What Do Criminals in the Ransomware Industry Recommend so that Ransomware Does Not Affect You?
Sergio De Los Santos
14 September, 2020

We all know the security recommendations offered by professionals on malware protection. Frequently: use common sense (personally, one of the least applicable and abstract pieces of advice that can be given), use an anti-virus, a firewall (?)… All of them good intentions that are not practical, much repeated yet not very effective. Users and companies still get infected. So, what if, for a change, we listen to the creators of ransomware themselves? Wouldn't they most certainly have a more practical and realistic vision of what to do to avoid their own attack? What are their recommendations against themselves?

First of all, a distinction must be made between homemade ransomware and professional ransomware. In the first case, the target is any individual's random computer: anyone who doesn't apply the protection recommendations can be affected. The second is ransomware developed with a specific company as a target. The attackers will spend months planning the attack, probably weeks inside the network, and within minutes they will encrypt everything they can in order to demand a multi-million-dollar ransom. And once affected, little can be done. Garmin has recently paid, and so has CWT, a US business travel and event management company that has just paid $4.5 million to decode its own data. The deal with the attacking negotiator took place over chat and has been made public. The transcript shows the management of any business between professionals. Let's have a look at the recommendations that the "bad" negotiator made to the CWT representative and analyse their effectiveness.

Anti-Ransomware Recommendations

It is worth stressing that these are recommendations from the attackers themselves in order to help large companies attacked by professional ransomware. Let's check them out and analyse whether they are suitable.

List of recommendations.
Source: Twitter, Jack Stubbs

Disable local passwords
On systems and servers controlled by a Domain Controller, it is a good idea not to use local users and to focus on those of the domain controller. This improves traceability and reduces exposure. Good recommendation.

Force the end of administrators' sessions
When attackers are already on the network at ease, they will try to escalate to the domain administrator and open sessions with it; otherwise they will not be able to encrypt everything important, including the backups. It is a good idea that these sessions come to an end, have an expiration date and are fully monitored.

Avoid WDigest (Digest Authentication), used in LDAP, which stores passwords in memory
The attacker here refers, in a veiled way and almost certainly, to Mimikatz and how it most likely recovers the domain controller administrator password and escalates privileges thanks to this tool. If a certain Windows value is set to zero, they will not be able to see the password in the clear and the elevation will be complicated for the attackers. Excellent recommendation.

Monthly password updates
There is a lot of controversy about updating passwords. Users find it tedious to update their passwords monthly and end up writing them down or following a pattern. But for administrators (which is where the criminal's target is) it makes sense. Attackers may spend more than a month on a network without revealing themselves, studying when it is the best time to launch the most effective attack. Changing passwords, which they have probably already figured out, can force them to rethink the attack and may undo much of their work. Interesting recommendation.

Reduce user permissions to access only the essential
Well, this is a common recommendation.
It also very probably refers to how attackers manage, starting from a simple user, to increase privileges thanks to negligence in the segmentation of permissions and privileges.

AppLocker and the use of only the necessary applications
This is every network administrator's dream: to be able to have a whitelist of applications that users can run and ignore the rest. With AppLocker, already integrated in Windows, this would be enough. It works very well and allows you to limit by certificate, location, etc. Attackers would not be able to download their tools and launch them in order to increase privileges. It is an excellent measure, complex to implement yet not impossible.

Don't count on anti-virus in the short term
Well, unfortunately, we have already explained this on many occasions. Antivirus (as such) is not the best solution for early detection. "Don't count on them". Here, the attacker claims that anti-viruses could work in the long term, as something reactive. And unfortunately, he is right. Anti-viruses as such are a reactive element and that is where they work best: as a system for detecting and eradicating an infection when it has already occurred. To prevent, it is reasonable to use a much broader set of measures. Furthermore, he points out that the anti-virus is only useful if the attacker "for some reason does not attack in a short term". He suggests that professional attackers are rarely impulsive. He adds that they take their time to analyse the victim and strike effectively.

Install an EDR (Endpoint Detection and Response) and efficient technicians to work with it
An EDR is more than just an anti-virus; it is actually aimed at early detection, at analysing what is happening in the system in real time, beyond the traditional anti-virus signatures. And yes, that could be useful. But the subtle touch added by the attacker is interesting: not only that they use it but also that "the technicians work with it".
As with any software, there is no point in setting up the EDR if it is not properly configured, known, worked on and monitored.

Work 24/7
For large companies, the attacker recommends three eight-hour shifts for administrators, covering 24 hours a day. This means that attackers will most likely look for times when administrators are not working to launch attacks, lateral movements, or privilege elevations. If they manage to do so without alarms being raised (and checked), then they can wipe out their tracks. So full shifts of "human surveillance" are important.

Conclusions

Bearing in mind that they have just charged $4.5 million for a ransom they themselves have provoked, the attacker undoubtedly belongs to a professional group that knows exactly what they are doing. The recommendations seem sincere and, although it may seem counterproductive, aimed at hindering their own work. Why reveal these tricks? They communicate them exclusively to their victim (who, let's recall, has just paid) as an act of professionalism. They have completed a transaction between "professionals" for a service and so they give a "bonus" of information. Like the plumber who, after fixing a pipe blockage, advises you before he leaves, while he is billing you, on how to prevent the sink from getting blocked again. No plumber would withhold this little tip for fear of wasting future opportunities. On the contrary, as a good professional, the attacker needs to generate confidence because the next time he attacks a big company and demands a few million, he wants them to know that paying is the best option to recover their data. Treat your present and future clients well… even if they are victims. And even though these tips have been leaked, we assume that they don't really mind. There are thousands of large companies out there who will not listen. Due to their ignorance or lack of resources, who knows, but they will still be potential victims.

Attackers can afford to give advice on how to stop them from attacking and still enjoy a sufficient attack surface to maintain a prosperous business.
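As an added example (not code from the post, nor from the attackers' chat), here is a read-only PowerShell audit that checks a Windows host against four of the points above: the WDigest setting the author alludes to is assumed to be the UseLogonCredential registry value, plus enabled local accounts, local Administrators membership and AppLocker enforcement. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, run from an elevated session.

```powershell
# Hypothetical audit script (added example). Reads settings only; changes nothing.
# Requires the LocalAccounts and AppLocker modules shipped with Windows.

$findings = @()

# 1. WDigest: UseLogonCredential = 1 keeps cleartext credentials in LSASS memory,
#    which is what credential-dumping tools harvest. On Windows 8.1 / Server 2012 R2
#    and later the default (value absent) is already 0, so only an explicit 1 is flagged.
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wdigest = Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($wdigest -and $wdigest.UseLogonCredential -eq 1) {
    $findings += 'WDigest UseLogonCredential is 1: cleartext passwords are cached in memory. Set it to 0.'
}

# 2. Local accounts: on domain-joined hosts, enabled local users escape central
#    monitoring and widen exposure ("Disable local passwords").
$localUsers = Get-LocalUser | Where-Object { $_.Enabled }
foreach ($u in $localUsers) {
    $findings += "Enabled local account: $($u.Name). Prefer domain accounts and disable this one if unused."
}

# 3. Least privilege: enumerate the local Administrators group so unexpected
#    principals stand out. Threshold of 2 (built-in Administrator + Domain Admins) is a constructed baseline.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings += "Administrators group has $($admins.Count) members: " + ($admins.Name -join ', ')
}

# 4. AppLocker: the Exe and Script rule collections should be in 'Enabled'
#    (enforce) mode, not 'AuditOnly' or 'NotConfigured'.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
foreach ($type in 'Exe', 'Script') {
    $col = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq $type }
    if (-not $col -or $col.EnforcementMode -ne 'Enabled') {
        $findings += "AppLocker $type rules are not enforced (mode: $(if ($col) { $col.EnforcementMode } else { 'absent' }))."
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Session expiry and the 24/7 shift coverage are policy and staffing decisions rather than host settings, so they are deliberately outside this audit.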