Orenda Security

THE BENEFITS OF USING SAST AND DAST TOGETHER

admin — Tue, 19 Feb 2019 06:10:26 +0000

Both static application security testing (SAST) and dynamic application security testing (DAST) are methodologies used to test the security of application environments.

DAST is a black-box security testing method that tests applications from the outside-in.
SAST is a white-box security testing method that tests applications from the inside-out.

So, when cyber analysts are using SAST, they are pouring through the source code to determine any potential vulnerabilities. DAST, on the other hand, tests applications in their running state in an attempt to stress the applications exactly how a real-life attacker would. In short, DAST finds vulnerabilities in run-time, while SAST finds vulnerabilities in source code. These two different methods both have their strengths and weaknesses, which is why it’s best to use both for more thorough and accurate security.

A Clean Sweep for Code

SAST is fantastic at targeting source code, byte code, and binary vulnerabilities in environments across-the-board. It also finds weaknesses one line at a time before you launch the software, giving you the exact location of each vulnerability. Common vulnerabilities consist of:

Numerical errors
Input validation
Race conditions
Path traversals
Pointers and references

SAST thrives in Sequential Design Process environments, real-time systems, mobile applications, and software on embedded devices. Remember: if you want your SAST scanner to be effective, ensure it supports the language for the web application framework; this includes PHP, Java, Python, and more. The scanner also needs support, in turn, from the framework.

A Full Framework Analysis

DAST handles the complicated aspects of app security, discovering weaknesses within the entire application framework, including:

Web proxies
Servers (AWS, Azure, physical, etc.)
Databases (MySQL, Oracle, Microsoft, etc.)
Caches (out-of-process, in-process)

Since DAST takes place in a running environment, all interconnected structures that exist outside of your source code are simultaneously being tested to expose vulnerabilities. Pinpointing misconfigurations between all app environments gives DevOps a deeper understanding of vulnerability particulars while also exposing potential threats outside-the-code. Because SAST doesn’t take an app’s entire external framework into consideration, DAST complements SAST’s work. DAST provides results in an HTTP request that can be replayed for verifiability. This combination of run-time testing and replayable results makes DAST incredibly accurate and dynamic enough to provide vulnerability repeatability.

A Two-Pronged Attack

DAST and SAST should both be implemented on two fronts, automated and manual. Services, like Orenda Security, provide automated and manual assessments for both methods of application security testing. Automated DAST assessments can give good overall coverage of app framework and perform basic attacks and stress patterns. At the same time, manual assessments can dive deep into hyper-specific attack patterns and attempt to leverage expert insights to perform complex attack patterns. This combination can uncover complex and simple vulnerabilities while ensuring that every known attack pattern is replicated thoroughly across app frameworks.

Note: Good SAST providers should also leverage automated solutions while still using SMEs to manually review code vulnerabilities.

Conclusion

SAST and DAST make for a dynamic duo by helping WebOps uncover vulnerabilities in applications. If you’re looking for security experts who provide thorough automatic and manual reviews of applications via SAST, DAST, and penetration testing, contact us now.

The post THE BENEFITS OF USING SAST AND DAST TOGETHER appeared first on Orenda Security.

THE BENEFITS OF WEB AND MOBILE APP PENETRATION TESTING

admin — Fri, 15 Feb 2019 10:16:40 +0000

Mobile applications find many uses in the retail, finance, and health sectors. They’re always just one tap away, and they can include device-specific functionality, which web applications don’t have. One thing which they have in common with web apps, though, is a need to be very careful about their security. Penetration testing for mobile apps is just as important as penetration testing for web applications.

Comparing Web and Mobile Apps

A web application runs on a server, and users access it through a browser. It can be something as simple as a set of forms that initiate actions, or as complicated as a fast-action game or an ERP system. A mobile application runs as a separate application on the client side, but it’s often built around browser code that accesses a single site. Some mobile apps are effectively just single-page browsers while others add native functionality.

There are also mobile applications—which are entirely native—and they have security issues as well. But they’re more varied, and each one has to be considered based on its own functionality. For this discussion, we’re looking at applications that consist largely of access to a web server, whether they’re standalone or use a normal browser.

The Differences in Risk

Web and mobile applications each have their distinctive risks. A web application coexists in the browser with other sites. It has less control over its environment and what the user can do compared to a mobile application. It may run on an outdated, unpatched browser. It could find itself on an obscure browser with which it was never tested. Trying the application out with enough different environments to be confident about it is a laborious but necessary task.

