This week's main topic is ACLs (Access Control Lists): how to use them and what they protect: files, shares, the registry, services, and AD OUs.
The following command protects a service's security descriptor by adding a deny entry for the Users group (here on the Print Spooler service):
subinacl /service spooler /deny=users=PTO
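As an added example (not part of the course page), the PowerShell below decodes a service's DACL from the same SDDL descriptor that subinacl edits and that `sc.exe sdshow <service>` prints, and flags low-privilege principals who are allowed to control or reconfigure the service. The sample descriptors are constructed; the deny ACE in the first one is what I assume the subinacl command above produces (P, T, O read as pause/continue, start, stop); the function and variable names are mine.

```powershell
# Added example (PowerShell 5.1+ on Windows), not code from the course page or subinacl.
# Service access rights: SDDL two-letter code -> friendly name and access-mask bit.
$ServiceRights = [ordered]@{
    CC = @{ Name = 'QueryConfig';         Mask = 0x00000001 }
    DC = @{ Name = 'ChangeConfig';        Mask = 0x00000002 }
    LC = @{ Name = 'QueryStatus';         Mask = 0x00000004 }
    SW = @{ Name = 'EnumerateDependents'; Mask = 0x00000008 }
    RP = @{ Name = 'Start';               Mask = 0x00000010 }
    WP = @{ Name = 'Stop';                Mask = 0x00000020 }
    DT = @{ Name = 'PauseContinue';       Mask = 0x00000040 }
    LO = @{ Name = 'Interrogate';         Mask = 0x00000080 }
    CR = @{ Name = 'UserDefinedControl';  Mask = 0x00000100 }
    SD = @{ Name = 'Delete';              Mask = 0x00010000 }
    RC = @{ Name = 'ReadControl';         Mask = 0x00020000 }
    WD = @{ Name = 'WriteDac';            Mask = 0x00040000 }
    WO = @{ Name = 'WriteOwner';          Mask = 0x00080000 }
    GA = @{ Name = 'GenericAll';          Mask = 0x10000000 }
    GX = @{ Name = 'GenericExecute';      Mask = 0x20000000 }
    GW = @{ Name = 'GenericWrite';        Mask = 0x40000000 }
    GR = @{ Name = 'GenericRead';         Mask = 2147483648 }   # 0x80000000, kept as a long
}
# Well-known SID abbreviations that commonly appear in service descriptors.
$Trustees = @{
    SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'; BU = 'BUILTIN\Users'
    IU = 'NT AUTHORITY\INTERACTIVE'; SU = 'NT AUTHORITY\SERVICE'
    AU = 'NT AUTHORITY\Authenticated Users'; WD = 'Everyone'
}

function Expand-ServiceRights {
    # Turns the rights field of an ACE (letter codes or a 0x hex mask) into right names.
    param([string]$RightsField)
    $mask = 0L
    if ($RightsField -like '0x*') {
        $mask = [Convert]::ToInt64($RightsField.Substring(2), 16)
    } else {
        for ($i = 0; $i + 1 -lt $RightsField.Length; $i += 2) {
            $code = $RightsField.Substring($i, 2)
            if ($ServiceRights.Contains($code)) { $mask = $mask -bor $ServiceRights[$code].Mask }
        }
    }
    $names = foreach ($code in $ServiceRights.Keys) {
        if (($mask -band $ServiceRights[$code].Mask) -ne 0) { $ServiceRights[$code].Name }
    }
    @($names)
}

function ConvertFrom-ServiceSddl {
    # Returns one object per DACL entry: Trustee, Type (Allow/Deny) and decoded Rights.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = ($Sddl -split 'D:', 2)[1]              # part after the DACL marker
    if (-not $dacl) { throw 'No DACL found in SDDL string' }
    $dacl = ($dacl -split 'S:', 2)[0]              # drop the SACL, if present
    $aceRegex = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $aceRegex)) {
        $type = switch ($m.Groups['type'].Value) { 'A' { 'Allow' } 'D' { 'Deny' } default { $_ } }
        $sid  = $m.Groups['sid'].Value
        [pscustomobject]@{
            Trustee = if ($Trustees.Contains($sid)) { $Trustees[$sid] } else { $sid }
            Type    = $type
            Rights  = Expand-ServiceRights $m.Groups['rights'].Value
        }
    }
}

function Get-ServiceAclFindings {
    # Flags Allow entries that let a low-privilege principal control or reconfigure the service.
    param([Parameter(Mandatory)][string]$Sddl)
    $control     = 'Start', 'Stop', 'PauseContinue', 'GenericExecute', 'GenericAll'
    $reconfigure = 'ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericWrite', 'GenericAll'
    $lowPriv     = $Trustees['BU'], $Trustees['WD'], $Trustees['AU'], $Trustees['IU']
    foreach ($ace in ConvertFrom-ServiceSddl -Sddl $Sddl) {
        $canControl = @($ace.Rights | Where-Object { $control -contains $_ }).Count -gt 0
        $canReconf  = @($ace.Rights | Where-Object { $reconfigure -contains $_ }).Count -gt 0
        $weak = $ace.Type -eq 'Allow' -and $lowPriv -contains $ace.Trustee -and ($canControl -or $canReconf)
        [pscustomobject]@{
            Trustee        = $ace.Trustee
            Type           = $ace.Type
            Rights         = ($ace.Rights -join ',')
            CanControl     = $canControl
            CanReconfigure = $canReconf
            Finding        = if ($weak) { 'Low-privilege principal may control/reconfigure service' } else { '' }
        }
    }
}

# Constructed sample 1: a typical default service DACL with the deny ACE for Users
# (Start, Stop, PauseContinue) that the subinacl command above is assumed to add in front.
$hardenedSddl = 'D:(D;;RPWPDT;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
# Constructed sample 2: a misconfigured service where Authenticated Users may change its config.
$weakSddl = 'D:(A;;CCDCLCSWRPWPLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'

Get-ServiceAclFindings -Sddl $hardenedSddl | Format-Table -AutoSize   # no findings
Get-ServiceAclFindings -Sddl $weakSddl     | Format-Table -AutoSize   # one finding, for AU

# To audit a live service, feed it the descriptor printed by sc.exe (run elevated):
# $live = (sc.exe sdshow spooler | Where-Object { $_ -match 'D:' }).Trim()
# Get-ServiceAclFindings -Sddl $live | Format-Table -AutoSize
```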
I will start creating teams to complete future assignments and post those to this thread.
I’ll add the links we talk about on Thursday night here:
In the News:
First ‘Jackpotting’ Attacks Hit U.S. ATMs
File Your Taxes Before Scammers Do It For You
- Why we are doing this! (Auditing for a secure OS)
SANS Reading Room (https://www.sans.org/reading-room/)
- Building the New Network Security Architecture for the Future
Slides for this week: Week3 Slides
Hypervisor Discussion From Week 2 Follow-up:
...per our class discussion from the week 2 review tonight.
A question/observation/speculation was made tonight about how different hypervisors actually store their guest VM configurations, i.e., what format do they use?
Hyper-V definitely stores them as an unreadable binary file (as opposed to XML formatted). I was a bit curious about what format other hypervisors use. I verified that KVM does store its guest VM configuration files as XML (so you can just open them up and look at them or programmatically change them). But VirtualBox stores them that way as well.
I took a guest VM, CentOS 7.1, and peeled open its config file, which I pasted at the bottom of this post.
The scary thing here is that the guest VM configuration file also contained the user account, the computer UUID and the password for the VM ** IN CLEAR TEXT!! ** (I crossed them out of the example below.)
In this case, I had previously imported the CentOS VM from VMWare into VirtualBox so there was an old copy of the .VMDK file as well as the VirtualBox .VBOX VM guest file image in the following directory:
D:\Whatever directory you tell VirtualBox to store the VM in\CentOS7.1\
In addition to the .VBOX and .VMDK files, VirtualBox also stores a file called (in this case):
CentOS7.1.vbox-prev in the same directory. It gives it a file type of "VBOX-PREV". If you open this file up in Notepad you can look at the XML detail (see below).
One other note, in the CentOS7.1 directory there is another subdirectory called:
D:\Whatever directory you tell VirtualBox to store the VM in\CentOS7.1\ Logs\
This subdirectory contains 3 text files that you can open up and look at with a text editor/notepad:
VBox.txt
VBoxStartup.txt
VBox.log.1
Seems like these files could be a goldmine in a forensics investigation because (it looks like) they are logs of every single aspect pertaining to that guest VM runtime state. This includes things like:
What OS VirtualBox was running on at the time, as well as its HW configuration, what time it started, the exact virtual devices that were loaded, how many CPUs were used, assembly-level registers and their state (ebx, ecx, edx) and what looks like L1 and L2 instruction cache state information, etc., etc., etc.
Below is the cut & paste of the CentOS7.1 guest OS configuration file (pretty cool ;):);)
Centos7 VM for VboxVMLab NGNE Fundamentals
base VM NO Software Installed
user=account
password=xxxxxxx
all openstack passwords are xxxxxxxxx
Sorry, it looks like this blogging software truncated the config file text (I guess ya get what you pay for ;). Here is the cut & paste of the configuration file again:
”
Centos7 VM for VboxVMLab NGNE Fundamentals
base VM NO Software Installed
user=xxxxxxxxxxxxxxxxxxxxxxxxxxx
password=xxxxxxxxxxxxxxxxxxxxxxx
all openstack passwords are xxxxxxxxxxxxxxxxxxxxxx
“
...Posting the XML failed a second time. I think this el-cheapo blogging tool may be trying to interpret the XML statements, so you'll have to check it out on your own or send me an email and I'll reply with the text.
How to Capture Video Clips in Windows 10 (XBOX)
Hi everyone,
Windows 10 has a built-in tool that will help us record video clips of screen activity. I've tried it and liked it. I recommend it to you all.
Following are the steps about how it works:
1- Open the app or screen you wish to record.
2- Press Win + G to open the Game Bar.
3- You’ll see a message: “Do you want to open Game bar” along with a checkbox that reads: “Yes, this is a game.” Click on the checkbox to pretend you’re recording a game.
4- The Game Bar pops up with controls to start and stop the recording. If you wish to record your own voice or other external audio, click “Record mic.”
5- You can either press the red record button on the Game Bar or press Win + Alt + R to kick off the screen capture. If you wait too long or click on the screen, the Game Bar disappears, in which case you’ll have to press Win + Alt + R.
6- Start your screen activity.
7- After the Game Bar vanishes, in its place will be a small floating bar in the upper-right corner of the screen through which you can control the recording.
8- To stop the recording, press the square box in the center of the floating bar. Alternatively, you can press Win + G to bring up the Game Bar and click the square box or simply press Win + Alt + R.
9- A message pops up that says: “Game clip recorded.”
10- You can now view the clip via the Windows 10 Xbox app. Click on the Start button in Windows 10, scroll to the bottom of the Apps list, and select the Xbox app.
11- Click on the Game DVR icon on the left toolbar and make sure the clip you just captured is selected.
12- From here, click the Play button to view the clip; click the Pause button to pause it.
13- You can click on the double arrow at the end of the Play line to enlarge the video. You can rename the file, trim the clip at the beginning and at the end, and delete the file if you don’t want to keep it.
14- To view the file outside of the Xbox app, click on the Open Folder button. You’ll see the clip is saved as an MP4 file in a folder under your user account called Videos > Captures.
15- Finally, you can customize certain settings for your video captures. Press Win + G to launch the Game Bar. Click on the Settings icon at the end of the bar.
Ref: https://www.pcmag.com/news/349410/how-to-capture-video-clips-in-windows-10
Thanks for sharing Mustafa. I used SnagIt because it was recommended in Wade’s class, but I had to purchase it. I like it because it allows you to create advanced screen shots with detailed annotations, perform screen recording, and perform video recording. The only thing I don’t like about it is that I cannot seem to edit the recordings in SnagIt. I ended up using iMovie on my phone for this.
Does Game Bar allow you to record video? For some reason I don’t meet the hardware requirements for Game Bar on this PC.
What are some of the tools others used for Assignment 1?
I used Camtasia. It has a Camtasia Recorder and an Editor. I found the editor to be pretty useful since I could stitch multiple video recordings and also could add audio or other features later. It also comes with a bunch of features like adjusting frame speed and also supports several formats. However, it is not free!
Hey class,
I found out that there's a built-in way to do screen recordings within macOS. You should be able to do screen recordings on your Mac using the native QuickTime Player. After you open QuickTime Player, there's an option under File to do a "New Screen Recording". You can select the complete screen or you can select an area of the screen to record. Also there's an option that shows your clicks in the recordings too.
Good luck!
Sev Shirozian
Hey all, is anyone else having issues with getting PowerShell set up? I'm following the video from Box, but for my virtual machine, whenever I run the setup file, it's showing the following messages.
‘\\vmware-host\Shared Folders\Windows_Linked\PS_WU_Setup’
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
C:\Windows>z:
Z:\>cd \Windows_Linked\PS_Scripts\
The system cannot find the path specified.
Z:\>Set Target=C:\Users\Public\Temple
Z:\>cd
Z:\
Z:\>echo C:\Users\Public\Temple
C:\Users\Public\Temple
Z:\>pause
Press any key to continue . . .
Z:\>dir C:\Users\Public\Temple
Volume in drive C has no label.
Volume Serial Number is 7ACD-BF08
Directory of C:\Users\Public
File Not Found
Z:\>pause
Press any key to continue . . .
Nevermind everyone, I think I figured it out.
Article:
Building the New Network Security Architecture for the Future | Sonny Sarai, John Pescatore
https://www.sans.org/reading-room/whitepapers/analyst/building-network-security-architecture-future-38255
Brief:
The paper describes how network changes such as the addition of IoT and expansion into the cloud have made security architecture more obscure. For example, SANS writes that IoT devices increase the risk of DDoS attacks and widen the attack vector. SaaS and IaaS users meanwhile have no insight into the cloud vendor's infrastructure and security, thus attacks are out of their control. SANS' whitepaper lays out the plan to secure this new type of network with new network architecture. The security recommendations can be split into two objects: networking and systems security.
Networking:
First, to overcome SaaS/IaaS obscurity, the paper recommends using packet brokers. With network packet brokers, or NPBs, such as Cisco Nexus, all traffic can be aggregated and collected for analysis. Virtual taps can be used in virtualized environments and work in conjunction with an NPB.
Web application firewalls offer a mature firewall option for IaaS and are available on services such as AWS and Azure.
Systems:
The whitepaper also emphasizes that traffic analysis can only "tell what is going on in the wire", but logs are needed to secure endpoints.
Logging events should be sent to a centralized, on-premise collector so that the security team can react to unwanted system changes. Traditional signature-based antivirus is not sufficient to protect endpoints. SANS recommends using heuristic and behavior-based analysis, and not relying on AV alone.
The whitepaper explains the need for a new approach to security, but it seems that the methodology has not changed. Logging endpoints is just as important, and overall security software now follows the trend of SaaS.
Freddy-
Does the white paper mention anything about redundancy for storing logs? On site sounds great but I would think having another copy is important. As we have learned in this program, malware and attackers will overwrite logs to hide suspicious activity.
And how about logging access to the logs? I need to read this white paper.
Fraser,
I did not see anything about off-site log storage, but that definitely makes sense to implement. You could log on an IaaS server and then pull the logs to your backup using a secure service broker. If the attacker somehow manages to intercept the logs then you probably have bigger problems.
A fresh Windows 10 installation contains a lot of unnecessary applications, which you can remove with PowerShell.
Here are most of the removal scripts; you can copy and paste these into an elevated PowerShell prompt. Unfortunately it does not get rid of every useless app.
Get-AppxPackage *Minecraft* | Remove-AppxPackage
Get-AppxPackage *DrawboardPDF* | Remove-AppxPackage
Get-AppxPackage *FarmVille2CountryEscape* | Remove-AppxPackage
Get-AppxPackage *Asphalt8Airborne* | Remove-AppxPackage
Get-AppxPackage *PandoraMediaInc* | Remove-AppxPackage
Get-AppxPackage *CandyCrushSodaSaga* | Remove-AppxPackage
Get-AppxPackage *MicrosoftSolitaireCollection* | Remove-AppxPackage
Get-AppxPackage *Twitter* | Remove-AppxPackage
Get-AppxPackage *bingsports* | Remove-AppxPackage
Get-AppxPackage *bingfinance* | Remove-AppxPackage
Get-AppxPackage *officehub* | Remove-AppxPackage
Get-AppxPackage *BingNews* | Remove-AppxPackage
Get-AppxPackage *windowsphone* | Remove-AppxPackage
Get-AppxPackage *HolographicFirstRun* | Remove-AppxPackage
Get-AppxPackage *Netflix* | Remove-AppxPackage
Get-AppxPackage *bingweather* | Remove-AppxPackage
Get-AppxPackage *Microsoft3DViewer* | Remove-AppxPackage
Get-AppxPackage *ZuneVideo* | Remove-AppxPackage
Get-AppxPackage *3dbuilder* | Remove-AppxPackage
Get-AppxPackage *Facebook* | Remove-AppxPackage
Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage
Get-AppxPackage *SkypeApp* | Remove-AppxPackage
Get-AppxPackage *Appconnector* | Remove-AppxPackage
Get-AppxPackage *Wallet* | Remove-AppxPackage
Get-AppxPackage *Office.Sway* | Remove-AppxPackage
Get-AppxPackage *ZuneMusic* | Remove-AppxPackage
Also it makes sense to run “Update-Help” in an elevated PowerShell, to download all PowerShell documentation (similar to “man” on Linux).
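As an added example (not code from Frederic's post), the function below wraps the one-line removals above so the package list can be reviewed with -WhatIf before anything is removed, and can optionally strip the provisioned copy so the app does not return for new user profiles. It assumes Windows 10 with the built-in Appx and DISM modules and an elevated PowerShell; the function name and patterns are mine.

```powershell
# Added example, not code from the course page. Run from an elevated PowerShell on Windows 10.
function Remove-UnwantedAppxPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Wildcard patterns matched against the package name, as in 'Get-AppxPackage *Minecraft*'.
        [Parameter(Mandatory)][string[]]$Pattern,
        # Also remove the provisioned copy so new user profiles do not get the app back.
        [switch]$IncludeProvisioned
    )

    # Provisioned packages (the per-image copies) need the DISM cmdlets and elevation.
    $provisioned = if ($IncludeProvisioned) { @(Get-AppxProvisionedPackage -Online) } else { @() }

    foreach ($p in $Pattern) {
        $found = @(Get-AppxPackage -Name $p)
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Pattern = $p; Package = ''; Scope = 'User'; Action = 'NotInstalled' }
        }
        foreach ($pkg in $found) {
            # ShouldProcess honours -WhatIf (report only) and -Confirm (prompt per package).
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
                Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
                $action = 'Removed'
            } else {
                $action = if ($WhatIfPreference) { 'WouldRemove' } else { 'Skipped' }
            }
            [pscustomobject]@{ Pattern = $p; Package = $pkg.PackageFullName; Scope = 'User'; Action = $action }
        }
        foreach ($prov in ($provisioned | Where-Object { $_.DisplayName -like $p })) {
            if ($PSCmdlet.ShouldProcess($prov.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction Stop | Out-Null
                $action = 'Removed'
            } else {
                $action = if ($WhatIfPreference) { 'WouldRemove' } else { 'Skipped' }
            }
            [pscustomobject]@{ Pattern = $p; Package = $prov.PackageName; Scope = 'Provisioned'; Action = $action }
        }
    }
}

# A few of the patterns from the list above (any of the others can be added the same way).
$unwanted = '*CandyCrushSodaSaga*', '*MicrosoftSolitaireCollection*', '*bingweather*', '*3dbuilder*'

# Dry run first: lists every package that would be removed without touching anything.
Remove-UnwantedAppxPackage -Pattern $unwanted -WhatIf | Format-Table -AutoSize

# Real run, including the provisioned copies, once the list looks right:
# Remove-UnwantedAppxPackage -Pattern $unwanted -IncludeProvisioned | Format-Table -AutoSize
```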
Thanks Frederic, a good post. We have an imaging process at our work to deploy workstations. We routinely run PowerShell scripts to configure our workstations. PowerShell is such a useful utility that most people don't know about. With a little time and practice, you can really use it to your advantage! Just test what you're doing first; I've seen some scripts really blow up a machine!! 🙂
These are really useful, thanks Freddy!
Nice post Frederic,
I used these useful removal scripts with PowerShell for some unnecessary applications. Thank you.
Wow, I’m going to have to check these out and look more into what PowerShell is capable of. I’m more of a beginner with PowerShell and after several software installation issues, I didn’t have enough time or focusing capability after a long day at work to really dig deep into all that PowerShell can do.
I feel like with removing these it can definitely free up some storage and memory on the virtual machines.
Thanks Frederic, this was very helpful!
Good Morning,
I have seen that a few of you have sent me video files for your first assignment. Don't forget to send in your outline of the steps as well. If you have any questions please let me know via e-mail.
I apologize if these posts about VM configuration files are becoming annoying; last one, I promise ;)
As it turns out, usernames and passwords do NOT seem to be stored in VirtualBox VM configuration files. In my previous post, I had (incorrectly) interpreted some AUP banner display which contained the passwords (that VM was an old lab file).
But (in my opinion) this doesn't let VirtualBox off the hook because the VM configuration file (recall that the VM configuration file has an extension of .VBOX-PREV) still contains a LOT of valuable information that shouldn't be exposed.
With this in mind, I tried turning on VirtualBox encryption for the VM in question and the following is what happened:
DISCLAIMER:
I did not delve into the VirtualBox documentation, so I may very well have mis-configured or just missed something entirely. Comments MORE than welcome!
HOW TO TURN ON ENCRYPTION FOR A VM
- Start VirtualBox Manager
- Highlight the VM that you want to encrypt
- Click Settings --> General
- Check the box called 'Enable Encryption'
- Select a cipher from the 'Encryption Cipher' dropdown box
[Side Note]:
There are only 2 cipher options: 128- or 256-bit encryption. I decided to use AES 128-bit encryption because I felt 256 would be overkill. According to:
“How secure is AES against brute force attacks?”
https://www.eetimes.com/document.asp?doc_id=1279619
it would take 1 billion billion YEARS to successfully crack 128-bit encryption, and 'NO', that doesn't take into account quantum computing! 🙂 🙂
[Continuing]:
After selecting the cipher, you are then prompted to enter a 'password'.
VirtualBox then took approximately 15 minutes to complete the encryption process.
WHAT WAS THE IMPACT TO PERFORMANCE AFTER ENCRYPTING THE VM?
I did a TOTALLY un-scientific performance test to see if there might be a hit to the encrypted VM.
[Note]:
Your results will probably vary widely because ANY performance test is highly dependent upon things like CPU, memory, disk, the OS and type of hypervisor that is used. I used the following:
CPU: i5-3210M single 64-bit core processor clocked at 2.5GHz
Memory: 6GB DRAM
Disk I/O: Didn't have any baselines to go off of, but I used a mechanical 500G hard drive
OS: Windows 8.1
Hypervisor: VirtualBox 5.2.4
- I cloned an existing Windows VM and called it WindowsEncrypted and then encrypted it with 128-bit AES.
- There was a huge penalty hit (for both encrypted and unencrypted VMs) if the VirtualBox VM wasn't run before (you just booted the PC, for example) or if the VMs have not been previously loaded into memory and then shut down.
Apparently VirtualBox stores what it can in some sort of 'prefetch' buffers (possibly in memory) in order to speed up VM start-up time, which, again from a hacker's perspective, might be good to know.
The point here is that I loaded both the un-encrypted and the encrypted VMs into memory and then shut them down again before doing the timings.
- I arbitrarily decided to use 'start and stop timing' that was from the time that I double-clicked on the VM icon until the point where I saw a complete desktop that was ready to go.
- Basically, on average, it took the un-encrypted VM somewhere between 26 and 28 seconds to load.
It took the encrypted VM somewhere between 28 and 30 seconds to load so, for all intents and purposes, I didn't see any real discernible impact by encrypting the VM.
[SIDE NOTE]:
The first time that I tried to load the encrypted VM, Windows instantly dropped into "Startup Repair" (which I could not cancel); it ran for nearly 15 minutes. I *think* the reason for this was because of how the encryption was done; the virtual disk may have been 'out of phase' with one of the configuration files.
VIRTUALBOX RAN ENCRYPTION BUT WHAT EXACTLY DID IT ENCRYPT?
As far as I can tell, VirtualBox only encrypted the virtual disk drive; it did NOT encrypt the VM configuration files or any of the VM log files (recall from the last post that there seems to be a BOATLOAD of useful information in those log files).
Not only could I open up and read the VM config file, but it seems that VirtualBox also stores (what looked to me like) the actual key for the cipher in the configuration file itself!
…….interesting 🙂
Very interesting article Vince. I was looking at some VM encryption about a year ago. I never got around to testing it out. I was very curious about the performance impact on the VM itself. Seems like in your test, there was very minimal impact. I was looking at storing a Virtual Server offsite for DR. Looking at encryption was one of the items we had on our list. We never moved forward with the project, so I never got to play around.
Building the New Network Security Architecture for the Future
https://www.sans.org/reading-room/whitepapers/analyst/building-network-security-architecture-future-38255
After reading "Building the New Network Security Architecture for the Future" from the SANS Reading Room, it made me remember all the new ways we need to architect security in our companies with new technology and new ways of using old technology too. Here's a list of ways to build the new network security architecture:
1. Use a packet broker. Use something like Gigamon to capture traffic off your network, duplicate it and send it to other tools that can analyze it, like an Intrusion Detection System (IDS) or a network monitor for Data Loss Prevention (DLP).
2. All networks have some IoT devices on them. Protect them since they are probably not patchable. Segment them off on their own network so if they do get compromised they cannot affect the rest of the network. Use firewalls and network address translation so the outside world can’t get to them.
3. Use a Security Incident and Event Monitoring (SIEM) platform to monitor the traffic and logs on your network.
4. Use IDS and IPS on your network. Don’t just detect it with IDS but also block/protect your network with IPS.
5. Segmentation is important. I mentioned this for IoT but it’s important for other critical systems on your network too.
6. Use a next generation firewall like a Palo Alto instead of just a traditional layer 3/4 firewall. Inspect all layers of traffic up until layer 7 to see if there’s anything going on in your traffic you need to block.
7. Antivirus isn't dead, but maybe instead of just using signature-based AV, we should also use behavior- or heuristic-based AV, maybe on top of the traditional AV we are used to.
8. When dealing with the cloud, don’t be afraid to use a web application firewall (WAF) and virtual firewalls. Vendors like Sophos and Palo have virtual firewalls you can download from the Amazon Marketplace and deploy to your cloud as a virtual appliance.
9. Most importantly know the norm on your network and then report out on the deviations. All these tools above can help with this.
– Sev Shirozian
Hi Sev,
Nice post, I agree. With new architecture methodology, we would definitely need new security controls. Unfortunately, security technologies have not reached the same level of advancement. These methodologies are all connected to the internet, so newer encryption technologies, such as quantum cryptography, need to keep up.
Great post Sev, the key points were nicely laid out. The impression that I came away with after reading the paper was that the recommendations made in the SANS article seemed to me like they were preparing to 'fight the next war using weapons and implements from the last war'. The document seemed to take a perspective more along the lines of security best practice recommendations from a couple of years ago instead of providing an insight into future security architecture.
For example, in my opinion:
– The article continually references the need to secure ‘THE cloud’. That may have been applicable a few years ago when enterprises where initially starting to experiment with cloud viability as a delivery platform (by moving a few non-mission critical applications over to a SINGLE AWS or GCS instance) but today, there is no ‘THE cloud’ – today businesses deploy their applications on MULTIPLE public and private clouds in addition to maintaining legacy, mission critical applications inside the data center. The point is, an architecture that is designed for ‘THE cloud’ will be radically different than one that needs to be designed for the realities of today’s environments.
- The article's suggested architecture fails to take into account major paradigm shifts in how information and information services are delivered and consumed today: things like the security implications of the transition to new microservice-based architectures, the 'co-mingling' of both legacy and cloud-native application environments, the explosion of 'Shadow IT', the creation of vast, abstracted, distributed pools of resources that are clustered across multiple geographically dispersed data centers and clouds (resources like storage pools and VMs), etc., etc., etc.
– The idea of software based ‘packet brokers’ (again in my opinion), should be an anathema to any well thought out security architecture because, among other things, the packet broker function is THE FIRST place that an adversary is going to attack. This means that adding this function just creates another attack vector that must be protected which in turn adds more complexity and hence more vulnerability to the environment.
- It seems to me that the article/architecture overemphasizes a reliance on 'visibility'. For example, the article constantly brought up monitoring logs as a way to gain visibility. This may have been effective a few years ago when logging was essentially confined to a small subset of devices that resided within the confines of a data center, but today those 'logs' are probably spread across multiple data centers AS WELL AS multiple clouds. The point here is that (again in my opinion) the article's emphasis on visibility ignores the need for new methods of governance and control. Detective controls are important, but so are the preventative, responsive and countermeasure controls that the article's 'architecture' fails to address.
Existing security policies must be adapted to leverage new approaches to administration, technical and physical controls. For example, a proper security architecture should take advantage of new capabilities like machine learning that is integrated into a single compute, storage and network ‘fabric’. This kind of capability would instantly identify, classify and remediate bad-actor behaviors – AUTOMATICALLY. This would be an architecture that HOLISTICALLY addresses security governance and controls.
I thought that there were other deficiencies in the SANS article, but it's getting late and I'm out of gas right now ;););)
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
Although this issue is destructive, the vulnerability seems to be somewhat limited or easily mitigated. At the end of the reading was a suggestion that updating the OS of the ATMs would mitigate this sort of attack. Another point was that the hackers needed physical access to the ATMs; this would mean implementation of physical controls would also mitigate this vulnerability.
I found it really interesting, well actually surprised, that these ATMs were still running Windows XP. Microsoft released this OS in 2001, roughly 17 years ago! They stopped supporting updates for it in 2014, so these machines hadn’t had any security updates or patches in at least 4 years. That’s really a scary thought considering that these are financial devices which could possibly put a lot of people at risk of having their account information compromised.
It would be wise for ATM manufacturers to begin installing a failsafe for not installing your security updates in a timely fashion. Perhaps have the ATM suspend service if a patch is released and not installed after more than 30 days, or similar.
Definitely, updating the OS would mitigate this issue. And, just as physical security is being given due consideration, so should we tighten the network security, because a lot of the ATM hackers have swung lately to network-based attacks. Attackers can hack into the bank's main network easily through phishing mails directed at the bank's employees, and once they enter the network, they can easily access the networks meant for bank ATMs. The Taiwan network attack (2016) is one such example. Such network-based attacks may not just steal the money from ATMs but also jeopardize personal information of the customers.
Another major concern is that these malware creators even sell their "products" to perpetrators who are not well versed in developing malware.
I don't know enough about the full functions of an ATM machine. What do they store in their Electronic Journals? For how long? Seeking answers on the internet, I found this PDF, the ATM Software
Security Best Practices Guide from ATMIA, an independent, non-profit trade association for ATM convenience and growth.
https://www.atmia.com/files/Best%20Practices/ATMIA%20Best%20Practices%20v3.pdf
It is a very thorough paper on the history and security of ATMs. I'd like to point out their goals 3, 4 & 6, which if followed by Diebold Nixdorf potentially could have saved them $1 million at the time of this writing.
Goal 3: Maintain a Vulnerability Management Program Pg 23
Goal 4: Implement Strong Access Control Measures Pg 24
Goal 6: Maintain an Information Security Policy Pg 26
ATM jackpotting, at least in this current instance, is a governance issue. Improper security practices have left a vulnerability and the crooks are finding it.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
Just a little over a year ago we saw jackpotting in Europe. We all knew it was a matter of time before it would reach the US. Honestly, I thought we would have seen it sooner. The major weakness for jackpotting currently is physical security. Crooks need to get to an internal data port either by finesse, a master key or brute force. Don't find comfort in the fact that the fraudsters are only affecting machines from the Diebold Nixdorf company, because a minor change in the malware code could affect every vendor. Currently the Secret Service reports the most susceptible are systems still running Windows XP and 7.
Security reports recommend strengthening physical security. That is about the best "no duh" answer they could provide. Now, it is reported that this is a form of organized crime. As of 7 hours ago to this writing the Feds have charged two suspects in jackpotting schemes in CT and RI. The two suspects, if convicted, face 30 years in prison. The two suspects of Spanish descent (that's relevant as the first case of jackpotting in the Americas took place in Mexico), dressed as field technicians, were caught mid money-dispensing act on an external drive-through ATM.
I am surprised honestly that ATM companies use existing OSs. The biggest shock to me in this article was that they are using a Windows OS. I just assumed it was a proprietary or heavily modified OS. Sounds like what I thought, is what might need to be done to ensure better security.
Brock, when I first heard about how they were getting into ATMs, I too was very surprised to find that the ATM systems were relying upon Windows. I would have bet anything that it was using some flavor of Unix/Linux as the OS. You're right on target, the best way to stop these attacks is beefing up the physical security at the ATM. Connecting physically to the system, adding skimmers to read cards, it's all physical. I assume they thought Windows was a safe operating system to use since it was contained, or so they thought. Kind of locked away and unobtainable! It just goes to prove again that thieves will go to any length, and find any little hole in a system to get through.
I'm going to assume that it was just lack of knowledge that led these ATM owners/operators to believe that keeping an old ATM without updating the software was perfectly fine. It honestly terrifies me considering that our financial institutions and devices should be one of the most secure things out there, but these devices hadn't had software patches or updates in at least 4 years since Microsoft stopped supporting XP. Just think of how many people could have had their financial assets put at risk, even if you aren't considering this recent string of jackpotting.
I mentioned this in my other post, but I'll reiterate here. I'm actually not very surprised that these devices are running Windows. Most ATMs were deployed many years ago and they are very expensive to replace or upgrade. At the time, a decision was probably made to use Windows based on user experience and functionality. I imagine financial institutions accepted some of the security risks and assumed they could rely on physical security and monitoring controls to LIMIT losses. One of the YouTube videos I watched mentioned that there has been over $1 million in losses related to these jackpotting attacks, but if you think about it, I know it would cost much, much more to upgrade and replace all of these devices. In today's age, however, the tools and techniques available to attackers are much more sophisticated. ATM manufacturers and financial institutions are clearly rethinking the traditional model.
A $1 million loss is still a large loss to any organization. It might cost a lot to perform upgrades and especially a redesign... BUT NOW Diebold Nixdorf is at least $1 million in the hole and is still holding the bag for a solution. This is another example of a failure to address security concerns or a lack of auditing. Upgrades and patches are imminent now, and so is spending more $$$$.
Check out how easy it is to start an ATM business. It is similar to the Vending Machine Business. The owners of these ATM, with Diebold Nixdorf software (running on Windows) have no clue about Windows XP, the software, the hard drive, or even the physical controls.
These owners are making an investment in a “franchise” type business. They are putting the machines in a location and visiting them every week or two, just to fill and check to see if something looks different. I would imagine one large company owning millions of ATM machines that were purchased through Diebold Nixdorf.
So Diebold emails the owner and says, hey franchisee… The millions of ATM machines you purchased are vulnerable. We will send you a new hard drive (Which the owner says, “What is a hard drive”), Then the owner will need to install and configure the hard drive (Which the owner says, “What is a hard drive”) Then the owner will need to purchase and install new security locks on the cases of all “million” of your machines.
Or you can risk that a very sophisticated hacker will conduct a jackpotting scam and get a max amount of $40,000 per machine if the standard machine held all $20s. (Common machines hold 20,000 notes. The note value depends on how you configure the ATM.) I can almost guarantee that the company with over a million ATM machines has only decided to do this on certain ones and will take its chances.
They don’t feel like spending the money to protect it properly, so they will say, “Hey, if you are good enough to do it, go for it… I have insurance for this anyway, and if the police catch you… You are going to jail.” Now, let me get back to fishing on my Yacht…
I agree with this post. It’s no secret that finance drives industry. The fact that some machines still run Windows XP is a strong indication that security is not a high priority for these ATM machines. As you stated, the company is most likely insured to withstand a reasonable amount of hits from the ATM machines, so it will take a significant loss until the franchise takes a hit. So who suffers from this theft? Ultimately I feel the ATM users in the short run, through higher ATM fees. Banks may charge a higher fee on their end to cover risk. It will be interesting to see what, if any, significant effect this has on the ATM industry.
From my experience in the industry, generally speaking, bank-owned ATMs are more likely to be more updated and have better security than non-bank owned ATMs. I know several banks are now rolling out ATMs which have enhanced security features to the point where you don’t even need your ATM card. This new technology can use token technology through your phone, similar to ApplePay, where your account number isn’t even sent. I personally try never to use non-bank owned ATMs (for the very few times I actually need to get paper money anymore). As we can see with this article, these non-bank ATMs are often not kept up to the same standards as the bank-owned ones.
Article: File Your Taxes Before Scammers Do It for You
Link: https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
This article discusses the tax refund frauds that affect thousands of US citizens every year. One of the most common ways scammers have been stealing tax refunds is by identity theft. Data breaches like the Equifax breach that occurred last year have posed serious identity threats. Identity thieves use your personal information to file tax returns before you do and collect the claim, and you get to know that you are a victim when your return is rejected.
The author specifies several methods to mitigate the chances of you being a victim of such a fraudulent attack.
i) File your taxes early before the scammers file a bogus return in your name. However, there are limitations to filing the returns early since several companies are slow in sending out 1099 forms. And some companies require you to provide your personal information on a third-party site to obtain the 1099 forms sooner, which again jeopardizes your personal information. This limitation can be overcome if you keep a correct track of your earnings since you do not have to attach 1099 forms to your return, unlike W2.
ii) Placing a security freeze on your credit card file is another method which would mitigate the chances of someone else acquiring your sensitive information to bypass the security on the IRS website. A security freeze will also prevent identity thieves from claiming credit in your name and unauthorized checks on your credit report.
iii) Be wary of fake emails and phone calls asking for personal information and phishing emails.
Apart from this, I would like to highlight a public awareness campaign, Taxes. Security. Together. (link), conducted by the IRS, which lists out various steps that you can undertake to protect your financial and personal information. A few of the points mentioned here are: a) look for ‘https’ addresses when sharing sensitive information on web sites; b) do not overshare personal information on public media, e.g. exposing the license plate of your car in the pictures you post online; c) back up your tax files; d) shred tax documents before trashing. Such awareness campaigns, I believe, will be highly useful for average tax payers.
Seems like hyperlink for the campaign page I mentioned isn’t clickable. Below is the actual link:
https://www.irs.gov/pub/irs-pdf/p4524.pdf
Filing taxes early is probably the most efficient way to keep your tax return in your name, but it is a highly improbable outcome. I have never been able to file early. Forget your employer; if you invest in stocks it takes until March to see your documents. That has been my experience at least. When we are at the mercy of other, larger entities, what is someone to do?
The other best practices provided in this story are relevant and should be followed by everyone on the internet almost always. I like that they mentioned oversharing on social media. The general public is way too willing to add content to their social conglomerate, to the point that they forfeit basic privacy. If you wouldn’t be willing to provide personal information to a stranger over the phone on a cold call, then you should keep it off social media.
The Equifax leak will likely aid in identity fraud for a few lifetimes.
Interesting stuff. I was recently discussing the Equifax breach with a colleague. A question came up regarding the risk of a system that had a SSN and account information, but did not actually contain the customers name or other identifiable information. Obviously this is restricted information regardless, but now the risk is much higher for these systems after the Equifax breach. Even if you only have the SSN of a person and their account information, with the Equifax breach you could potentially allow someone to purchase their Equifax record and look up their name using the SSN (if it was one of the 145 million records breached).
This is a really risky situation. If a fraudster is able to get a valid SSN and a Name, or even a birthday, they could easily open all kinds of credit cards, bank accounts, etc, and virtually ruin someones life with credit fraud. With the increases in these types of crime, could it possibly be time to upgrade our government SSN system from a number to possibly some sort of biometrics? We already have biometric scanning at ports of entry into the country, on a majority of smart phones, and even in public schools. We should implement these biometric scanning systems into our Government Identification systems as well as our banking systems to be used when opening any accounts.
The general public is way too willing to add content to their social conglomerate, to the point that they forfeit basic privacy.
YES!
Challenge questions that can be guessed by visiting social media sites:
What is your high school mascot?
Where did you go to elementary school?
What road did you grow up on?
What is your favorite sports team?
What is your favorite color?
On, and On, and On…
This article is actually disclosing the real truth behind ongoing tax frauds. I am in favor of organized programs where people can get information about the complete steps of how they can safeguard their information. Such a step will educate and empower people to make sure that no frauds are taking place. I deeply believe that people are usually honest unless they have an opportunity to commit something illegal. Therefore, if we can close all such windows of opportunity, the problem can automatically be eradicated.
Is it crazy that we still use a 9 digit plain text number to conduct authentication for our federal tax reporting system?
Another sobering fact is that the article indicates a situation where someone was able to get sensitive tax information from a mortgage company simply by supplying the last four digits of a SSN and matching caller id. With all of the recent breaches of PII in the news, how long will it take for companies to shore up their security regarding PII? Until then, It is up to the consumer to ensure their information is not being used fraudulently, the awareness campaign you mentioned, Satwika, is a great way to educate the consumer and help mitigate against these attacks.
File Your Taxes Before Scammers Do It For You
https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
This is an interesting article. Tax scams have been around forever. I remember the first scam I heard of. The scam I heard about years ago was people filling out tax returns for people who had passed away. It’s not a surprise that criminals are now using the electronic filings as an avenue for theft. It’s safe to say that any technology that is invented for our convenience is also a target for theft. Technology, and the conveniences it provides, comes with inherent risks, and those risks are theft.
This article does a good job of explaining some steps to help prevent yourself from being a victim. Perhaps the most sensible thing to do is put a hold on your Experian credit account. You basically get a secret pin/code that has to be revealed anytime you contact Experian to open an account or confirm credit information. But, as always, it will only be a matter of time before these pins are leaked/stolen too, thus forcing a whole new set of measures into place to protect ourselves.
The only thing that is certain, is that as long as there is a profit to be gained from it, then it will be a target.
It’s inevitable that sensitive information will get breached at some point in time. It’s up to us, as consumers, to demand that companies are held responsible for any negligence and to ask our governing bodies to enact logical and effective regulation and standards to promote heightened security measures against cyber attacks. Like you mentioned about putting the hold on your Experian credit account and using multi-factor authentication: multi-factor authentication is very helpful in adding an additional layer of security.
Just from personal experience, I have an account with a popular cryptocurrency trading site which requires multi-factor authentication via a digital token. Whenever I first set up my account, I had to download Google Authenticator, which is a digital token generator. Now when I login, it asks for my username, password, and token number in addition to an anti-bot puzzle test. In my opinion, any secure or sensitive information should use multi-factor authentication, especially if making changes to an account or opening a credit card or something along those lines.
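The "digital token" described in the post above is a time-based one-time password (TOTP, RFC 6238), which is HOTP (RFC 4226) with the counter derived from the clock. The following is an added example, not code from the original post or from Google Authenticator, showing what the verifying side has to do: derive the code, accept a small clock-drift window, and refuse a code for a time step that has already been used so an intercepted token cannot be replayed. The demo uses the ASCII test secret from the RFCs (`12345678901234567890`) so the output can be checked against the published vectors; the base32 decoder is for the secret format authenticator apps display and is an assumption about that format, not something the post states.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP generation and verification.

Added example for the discussion of authenticator-app tokens; not code from the
original post. The secret below is the RFC test secret, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step); 30 s steps by default."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode an authenticator-style base32 secret (assumed format: spaces, lowercase
    and missing '=' padding are tolerated, as apps usually display it)."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: int = -1) -> Tuple[bool, Optional[int]]:
    """Accept a code for the current step or +/- `window` neighbouring steps.

    Returns (ok, counter). The caller must persist the returned counter and pass it
    back as last_used_counter on the next attempt: any step <= that value is
    rejected, so a captured code cannot be replayed inside the drift window.
    """
    if at is None:
        at = int(time.time())
    if not (code.isdigit() and len(code) == digits):   # reject malformed input early
        return False, None
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:               # replay protection
            continue
        # compare_digest keeps the comparison time independent of where codes differ
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"              # RFC 4226/6238 test secret
    print("TOTP at t=59:", totp(rfc_secret, at=59))  # RFC vector 94287082 -> 287082
    ok, used = verify_totp(rfc_secret, "287082", at=75)
    print("accepted within window:", ok, "counter", used)
    print("replay of same code:", verify_totp(rfc_secret, "287082", at=75, last_used_counter=used))
```

The window of one step each side tolerates roughly 30 seconds of clock skew between phone and server; widening it makes brute force and replay easier, and the last-used counter is what keeps a one-time code one-time even inside that window.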
Absolutely Scott. I believe multi-factor authentication is a good way to keep the consumer’s information safe and secure. In today’s fast changing world where we see a lot of customer-data-driven businesses coming up, it is the responsibility of the organizations to ensure that data is secure and not available for malicious use to anybody. In such scenarios, multi-factor authentication gives a sense of confidence to users as well. This internet-driven age is like a two-sided sword, and a secure ecosystem for any kind of transaction is what can reduce this feeling of insecurity.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
This article describes an attack on Diebold ATM machines using malware known as Ploutus.D. Ploutus.D was first described in 2013 and allows an attacker to empty a machine of its bills quickly. The attacker has to gain physical access to the internals of a machine and in some cases uses an endoscope (same thing they use in… human physiology) to locate internal cables. The attacker attaches a cable (ethernet? They don’t say) to the internal interface and runs the malware – sometimes using an external attacking party to launch the attack. The details aren’t very specific, which makes sense as Diebold doesn’t want too much info to get out. I did find a video of an attack here where you can see the attackers breaking a small panel to get physical access to the machine:
https://youtu.be/BG8sN1VNo8c?t=41
This article was great, and highlights the importance of OS security. We talk about defense in depth – layers of security. The article mentions that some ATMs still run WinXP… Regardless of how good the physical security (in this case the protective plastic fairings / “Skin”) is, you still need to have strong OS Security. This is a perfect demonstration of this point! People are hackers, intentionally, unintentionally, black hat and white hat. They will break in and find out how things work.
If I were the ATM manufacturer, I would re-assess my baseline security standards for OS’s and implement a better authorization and access control system. Spitting out the bills should require an RSA token authorization or something similar that is one time.
“Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit”
Cryptocurrency mining malware has become a very popular and profitable choice for cyber criminals, and the beginning of this year has seen a fast-paced shift in the cyber threat landscape. The recent exploitation of a Windows vulnerability using the well-known leaked NSA exploit tool “EternalBlue” affected thousands of Windows-based computers, taking advantage of their hardware power to mine cryptocurrency, which generates very large profits for criminals. Most importantly, the profit gained is not traceable given the nature of the cryptocurrency mechanism.
Ref. link:
https://thehackernews.com/2018/01/cryptocurrency-mining-malware.html
TakeAway and Solutions:
– Patch Windows machines on regular basis!
– Monitor and review processes that are running on servers to reveal unknown/suspicious processes, which may uncover hidden processes that use hardware for mining.
– Implement NIDS/NIPS for behavioral analysis over ports 8080, 8081, 10034, which are used by Mining Pools to connect over internet.
I also found a document developed by SANS explaining how Crypto Mining works and how organizations can detect and prevent from unauthorized crypto-mining.
Ref. link:
https://www.sans.org/reading-room/whitepapers/threats/detecting-crypto-currency-mining-corporate-environments-35722
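The third takeaway above, watching the ports that mining pools listen on, is a reasonable starting point but weak on its own: 8080 and 8081 carry ordinary HTTP and proxy traffic, so a port-only rule will page you for every web request. The following is an added example, not code from the post or from the linked SANS paper, that runs a simple scoring rule over constructed connection-log lines: a destination port from the post's list counts as a low-confidence signal, while a Stratum mining-protocol marker in the first bytes of payload (the JSON-RPC methods `mining.subscribe`, `mining.authorize`, `mining.submit`, the `login` method used by Monero-style pools, or a `stratum+tcp://` URL) counts as high confidence. The log format, the sample flows and the method list are assumptions for the example; a real deployment would take the same fields from Zeek conn/payload logs or an IDS alert stream.

```python
"""Flag outbound flows that look like cryptocurrency-mining pool traffic.

Added example for the "NIDS/NIPS on mining-pool ports" takeaway; not code from the
original post. Input is a constructed, simplified connection log with one line per
flow: timestamp, src:port -> dst:port, proto, first bytes of payload.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional

POOL_PORTS = {8080, 8081, 10034}          # ports the post lists as used by mining pools
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
METHOD_FIELD = re.compile(r'"method"\s*:\s*"([^"]+)"')   # fallback if JSON is truncated

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*(?P<payload>.*)$"
)

# Constructed sample flows (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = [
    '2018-02-01T10:00:01Z 10.0.0.12:49213 -> 203.0.113.5:10034 tcp {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '2018-02-01T10:00:02Z 10.0.0.15:49214 -> 198.51.100.7:8080 tcp GET /index.html HTTP/1.1',
    '2018-02-01T10:00:03Z 10.0.0.20:49215 -> 203.0.113.9:8081 tcp {"method":"login","params":{"login":"4AbCd","pass":"x","agent":"xmr-stak/2.2.0"}}',
    '2018-02-01T10:00:04Z 10.0.0.15:49216 -> 93.184.216.34:443 tcp TLS ClientHello',
    '2018-02-01T10:00:05Z 10.0.0.12:49217 -> 203.0.113.5:3333 tcp stratum+tcp://203.0.113.5:3333',
]


def stratum_method(payload: str) -> Optional[str]:
    """Return the method name if the payload is a Stratum JSON-RPC request, else None."""
    try:
        method = json.loads(payload).get("method")
    except (ValueError, AttributeError):          # not JSON, or JSON that is not an object
        m = METHOD_FIELD.search(payload)
        method = m.group(1) if m else None
    return method if method in STRATUM_METHODS else None


def classify(line: str) -> Optional[Dict]:
    """Score one flow. Port match = 1 (weak); Stratum URL or method = 3 (strong)."""
    m = LINE.match(line)
    if not m:
        return None
    dport = int(m["dport"])
    payload = m["payload"]
    score, reasons = 0, []
    if dport in POOL_PORTS:
        score += 1
        reasons.append(f"destination port {dport} is listed as a mining-pool port")
    if STRATUM_URL.search(payload):
        score += 3
        reasons.append("stratum+tcp/ssl URL in payload")
    method = stratum_method(payload)
    if method:
        score += 3
        reasons.append(f"Stratum method '{method}' in payload")
    verdict = "high" if score >= 3 else "low" if score > 0 else "clean"
    return {"src": m["src"], "dst": m["dst"], "dport": dport,
            "verdict": verdict, "reasons": reasons}


def suspicious_hosts(lines: List[str]) -> Dict[str, str]:
    """Map each internal source host to the worst verdict seen across its flows."""
    rank = {"clean": 0, "low": 1, "high": 2}
    worst: Dict[str, str] = defaultdict(lambda: "clean")
    for line in lines:
        r = classify(line)
        if r and rank[r["verdict"]] > rank[worst[r["src"]]]:
            worst[r["src"]] = r["verdict"]
    return dict(worst)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line)
        print(f'{r["src"]:>10} -> {r["dst"]}:{r["dport"]:<5} {r["verdict"]:5} {"; ".join(r["reasons"])}')
    print(suspicious_hosts(SAMPLE_LOG))
```

The host-level summary is what you would actually act on: a single 8080 hit stays "low" and is just context, while the host on port 3333 (not in the post's list at all) is still caught because the payload shows the Stratum URL, which is why content signatures belong alongside the port list in the IDS rule.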
File Your Taxes Before Scammers Do It For You
https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
According to the article, the first day of the tax-filing season is also known as the day fraudsters start requesting phony tax refunds in the names of identity theft victims, and this tax refund fraud affects hundreds of thousands of U.S. citizens annually. If we look at the highlights of the article:
– If you file your taxes electronically and the return is rejected, and if you were the victim of identity theft, you should submit an Identity Theft Affidavit – Form 14039.
– The IRS advises that if you suspect you are a victim of identity theft, continue to pay your taxes and file your tax return, even if you must do so by paper.
– If the IRS believes you were likely the victim of tax refund fraud in the previous tax year they will likely send you a special filing PIN that needs to be entered along with this year’s return before the filing will be accepted by the IRS electronically.
– While you’re getting your taxes in order this filing season, be on guard against fake emails or Web sites that may try to phish your personal or tax data. The IRS stresses that it will never initiate contact with taxpayers about a bill or refund. If you receive a phishing email that spoofs the IRS, consider forwarding it to phishing@irs.gov.
– Fraudsters are threatening taxpayers with arrest, deportation and other penalties if they don’t make an immediate payment over the phone. If you care for older parents or relatives, this may be a good time to remind them about these and other phone-based scams.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
The ATM “jackpotting” article goes over the complexity and steps that are taken in order to perform a jackpotting scheme. Using malware known as “Ploutus.D,” the attack can cause an ATM to dispense the cash it holds at a rapid rate. First discovered in 2013, the malware was mostly used to target banks in Europe and Asia; however, it was discovered recently that it is starting to shift into the US. The elaborate scheme mostly targeted ATMs that were manufactured by Diebold Nixdorf. The attack requires an endoscope in order to locate an internal location which the attacker can use to sync their laptop to the ATM’s computer. While appearing to be out of order to potential customers, the attacker would remotely control the ATM to forcefully dispense cash.
The recommended solution is to update ATMs that are currently on Windows XP to Windows 7. Upgrading will be a costly effort on the manufacturer’s part as well as a long process to update all ATMs. Tenable, the creators of Nessus, has implemented a way to detect the malware on infected ATMs with their tool Tenable.io. Although it won’t be able to prevent the attack from occurring, it is possible to stop any future possible attacks from happening again on that specific ATM.
https://www.tenable.com/blog/ploutus-d-atm-malware-reported-in-u-s
First ‘Jackpotting’ Attacks Hit U.S. ATMs
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
ATM attacks are stated to be widespread in Asia and Europe and have only just recently been showing up in the U.S. The article explains how organized crime groups seem to be, for the moment, targeting stand-alone, front-loading ATMs which are running the Windows XP operating system. The thieves pose as ATM technicians and install a type of malware called “Ploutus.D” which gives someone in the criminal organization the ability to control when the money gets disbursed. When it does get disbursed, it empties the ATM of all its cash.
To address the issue, it has been recommended that the operating systems be upgraded to Windows 7. ATM owners don’t seem to understand the importance of operating system updates and patches as well as software patches. This creates major vulnerabilities which these ATM owners may not know about or just don’t care about.
First, ATM owners/operators should immediately update their software and operating systems and ensure all security patches are installed.
Second, the thieves seem to need to have physical access to the machines to implant the malware. I would recommend all ATM owners/operators to also enhance physical security so that unauthorized persons do not have access to any of the internals or connections of the machines. This may include things such as installing a secondary metal enclosure surrounding the ATM with a secure lock which only the ATM owner/operator holds on to, or other such devices.
As a more long term investment, and depending on if the trend of increasing attacks continues, it may be wise for them to invest in a more secure and robust ATM as opposed to just beefing up an old one.
This is an important point to make Patrick. I completely agree with you about what you stated about the vulnerabilities in the existing ATM systems. To avoid these attacks, the technological upgradation is very much necessary. The business owners need to understand the importance of being safe from the loopholes of outdated versions of technologies. The physical safety of the premises is another relevant aspect which needs to be looked after. These safety measures can also be taken using the technology which can provide remote access of any such devices.
First ‘Jackpotting’ Attacks Hit U.S. ATMs
ATM “jackpotting”
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
This recently caused a major stir in the threat intel community for the Financial Services industry. The article explains how attackers were targeting Diebold Opteva 500 and 700 series ATMs using Ploutus.D malware to remotely force ATMs to spit out cash.
To understand more about the attack, I checked YouTube and found this video interesting:
https://www.youtube.com/watch?v=cRmpbPl78ck
It seems there are two major ways that attackers can perform this attack. They can gain physical access to the machine and swap the hard drive, or they can use an endoscope attached to a mobile device to take control of the ATM.
The article also references the Global Security report from Diebold that offers recommendations to mitigate these attacks. These include limiting physical access to the ATM, updating firmware and configuration settings, and implementing additional monitoring procedures. For example, an organization could monitor if a device goes offline, which is required for this attack to be conducted.
Finally, I wasn’t surprised to learn that the machines most susceptible to this attack were those that are running Windows XP. I also wasn’t surprised that ATMs still used versions of Windows XP. ATMs are expensive to replace and/or upgrade so it is not uncommon to have them running on legacy operating systems that have sunset support.
ATM “jackpotting”
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
People who want to mitigate the risk of ATM attacks should first understand how the attack is performed. Usually, most ATM attacks are logical or malware attacks by offline or online methods. Basically, there are four lines which bank security professionals could focus on: physical access to the ATM; offline protection (BIOS configuration, hard disk encryption, cash dispenser communications); online protection (network, firewall, anti-malware and logical protection, USB protection); and some additional measures (like ATM installation, secure software delivery, ATM and fraud monitoring).
Another thing I feel after I read this article is that the IoT is no longer just a trend anymore; it truly exists in every aspect of people’s lives. While bringing convenience, the IoT also takes us to a place full of unknown/potential cyber security issues. IoT devices are vulnerable, and these vulnerabilities present opportunities for attackers to gain access to your network and install malware, steal intellectual property, or worse. However, a new approach shows the way towards an adaptable, extensible means of protecting vital services such as medical care, electric utilities, manufacturing, and more. We should be prepared.
https://technet.microsoft.com/en-us/library/cc514539.aspx
Windows Server 2008 Security Baseline
Microsoft has launched the security baseline for its Microsoft Security Compliance Manager platform. The SCM is basically a free tool from Microsoft that enables users to configure security parameters on computers, private cloud, datacentres, and Microsoft System Center Configuration Manager. The SCM is primarily designed to configure, access, and monitor the security baselines and parameters as defined for the Windows Server 2008 SP2 environment. The security baselines serve as a great way for users to protect their systems from threats. The server security baselines provide technical support in understanding the nature of threats, implementing appropriate countermeasures and risk strategies, etc. The countermeasures list out the recommended measures to counter threats and the state of each countermeasure against those threats.
The various features of the SCM include baseline portfolio, security baseline export flexibility, and baseline management features to efficiently manage the security parameters against threats.
First ‘Jackpotting’ Attacks Hit U.S. ATMs
From
Jackpotting: installing malicious software and/or hardware in an unauthorized manner at the ATM machines, which targets the control of the dispenser in order to cash out the ATM.
Ability to connect a cord of the ATM to a laptop and, at the press of a button, install malware and start controlling the ATM using a keyboard or an SMS message.
ATMs of a particular manufacturer using Windows XP as the OS are prone to this attack; the manufacturer was recommended to upgrade the OS of the ATMs to Windows 7.
I think there should not be an option to connect external machines to the ATM machine onsite, even for repair; one needs to bring in a new machine, replace it with the new machine, and only repair the machine at a centralized location.
If the above option is not feasible, there should be an alert mechanism which alerts the nearest bank or police station when someone tries to connect an external device to the ATM at the site.
From:
https://krebsonsecurity.com/2018/01/chronicle-a-meteor-aimed-at-planet-threat-intel/
Chronicle: A Meteor Aimed At Planet Threat Intel?
This article talks about the following:
Alphabet, which is the parent company of the billion dollar search firm Google, aims to equip companies with tools that could allow them to work more efficiently on threat data that is generated by cybersecurity tools. While many organizations rely solely on the internal software and service to detect malicious threats and stop them, it doesn’t do any good because of the massive amounts of data generated by these cybersecurity tools, making it further difficult to identify missed threats.
The service from Alphabet named Chronicle is an advanced service offered that combines the power of advanced search, machine learning, data analytics, and storage capabilities. The goal of the service is however to give much more power to the security teams to identify and analyse security signals in a more cost-effective manner.
It’s pretty clear that with the massive amounts of data that Google has and the internal resources that it possesses, Chronicle might be the next big-thing in the world of cybersecurity. It is more important that any new service is not only efficient, but also filters out threats faster and is cheap. Today, many companies spend millions of dollars on software and systems that do not eradicate the vulnerability of threats.
https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/
Expert: IoT Botnets the Work of a ‘Vast Minority’
This article is a conversation between Brian Krebs and Allison Nixon, who is the director of security research at Flashpoint. Nixon throws light on his perspective of IoT security and the role of law enforcement in the investigations of the Mirai attack. Mirai is a self-propagating botnet virus that attacked some of the world’s biggest websites by launching DDoS last year.
https://thehackernews.com/2017/12/hacker-ddos-mirai-botnet.html
Nixon believes that the state of cyber security investigations has definitely improved, but there is and always will be a greater scope to improve. The improvements came especially last year in the DDoS space. However, the reason that Nixon believes is making IoT security more difficult is the fact that as time progresses, attackers become more proficient and knowledgeable in executing new attacks, and this makes it a big challenge for countermeasures.
I have to agree to the fact that IoT security is an evolving thing and that systems and processes should become constantly robust and advanced to counter new attacks. In fact, as per him the majority of the Mirai attacks and malware variants are coming from just a minority of people. While there are many measures that can be taken with respect to this, one interesting approach that the firm has taken is to force manufacturers to harden their products with more security while shipping.
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
The increase in the quantum of data and the growing interactions between various devices have further increased the risk of threats. In a similar incident as stated in the article, a massive internet attack took place, affecting a large number of websites. These attacks happened with the help of hacked IoT devices including CCTV video cameras and digital video recorders. The cyber criminals targeted Dyn to cause internet problems for users who tried hitting sites such as Amazon, Netflix, Twitter, Reddit, etc.
While the source of the attacks has been unclear, it is said that Mirai could have been behind the attack. The way Mirai works is by attacking the less protected IoT devices that have nothing other than factory-supplied security.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
First ‘Jackpotting’ Attacks Hit U.S. ATMs
Attacks on ATMs have been a common threat for banks in Europe and Asia. The article discussed the recent attacks on U.S. ATMs. The way these attacks work is that the attackers either install specialised software on the physical ATM or use specialized electronics to control the operations of the ATM. With this in hand, the thieves can force ATMs to dispense the required amount of cash at will. The attacks however were found to happen on non-NCR ATMs. This type of logical attack has been quite common and the need of the hour has to be to inform the respective financial institutions and plan mitigation steps. The Secret Service in the matter has warned that jackpotting malware named Ploutus.D has been the reason for the attacks, especially on stand-alone ATMs. These stand-alone ATMs are located in pharmacies, retail shops, and drive-thrus. The attackers usually are dressed as ATM technicians and use a specialised mobile device that has an image of the ATM’s operating system. Once the fraudsters gain access to the ATMs, a default program repeatedly shows that the ATM is out of service to potential customers.
It’s however quite surprising to see the kind of attacks that happened without an ATM technician authentication. Usually these technicians are appointed by the financial institutions and it is shocking how these fraudsters bypassed ATM security to attack the systems. Moreover, the article says that some ATMs used Windows XP. I feel that the layered security in Windows XP should have been patched to the latest one. I also wonder why these ATMs have such old OS installed in the ATMs.
https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
This is definitely an informative article that cautions people to file taxes before scammers make an entry in pulling all the tax refund money out. The case of tax fraud has hit America for many years now and it is still evident that necessary safety information is not passed on to the tax payers in the right manner. A good thing to learn from this is the fact that it gives some really important facts, such as submitting an Identity Theft Affidavit (Form 14039) in case a person’s SSN is misused. This article does a great job in explaining the precautionary measures citizens should take during the tax filing process. Even if a person is a victim of identity theft, one should continue to pay the taxes, even if it is on paper.
The good thing that has happened over the years is the fact that the IRS has taken necessary steps to prevent fraud for victims of tax refund fraud last year. The IRS will send a special PIN that needs to be entered while filing tax returns. The question that needs to be understood is how people stay protected from telephonic tax scams requesting them to immediately pay. I think the IRS should have a secure PIN for the requesting party to validate their authenticity. This might be a good measure of the chances of success in the future.
Building the New Network Security Architecture for the Future
https://www.sans.org/reading-room/whitepapers/analyst/building-network-security-architecture-future-38255
Building the new network security architecture for the future requires moving from legacy security architecture implementations which assume all assets are located within the company premises. Cloud computing using SaaS, IaaS, or PaaS involves securing applications, servers, or networks that may be located off premises in a different environment. Traditional forms of security architecture are inadequate for this type of environment and require updating to avoid blind spots in the architecture which could create new vulnerabilities for attackers. This SANS whitepaper offers some insight on how to shore up an existing security architecture to increase its effectiveness in a cloud computing environment. A few key points taken from the article are:
• Start by understanding where all your systems and data reside, both in the cloud and on premises.
• Place a lightweight, industrial-grade firewall in front of the IIoT (Industrial IoT) device.
• Segment off any IT services from IoT device communication at the corporate level. Implement a Zero Trust model for the IoT segment. IoT devices should run in a separate segment from critical business systems. Implement strict access control from within the IoT segment and for traffic in and out of the IoT segment; treat it as a hostile environment.
• Security should be baked into DevOps’ day-to-day activities, as per the DevSecOps principle.
• Log monitoring and analytics system should be implemented to monitor assets in the cloud.
• Keep in mind that these security devices are there to protect the customer’s environment within the cloud, not the cloud vendor’s entire environment.
• Security teams must ensure that the security posture of their cloud service’s infrastructure is at a reasonable level.
• Use software-based packet brokers, IDS/IPS, SIEM, (D)DoS attack prevention, and virtual security appliances (WAF, router, NGFW).
• Virtual web application firewalls, virtual routers, and virtual network-based firewalls.