Tag Archives: cyber security

Anti-malware Testing Undercover


This week Cylance’s Chad Skipper published an article called Security Testing Houses: Know the Truth! that all people interested in security solutions testing should read. There are some serious accusations against some testing houses and vendors (without naming them) such as:

– “vendors who pay so that their test results will show 100% efficacy”

– “bribing the testing house to hide the negative results of their tests.”

Even though I have been involved in this industry for more than 17 years, I am not aware of any case like those described above. That being said, I do agree with most of the article. To name a few points: outdated testing methodologies, not enough samples being used, having to pay to challenge the test results… that happens. And it has to be fixed; that’s why organizations like AMTSO exist, and the first thing that came to my mind after reading the blog was “we need to have Chad in the next AMTSO meeting”. Guess what: when I asked AMTSO about it, they told me he had already registered for the next meeting, which we’ll have next month in Malaga. Awesome!

Chad ends the article saying “Test for Yourself”. I also agree with this, and in fact it is something that has been happening for a long time. The largest customers we have in different areas (Governments, Telecommunications, Financial, Health, Facilities industries) have selected our EDR solution (Adaptive Defense 360) after several months of intensive and deep testing of different solutions.

The truth is that this kind of “do-it-yourself” testing is only available to big corporations. Small and medium companies lack the resources to do it properly, and that’s why they trust professional testing companies’ results to make decisions. Security Week’s Kevin Townsend wrote a fantastic article about this topic a few months ago: “Inside The Competitive Testing Battlefield of Endpoint Security”.

Out of all the regular tests performed by the biggest testing companies, one of the tests I like the most is the Real-World Protection Test performed by AV-Comparatives. In the aggregated February-June 2016 test with 1,868 test cases (PDF), how many vendors obtained 100% accuracy with 0 false positives? None of them. It is clear that Chad cannot be referring to AV-Comparatives when he is talking about vendors that pay to obtain 100% efficacy.

This is the same AV-Comparatives I talked to last year to test our EDR solution, Adaptive Defense 360, with a number of other similar solutions. Have you seen that test? No, that’s because even though Panda offered to pay for each product included in that test, the other vendors (Cylance was NOT one of them) didn’t want to.

In 3 weeks I will be in Denver to discuss these topics at the 26th Virus Bulletin conference with ESET’s Righard Zwienenberg in our talk “Anti-malware Testing Undercover”.

The post Anti-malware Testing Undercover appeared first on Panda Security Mediacenter.

LastPass Bug Lets Hackers Steal All Your Passwords

A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.

LastPass is a password manager that is also available as a browser extension that automatically fills in credentials for you.

All you need is to remember one master password to unlock all other passwords of your different online

End of SMS-based 2-Factor Authentication; Yes, It's Insecure!

SMS-based Two-Factor Authentication (2FA) has been declared insecure and soon it might be a thing of the past.

Two-Factor Authentication or 2FA adds an extra step of entering a random passcode sent to you via an SMS or call when you log in to your account as an added layer of protection.

For example, if you have 2FA enabled on Gmail, the platform will send a six-digit passcode to your mobile

I'm Warning You, Don't Read this Article. It's a Federal Crime!

Yes, you heard it right. If I tell you not to visit my website, but you still visit it knowing you are disapproved, you are committing a federal crime, and I have the authority to sue you.

Wait! I haven’t disapproved you yet. Rather I’m making you aware of a new court decision that may trouble you and could have big implications going forward.

The United States Court of Appeals for the Ninth

Traveling to US? Agencies want to Spy on your Social Media activities right from Airport

Hey! Welcome to the United States. May we have your Twitter handle, please?

That’s exactly what you’ll likely be asked by the U.S. Customs and Border Protection at the airport prior to entering U.S. soil.

Yes, your Twitter handle may soon be part of the US Visa process as U.S. Customs and Border Protection has entered a new proposal into the federal register, suggesting a new field in which

MIT builds Artificial Intelligence system that can detect 85% of Cyber Attacks

In Brief
What if we could predict when a cyber attack is going to occur before it actually happens, and prevent it? Isn’t it a revolutionary idea for Internet security?

Security researchers at MIT have developed a new Artificial Intelligence-based cyber security platform, called ‘AI2,’ which has the ability to predict, detect, and stop 85% of Cyber Attacks with high accuracy.


Hackers Are Offering Apple Employees $23,000 for Corporate Login Details

An unsatisfied employee may turn into a nightmare for you and your organization.

Nowadays, installing an antivirus or any other anti-malware program is not enough to secure the corporate database.

What would you do if your own employee backstabbed you by breaching highly sensitive corporate secrets?

Yes! There could be a possibility for an

NASA HACKED! AnonSec tried to Crash $222 Million Drone into Pacific Ocean

Once again, the red alarm has been wailing at the security desk of the National Aeronautics and Space Administration (NASA).
Yes! This time, a serious act of hacktivism has been carried out by the hacking group named “AnonSec”, which made its presence known in the cyber universe through previous NASA hacks.
The AnonSec members have allegedly released 276 GB of sensitive data, which includes 631 video feeds from aircraft and weather radars, 2,143 flight logs, and credentials of 2,414 NASA employees, including e-mail addresses and contact numbers.
The hacking group has released a self-published paper named “Zine” that explains the magnitude of the major network breach that compromised NASA systems and the group's motives behind the leak.