A mobile application comes with its own browser, so it has full control over the client and server. However, it has enough risks of its own that Open Web Application Security Project (OWASP) has compiled a list of mobile device risks. Some of these are particularly relevant to developers and security testers.

Insecure communication. Applications that send sensitive data ought to send it securely. In a browser, this is just a matter of setting up an HTTPS server and using appropriate URLs in the browser. A mobile application needs to do more work. Some of them do it poorly, ignoring validation errors. Some don’t use it at all, sending passwords and credit card numbers over the air as cleartext.
Inadequate form validation. Forms in mobile applications are vulnerable to malicious data if they don’t check their inputs carefully enough. Mobile developers, sometimes, get careless because they don’t think of their applications as web apps.
Unsafe data storage. A mobile application typically needs to store some data for the user. Some apps store sensitive information without protecting it, in ways that other applications can read.
Hardcoded passwords and keys. It would take a really foolish web developer to put an undisguised password or key into a page’s JavaScript, but mobile app developers have more of an illusion of safety. Extracting such information from a mobile app is harder than pulling it out of a browser, but it’s a dangerous risk all the same.
Access to device functionality. A mobile application can request access to the user’s microphone, camera, email, and address book. Most users will grant it without a thought. If it’s compromised, it will have access to information that a web application can’t easily reach and even spy on the user.

Ironically, security problems in a mobile application often result from an excess of trust. Because it’s self-contained, developers don’t always think about the issues as carefully as they would for a website.

The Importance of Penetration Testing

Any type of application that accesses server-side code and handles private information needs testing to ensure confidence that it’s secure. Penetration testing for mobile apps has some differences from penetration testing for web applications. There’s no address bar in a mobile app, so people can’t enter arbitrary URLs. Different testing tools are needed. Real or simulated attacks may involve simulating the application and replicating its server requests.

When people grant access to their personal financial or health data, they have a right to see it protected. Developers need to earn trust by subjecting their applications to rigorous testing. Orenda Security specializes in penetration testing, DAST, and application assessments. We serve the healthcare, financial, and retail sectors.

The post THE BENEFITS OF WEB AND MOBILE APP PENETRATION TESTING appeared first on Orenda Security.

HOW TO SPOT AN INSIDER THREAT

admin — Mon, 11 Feb 2019 10:19:09 +0000

Most businesses are aware of the threats posed by external hackers or malicious actors to their business. Thousands—if not millions—of dollars are spent annually by these businesses to safeguard their network against unauthorized external access. However, most businesses do not invest as much effort or resources to guard against insider threats to their business. Insider threats pose as much of a threat and cause as much damage to businesses as threats from external hackers. The following statistics highlight the danger of insider threats to businesses:

Sixty-eight percent of all network attacks that targeted healthcare organizations in 2016 were due to insider threats.
In 2018, 53 percent of all businesses reported that they had been victims of insider threats within the previous 12 months.
The total average cost for businesses impacted by insider threats is $8.76 million.
The average time taken to contain an insider threat is 73 days.

TYPES OF INSIDER THREATS

There are two types of insider threats that businesses should be aware of when trying to secure their networks. Neglect of one or the other type of insider threat can leave a business vulnerable to an insider attack. The types of insider threats include:

Malicious/deliberate insiders. These are individuals who willfully look for ways to sabotage a business by compromising their data.
Accidental/unintentional insiders. These individuals unknowingly put the company at risk through negligence and other poor work practices.

EXAMPLES OF INSIDER THREATS

Some instances of businesses that became victims of insider threats for a variety of reasons include:

Anthem: In 2017, the health insurance carrier BlueCross BlueShield sent out notices to about 18,000 of its Medicare customers that their data had been breached. LaunchPoint Ventures, Anthem’s Medicare insurance coordination services vendor, reported that one of its employees was discovered to have been stealing personal customer information, such as Medicare IDs, Social Security numbers, and health plan IDs.
Target: Target Supermarket was the victim of a massive data breach in 2013. It reported that the personal information of about 110 million of its customers had been compromised; the compromised data included both personal and credit/debit card information. An employee of one Target’s third-party vendors unintentionally facilitated this data breach by falling victim to a phishing email; hackers were, then, able to install the malware to access the protected data.
Sage: In 2016, software firm Sage reported that a data breach had compromised the data of about 280 of its UK business customers. One of its employees used an internal login to access unauthorized data and was, therefore, able to compromise the network.

