident response team

It was an excellent presentation, one of my favourites!

Then, Dr. Silke Holtmanns from Nokia Bell Labs came to speak about new attack vectors for mobile core networks. The problem for people who are not in the field of mobile networks is the complexity of the terms and abbreviations used. It’s crazy! But Silke explained the basics very well: how roaming is used, how billing profiles are managed. Of course, the idea was then to explain some attacks. I liked the one focusing on how to change a billing plan when you’re abroad to reduce the roaming costs. Very didactic!

The next speaker was Mark Baenziger, who does incident handling. He explained the challenges that incident handlers might face when handling personal data (and so, how to protect their privacy). He explained how, in some cases, security teams failed to achieve this properly.

The last slot was assigned to Paula de la Hoz Garrido (she’s studying in Spain). She explained her project of network monitoring tools bundled on a Raspberry Pi. Interesting, but the practical part was missing (how to build the project on the Pi). The talk was more a review of tools that are used to capture/process packets.

The second day started with a nice talk called “Everything is connected: how to hack Bank Account using Instagram”. The idea was to abuse phone services provided by some banks to allow their customers to perform a lot of basic operations (through IVR). Aleksandr Kolchanov explained the attacks he performed against a Ukrainian bank. Some services are available only based on the caller-ID. This information can be easily spoofed using online services (ex: spooftel.com). Funny but crazy!

Then, I switched to the “Roots” room to attend a talk about using data over sound, more precisely ultrasonic sounds. Matthias Zeppelzauer explained the research he made about this technology, which is used more than we could expect! It’s possible to collect interesting information (ex: how people watch television programs) or to deliver ads to people entering a shop. He also presented the project “SoniControl”, which is some kind of ultrasonic firewall to protect the privacy of users.

My next choice was “RFID Chip Inside the Body: Reflecting the Current State of Usage, Triggers, and Ethical Issues” presented by Ulrike Hugl. RFID implants in human bodies are not new, but what’s the status today? Are people ready to have this kind of hardware under their skin? There is no massive deployment, but some companies try to convince their users to use this technology. It usually remains tests or fun projects.

Finally, my last choice was “Global Deep Scans Measuring Vulnerability Levels across Organizations, Industries, and Countries” by Luca Melette & Fabian Bräunlein. I was curious when I read the abstract. The idea behind this research was to scan the Internet and to classify scanned IP addresses by location and business. Then, they used an algorithm to compute a “hackability” level. Indeed, from a defender perspective, it’s interesting to learn how safe your competitors are. From an attacker point of view, it’s nice to know which are the juiciest targets. The result of their research is available here.

This was a very quick wrap-up of my first DeepSec (and I hope not the last one!). The conference size is nice, not too many attendees (my rough estimate is ~200 people), and it is properly managed by the crew. Thanks to them!

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!


The Marriott statement said that for around 326 million of its guests, the personal information compromised included “some combination” of name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was copied, and that it could not rule out that the encryption keys needed to decrypt cardholder data had also been stolen.

The hotel giant said it would notify affected customers and offer some of them a fraud detection service for a year for free, so I expect they will be making contact with me soon. In the meantime, Marriott has launched a website for affected customers.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website and from the National Cyber Security Centre. The hotel chain could face huge fines under the GDPR, and possibly a large-scale class action lawsuit by its affected guests, which could cost it millions of pounds.

What I really would like to know is why the hotel chain had retained such vast numbers of guest records after their stay, why it held its customers’ passport details, and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black , said “It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found

The report also found that more than a third (36%) of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation’s affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said “Following the breaking news today that Marriott’s Starwood bookings database has been compromised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach”.

“This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

Retailers Make Big Strides In Offering Clear Unsubscribe Links


They're also honoring unsubscribe requests as soon as they're made, according to the Online Trust Alliance.

A survey of North America's top 200 retailers released this week by the Internet Society's Online Trust Alliance found they have made great progress in managing emails on their websites.

In fact, 84% of retailers have clear and conspicuous unsubscribe links on their websites, says Jeff Wilbur, the OTA's technical director.

Now in its fifth year, the " 2018 Email Marketing & Unsubscribe Audit " also found 100% of the retailers use authentication tools like SPF and DKIM, 71% have DMARC records, and another 35% use DMARC enforcement. All of these tools have become generally accepted in the security industry for tracking and stopping email spoofing.

Another good number, according to Wilbur, is that 89% of retailers said they stop sending messages right after an unsubscribe request was submitted, as opposed to the permitted 10-day period.

"That's really a big one," Wilbur says. "People just want to know if they don't want the site to send them any more messages that they will stop sending them."

Vince Romney, director of information security at cosmetics company Younique Products, says the OTA survey mirrors many of the trends he has been seeing.

For starters, unsubscribe requests from users are being honored right away, he says. Younique has been using SPF and DKIM authentication built into Mimecast to filter emails and prevent spoofing, Romney added, plus the company has a very clear unsubscribe option on its website.

He also pointed out that many other retailers have stepped up their incident response activities. When he came on as security director in March, Younique started using AlienVault, which in effect serves as a SIEM for the company.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Leaked Marriott Data Could Let Attackers Decrypt Customers' Card Numbers: What Should Consumers Do?

Related news:

Marriott's Starwood hotel database breached; 500 million guests' information may have leaked

Sina US Stocks, Beijing time, December 1: Marriott International confirmed yesterday that the Starwood guest reservation database had been compromised, potentially putting the sensitive personal data of 500 million hotel guests at risk.

On September 8 of this year, Marriott International received an incident alert indicating that someone had attempted to access the Starwood guest reservation database. The subsequent investigation revealed a shocking fact: someone had managed to gain unauthorised access to the Starwood network as early as 2014.

In a statement released today, Marriott International confirmed that the information the intruder had copied and encrypted has been decrypted and was found to contain packages of personal information from the Starwood guest reservation database. The data found includes names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences of guests who booked at hotels in the Starwood group.

What is truly shocking is that Marriott International believes this encrypted database, which has not yet been fully decrypted, contains approximately 500 million guest records. About 327 million of these include the various data packages mentioned above.

Marriott's disclosure also revealed that some of the "information also includes payment card numbers and payment card expiration dates". Although these payment card numbers were encrypted with AES-128, Marriott said it could not rule out that the attackers had also accessed the components needed to decrypt them.

Anyone who made a reservation at a Starwood property on or before September 10 of this year may have had their information exposed. Marriott will email everyone who may be affected from its official address, starwoodhotels@email-marriott.com. Note that this address matters: phishers are very likely to exploit the breach notification by sending fake warning emails.

Marriott's statement includes the apology that has become all too familiar from companies whose databases have fallen victim to threat actors: "Marriott deeply regrets this incident happened." Phrases such as "we quickly took action to contain the incident and conducted a thorough investigation with the assistance of security experts" are equally familiar.

What guests and travellers more broadly want to know, however, is how all this happened in the first place. I suspect a big clue lies in the final paragraph of the main disclosure itself. The statement says Marriott "is supporting the efforts of law enforcement and working with leading security experts to improve", and then, unexpectedly, admits that Marriott "is devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network".

As Simon Roe, product manager at Outpost24, points out, "organisations need to treat newly acquired infrastructure, applications and systems as business-critical risks until they can identify and map the new, expanded attack surface and prioritise risk reduction." I fear that for 500 million guests, this advice comes too little and too late.

Javvad Malik, security advocate at AlienVault, seems to agree. "Encrypting the credit card database is all well and good, but if, according to the company's breach filing, the attackers were able to obtain the decryption keys, it is all in vain," Malik said, adding that "this is the equivalent of leaving the key under the doormat at the front door."

Given the 2016 merger of Starwood and Marriott, this also puts Marriott in a potentially dangerous position, as the breach was evidently well under way at the time. "Marriott suffered a cybersecurity incident that began more than two years before it announced the acquisition of Starwood, and the company now faces brand and reputational damage, regulatory scrutiny and legal problems," said Jeff Pollard, principal analyst at Forrester, continuing: "cybersecurity intrusions have a long tail, and this will bring Marriott unexpected costs." It will also bring unexpected losses to the guests whose data was stolen.

Ed MacNair, CEO of CensorNet, advises that anyone caught up in this breach "would be wise to sign up with a credit-checking service to make sure their personal information is not being misused." MacNair also advises that "it would also be wise to change the password on any other account that uses the same login details."

Trevor Reschke, threat intelligence officer at Trusted Knight, warns that "the details of these 500 million people will very likely be sold online." Reschke concludes that anyone who stayed at a Starwood or Marriott hotel in the past few years and has experienced some kind of fraud, whether stolen credit card details or identity theft, may find this breach "used to increase the criminals' chances of success".


OSSEC For Website Security: PART II Distributed Architectures Using Agents an ...


This article assumes you already have OSSEC deployed. If you need a refresher, refer to Part I of OSSEC for Website Security, written in March 2013.

OSSEC is a popular open-source Host Intrusion Detection System (HIDS). It was founded by Daniel Cid and is currently maintained by a very large community of security professionals. Please note that I don’t run my installations off the official repo; instead I run directly off Daniel’s repo (instructions in the last post).

In the following series I’m going to share the foundational elements of my OSSEC deployments. We’ll start by placing emphasis on the importance of deploying a distributed architecture in this article, making use of the Agent / Manager options. In future articles you can expect insights into the best way to configure for CMS applications like WordPress, tuning the engine to make use of the alerts, and notifications.

If you have questions, don’t hesitate to ask.

Agent / Manager Architecture

Proactively monitoring, aggregating and storing server activity (i.e., logs) is important for security professionals. It’s the less sexy aspect of security, but having a source of truth for this activity is imperative to understanding what is happening on your servers, especially post-compromise.

In fact, if you operate an online store you actually have an obligation to store and manage this activity:

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical in preventing, detecting and minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. (Source: Requirements and Security Assessment Procedures, version 3.2.1)

To help with this process I deploy OSSEC in a distributed manner, leveraging its agent and manager architecture. While I have a degree of confidence in my web server deployments, I realize that there is always the threat that I might have missed something. For that reason, I always push my activity to a remote service whose sole responsibility is managing, aggregating and reporting on all activity across my entire architecture.

This provides me the following assurances:

- Reduces the risk that an attacker might try to delete or otherwise modify activity;
- Consolidates activity from the entire environment into one record of truth, especially important when managing multiple servers;
- Facilitates the creation of synchronized orchestration for the entire stack (i.e., it all works and reports the same).

In basic terms, this illustration highlights my deployment:


[Figure: diagram of the agent / manager deployment]
Deploying an Agent / Manager Architecture

If you are running a local implementation of OSSEC you will need to rerun the OSSEC installer. There are ways to hack your way around the configuration, but it’s not worth it unless you have a free weekend (it’s never just one thing…).

On your web server:

Select your language and the installer will begin. You will set Agent at this point:

OSSEC HIDS r2016-04 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: linux
- User: root
- Host: [webserver name]
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? agent

The next step is to provide the IP of your manager; if you don’t know it at the time of installation, that’s OK. You can always update the IP in your ossec.conf file.

OSSEC HIDS r2016-04 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux
- User: root
- Host: [webserver name]
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? agent
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address of the OSSEC HIDS server?: [Manager IP]
- Adding Server IP [Manager IP]

Follow the instructions, setting your configuration options. Once done, the final step will be pressing Enter on your keyboard to complete the installation.

This will get your local agent configured, but now you have to navigate to your OSSEC manager to make sure it’s ready to accept the communication from the agent. You do this by creating a key pair that both the agent and manager will use to authenticate with each other.

On your OSSEC manager navigate to the Manage Agents application:

# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2016-04 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:

You want to add a new Agent, so enter A into the input field. It will then ask you a series of questions; this is where you want to give some thought to your naming convention. For instance, see below:

****************************************
* OSSEC HIDS v2016-04 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: pb.webserver1
* The IP Address of the new agent: any
* An ID for the new agent[001]: 01001
Agent information:
ID:01001
Name:pb.webserver1
IP Address:any
Confirm adding it?(y/n): y

What you see is that I use the PB (perezbox) prefix to identify servers I’m responsible for (you may, for instance, be managing servers that aren’t yours), and I apply a naming convention for each web server (e.g., webserver1). I could choose to make it more descriptive (maybe use the name of the domain on that server).

Note: I select ANY for the “IP Address of the new agent”; this is intentional. I have found this to be more effective than explicitly defining the IP of the agent server.

If everything looks good, select Y.

If all is successful, it’ll look something like this asking you what you want to do next:
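Once the agent is installed and registered on the manager, the two sides still need matching configuration. As an added example, not part of the original article, here is a small POSIX shell helper for the "update the IP in your ossec.conf" step on the agent, plus a check that the manager's ossec.conf is set to accept agents; paths are the installer defaults and the manager address in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: the "update the IP in your
# ossec.conf" step done safely, plus a check that the manager side is set to
# accept agents. Paths are the installer defaults; the manager address used
# in the usage comment is a constructed placeholder.

# is_ipv4 ADDR -> succeeds when ADDR is a dotted quad with octets 0-255
is_ipv4() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -f; set -- $addr; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# get_manager_ip CONF -> prints the current <server-ip> value (empty if none)
get_manager_ip() {
    sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' "$1"
}

# set_manager_ip CONF IP -> rewrites <server-ip> in the agent's <client> block.
# Refuses malformed addresses and files without the block, and writes through
# a temp file so a failed sed never leaves ossec.conf half-written.
set_manager_ip() {
    conf=$1; ip=$2
    is_ipv4 "$ip" || { echo "set_manager_ip: not an IPv4 address: $ip" >&2; return 1; }
    grep -q '<server-ip>' "$conf" ||
        { echo "set_manager_ip: no <client><server-ip> stanza in $conf" >&2; return 1; }
    sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# manager_accepts_agents CONF -> succeeds when the manager's ossec.conf has a
# <remote> block with <connection>secure</connection>, the setting that makes
# the manager listen for agent traffic (1514/udp by default).
manager_accepts_agents() {
    grep -q '<connection>secure</connection>' "$1"
}

# Typical use on the agent (10.0.0.5 is a placeholder for your manager):
#   set_manager_ip /var/ossec/etc/ossec.conf 10.0.0.5 && /var/ossec/bin/ossec-control restart
```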

Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity #82


In this episode Tom and Scott are joined by special guest Tanya Janca, who is a Senior Cloud Developer Advocate for Microsoft. We speak with Tanya about her journey into the world of AppSec, women and minorities in cybersecurity, her advice for getting started in AppSec, her OWASP project (DevSlop), the current state of DevOps and privacy, and much more! Tanya is one of our most fun and engaging guests; it’s one not to miss! Below are show notes and links mentioned in the podcast:

Tanya’s blog on Medium and her article on getting started in AppSec. Follow Tanya on Twitter. You can try connecting with her on LinkedIn, but she’s maxed out her connections! (We didn’t even know this was possible.) Tanya hosts a weekly live-streaming OWASP DevSlop show every Sunday at 1pm Eastern. Check it out on Mixer, Twitch, or YouTube.

You can also watch this episode with Tanya on YouTube!

Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening!

Setup AWS MySQL 5.6 Aurora as a Slave for an external Master with SSL


Setting up Aurora as a slave for an external MySQL server that acts as the master is a bit tricky. Of course we want a secured connection, so we need to create client certificates to be used by AWS RDS. The steps below should work for plain RDS as well.

Generate and Sign the Certificates

The process is actually simple, but AWS is picky about how you generate the certificates. I was using a SHA flag that was accepted by a regular MySQL 5.6 instance but caused a cryptic (pun intended) MySQL 2026 Generic SSL error, and it was quite hard to find the source. Also note that you need different common names (CN) for all three certificate pairs. They do not necessarily need to match the actual domain name, but they need to be different.

First we need to create the certificate authority that can sign the keys.

# Generate a certificate authority key pair
openssl genrsa 2048 > ca-key.pem
# Notice the CN name. It needs to be different for all of the three key pairs that we create!
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem -subj "/C=AT/ST=Tirol/L=Innsbruck/O=The Good Corp/OU=IT Department/CN=ca.mysql"

Then create the server key pair.

#Generate a server key. Note again the different CN
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=AT/ST=Tirol/L=Innsbruck/O=The Good Corp/OU=IT Department/CN=server.mysql"
# Convert the format
openssl rsa -in server-key.pem -out server-key.pem
# Sign it
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Finally we generate a client certificate and its key. You can repeat these steps to generate multiple certificates for clients.

# Again, note the CN
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=AT/ST=Tirol/L=Innsbruck/O=The Good Corp/OU=IT Department/CN=client.mysql"
# Convert
openssl rsa -in client-key.pem -out client-key.pem
# Sign
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
# Verify
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

Now we have all the certs we need.

Master Setup

The setup is pretty standard. Add the server certificates to the MySQL configuration of your master and restart.

# SSL Server Certificate
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

Then create a user for the slave.

CREATE USER 'aws'@'%' IDENTIFIED BY 'SECRET';
GRANT REPLICATION CLIENT, REPLICATION SLAVE ON *.* TO 'aws'@'%' IDENTIFIED BY 'SECRET' REQUIRE SSL;

Slave Setup

On AWS you do not have the SUPER privilege, but you can use stored procedures provided by Amazon to set up the slave.

Start fresh by removing old records. If there was no previous setup, there might be an error.

CALL mysql.rds_remove_binlog_ssl_material;
CALL mysql.rds_reset_external_master;

Now you need to pass the client certificate data as JSON to AWS Aurora.

CALL mysql.rds_import_binlog_ssl_material('{"ssl_ca":"-----BEGIN CERTIFICATE-----
MIIBAgMBVRpcm9sMRIw...
...
-----END CERTIFICATE-----\n","ssl_cert":"-----BEGIN CERTIFICATE-----
KAoIBAQCzn28awhyN8V56Z2bskCiMhJt4
...
-----END CERTIFICATE-----\n","ssl_key":"-----BEGIN RSA PRIVATE KEY-----
SbeLNsRzrPoCVGGqwqR6gE6AZu
...
-----END RSA PRIVATE KEY-----"}');

A message that the SSL data was accepted will appear if you pasted the certificate, the key and the CA certificate correctly.

Finally, start the replication and check the status.

CALL mysql.rds_start_replication;
SHOW SLAVE STATUS\G

Tests and Troubleshooting

On the master, you can check whether the slave even tries to connect, for instance with tcpdump. In the example below the IP 1.2.3.4 would be the AWS gateway address as seen by your firewall.

sudo tcpdump src host 1.2.3.4 -vv
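The "pasted correctly" condition on the rds_import_binlog_ssl_material call is where most failed imports come from, since three multi-line PEM files have to be folded into one JSON string with escaped newlines. As an added example, not from the original post, this POSIX shell helper builds the CALL statement from ca.pem, client-cert.pem and client-key.pem (the files generated earlier); it assumes the key went through the openssl rsa conversion step above, so it carries the RSA PRIVATE KEY header.

```shell
#!/bin/sh
# Added example, not from the original post: build the
# mysql.rds_import_binlog_ssl_material call from the three PEM files made
# earlier (ca.pem, client-cert.pem, client-key.pem), with the newlines
# escaped the way JSON expects. Pasting multi-line PEM by hand is the usual
# reason the "SSL data accepted" message never appears.

# pem_to_json_string FILE
# Prints FILE as the body of a JSON string: backslashes and double quotes
# escaped, every line terminated by a literal \n (PEM contains neither
# character, but the escaping keeps the function safe for any text).
pem_to_json_string() {
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" | awk '{ printf "%s\\n", $0 }'
}

# check_pem FILE TYPE
# Succeeds only if FILE carries the BEGIN/END markers for TYPE, e.g.
# "CERTIFICATE" or "RSA PRIVATE KEY" (the header written by the
# "openssl rsa" conversion step in the article).
check_pem() {
    grep -q "^-----BEGIN $2-----$" "$1" && grep -q "^-----END $2-----$" "$1"
}

# build_import_call CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM
# Prints the complete CALL statement on one line, or fails with a message
# naming the file that is not what Aurora expects.
build_import_call() {
    ca=$1; cert=$2; key=$3
    check_pem "$ca" "CERTIFICATE" ||
        { echo "build_import_call: $ca is not a PEM certificate" >&2; return 1; }
    check_pem "$cert" "CERTIFICATE" ||
        { echo "build_import_call: $cert is not a PEM certificate" >&2; return 1; }
    check_pem "$key" "RSA PRIVATE KEY" ||
        { echo "build_import_call: $key is not an RSA private key (run openssl rsa on it)" >&2; return 1; }
    printf "CALL mysql.rds_import_binlog_ssl_material('{\"ssl_ca\":\"%s\",\"ssl_cert\":\"%s\",\"ssl_key\":\"%s\"}');\n" \
        "$(pem_to_json_string "$ca")" \
        "$(pem_to_json_string "$cert")" \
        "$(pem_to_json_string "$key")"
}

# Typical use (the endpoint is a placeholder):
#   build_import_call ca.pem client-cert.pem client-key.pem | mysql -h <aurora-endpoint> -u admin -p
```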

Marriott group hit by massive breach, details of 500m stolen


Hotel group Marriott International has reported a data breach in its Starwood line of hotels and resorts, with the details of up to 500 million guests likely to have been stolen by malicious attackers.

Marriott said it had become aware of the breach on 8 September and investigations had shown that data was being exfiltrated since 2014.

In a statement , the group said for about 327 million of these, the details included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some, payment card numbers and expiry dates were also leaked, the statement said, adding that the numbers were encrypted using AES-128. But Marriott said it could not rule out that both components needed for decryption had been stolen by those who attacked the website.

In the case of the remaining guests, fewer details were stolen: name, mailing address and email address.

Marriott said it was offering guests free enrolment on the WebWatcher site; they would be informed by this site in the event that their personal information turned up on sites where such information was generally shared.

Commenting on the breach, Mark Bower, the chief risk officer at data protection firm Egress, said: "The breach at Marriott should be a concern for any traveller who stayed at their properties but should also send warning signals to any business that may have had an employee stay at one of the properties as well.

"We expect the attackers to monetise the stolen PII, but also use it as fuel for future attacks on any organisation that had employees stay at one of the properties. The detailed information stolen from Marriott is typically used for advanced and sophisticated phishing attacks, business email compromise, and other well-orchestrated schemes that target employees and C-level executives alike."

Bower added that any organisation that may have had employees caught up in the latest breach should expect and prepare for this information to be weaponised against them.

"The application of machine learning and AI in helping detect and mitigate the risk of these types of email-borne attacks can help organisations stay ahead of the attackers. By analysing various attributes of email and its users ― from the sender’s authenticity to the recipient’s ‘normal’ email behaviour ― we can start to highlight anomalies and truly begin to detect and mitigate email-based attacks," he said.

David Pearson, the principal threat researcher at network detection and response firm Awake Security, said the number of people compromised in this breach made it a far-reaching incident that could affect other enterprises too.

"With 500 million people potentially impacted, that’s a large ocean for malicious actors to go phishing in," he said. "As we’ve seen in the past, there will be scores of hackers trying to exploit this breach with lookalike notification emails. And all it takes is one person to click on a malicious link while connected to a corporate network for attackers to compromise their organisation even if that link was sent to a personal email address.

"This type of non-malware activity is so hard to detect because it weaponises the tools that people and businesses rely upon for every-day activities. Traditional security solutions that look for known malware aren’t good enough in this new environment. We need to go beyond looking for patently malicious activity and start looking for malicious intent. The only way to do this is through the deep analysis of network data: with advanced network traffic analysis, security teams can see everything that’s happening on the network to find and stop attacks that are hiding in plain sight.

"In the case of a phishing incident, this type of network analysis can also identify what kinds of interaction an enterprise user has had with the phishing site. If the site is so new that it doesn't get identified as phishing until after the fact (or if no phishing detection solution is used), it wouldn't be blocked. So knowing what happened (which users and devices were impacted, what kind of information was divulged, whether other users are browsing related sites, etc.) is crucial for determining how to respond."


Analyzing infected documents


Occasionally, users ask me to take a look at a document (usually .docx or .pdf) that they are unsure of. It might be that the sender is someone known to them but they weren't expecting a report or an invoice, or perhaps they don't know the sender but the message seems legitimate. As a part of our security awareness campaigns, I have repeatedly encouraged them to ask. I'm glad they do.

Other times, it comes to my attention that a user has, or might have, opened a malicious attachment. In these cases, too, I need to find out what I'm dealing with. Is the document malicious? What does it do if you open it (and Enable Content)? Does it actually execute code or just link to a phishing site?

My favorite tool for analyzing these documents is https://www.hybrid-analysis.com. This site makes it very easy to figure out whether a document is malicious, analyze its behavior, and identify potential indicators of compromise. The following is a quick walk-through that highlights some of the information provided when you analyze a document on the site.

To start with, simply drag and drop the file into the box or provide a URL, and click Analyze.

You can provide an email for optional notification, or just proceed. You do have to agree to their terms. Be very careful if there is any possibility that your document contains PII. Most of the documents I deal with are (if they turn out to be legitimate) things like invoices that are not confidential (I work in the public sector).

Pick a VM and you're ready to go.

As you can see, the overview will tell you whether this file has been seen before ("Last Sandbox Report") and what percentage of AV programs detect it as malicious. The AV results were less certain when I ran this document through a couple of days ago (I think it was at about a 10-15% detection rate). But what if it's not detected as malicious, or only a few programs think so? We should dig in.

Further down is the sandbox report. It usually takes 15-20 minutes to get a report back, but I've run this file through before so I have a report available now. Let's click the report on the right and see what we get.

This already looks bad. My Word document is spawning new processes and making network connections. Not what I'd normally expect (or want).

This document appears to run a series of PowerShell commands, drop an executable named jDY.exe, and create nirmalahistory.exe. I don't know what the ultimate purpose is, but I've seen more than enough to know that I don't want anyone to open this.

Further down, I can see that opening this document resulted in contacting several sites with phishy-looking names. On the right, I can see that all of them are tagged as malicious by at least some AV engines.

Further down, we can see the actual command lines that are executed by this document. They appear obfuscated, but we can see what we already knew: it executes a bunch of PowerShell commands.

Under Suspicious Indicators, we can see that the processes access the Service Control Manager and appear to be starting a new service.

A little further down we have a handy list of IP addresses that these processes connect to.

And domain names and URLs too.

Near the bottom, we get to see screenshots from the VM that was used to open and analyze the document. This is very helpful for cases where the document is either not malicious or links to a phishing site rather than trying to execute code. If the document is legit, I would expect to see a real invoice, letter, etc. I can show this to my users and ask them if it's something they were expecting. In the case that it's used for phishing and doesn't execute any code, I might see that the document contains a fake link to Dropbox or Google Drive.

Hover over the right-hand side of the series to scroll right and see additional images. Click on one to open it.

Here, we see that this document offers the user a pretext for clicking "Enable Content".

Near the bottom we can see all of the files that were dropped as well as the AV scan results for those files. In this case, the jDY.exe file is identified as Emotet.

MalwareBytes describes Emotet as "a banking Trojan that can steal data, such as user credentials stored on the browser, by eavesdropping on network traffic." The "banking trojan" part is clear enough. In the next part, I think they mean to say that it steals credentials from the browser AND grabs network traffic. They also say "[o]nce Trojan.Emotet has infected a networked machine, it will propagate using the Eternal Blue vulnerability." Gnarly. CERT says that "Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans." They indicate that it can spread over SMB but do not mention using EternalBlue or other exploits. Symantec reports that Emotet has been used to spread Qakbot which uses Mimikatz.

If you wanted to do some additional reverse engineering, this is probably the point at which you'd want to load this into another tool and start analyzing the executables yourself. For my purposes, I've got more than enough information.

One important thing that I haven't discussed so far is that this tool provides lots of indicators of compromise (IOCs):

- A process named "nirmalahistory.exe"
- An executable named "jDY.exe"
- Several IP addresses and domain names

I could follow up by checking to see if any of my users have reached out to the addresses given here. If so, they are compromised. I could also search my EDR tool for the executables named. I might also check logs for evidence of any new service installations, but there's a lot more noise there.
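As an added example, not from the original post, here is a small awk-based triage filter that applies the report's indicators to a process-creation log, the kind of follow-up described above. The log layout (timestamp,host,parent,child) and the sample lines are constructed; only the two dropped-file names come from the report, and the field numbers should be adjusted to your own EDR export.

```shell
#!/bin/sh
# Added example, not from the original post: turn the sandbox's indicators
# into a triage filter over process-creation logs. The log layout
# (timestamp,host,parent,child) and the sample lines are constructed for
# this example; only the two dropped-file names come from the report.

# Image names the sandbox reported as dropped; matched case-insensitively.
IOC_IMAGES="jdy.exe nirmalahistory.exe"

# flag_process_events LOGFILE -> prints each suspicious line prefixed with
# the rule that fired: "ioc-image" when the child is a reported dropper,
# "office-spawns-shell" when an Office application starts a shell or
# PowerShell (the behaviour the report showed for this document).
flag_process_events() {
    awk -F, -v iocs="$IOC_IMAGES" '
    BEGIN {
        n = split(iocs, list, " ")
        for (i = 1; i <= n; i++) ioc[list[i]] = 1
    }
    {
        parent = tolower($3); child = tolower($4)
        # keep only the file name: strip Windows and POSIX directory parts
        sub(/.*\\/, "", parent); sub(/.*\//, "", parent)
        sub(/.*\\/, "", child);  sub(/.*\//, "", child)
        if (child in ioc) { print "ioc-image: " $0; next }
        if ((parent == "winword.exe" || parent == "excel.exe" || parent == "outlook.exe") &&
            (child == "powershell.exe" || child == "cmd.exe" || child == "wscript.exe"))
            print "office-spawns-shell: " $0
    }' "$1"
}

# count_flagged LOGFILE -> number of lines flag_process_events would print
count_flagged() {
    flag_process_events "$1" | wc -l | tr -d ' '
}

# write_sample_log FILE -> constructed sample (not real telemetry) with the
# chain seen in the report: Word -> PowerShell -> jDY.exe, plus benign noise.
write_sample_log() {
    cat > "$1" <<'EOF'
2018-11-30T09:01:02,ws-01,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\WINWORD.EXE
2018-11-30T09:01:40,ws-01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2018-11-30T09:01:55,ws-01,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Users\alice\AppData\Local\Temp\jDY.exe
2018-11-30T09:03:10,ws-02,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe
2018-11-30T09:04:00,ws-03,C:\Windows\System32\services.exe,C:\Windows\nirmalahistory.exe
EOF
}

# Demo run against the constructed sample: three of the five lines are flagged.
sample=$(mktemp)
write_sample_log "$sample"
flag_process_events "$sample"
rm -f "$sample"
```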