Here’s How AnonSec Hacked into NASA

The original cyber attack against NASA was not initially planned by AnonSec members, but the attack turned insidious soon after the spread of the Gozi virus, which affected millions of systems a year ago.
After purchasing an “initial foothold” in 2013 from a hacker with knowledge of NASA servers, the AnonSec group of hackers claimed to have pentested the NASA network to figure out how many systems were penetrable, the group told InfoWar.
Brute-forcing an admin’s SSH password took only 0.32 seconds due to the weak password policy, and the group gained further internal access that allowed it to grab more login information with a hidden packet-sniffing tool.
They also claimed to have successfully infiltrated the Goddard Space Flight Center, the Glenn Research Center, and the Dryden Research Center.

Hacker Attempted to Crash $222 Million Drone into the Pacific Ocean

Three NAS (Network Attached Storage) devices, which gather aircraft flight log backups, were also compromised, quickly opening up room for an extended hack: hacking Global Hawk drones, which specialize in surveillance operations.
The hackers tried to gain control over the drone by re-routing its flight path (using a Man-in-the-Middle, or MitM, strategy) to crash it into the Pacific Ocean, but a sudden notification of a security glitch in the unusual flight plan led NASA engineers to take control manually, which saved their $222.7 Million drone from crashing into the ocean.
This hacking attempt was possible because of the drone operators' routine of uploading the flight paths for the next flight soon after a drone session ends.
After this final episode, AnonSec lost control over the compromised NASA servers, and NASA engineers set everything back to normal.
The attack reached this magnitude by spreading into other NASA pipelines, leading to this nasty situation.

However, in a statement emailed to Forbes, NASA has denied the alleged hacking incident, saying the leaked information could be part of freely available datasets and that there is no proof that a drone was hijacked.

“Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.”

Why Did AnonSec Hack into NASA?

If you are going to point your fingers at the AnonSec hackers, then wait! Here’s what the group of hackers wants to highlight:

“One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing.” 

“NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems.”

And here’s what NASA was actually doing:
  • Cloud seeding: A weather alteration method that uses silver iodide to create precipitation in clouds, causing more rainfall to fight carbon emissions, which ultimately manipulates nature.
  • Geoengineering: Geoengineering aims to tackle climate change by removing CO2 from the air or limiting the sunlight reaching the planet.
Similar projects dedicated to climate modeling are running on behalf of the US Government, such as Operation Icebridge [OIB] and Aerosol-Cloud-Ecosystem (ACE).
This security breach would be a black mark for NASA's security advisory team and a warning bell to beef up security.

They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats


The US government’s $6 Billion firewall is nothing but a big blunder.

Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests.
An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and leaving the agencies open to zero-day attacks.

EINSTEIN, which is officially known as the US’ National Cybersecurity Protection System (NCPS) and has cost $5.7 Billion to develop, detects only 6 percent of today’s most common security vulnerabilities and fails to detect the remaining 94 percent.

How bad is EINSTEIN Firewall in reality?

In a series of tests conducted last year, Einstein only detected 29 out of 489 vulnerabilities across Flash, Office, Java, IE and Acrobat disclosed via CVE reports published in 2014, according to a report [PDF] released by the GAO late last year.
Among the extraordinary pieces of information revealed is the fact that the system is:
  • Unable to monitor web traffic for malicious content.
  • Unable to uncover malware in a system.
  • Unable to monitor cloud services.
  • Limited to signature-based threat and intrusion detection, rather than monitoring for unusual activity.
Yes, Einstein only carries out signature-based threat and intrusion detection, which means the system acts like a dumb terminal that waits to be told what to find, rather than searching for unusual activity itself.

Einstein Uses Outdated Signatures Database

In fact, more than 65 percent of intrusion detection signatures (digital fingerprints of known viruses and exploit code) are outdated, leaving Einstein wide open to recently discovered zero-day vulnerabilities.
However, in response to this, DHS told the office Einstein was always meant to be a signature-based detection system only. Here’s what the department told the auditors:

“It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy.”

Einstein is Effectively Blind

If this wasn’t enough to figure out the worth of the $6 Billion firewall, Einstein is also effectively blind.
The Department of Homeland Security (DHS), which is behind the development of Einstein, has not included any feature to measure the system’s own performance, so the system doesn’t even know if it is doing a good job or not.

So, “until its intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies,” reads the report.

Einstein was actually developed in 2003 to automatically monitor agency network traffic, and later in 2009 expanded to offer signature-based detection as well as malware-blocking abilities.
Most of the 23 agencies are actually required to implement the firewall, but the GAO found that only 5 of them were utilising the system to deal with possible intrusions.
Despite $1.2 Billion having been spent in 2014 and $5.7 Billion on the project in total, Einstein still monitors only certain types of network flaws, with no support for monitoring web traffic or cloud services.

Top 8 Cyber Security Tips for Christmas Online Shopping

The most wonderful time of the year, Christmas, has come, and it has brought the online shopping season with it.

According to the National Retail Federation, more than 151 million people shopped in store, but more than 100 Million shopped online during Cyber Monday sales, and why wouldn’t they, given the vast conveniences of online shopping.

It is quite visible in these days that