INSIDER THREAT RISK FACTORS

Given the damage that can be caused by insider threats, it is essential that potential vulnerabilities are promptly recognized and mitigated. Some factors that can put businesses at an increased risk of insider threats include:

Unrestricted access: Employees whose access is not regulated or is poorly controlled often pose severe threats to an organization. Willful or unintentional data breaches caused by these individuals can often be devastating. Ideally, the principle of least privilege should be used when granting access; an employee should have only the minimum access necessary to fulfill job duties.
Poor security practices: The use of poor security practices by employees, such as using weak passwords, reusing passwords, clicking on links from suspicious emails or leaving computers unlocked, can put businesses at risk of insider threats. Regular training should be done to educate users about the importance of good security practices.
Bring Your Own Device (BYOD): Employees who use their personal devices to carry out work-related activities can put their businesses at risk. The personal devices may not be secured adequately and as such, be at risk.

At Orenda Security, we know all about the risks of both internal and external threats to business networks. We offer cloud security, penetration testing, and dynamic testing to protect your network.

The post HOW TO SPOT AN INSIDER THREAT appeared first on Orenda Security.

WHAT MAKES SECURITY SYSTEMS VULNERABLE TO CYBER-ATTACKS?

admin — Fri, 01 Feb 2019 10:19:25 +0000

Everyone claims to have network security in place. This doesn’t mean that everyone has network security that works. Unverified, untested cybersecurity is better than none at all, but it isn’t enough.

Many businesses are stuck in a system of protection that no longer works, if it ever did. Verizon’s 2018 Data Breach Investigations Report suggests that the Internet faces “an information security dystopia.” According to the report, “cybercriminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.”

Poor security puts the personal information of individuals at risk. Industries, such as healthcare, have seen repeated failures. HIPAA Journal reported in March 2018 that data breaches had subjected more than 41 percent of the people in the United States to exposure of their personal information.

Common Mistakes in Security

The mistakes most commonly found in security systems include using ineffective solutions, expending too much effort in the wrong places, or working from a good idea but not following through consistently.

Here are some examples:

An inadequate or non-existent patch management program. Simply urging employees to keep their software up to date isn’t a patch management program. Without a systematic approach, people will overlook critically outdated software components. Sometimes, people avoid updating software because they’re afraid it will break. Sometimes, a component goes unnoticed because no one has been assigned the responsibility for it. A systematic approach is necessary to make sure nothing is left behind.
Lack of vulnerability scans. Prioritizing software updates requires knowing where the critical weaknesses are. A vulnerability scan identifies software that has known weaknesses and ranks the problems by severity. Without vulnerability checking, serious security holes will go unnoticed.
Inadequate account protection. Many organizations don’t have a policy defining and requiring strong passwords, or they don’t enforce it. They don’t purge expired accounts. They grant privileges too freely. They don’t limit login attempts. There’s no move to multi-factor authentication. Without these protections, life is easy for people trying to break into accounts.
Insufficient application-level protection. Protection only at the network level overlooks threats, which are tailored to applications. Web servers and other public-facing applications need their own filtering and threat detection.
Incomplete network coverage. An inadequate security system doesn’t cover all devices. Common mistakes include letting mobile and Wi-Fi devices in without restrictions and allowing telecommuting without setting up a VPN or equivalent protection. Getting into the network may be as easy as using a laptop in the parking lot.
Lack of testing and monitoring. A security system may sound strong when its authors talk about it, but without independent verification, there’s no way to be sure. No protection is perfect, and intrusion detection is as important as prevention. The Verizon report states that two-thirds of system compromises go unnoticed for months or even longer.

An effective cybersecurity system takes a multilayered approach. It protects the entire network perimeter, including user-owned and cloud connections. It limits the ports and services, which are available by direct Internet access. It monitors all systems for signs of intrusions and malware. There’s no single point of failure; an attacker has to jump through multiple hoops to do any damage.

The consequences of inadequate security are expensive. System downtime and data loss have direct costs. Beyond that, failure to take adequate precautions can be evidence of negligence. Regulatory fines, such as those under HIPAA, can be huge if a breach is due to lack of care. People whose information was compromised can take legal action.

If your network’s security system hasn’t had a thorough review recently, it needs one to make sure it can face today’s many threats. Orenda Security can help with risk assessment, penetration testing, and DAST.

Contact us today to request a quote!

The post WHAT MAKES SECURITY SYSTEMS VULNERABLE TO CYBER-ATTACKS? appeared first on Orenda Security.

