You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in a taxi or lost an expensive ring down the drain. You never let your smartphone out of your sight, yet one day you notice it’s acting oddly.
Did you know that your device can fall into cybercriminals’ hands without ever leaving yours? SIM swapping is a method that allows criminals to take control of your smartphone and break into your online accounts.
Don’t worry: there are a few easy steps you can take to safeguard your smartphone from prying eyes and get back to using your devices confidently.
First off, what exactly is a SIM card? SIM stands for subscriber identity module, and it is a memory chip that makes your phone truly yours. It stores your phone plan and phone number, as well as all your photos, texts, contacts, and apps. In most cases, you can pop your SIM card out of an old phone and into a new one to transfer your photos, apps, etc.
Unlike what the name suggests, SIM swapping doesn’t require a cybercriminal to get access to your physical phone and steal your SIM card. SIM swapping can happen remotely. A hacker, with a few important details about your life in hand, can answer security questions correctly, impersonate you, and convince your mobile carrier to reassign your phone number to a new SIM card. At that point, the criminal can get access to your phone’s data and start changing your account passwords to lock you out of your online banking profile, email, and more.
SIM swapping was especially relevant right after the AT&T data leak. Cybercriminals stole millions of phone numbers and the users’ associated personal details. They could later use these details to SIM swap, allowing them to receive users’ text or email two-factor authentication codes and gain access to their personal accounts.
The most glaring sign that your phone number was reassigned to a new SIM card is that your current phone no longer connects to the cell network. That means you won’t be able to make calls, send texts, or surf the internet when you’re not connected to Wi-Fi. Since most people use their smartphones every day, you’ll likely find out quickly that your phone isn’t functioning as it should.
Additionally, when a SIM card is no longer active, the carrier will often send a notification text. If you receive one of these texts but didn’t deactivate your SIM card, use someone else’s phone or landline to contact your wireless provider.
Check out these tips to keep your device and personal information safe from SIM swapping.
With just a few simple steps, you can feel better about the security of your smartphone, cellphone number, and online accounts. If you’d like extra peace of mind, consider signing up for an identity theft protection service like McAfee+. McAfee, on average, detects suspicious activity ten months earlier than similar monitoring services. Time is of the essence in cases of SIM swapping and other identity theft schemes. An identity protection partner can restore your confidence in your online activities.
The post How to Protect Your Smartphone from SIM Swapping appeared first on McAfee Blog.
For years now, the popularity of online dating has been on the rise—and so has the number of online romance scams that leave people with broken hearts and empty wallets.
In a recent CBS News story, one Texan woman was scammed out of $3,200 by a scammer claiming to be a German cardiologist. After months of exchanging messages and claiming to be in love with her, he said that he’d been robbed while on a business trip in Nigeria and needed her help.
According to the U.S. Federal Trade Commission (FTC), the reported cost of online romance scams was $1.14 billion in 2023.
Dating and romance scams aren’t limited to online dating apps and sites; they happen on social media and in online games as well. However, the FTC reports that the scam usually starts the same way, typically through an unexpected friend request or a message that comes out of the blue.
With the phony relationship established, the scammer starts asking for money. The FTC reports that they’ll ask for money for several bogus reasons, usually revolving around some sort of hardship where they need a “little help” so that they can pay:
The list goes on, yet that’s the general gist. Scammers often employ a story with an intriguing complication that seems just reasonable enough, one where the romance scammer makes it sound like they could really use the victim’s financial help.
People who have filed fraud reports say they’ve paid their scammer in a few typical ways.
One is by wiring money, often through a wire transfer company. The benefit of this route, for the scammer anyway, is that this is as good as forking over cash. Once it’s gone, it’s gone. The victim lacks the protections they have with other payment forms, such as a credit card that allows the holder to cancel or contest a charge.
Another way is through gift cards. Scammers of all stripes, not just romance scammers, like these because they effectively work like cash, whether it’s a gift card for a major online retailer or a chain of brick-and-mortar stores. Like a wire transfer, once that gift card is handed over, the money on it is highly difficult to recover, if at all.
One more common payment is through reloadable debit cards. A scammer may make an initial request for such a card and then make several follow-on requests to load it up again.
In all, a romance scammer will typically look for the easiest payment method that’s the most difficult to contest or reimburse, leaving the victim in a financial lurch once the scam ends.
When it comes to meeting new people online, the FTC suggests the following:
Scammers, although arguably heartless, are still human. They make mistakes. The stories they concoct are just that. Stories. They may jumble their details, get their times and dates all wrong, or simply get caught in an apparent lie. Also, keep in mind that some scammers may be working with several victims at once, which is yet another opportunity for them to get confused and slip up.
As mentioned above, some romance scammers troll social media and reach out through direct messages or friend requests. With that, there are three things you can do to cut down your chances of getting caught up with a scammer:
Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you’re doing, saying, and posting, which can help protect your privacy and give a romance scammer less information to exploit.
Be critical of the invitations you receive. Out-and-out strangers could be more than romance scammers. They could be fake accounts designed to gather information on users for purposes of cybercrime, or accounts designed to spread false information. There are plenty of them too. In fact, in Q4 of 2023 alone, Facebook took action on 693 million fake accounts. Reject such requests.
Online protection software like ours can help you spot fakes and scams. Features like McAfee Scam Protection use advanced AI to detect scam links in texts, email, and social media messages before you click. Our Personal Data Cleanup can keep you safer still by removing your personal info from sketchy data broker sites — places where scammers go to harvest useful info on their victims. And if the unfortunate happens, we offer $2 million in identity theft coverage and identity restoration support.
If you suspect that you’re being scammed, put an end to the relationship and report it, as difficult as that may feel.
Notify the FTC at ReportFraud.ftc.gov for support and next steps to help you recover financially as much as possible. Likewise, notify the social media site, app, or service where the scam occurred as well. In some cases, you may want to file a police report, which we cover in our broader article on identity theft and fraud.
If you sent funds via a gift card, the FTC suggests filing a claim with the company as soon as possible. They offer further advice on filing a claim here, along with a list of contact numbers for gift card brands that scammers commonly use.
Lastly, go easy on yourself. If you find yourself a victim of online dating or romance fraud, know that you won’t be the first or last person to be taken advantage of this way. By reporting your case, you may in fact help keep others from falling victim too.
The post How to Spot Dating Scams appeared first on McAfee Blog.
EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.
In automated mode, EDRaser scans the C class of a given address space of IPs for vulnerable systems and attacks them automatically. The attacks in auto mode are:
To use EDRaser in automated mode, follow these steps:
python edraser.py --auto
In manual mode, you can select specific attacks to launch against a targeted system, giving you greater control. Note that some attacks, such as VMX deletion, are for local machine only.
To use EDRaser in manual mode, you can use the following syntax:
python edraser.py --ip <ip_addr> --attack <attack_name> [--sigfile <signature file>]
Arguments:
--ip: scan IP addresses in the specified range and attack vulnerable systems (default: localhost).
--sigfile: use the specified encrypted signature DB (default: signatures.db).
--attack: attack to be executed. The following attacks are available: ['vmx', 'vmdk', 'windows_security_event_log_remote', 'windows_application_event_log_local', 'syslog', 'access_logs', 'remote_db', 'local_db', 'remote_db_webserver']
Optional arguments:
port: port of remote machine
db_username: the username of the remote DB.
db_password: the password of the remote DB.
db_type: type of the DB, EDRaser supports mysql, sqlite. (Note that for sqlite, no username\password is needed)
db_name: the name of remote DB to be connected to
table_name: the name of remote table to be connected to
rpc_tools: path to the VMware rpc_tools
Example:
python edraser.py --attack windows_event_log --ip 192.168.1.133
python EDRaser.py -attack remote_db -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10
You can bring up a web interface for inserting and viewing a remote DB with the following command:
EDRaser.py -attack remote_db_webserver -db_type mysql -db_username test_user -db_password test_password -ip 192.168.1.10
This will bring up a web server at localhost:8080 that allows you to view and insert data into the given remote DB. This feature is designed to give an example of a "real world" scenario in which a website takes the data you enter and stores it in a remote DB. You can use this feature to manually insert data into a remote DB.
In manual mode, EDRaser displays a list of available attacks. Here's a brief description of each attack:
Read this statement, then read it again: Just five distracted seconds at 55 mph is equivalent to driving the length of a football field with your eyes closed. This alarming truth from the National Highway Traffic Safety Administration (NHTSA) highlights the need for parents to address the issue of distracted driving with their teens.
Additional distracted driving statistics are mind-blowing. According to the NHTSA, 77 percent of drivers admitted to using their phones while driving, 74 percent used their map app, 56 percent read emails or texts, 27 percent updated or checked their social media accounts, and shockingly, 19 percent of drivers—equivalent to one in five—engaged in online shopping while driving.
In the United States, distracted driving has become a leading cause of fatal crashes, accounting for 25 to 30 percent of all fatal crashes. Furthermore, overall highway fatalities have increased by 22 percent, as reported recently by The Los Angeles Times, which attributed this rise to the allure of technology turning our cars into “candy stores of distraction.”
While technology plays a significant role in distracted driving, other everyday choices and factors can also contribute to accidents. Eating while driving, managing a lively pet in the car, navigating unfamiliar streets, and even talking with peer passengers can distract young drivers. Studies have shown that crash risk doubles when teens drive with one peer passenger and quadruples with three or more teen passengers.
In the throes of summer, it’s a great time for parents to have a conversation with their teen drivers about the dangers of distracted driving and texting while driving. Here are some important topics to discuss and tips to help keep your kids safe on the road:
Remember, developing good (or better) habits takes time, effort, consistency, and parental involvement in teen driving. Preventing distracted driving with positive behavior change won’t happen overnight. Repeat yourself when it comes to road safety without apologies. Giving your child rules and expectations demonstrates love. By making some of these shifts, hopefully, you will worry less, raise wiser drivers, and improve safety for everyone on the roads.
The post Parent’s Guide: 8 Ways to Help Your Teen Combat Distracted Driving appeared first on McAfee Blog.
This tool will help you with your IR, Threat Hunting, and CA. Just drop your event log file and analyze the results.
$ ThreatHound.exe -s ..\sigma_rules\ -p C:\Windows\System32\winevt\Logs\ -print no
NOTE: give cmd full permission to read from "C:\Windows\System32\winevt\Logs"
$ git clone https://github.com/MazX0p/ThreatHound.git
$ cd ThreatHound
$ pip install -r requirements.txt
$ python3 ThreatHound.py
This script parses all the event channels in the Windows event log to extract all the logs related to AppLocker. It gathers the important pieces of information about each event for forensic or threat-hunting purposes, or for troubleshooting. Here are the logs we fetch from win-event:
The result will be saved to a CSV file: AppLocker-log.csv
The juicy and useful information you will get with this script is:
This parameter specifies the type of events you are interested in. There are 4 values for this parameter:
1. All
This gets all the events of AppLocker that are interesting for threat-hunting, forensic or even troubleshooting. This is the default value.
.\Get-AppLockerEventlog.ps1 -HunType All
2. Block
This gets all the events that are triggered by the action of blocking an application by AppLocker, this type is critical for threat-hunting or forensics, and comes with high priority, since it indicates malicious attempts, or could be a good indicator of prior malicious activity in order to evade defensive mechanisms.
.\Get-AppLockerEventlog.ps1 -HunType Block | Format-Table -AutoSize
3. Allow
This gets all the events that are triggered by the action of Allowing an application by AppLocker. For threat-hunting or forensics, even the allowed applications should be monitored, in order to detect any possible bypass or configuration mistakes.
.\Get-AppLockerEventlog.ps1 -HunType Allow | Format-Table -AutoSize
4. Audit
This gets all the events generated when AppLocker would block the application if the enforcement mode were enabled (Audit mode). For threat-hunting or forensics, this could indicate any configuration mistake, neglect from the admin to switch the mode, or even a malicious action that happened in the audit phase (tuning phase).
.\Get-AppLockerEventlog.ps1 -HunType Audit
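The Allow, Audit and Block categories above correspond to AppLocker's documented event IDs in its four operational channels. The following is an added example, not code from Get-AppLockerEventlog.ps1: the function name Get-AppLockerHuntEvent and its -HuntType and -MaxEventsPerChannel parameters are hypothetical, and it assumes the standard AppLocker channel names and the RuleAndFileData event payload.

```powershell
# Added example; not part of Get-AppLockerEventlog.ps1.
# Get-AppLockerHuntEvent, -HuntType and -MaxEventsPerChannel are hypothetical names.

# The four AppLocker operational channels.
$AppLockerChannels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

# Documented AppLocker event IDs mapped to the category they represent.
$AppLockerEventType = @{
    8002 = 'Allow'; 8003 = 'Audit'; 8004 = 'Block'   # EXE and DLL
    8005 = 'Allow'; 8006 = 'Audit'; 8007 = 'Block'   # MSI and Script
    8020 = 'Allow'; 8021 = 'Audit'; 8022 = 'Block'   # packaged app execution
    8023 = 'Allow'; 8024 = 'Audit'; 8025 = 'Block'   # packaged app deployment
}

function Get-AppLockerHuntEvent {
    [CmdletBinding()]
    param(
        [ValidateSet('All', 'Block', 'Allow', 'Audit')]
        [string]$HuntType = 'All',

        [int]$MaxEventsPerChannel = 1000
    )

    # Select the event IDs that belong to the requested category.
    $ids = [int[]]@($AppLockerEventType.Keys | Where-Object {
        $HuntType -eq 'All' -or $AppLockerEventType[$_] -eq $HuntType
    })

    foreach ($channel in $AppLockerChannels) {
        # Query each channel on its own so that a missing or empty channel
        # does not abort the whole hunt.
        $query  = @{ LogName = $channel; Id = $ids }
        $events = Get-WinEvent -FilterHashtable $query -MaxEvents $MaxEventsPerChannel -ErrorAction SilentlyContinue

        foreach ($evt in $events) {
            # Rule and file details live under UserData/RuleAndFileData in the event XML.
            # Fields absent from a given event type simply come back as $null.
            $data = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                Computer    = $evt.MachineName
                EventId     = $evt.Id
                Type        = $AppLockerEventType[$evt.Id]
                Channel     = $evt.LogName
                UserSid     = $data.TargetUser
                PolicyName  = $data.PolicyName
                RuleName    = $data.RuleName
                FilePath    = $data.FilePath
                Fqbn        = $data.Fqbn
                FileHash    = $data.FileHash
            }
        }
    }
}

# Blocked executions ranked by path: repeated blocks of one binary are a triage lead.
Get-AppLockerHuntEvent -HuntType Block |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# Audit-mode hits: what would be blocked once enforcement is switched on.
Get-AppLockerHuntEvent -HuntType Audit |
    Export-Csv -Path .\AppLocker-audit.csv -NoTypeInformation
```

Run it from an elevated prompt on a host where AppLocker policy is applied; on a host with no AppLocker events both pipelines return nothing.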
To better understand AppLocker:
Diving in AppLocker for Blue Team — Part 1
This project welcomes contributions and suggestions.
As technology weaves itself into our lives in new and unexpected ways, some of it will get quite personal and close to home. That made itself clear at CES this year, which makes a strong case for your security.
The more things we connect, the more data we create. Data about ourselves that companies and others collect, share, and sell—where we are and what we’re doing, along with what we buy, watch, and search for. And today, we’re creating more of it and in more exacting detail.
We connect our homes with smart devices that create data about our comings and goings, and we connect ourselves with smart glasses and watches, rings, and things that track our health, our sleep, and wellness overall. Meanwhile, we have virtual reality and augmented reality hardware companies that want a place on your face with headsets and experiences that will take you into the metaverse.
Walking the floor of this year’s CES, you’ll see all these things, and plenty more. Yet central to it all is one thing—you. Specifically, your privacy and identity.
As technology evolves so rapidly and brings new ways of experiencing our world, it’s an exciting time. It’s also a somewhat uncertain time. What data will these devices create? Who’ll collect it? What will they do with it? And importantly, what can you do to protect yourself? Questions about your security are very much on our minds, and they’re on yours too. You’ve told us as much.
And unsurprisingly, protection is very much on your mind as well.
And that’s where we come in. Just as the floor of CES showcases the evolution of life online, we’re evolving online protection as well. McAfee+ represents that next step—a product line that gives you a full slate of online protection that covers your privacy, identity, and devices so you can enjoy life online with confidence.
At the center of that online life is you, and our definition of online protection has become quite expansive as a result. We see how it can help you monitor your credit, your identity, and where your personal information crops up online. We see how it can prevent the wrong people from getting their hands on data and info too. And we see how our industry-first Protection Score can show you how safe you are—and offer guidance that can make you safer still. In all, we see it as an online companion, one that removes uncertainty and gives you a feeling of security. Because you truly are secure.
In all, protection today demands this comprehensive approach because we go about so much of our day online. McAfee+ reflects that reality. And with that, the various plans for McAfee+ include:
And that list will only continue to grow. As the year takes shape, we’ll roll out yet more protections that will give you even more control of your privacy and identity. Particularly as you and your household rely on life online more and more.
As is true any year at CES, we see all manner of potential. New ways to make the day easier, more enjoyable, and more productive thanks to life online. Yet amidst it all, we see you. We see how you’ll use these new technologies, what the privacy, identity, and security implications are, and how we can protect you so you can benefit from these advances in technology, safely.
Like you, we’re excited for what’s next, and we’ll see to it that you can enjoy it—with protection that looks after you, your household, and your family.
The post The Case for Your Security at CES 2023 appeared first on McAfee Blog.
Ransomware. Even the name sounds scary.
When you get down to it, ransomware is one of the nastiest attacks a hacker can wage. They target some of our most important and precious things—our files, our photos, and the information stored on our devices. Think about suddenly losing access to all of them and being forced to pay a ransom to get access back. Worse yet, paying the ransom is no guarantee the hacker will return them.
That’s what a ransomware attack does. Broadly speaking, it’s a type of malware that infects a network or a device and then typically encrypts the files, data, and apps stored on it, digitally scrambling them so the proper owners can’t access them. Only a digital key can unlock them—one that the hacker holds.
Nasty for sure, yet you can take several steps that can greatly reduce the risk of it happening to you. Our recently published Ransomware Security Guide breaks them down for you, and in this blog we’ll look at a few reasons why ransomware protection is so vital.
The short answer is pretty bad—to the tune of billions of dollars stolen from victims each year. Ransomware targets people and their families just as explained above. Yet it also targets large organizations, governments, and even companies that run critical stretches of energy infrastructure and the food supply chain. Accordingly, the ransom amounts for these victims climb into millions of dollars.
A few recent cases of large-scale ransomware attacks include:
Who’s behind such attacks? Given the scope and scale of them, it’s often organized hacking groups. Put simply, these are big heists. It demands expertise to pull them off, not to mention further expertise to transfer large sums of cryptocurrency in ways that cover the hackers’ tracks.
As for ransomware attacks on people and their families, the individual dollar amounts of an attack are far lower, typically in the hundreds of dollars. Again, the culprits behind them may be large hacking groups that cast a wider net for individual victims, where hundreds of successful attacks at hundreds of dollars each quickly add up. One example: a hacker group that posed as a government agency and as a major retailer, which mailed out thousands of USB drives infected with malware.
Other ransomware hackers who target people and families are far less sophisticated. Small-time hackers and hacking groups can find the tools they need to conduct such attacks by shopping on the dark web, where ransomware is available for sale or for lease as a service (Ransomware as a Service, or RaaS). In effect, near-amateur hackers can grab a ready-to-deploy attack right off the shelf.
Taken together, hackers will level a ransomware attack at practically anyone or any organization—making it everyone’s concern.
Hackers have several ways of getting ransomware onto one of your devices. Like any other type of malware, it can infect your device via a phishing link or a bogus attachment. It can also end up there by downloading apps from questionable app stores, with a stolen or hacked password, or through an outdated device or network router with poor security measures in place. And as mentioned above, infected storage devices provide another avenue.
Social engineering attacks enter the mix as well, where the hacker poses as someone the victim knows and gets the victim to either download malware or provide the hacker access to an otherwise password-protected device, app, or network.
And yes, ransomware can end up on smartphones as well.
While not as prevalent as other types of malware attacks, smartphone ransomware can encrypt files, photos, and the like on a smartphone, just as it can on computers and networks. Yet other forms of mobile ransomware don’t have to encrypt data to make the phone unusable. The “Lockerpin” ransomware that has struck some Android devices in the past would change the PIN number that locked the phone. Other forms of mobile ransomware paste a window over the phone’s apps, making them unusable without decrypting the ransomware.
Part of avoiding ransomware involves reducing human error—keeping a watchful eye open for those spammy links, malicious downloads, bogus emails, and basically keeping your apps and devices up to date so that they have the latest security measures in place. The remainder relies on a good dose of prevention.
Our Ransomware Security Guide provides a checklist for both.
It gets into the details of what ransomware looks like and how it works, followed by the straightforward things you can do to prevent it, along with the steps to take if the unfortunate ends up happening to you or someone you know.
Ransomware is one of the nastiest attacks going because it targets our files, photos, and information, things we don’t know where we’d be without. Yet it’s good to know you can indeed lower your risk with a few relatively simple steps. Once you have them in place, chances are a good feeling will come over you, the one that comes with knowing you’ve protected what’s precious and important to you.
The post Your Guide to Ransomware—and Preventing It Too appeared first on McAfee Blog.
Cybersecurity has changed dramatically since the dawn of firewalls in the 1980s. But despite all the upheaval and innovation, they have stood the test of time. The basic concept of allowing “good” traffic to flow and blocking the bad stuff remains essential. Of course, it looks much different now than in the era of Care Bears and Cabbage Patch Kids.
Today’s workers, data, and applications are everywhere, and firewalls must be as well. There’s no longer just one finite space to defend. With the recent explosion of hybrid work and the rapid transition to multi-cloud environments, it’s imperative that firewalls evolve alongside a business — and be ready for whatever’s next.
So, can your firewall grow with you? Or is it stuck in the age of Hair Bands and He-Man?
The past few years have brought about a keen focus on resilience — remaining strong, yet adaptable in the face of unexpected and even unfathomable challenges. But an organization cannot persevere without security being at the forefront of any resilience strategy.
96% of executives consider security resilience highly important to their business.
– Cisco Security Outcomes Report
Firewalls are a critical foundation for building powerful, resilient security infrastructure. Yet contemporary firewalls have to be and do more than one thing. Cisco Secure Firewall delivers world-class security controls wherever you need them, with unified visibility and consistent policy management and enforcement.
As a worldwide leader in networking and security, Cisco is better positioned than any other vendor to incorporate effective firewall controls into your infrastructure — anywhere your data and applications reside. According to a study conducted on behalf of Cisco by Forrester Research, Cisco Secure Firewall customers can:
Cisco Secure Firewall delivers on several key aspects necessary for security resilience: visibility, flexibility, intelligence, integration, and unified controls. Together, they enable organizations to close gaps, see and detect threats faster, and adapt quickly to change.
With most of today’s internet traffic being encrypted, security measures can become obsolete without the ability to see into all traffic, encrypted or not. While decryption is commonplace, it is simply not feasible in many cases, and can have serious impacts on network performance. With its Encrypted Visibility Engine, Cisco Secure Firewall leverages deep packet inspection (DPI) to identify potentially malicious applications in encrypted traffic without offloading to another appliance and degrading performance.
Due to a highly distributed network and workforce, as well as constantly maturing attacks, the ability to see into every corner of your ecosystem is crucial. Cisco Secure Firewall blends multiple technologies to detect and block more threats in more places. By combining traditional firewall capabilities with URL filtering, application visibility and control, malware defense, and Snort 3 intrusion prevention, organizations gain robust protection against even the most sophisticated threats.
Cisco offers a wide variety of firewalls for defending the different areas of your network — including physical, virtual, and cloud-native — as well as cloud-delivered. We can secure businesses and offices of all types and sizes, from the data center to the cloud.
Cisco Secure also provides flexible firewall management options, enabling you to deploy and operate your security architecture in a way that is tailored to the unique requirements of your NetOps, SecOps, and DevOps teams. No matter which firewall models you choose or environments you operate in (physical or virtual), you can use a single, simplified application to manage all your firewalls from one place.
The threat landscape changes every day, and our defenses must change with it. Cisco Talos is one of the largest and most trusted threat intelligence groups in the world. Its in-depth insight into global threats, and advanced research and analysis, enable us to quickly incorporate protections for new threats into our products via hourly updates. That way, Cisco customers are continuously safeguarded from both known and unknown threats.
“When the Log4j vulnerability was discovered, we were protected before we even completed our patching,” said Paul Smith, network administrator at Marian University. “As a result of automated hourly updates from Talos, Cisco Secure Firewall had an early detection signature, so it was already blocking the concerning traffic from infiltrating our network.”
Another differentiator for Cisco Secure Firewall is that it’s part of an integrated security ecosystem. With Cisco SecureX, organizations can correlate data from multiple technologies and unleash XDR capabilities for a centralized, automated response to threats.
“At the end of the day, it’s about protecting the data, and we do that with the integration of [Cisco] Secure Endpoint, Umbrella, and Secure Firewall, which combine to protect the networks, endpoints, workstations, and servers — and all of this can be correlated easily within SecureX.”
– Elliott Bujan, IT Security Manager, Marine Credit Union
The new Cloud-delivered Firewall Management Center leverages the cloud to facilitate agile, simplified operations for a distributed, hybrid network. It provides efficiency at scale by allowing security teams to swiftly deploy and update policies across their environment with just a few clicks, as well as take coordinated actions to prioritize, investigate, and remediate threats within a single pane of glass. And with a cloud-delivered management center, Cisco regularly updates its software behind the scenes, which reduces risk, maintains compliance, and gives your team more time to focus on other priorities.
Additionally, Cisco Secure Firewall dynamically shares policies driven by intelligence from Cisco Secure Workload, which uses microsegmentation to prevent lateral movement of attackers throughout a network. This allows security policies to be harmonized across both the network and application environments, boosting efficacy and fostering collaboration between teams.
These are just some examples of what makes up a comprehensive, modernized firewall. But Cisco is not stopping there. We continue to innovate to meet evolving business needs. For example, the new enterprise-class 3100 Series firewalls are specially designed for hybrid work, supporting more end users with high-performance remote access for increased organizational flexibility.
Additionally, Cisco Secure Firewall serves as a key component of advanced security strategies including XDR, SASE, and zero trust, helping businesses keep pace with accelerating digital transformation. According to Cisco’s most recent Security Outcomes Report, organizations with mature XDR, SASE, and zero trust implementations all boast significantly higher levels of security resilience.
Fuel and energy retailer, Ampol, uses a variety of Cisco technologies, including Secure Firewall, to segment and safeguard its network. “Cisco was an integral part of our success during COVID-19 as we were able to serve customers without interruption in stores,” said Amir Yassa, senior project specialist at Ampol. “Deploying our retail resilience project, mostly comprised of Cisco products, enabled us to reduce our IT-related incidents by 90%, thus enabling us to serve our customers better now and into the future.”
Is your firewall keeping up with future demands, or is it still stuck in the 80s teasing its hair? If it’s the latter, we can help. Visit cisco.com/go/firewall and learn how to refresh your firewall.
EDR with artifact collection driven by detection. The detection engine is built on top of a previous project, Gene, specially designed to match Windows events against user-defined rules.
It means that an alert can directly trigger some artifact collection (file, registry, process memory). This way you are sure you collected the artifacts as soon as you could (near real time).
All this work has been done in my free time in the hope it would help other people; I hope you will enjoy it. Unless I get some funding to further develop this project, I will continue doing so. I will do all I can to fix issues in time and provide updates. Feel free to open issues to improve that project and keep it alive.
NB: the EDR agent can be run standalone (without being connected to an EDR manager)
NB: event filtering can be done at 100% with Gene rules so do not bother creating a complicated Sysmon configuration.
In order to get the most out of WHIDS you might want to improve your logging policy.
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System\Audit Security System Extension -> Enable
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit File System -> Enable
Select a principal (put here the name of the user/group you want the audit for). Put group Everyone if you want to log access from any user.
Apply this to is used to select the scope of this audit policy starting from the folder you have selected
Basic permissions select the kinds of accesses you want the logs to be generated for
Security log channel
Microsoft-Windows-Windows Defender/Operational monitored by the EDR.

This section covers the installation of the agent on the endpoint.
manage.bat as administrator
manage.bat or using your preferred text editor
manage.bat or just reboot (preferred option, otherwise some enrichment fields will be incomplete, leading to false alerts)

NB: At installation time the Sysmon service will be made dependent on the WHIDS service so that we are sure the EDR runs before Sysmon starts generating some events.
The EDR manager can be installed on several platforms, pre-built binaries are provided for Windows, Linux and Darwin.
Please visit doc/configuration.md
\\vbox\test is mounted as Z: drive, running Z:\whids.exe won't work while running \\vbox\test\whids.exe actually would.

Github: https://github.com/tines Website: https://www.tines.com/ Twitter: @tines_io
The Internet, while a useful tool for the exchange of ideas and information, can equally be a dangerous place. This is largely due to nefarious practices that compromise the safety and privacy of individuals, and one such practice is doxing. Here’s all you need to know about this alarming phenomenon.
Doxing, a shorthand term for ‘dropping documents,’ is a form of online harassment where individuals share personal, identifying information about others without their consent. This information often includes sensitive data such as home addresses, phone numbers, email addresses, and even Social Security numbers. The practice, which is illegal in many jurisdictions, is often used to intimidate, harass, harm, or exert control over the targeted individual.
But why should you worry about doxing? Well, the answer is quite straightforward. In the current digital age, privacy is increasingly becoming an elusive concept. Your personal information can be leveraged against you in various ways, from identity theft to stalking cases. By understanding the ins and outs of doxing, you can better protect yourself and your loved ones. So, without further ado, let’s delve into everything you need to know about doxing.
Doxing isn’t a modern concept, contrary to what many people believe. While the digital age has facilitated its widespread adoption, doxing has a long and storied history dating back decades.
In the early days, doxing was a tactic primarily used by hackers, who would leverage private information to intimidate or harm their rivals. For instance, they would publish a rival’s real name, address, and other sensitive data on bulletin board systems and early Internet forums. The purpose was to inject an element of fear, as anonymity was often critical in the hacking community.
Over the years, doxing has dramatically evolved, becoming increasingly pervasive and more harmful. With the advent of social media and other online platforms, individuals now have a wider audience and a variety of channels to disseminate personal information. This increased visibility has seen doxing become a go-to tactic for cyberbullies, internet trolls, and even organized hate groups.
In recent years, we’ve seen several high-profile doxing cases, underscored by a toxic combination of personal vendettas, political disagreements, and cyber warfare. These instances have brought issues of online privacy, internet regulation, and cyberbullying to the forefront, prompting calls for more comprehensive legislation to curb the practice.
At its core, doxing is about information gathering and dissemination. It revolves around collecting personal and identifying information about an individual and publicly sharing it – typically over the internet. But how is it done?
Typically, the doxing process begins with identifying the target – this could be anyone from a public figure to an ordinary internet user. The perpetrator then embarks on collecting information about their target. This is often done by combing through the individual’s digital footprint. For instance, they can scrutinize social media profiles, forum posts, online directories, websites, and databases to gather information.
In some cases, doxers employ more sophisticated tactics, such as hacking, phishing, or even social engineering. These techniques can be incredibly invasive, allowing doxers to access even more sensitive information than what’s publicly available. Once the information is collected, it’s then published online, typically on social media platforms or public forums. In extreme cases, the information can be sent directly to the victim’s family, friends, or employer, causing severe emotional distress and potential reputational damage.
While the process may seem straightforward, the implications are anything but. The fallout from doxing can be long-lasting and incredibly damaging, leading to a myriad of personal and professional problems for the victim. This underscores the significance of understanding and combating doxing.
The dangers of doxing cannot be overstated. Depending on the extent of the information released, doxing can lead to a wide array of harmful scenarios, ranging from online harassment and cyberstalking to identity theft and physical attacks.
Primarily, doxing strips individuals of their privacy – a fundamental human right – leaving them feeling vulnerable and exposed. This can lead to psychological fallout, driving victims into anxiety and depression. The invasion of privacy can also lead to social implications, damaging relationships as friends, families, and even employers are drawn into the ordeal.
Social media platforms have unintentionally played a significant role in facilitating doxing. These platforms, designed to foster connections and share information, have instead become tools for malicious activities, including doxing.
On social media, users often unknowingly provide an abundance of information that can be exploited by doxers. Moreover, the platforms provide an easy way for doxers to disseminate the collected personal information to a wide audience. Some social media platforms have taken steps to curb doxing; however, these efforts are often insufficient, as doxers continue to exploit loopholes and other tools to carry out their malicious activities.
Due to the severe implications of doxing, it’s critical to implement measures to protect yourself from becoming a victim. However, this can be challenging due to the sheer amount of personal information individuals share online, often without realizing it. Consequently, prevention strategies often revolve around being cautious about the information you share online and taking steps to enhance your digital security.
Firstly, it’s crucial to limit the amount of personal information you disclose online. This includes being mindful of the information you share on social media platforms, forums, and other online spaces. Be cautious about what you post, who can view it, and how it can be interpreted. Moreover, when signing up for online services, ensure you only provide the minimum required information.
Secondly, regularly review and update your privacy settings on various online platforms. Most platforms have settings that allow you to limit who can view your information. However, these settings often change with platform updates, so it’s essential to regularly review them. Similarly, when downloading apps, review the permissions before installation and disable any that seem unnecessary.
Thirdly, exercise caution when downloading apps, particularly third-party apps. Some applications may harbor malware or viruses that can compromise the security of your device. To delve deeper into this topic, explore our informative blog for valuable insights and tips on ensuring the safety of your digital experience.
Finally, consider investing in tools and services that enhance your digital security. This includes antivirus software, firewalls, and services such as VPNs that encrypt your internet connection, masking your IP address and other identifying information. Using a password manager can also help protect your accounts from hacking attempts.
As mentioned earlier, doxing is considered illegal in many jurisdictions due to its invasion of privacy and potential for harm. However, the law hasn’t fully caught up with the digital age, and legal measures against doxing vary widely across different countries and regions. That being said, it’s essential to know your legal options should you fall victim to doxing.
When it comes to civil law, victims of doxing may have multiple potential claims, including invasion of privacy, infliction of emotional distress, defamation, harassment, or even stalking. In some cases, these claims can result in monetary damages, cease and desist orders, or other forms of relief.
Under criminal law, doxing may fall under various categories, including identity theft, cyberstalking, or harassment. Depending on the severity of the case, perpetrators can face significant fines or even jail time. Nevertheless, successful legal action often depends on the specific circumstances of the case and the availability of evidence. Therefore, it’s advisable to consult with legal professionals if you’ve been a victim of doxing.
Despite the challenges, many jurisdictions are making efforts to strengthen laws against doxing. For instance, some are proposing laws that explicitly outlaw doxing and provide stronger protections for victims. While these measures are encouraging, legal remedies often come after the fact, underscoring the importance of prevention and preparedness in combating doxing.
Doxing is a pervasive and serious issue in the digital age. The practice not only violates one’s right to privacy but also opens up a Pandora’s Box of potential harm, including harassment, intimidation, and even physical attacks. However, by understanding what doxing is, how it works, and its potential implications, you can better protect yourself and your loved ones from this harmful practice.
Furthermore, it’s critical to be vigilant about your digital footprint and take proactive measures to enhance your online security. This includes being mindful of the information shared online, regularly reviewing privacy settings, and investing in tools that enhance digital security. Additionally, while legal measures against doxing vary, knowing your legal options can be empowering should you fall victim to doxing.
Ultimately, as with many facets of the digital age, navigating the issue of doxing requires a balance between leveraging the benefits of online spaces and protecting against potential pitfalls. With vigilance, preparedness, and an understanding of the risks, you can enjoy the online world while safeguarding your personal information and privacy.
The post 5 Things About Doxing You Should Know appeared first on McAfee Blog.
RPCMon can help researchers get a high-level view of RPC communication between processes. It was built like Procmon for easy usage, and uses James Forshaw's .NET library for RPC. RPCMon can show you the RPC functions being called, the process that called them, and other relevant information.
RPCMon uses a hardcoded RPC dictionary for fast RPC information processing which contains information about RPC modules. It also has an option to build an RPC database so it will be updated from your computer in case some details are missing in the hardcoded RPC dictionary.
Double click the EXE binary and you will get the GUI window.
RPCMon needs a DB to be able to get the details on the RPC functions; without a DB you will have missing information.
To load the DB, press on DB -> Load DB... and choose your DB. You can use a DB we added to this project: /DB/RPC_UUID_Map_Windows10_1909_18363.1977.rpcdb.json.
We want to thank James Forshaw (@tyranid) for creating the open source NtApiDotNet which allowed us to get the RPC functions.
Copyright (c) 2022 CyberArk Software Ltd. All rights reserved
This repository is licensed under Apache-2.0 License - see LICENSE for more details.
For more comments, suggestions or questions, you can contact Eviatar Gerzi (@g3rzi) and CyberArk Labs.
Persistence by writing/reading shellcode from Event Log.
The SharpEventPersist tool takes 4 case-sensitive parameters:
The shellcode is converted to hex and written to the "Key Management Service" event log; the event level is set to "Information" and the source is "Persistence".
Run the SharpEventLoader tool to fetch shellcode from event log and execute it. Ideally this should be converted to a DLL and sideloaded on program start/boot.
Remember to change the Event Log name and instanceId in the loader, if not running with default values.
Default values will leave the following artifact:
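A content-based hunt for this technique, written from the defender's side as an added example (not part of SharpEventPersist or the original page). The record layout, the sample events and the baseline provider names are constructed; because the log name and source can be changed, the hex-blob test does not depend on either.

```python
import re

# Flag only runs longer than common benign hex values:
# a GUID is 32 hex chars, a SHA-256 digest is 64.
MIN_HEX_CHARS = 128  # 64 bytes
_SEPARATORS = re.compile(r"[\s\-:,]|0x", re.IGNORECASE)
_HEX_RUN = re.compile(r"[0-9a-f]+", re.IGNORECASE)


def longest_hex_run(text):
    """Length of the longest contiguous hex run once separators are dropped."""
    compact = _SEPARATORS.sub("", text)
    return max((len(m.group()) for m in _HEX_RUN.finditer(compact)), default=0)


def triage(records, baseline):
    """Return findings for records that carry a hex blob or an unknown source.

    records:  dicts with record_id, channel, provider, level, data
              (assumed export format, e.g. event logs converted to JSON).
    baseline: channel -> set of provider names seen on known-good hosts.
    """
    findings = []
    for rec in records:
        reasons = []
        run = longest_hex_run(rec.get("data", ""))
        has_blob = run >= MIN_HEX_CHARS
        if has_blob:
            reasons.append(f"hex blob of {run} chars (~{run // 2} bytes)")
        expected = baseline.get(rec["channel"])
        odd_source = expected is not None and rec["provider"] not in expected
        if odd_source:
            reasons.append(f"source {rec['provider']!r} not in baseline")
        if not reasons:
            continue
        # The blob is the stronger signal: names are attacker-controlled.
        severity = "high" if has_blob and odd_source else "medium" if has_blob else "low"
        findings.append({"record_id": rec["record_id"],
                         "channel": rec["channel"],
                         "severity": severity,
                         "reasons": reasons})
    return findings


# Constructed baseline: provider names are placeholders, not real Windows sources.
BASELINE = {
    "Key Management Service": {"KMS-BASELINE-PROVIDER"},
    "Application": {"UpdaterSvc"},
}

# Constructed sample events. Payloads are filler bytes ("41" = 'A'), not shellcode.
SAMPLE_EVENTS = [
    {"record_id": 1, "channel": "Key Management Service", "provider": "Persistence",
     "level": "Information", "data": "41" * 96},
    {"record_id": 2, "channel": "Key Management Service", "provider": "KMS-BASELINE-PROVIDER",
     "level": "Information",
     "data": "Activation request {3f2504e0-4f89-11d3-9a0c-0305e82c3301} hash=" + "ab" * 32},
    {"record_id": 3, "channel": "Application", "provider": "UpdaterSvc",
     "level": "Information", "data": "0x" + "4142" * 40},
    {"record_id": 4, "channel": "Key Management Service", "provider": "NewAgent",
     "level": "Information", "data": "service started"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, BASELINE):
        print(finding["record_id"], finding["severity"], "; ".join(finding["reasons"]))
```

Record 3 shows why the blob check matters on its own: the channel and source both look routine, yet the payload is still flagged.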
Welcome to the new normal. We’re all now living in a post-COVID-19 world characterized by uncertainty, mass home working and remote learning. The lines demarcating normal life have shifted abruptly – perhaps never to return. That’s not the worst that can happen, as we all know, but it does mean we all need to get used to new ways of living, working and studying from home. This has major implications for the online safety, security and privacy of our families.
To help you adapt to these new conditions while protecting what matters most, Trend Micro has developed a two-part blog series on “The New Normal.” Part 1 identifies the scope and specific cyber-threats of the new normal. Part 2 provides security tips and products to help address those threats.
In April, nearly 300 million Americans were estimated to be in government-mandated lockdown. Even as some businesses, municipalities and states begin to relax these rules, experts have warned of subsequent waves of the virus, which could result in new localized lockdowns. In short, a lot of people will continue to work from home, while their children, also at home, attempt to study remotely from their mobile devices.
This has considerable implications for how we spend our time. Without that morning commute to work or school, more of it than ever will involve sitting in front of a desktop, laptop, tablet or smartphone screen. Even the smart TV is enlisted. Dangers include
Unfortunately, the increase in working from home (WFH), especially for those not used to it, may lead to an increase in risky behavior, such as: using non-approved apps for work; visiting non work-related sites on work devices; and using personal devices to access work resources. Recent global Trend Micro research found that:
This is not about restricting your freedom to visit the sites you want to visit while at home. It’s about reducing the risk of exposing corporate data and systems to possible malware.
Unsurprisingly, there has also been a major uptick in the volume of cyber-threats targeting home users. With a captive audience to aim at, it’s a huge opportunity for cyber-criminals to steal your log-ins and personal data to sell to fraudsters, or even to steal corporate passwords and information for a potentially bigger pay-off. They are helped by the fact that many home workers may be more distracted than they usually would be at the office, especially if they have young children. Your kids may even share the same laptops or PCs as you, potentially visiting risky sites and/or downloading unapproved apps.
There’s also a chance that, unless you have a corporate machine at home, your personal computing equipment is less secure than the kit you had in the office. Add to that the fact that support from the IT department may be less forthcoming than usual, given that stretched teams are overwhelmed with requests, while themselves struggling to WFH. One recent report claimed that nearly half (47%) of IT security pros have been taken off some or all of their typical security tasks to support other IT-related jobs. In another, only 59% of respondents said they believe their cybersecurity team has the right tools and resources at home to perform their job effectively.
It’s time to step up and take security into your own hands. Stay on the lookout for the following threats.
So what’s a remote worker/concerned parent to do to protect themselves and the family in the midst of the “new normal?”
Read Part 2 in this mini-series, which we’re publishing simultaneously with Part 1, where we share some best practice advice on how to keep your digital lives and work systems safe from online threats during lockdown—and where we provide tools to help you do just that.
The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (Part 1) appeared first on .
The past few months have seen radical changes to our work and home life under the Coronavirus threat, upending norms and confining millions of American families within just four walls. In this context, it’s not surprising that more of us are spending an increasing portion of our lives online. But this brings with it some familiar cyber-risks. In Part 1 of this mini-series, we explained how cyber-criminals are looking to capitalize on these sweeping changes to society to further their own ends.
Now let’s take a look at what you can do to protect your family, your data, and access to your corporate accounts.
The bad guys are laser-focused on stealing your personal data and log-ins and increasingly see the remote worker as an easy target for leapfrogging into corporate networks. That’s not to mention the potential internet safety risks inherent in bored kids spending more time in front of their screens. To respond, you’ll need to create an equally focused “home security plan” governed by sensible policies and best practices. Here are some of the key areas to consider.
Protect your smart home and router
Increasingly, unprotected smart home devices are being targeted by cyber-criminals to turn into botnets to attack others. They might also provide sophisticated attackers with a stepping-stone into your corporate systems, via the home network. The home router, with its known flaws, is (after the modem) the digital front door to the smart home and the basis for your networking, so it should be first in any security strategy. Consider the following when tackling home network security:
Secure your home office
Cyber-criminals are primed to take advantage of distracted home workers and potentially less secure PCs/devices. Secure this environment by doing the following:
Stay safe from phishing
Phishing is the number one tactic used by attackers to trick you into installing malware or handing over your log-ins. Emails, text messages, social media messages and more are spoofed to appear as if sent by a legitimate company or contact. In response:
Use video conferencing safely
New videoconferencing platforms can introduce risk, especially if you’re not familiar with the default settings. Here’s how to stay safe when video conferencing:
Stay safe shopping and banking
Next, protect your financial information and stay safe from e-commerce fraud by doing the following:
Think about online safety for kids
They may be under your roof for more hours of the day than usual, but your children are also likely to be spending more time online. That means you need to have a measured conversation with them about internet safety, backed up with parental controls. Consider the following:
Mobile security best practices
Finally, sheltering at home has limits, particularly for restless kids. When they go to the store or out to the park, facemasks notwithstanding, they’re likely going to use their mobile devices, just as they’ll continue to do at home. Of course, you’re not exempt either from mobile threats. Ensure mobile security by
When it comes to protecting the home from security and privacy threats during lockdown, leave no stone unturned. Cyber-criminals will always look for the weak link in the chain and focus their efforts there. Network security is important, but it doesn’t replace the need for protection on each individual device. You’ll need to cover your router, network, smart devices, and all endpoints (PCs, laptops, mobiles and other devices). Here’s how Trend Micro can help:
Trend Micro Home Network Security
Trend Micro Home Network Security provides industry-leading protection against any threats to internet-connected devices in the home. The solution
Trend Micro Security (PC and Mac)
Trend Micro Security, available in various editions (led by Trend Micro Maximum Security), is Trend’s flagship endpoint security product for consumers. Available for both PCs and Macs, it features AI learning to stop advanced threats. Among a wide range of protections, it includes:
Trend Micro Mobile Security:
Trend Micro Mobile Security provides endpoint security for all your mobile devices, whether Android or iOS-based.
Additional Trend Micro Tools:
Network and endpoint security should be supplemented with tools that accomplish specific tasks, such as protecting your internet connections, your passwords, and your identity data. Trend Micro provides
Maintaining your family’s security and privacy on all their devices during the coronavirus lockdown above all means changing your mindset, to take into account the mix of work and play in the household during the “new normal.” Use these tips and tools during lockdown and you’ll be well on your way to ensuring you and your family’s safety from malicious viruses—both digital and natural.
The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (Part 2) appeared first on .