2018 FACTS AND STATS ON THE STATE OF CYBERSECURITY

admin — Fri, 25 Jan 2019 10:20:16 +0000

2018 was a more expensive year for businesses that were victims of cyber-attacks compared to the previous years. Hackers and other malicious actors adopted innovative strategies for penetrating business networks and remaining undetected for longer periods. The 2018 cost of a data breach study conducted by the Ponemon Institute showed that there was a 2.2 percent increase in the average size of data breaches compared to 2017. Also, the average total cost of a data breach increased in 2018 from $3.62 million to $3.86 million, which is a 6.4 percent increase. In addition, the average price of each lost record increased from $141 to $148—an increase of 4.8 percent.

Let us review some of the strategies that were used by hackers to successfully penetrate the networks of their victims in 2018. By reviewing, you can strengthen your business, whether you were a victim or not.

1) FILELESS ATTACKS

Fileless attacks—also known as zero-footprint attacks, macro attacks, or non-malware attacks—are cyber-attacks that occur without the need to install new software on the end user’s device. As a result, fileless attacks can evade traditional security and forensic tools. With fileless attacks, hackers use approved applications already installed on the end user’s device. When the end user clicks on a malicious link or document, the code opens pre-installed programs, such as Windows PowerShell or Windows Management Instrumentation, which the code uses to locate and transfer the user’s data to the hacker.

Between January and June of 2018, there was a 94 percent increase in the use of fileless attacks by hackers. At present, fileless attacks comprise 42 out of every 1,000 attacks. The Equifax breach, which resulted in the compromise of 148 million records, was executed using fileless malware. Equifax downloaded vulnerable versions of the Apache Struts open software package that were exploited by hackers.

2) CRYPTOJACKING

Cryptojacking is the illegal use of an end user’s device to mine cryptocurrency. Most times, the end user is unaware that the device has been commandeered, letting the hacker root around in the work unseen in the background. Affected devices or networks can experience several adverse effects including, performance degradation, increased power consumption, and hardware degradation.

In 2018, there was an increase in the incidence of cryptojacking as hackers shifted away from using ransomware as their preferred cyber-attack strategy; between January and June, cryptojacking increased by nearly 1,000% and 47 new cryptocurrency miner families were detected. Examples of some applications that were used by hackers for cryptojacking in 2018 include Google DoubleClick and adware ICLoader; users clicking on these applications had their devices hijacked and used for illicit crypto-mining.

3) EMAIL PHISHING

Despite the increase in public awareness, email phishing increased by 46% in the first quarter of 2018. Users clicked on attachments or links within emails they received or on websites, allowing hackers to install malware that compromised their devices and, in some instances, entire networks. Traditionally, phishing attacks were made on websites that used HTTP instead of HTTPS, as well as SSL certificates. Due to increased awareness, however, phishing attacks are increasingly being carried out on websites with HTTPS; unsuspecting users click on links on these websites because they are fooled into thinking that the links are legitimate. More than one-third of phishing attacks were conducted using websites with HTTPS and SSL certificates in the second quarter of 2018. The sectors most targeted by these phishing attacks in 2018 were:

Payment (39.4 percent)
Software-as-a-Service (18.7 percent)
Financial institutions (14.2 percent)
Cloud storage/file hosting (11.3 percent)

As we begin 2019, cyber-attacks are poised to become an even greater threat to businesses as hackers develop more innovative ways to compromise business networks for malicious purposes. As such, you should seek out the experts at Orenda Security to keep your network protected. With our expertise in cloud security, dynamic testing, and penetration testing, we ensure that all access points to your network are continuously monitored and fully protected.

The post 2018 FACTS AND STATS ON THE STATE OF CYBERSECURITY appeared first on Orenda Security.

INTEGRATION FLAWS IN APIS OFTEN RESULT IN SECURITY BREACHES

admin — Thu, 10 Jan 2019 10:20:58 +0000

Many companies regard API security issues as events that only happen to large businesses (250+ employees) like T-Mobile, and McDonalds. It’s true: cyberattacks are most frequently targeted toward companies that possess expansive quantities of data that can be stolen by using the least amount of effort.

Even though corporations of that size manage to glide through these situations without experiencing a large loss from their customer base, it is disruptive and possibly dangerous. When small-to-medium companies are attacked they have even more to lose. With data ransom, financial theft and a myriad of new attacks on the loose, it is no longer safe to assume security is tight.

The downtime required to reverse the damage should be enough to make CIOs, CISOs, CSOs and other members of the security team take action. There is an inordinate amount of downtime required to:

Find the API flaws and security breakdowns
Secure the data with (encryption, tokenization,de-identification)
Centralize control of data users
Contact customers who may be affected
Strengthen the weak links (automated and human)

By the time these measures are taken, sales momentum is lost and customers may lose confidence and interest in the brand, which brings in another layer of turmoil.

According to the Canadian Survey of Cyber Security and Cybercrime, companies worldwide have seen a 57.5 percent increase in cyberattacks during the holiday season in 2017 which is more than double the amount in 2016. According to Statistics Canada, more than one in five Canadian companies experienced a cyberattack in 2018.

A StatCan spokesperson reminds us, “Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats. However, the impact of these risks and threats on the investment and day-to-day decisions of businesses are not easily understood as cybersecurity incidents often go unreported.”

API Flaws are Attractive to Cybercriminals

APIs provide the digital integration between apps, cloud resources, data, and application services, which provides a high level of motivation for cyberhackers.

Think about it… APIs provide access to customers’ data and often their entire digital environment. Additionally, many APIs have gaping flaws that are not easily detected without proper testing and periodic retesting. API flaws provide easy opportunities for security theft therefore it is crucial to verify iron-clad integration of the various components. In 2018 alone, there have been an increased number of high-profile data breaches and exposures due to poor API security. Salesforce, Instagram, and Venmo were all victims of API insecurity, to name a few.

Since APIs are provided to developers and public users in an effort to increase software usage, there are tremendous opportunities for cybercriminals. According to a study by Imperva, the average company manages an average of 363 APIs due to the increased use of micro-services.

Testing APIs – Now Critical to Security Maintenance

API testing can be accomplished during development; however when APIs are added, changed or updated repeat API testing is recommended. In the past UI testing seemed to be enough, yet API testing is much faster and more efficient than waiting for users to discover bugs over a longer period of time. API testing allows communication between integrated software systems and can discover vulnerabilities that can be fixed and marked as cyber safe.

In the case of the year-long API flaw the United States Postal Service experienced (November 2018), mass confidential customer information was prominently available to be accessed without special authority. That means just about anyone could access over 60 million corporate users’ email addresses, street addresses, phone numbers, et al. This defect could have been responsible for an epic incidence of phishing, social-deception and fraud in multiple directions. At this time, the USPS claims the vulnerability has not been leveraged. Yet after nearly a year of exposure, it may be only a matter of time before the ramifications surface.

Other prominent examples include Air Canada, the Bank of Montreal, the Canadian Imperial Bank of Commerce, and Equifax. API testing would have prevented each and every incidence.

Mark Your APIs as Safe

According to all sources, API cyber abuses will be the most prominent cause of data breaches by 2022. Even though internet security has become one of the most important aspects of retail and E-commerce companies, API integration is often overlooked. In order to overcome these odds systems must be tested to allow chinks in the armor to be corrected. As technology advances, testing must remain a priority for all companies that want to maintain the highest standards in cybersecurity. Gain confidence in your API integrations by staying ahead of the looming threats that could temporarily (or permanently) cripple your business.

Our highly trained and experienced Orenda Security team specializes in application assessment and API testing, among all types of internet security. We can test your software to determine if it meets expectations for functionality, reliability, performance, and security. Gain peace of mind by preventing situations that can negatively affect your growing business.

The post INTEGRATION FLAWS IN APIS OFTEN RESULT IN SECURITY BREACHES appeared first on Orenda Security.

4 CYBERSECURITY TIPS TO HELP AFTER THE MARRIOTT DATA BREACH

admin — Fri, 07 Dec 2018 10:22:08 +0000

Last week, it was revealed that the Starwood guest reservation system had been hacked, affecting 500 million guests. The Starwood chain is a subsidiary of Marriott International, and they are picking up the pieces of the breach, which dates back to 2014. Personal information of the 500 million guests have been compromised, including names, email addresses, passport numbers, and credit card data. It has been deemed by CNN to be “the second biggest corporate data breach in history.”

The Starwood hotels that have been affected include:

W Hotels
St. Regis
Sheraton Hotels & Resorts
Westin Hotels & Resorts
Element Hotels
Aloft Hotels
The Luxury Collection
Tribute Portfolio
Le Meridien Hotels & Resorts
Four Points by Sheraton and Design Hotels
Starwood-branded timeshare properties

So, what’s being done to fix this problem, and what can you do about it?

Mariott is in the process of emailing all of the guests that were affected, and they have set up a website to answer your questions about the data breach. But we have some helpful security measures that you should take to protect your data. These measures should be practiced on a daily basis.

Security Measure #1: Stop Oversharing

Social media is being used frivolously with people sharing too much information, from their bathroom schedule to their home address. Most people doing this would never admit these details to a stranger in front of them, but because they are using a device, they don’t feel the reality of exposure.

What should you do, then?

The smart way to share is to post highlights as opposed to every little detail and do it every few days instead of every day. When it comes to sensitive information, such as family problems, don’t post it. Chances are, the people involved don’t want the situation known by outsiders. If you’re looking for help, talk to the right people instead by phone or in person. You will get better results.

Security Measure #2: Monitor Your Accounts

Businesses push consumers to go paperless and input their personal information into a multitude of websites. Whether it’s banking, shopping, or job hunting, it’s hard to get results without putting your information into a device. Everyone is connected, and we’re trying to reduce the amount of paper used—which is commendable—but it means we must exercise more caution.

Bank accounts—and now Starwood Preferred Guest accounts—are among the most important ones to monitor. Marriott has made several recommendations to protect your data:

Freeze your credit cards.
Consider credit monitoring services.
Sign up for identity theft protection.
Dedicate a credit card to a certain type of transaction, such as online shopping.

If you were a guest of a Starwood hotel or not, you should always check your accounts on a regular basis, keeping an eye out for suspicious activity. A good way to strengthen this practice is to keep all of your receipts; if you forget about products you bought or a store you were at for the first time, your receipts will help you verify what is suspicious and what is not in your account.

Security Measure #3: Think Before You Click

Have you just received an email from a person or business? Whether or not you know this person or have an account at that bank, don’t click any links. Even if you don’t have the slightest doubt that your friend or bank sent you the email, leave the cyber world and verify by phone or in person that it is legitimate.

Our very own vice-president and co-founder received a phishing invite through LinkedIn Messenger. No matter what platform or browser you use, always have a good amount of skepticism before clicking on any links or giving over your personal information.

Security Measure #4: Seek Certified and Professional Help

Through penetration testing, our Orenda Security experts can simulate real-world cyber attacks to find the vulnerabilities hidden within your system. With the results of our cybersecurity risk assessments, we will help you achieve a strong security posture. Contact us today and request a quote!

The post 4 CYBERSECURITY TIPS TO HELP AFTER THE MARRIOTT DATA BREACH appeared first on Orenda Security.

HOW I NEARLY GOT HACKED VIA LINKEDIN MESSENGER BY MY NEW FRIEND

admin — Tue, 04 Dec 2018 10:22:57 +0000

On October 25th, I was contacted via LinkedIn Messenger by a new connection I had added five days earlier. The message was pertaining to a potential business opportunity.

By reading the text and looking at the compensation offered to sit on a board of directors, I had already noticed something wrong; the compensation didn’t make sense. For reasons you will see below, I thought it might just be a mistake, and the person meant to write 20k as opposed to 20M, which would make more sense :)Nonetheless, I wanted to know more. As an entrepreneur, I am always interested in learning about networking opportunities, like this one.

At first sight, I saw nothing alarming about the profile. My new ‘’LinkedIn friend’’ had over 500 connections, and his professional description was looking pretty good.The profile also showed a very credible career path with multiple job experiences over a long period of time.

Looking deeper into the profile, I also saw that this person was endorsed by multiple LinkedIn users—some of whom were also highly skilled and highly endorsed. Everything seemed to be legit with the profile in question.

One thing I always like to do is read people’s recommendations before I engage with a new connection. My new ‘’ LinkedIn friend’’ had over 10 recommendations, and that’s more than acceptable for most LinkedIn users. The recommendations he received also seemed to be legit.

At this point—and after verifying all the basics of this profile—I decided to engage in the conversation and see how that would go. A few seconds later, I received a new message from this person with a brief description of the opportunity and a link to access the information.

After reading his message and looking at the nature of the link, I already knew what was going on.

Let’s start by the message itself:

The person is proposing to share some confidential and sensitive information with me, such as: a business plan, organizational goals, key objectives, and more without asking for a non-disclosure agreement (NDA) to be signed or even a phone call.

Now, let’s look at the link:

That link looks phishy!

“Why would someone share a PHP file from within a theme’s directory!?” said one of our security consultants at Orenda Security.

When a WordPress site is compromised, the theme’s directory is usually one of the easiest aspects to modify, so you can incorporate your own PHP code.

This type of link is uncommon for exchanging this type of electronic document or information, especially for a known company, like DocuSign.

Using a free, top-ranked Google website, I scanned the URL for malicious activity. The resultswere surprising, and full of green. If you’ve never used a website like this one before, just know that there are hundreds of them that offer free scanning services. This site utilizes multiple scanning sites and only one indicated that something was suspicious.

I guess it’s fair to say that some people would trust the link based on the scan results.

Just for fun, I tested the link on Mac, and the antivirus (a trusted one) did not pick it up either.

Unfortunately, without proper guidance from a trusted expert or without having completed a security awareness course, it’s safe to say that a click could be the next step for many users.

In fact, the link is delivering a JS.Phishing.5 spear phishing attack:

Now, let’s see what this cybercriminal had in mind.

When opening the link in a secured environment, a fake DocuSign login portal was displayed, requesting me to login with either Office 365, Gmail, Facebook, or other known providers.

On first glance, the page itself is not bad. A lot of people could fall for the scam and I’m sure many already have.

Characteristics of this phishing scenario:

The overall look is of poor quality and does not reflect the corporate image of a serious organization. ·
There are no spelling or grammatical errors, which used to be one of the most common indicators of a fake landing page. However, phishing attacks are getting more and more sophisticated, and of course you cannot rely solely on this aspect.
The logo and the branding don’t correspond to the real DocuSign format.
None of the links on the page are functional.

If you go directly on the official DocuSign website, it’s easy to see what the real login page should be. Even a simple Google search will guide you.

Real DocuSign login pages (from support.docusign.com):

The next morning, I wanted to know more about this hacker, so I asked my new friend if they had a PDF document instead because I wanted to keep the conversation going a little longer.

Below was their answer:

I also asked them for a good phone number to discuss this “opportunity”.

But, of course, I did not get a response from the person.

At this point—and for obvious reasons—it was important to report this account to LinkedIn, so they could protect other LinkedIn members. We have also hid the name of the profile user in this post because it is very possible that this account was compromised and is now controlled by a malicious user without the real account owner knowing it. I also noticed that we had two connections in common and made sure they knew about this situation, so they wouldn’t get phished. Although, they could also be working together…

The reason why I’ve taken the time to share this experience with you is to show you that, when it comes to phishing attacks, most people think that it only happens via personalized or generic emails. However, hackers use all kinds of methods to target their victims, such as social media, text messaging (#smishing), and even LinkedIn Messenger.

I have the chance to work every day with a group of elite cybersecurity experts at Orenda Security. I also had the chance to work in the cybersecurity awareness business for a decade, helping organizations of all sizes with security awareness programs and phishing simulations services. However, that is not the case for most professionals outside of the cybersecurity world, and this direct attack via LinkedIn Messenger can be devastating for any of us.

Just remember to stay alert at all times, and if you have any doubts or find yourself in a similar situation, just reach out to someone that can help you. You can also ignore the message, but don’t open any links. If it’s a real opportunity or something important, that person will find a better way to reach out to you anyway!

The post HOW I NEARLY GOT HACKED VIA LINKEDIN MESSENGER BY MY NEW FRIEND appeared first on Orenda Security.

HOW THE XMRIG TROJAN VIRUS SNEAKS ONTO YOUR COMPUTER SYSTEM

admin — Thu, 25 Oct 2018 09:24:07 +0000

It’s difficult to know what is real and what is fake in the cyber world because most computer users are ignorant of ever-evolving threats. It’s not their fault because professional cybercriminals can mask their viruses, like Trojans. The XMRig CPU Miner is a Trojan Horse that many unsuspecting users install. It hijacks the user’s computer and uses its resources to mine digital currency. This includes:

Bitcoin
Monero
Dashcoin
DarkNetCoin

Our experts are here to inform you about the best ways to notice this virus’s presence and what to do if you accidentally install it on your system.

How to Recognize XMRig

Because the XMRig CPU Miner is a Trojan, it has been made to look like an Adobe Flash Player update, which is an often-targeted software program. XMRig has an NVIDIA GPU and an AMD GPU version. Within the last year, cybercriminals have tweaked this Trojan virus, allowing the user to update their Adobe Flash Player to further propel the illusion that it is the real deal.

Thanks to Palo Alto Networks’ security researchers who investigated the virus, users can determine several details that give XMRig away:

The installer pop-up browser will say the publisher is unknown when it should say the publisher is Adobe Flash.
The user’s computer will suddenly become slow because XMRig uses 70% of a computer’s CPU and draws power from the graphics cards.
The user’s computer will run hot over long periods of time, which will reduce the CPU’s life.
Users may notice the Wise program on their computer and the Winserv.exe. file.

The Palo Alto researchers have not zeroed in on the URLs that lead to users accidentally downloading the virus, but there are many ways to prevent against it and other viruses.

How to Protect Your Computer System

Although Adobe announced Flash’s end-of-life and that Microsoft would officially remove it by the end of 2020, businesses are still using it and run the risk of installing the XMRig Trojan.

Here are some methods of preventing the virus from entering your system:

Run a trusted anti-virus program with scheduled scans and continually update the software.
Use web and email filtering to block malicious URLs.
Make your staff aware of security prompts and the risks of using unknown sources for downloads and running programs.
Go directly to Adobe’s website for updates.

Why Businesses Use Flash

Generally, businesses use outdated proprietary software because updating requires time and funding they don’t have. This is how businesses develop vulnerabilities. Flash is useful in ad creation because it allows companies to track the number of clicks a particular ad receives. Thus far, everyone can use Flash to easily watch videos and play music, but some users are unable to use the alternative, which is HTML5. Businesses don’t like HTML5 because it’s harder to protect delivered content from the end user. Flash Media Server has a DRM functionality that is built-in, allowing users to stream any content while protecting the URL and preventing data from being cached.

Businesses have critical information, whether it’s financial or private, so they need to put the strongest safeguards in place. Trust our Orenda Security experts to use their diverse knowledge to find your system’s vulnerabilities through penetration testing, dynamic testing, and other useful practices. Contact us today at [email protected] or request a quote!

The post HOW THE XMRIG TROJAN VIRUS SNEAKS ONTO YOUR COMPUTER SYSTEM appeared first on Orenda Security.

BLOCKCHAIN TECHNOLOGY IN THE RETAIL INDUSTRY

admin — Wed, 03 Oct 2018 09:25:17 +0000

VMware recently released their Project Concord and is continuing to advance blockchain technology. A blockchain acts like a public log, facilitating the security of a transaction between two users in the same network. The transaction’s information is secured, verifiable, and permanently stored with its data sealed behind an endless series of hierarchical cryptographic blocks. The data blocks allow for transactions to be traced and easily verified. It is from these data blocks that the technology’s name is derived.

Those who are familiar with the digital currency, Bitcoin, will know that it was based on the workings of blockchains because they provide a top level of security. A transaction cannot be altered once it is entered into a blockchain. Each block contains a connective link that joins the blocks together, as well as a timestamp and the transaction data itself.

The Retail and Sales Industry

The retail and sales industry is a lucrative field for hackers and cybercriminals because of all the personal information available on these databases. Blockchain technology is only starting to be used outside of the financial sphere. The retail industry would benefit from blockchain technology by incorporating it into loyalty programs, protecting data from cyber-attacks, giving customers more control over their personal information, and tracking merchandise from its source to its destination.

The German restaurant, Sausilitos, adopted a loyalty program this past May that uses blockchains in their app and they also created their own cryptocurrency. Customers earn coins whenever they make a transaction at the restaurant and can exchange their tokens for cash, as well as for cryptocurrencies and tokens belonging to other brands. The CEO, Christoph Heidt, believed customers receive a higher return on investment and lifetime value combined with data protection.

Shopin was created to compete with Amazon and provide empowerment to shoppers. It’s a universal shopper profile that allows retailers to offer a higher quality of product recommendations and more valuable rewards to shoppers who provide retailers with access to their data, such as product and service preferences. Shopin is built on blockchain technology so it also enables easy and secure transactions. Shopin takes the shopping experience to the next level with its incorporation of artificial intelligence and the combined efforts of retailers to accumulate and pass on a shopper’s years of purchases. These features create a more sustainable retail economy because retailers grow stronger with accessible knowledge and customers own and have complete control over their data and with whom they decide to share it.

Walmart & IBM

Walmart and IBM combined forces in 2016 to use blockchain technology for recording food supply details, such as where they were grown and the methods used, as well as the inspector who performed the evaluation. Food supplies can easily become contaminated and undetected, but with blockchain technology, staff can quickly find any of the contaminated food and remove it from the shelves to ensure the health of thousands. The vice president of food safety and health at Walmart commented that the store’s tracking time went from six days to two seconds with the help of blockchain technology.

Pinpointing Vulnerabilities in the Retail Industry

Orenda Security provides assessments, DAST, and could use penetration testing to expose areas of risk and prevent significant breaches of data. Our managed DAST services empower development teams. We customize our reporting methods to better serve your business while demonstrating how these security risks apply to your products and services.

The post BLOCKCHAIN TECHNOLOGY IN THE RETAIL INDUSTRY appeared first on Orenda Security.