security

the state of cyber security in 2020

let’s get an overview of the current threats in 2020 – especially spamming, phishing, whaling, vishing and related techniques

30,000% increase in #COVID19 threats

The Evil Internet Minute 2020

as Jack Johnson already sang “Well I was sitting, waiting, pishing” … *just kidding*

phishing

is the primary way malicious actors trick people into downloading malware, which ultimately can allow attackers to access their organization’s network and steal sensitive corporate data

with COVID-19, phishing has grown in importance and keeps growing

since then google has put proactive monitoring in place for COVID-19 related malware and phishing – 63% of the malicious docs blocked, and more than 100 million phishing emails per day blocked with machine learning

Safari/iOS

its Safe Browsing feature also uses Google, but be aware that “These safe browsing providers may also log your IP address”

screenshot of the Safari setting on iOS

chrome

since a hyperlink doesn’t always target the name of the link – the visible text often points to another website URL

<a href='https://attack.com'>https://safe.com</a>

chrome is experimenting with ways to make such spoofs easier to spot and to determine the identity and authenticity of a site @blog

android

an example: an android app offers a coronavirus safety mask but delivers an SMS trojan @zscaler

machine learning

“ML is rapidly becoming core to organizations’ value propositions (with a projected annual growth rate of 39% for ML investments in 2020)” and it’s only natural that organizations invest in protecting their crown jewels – cyberattacks will further utilize Artificial Intelligence (AI) @Microsoft Digital Defense Report

spear phishing vs. whaling

more targeted, with a reference to a company, project or proposal – while whaling targets CEOs, CFOs and other executives to gain access or steal bitcoin, with reported success rates of up to 90% – even from attackers that are “not extremely technically advanced” @decrypt

new domains aren’t blocked yet and look as if they belong to the corporation @zscaler

vishing

“criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information” – now targeting remote workers with social engineering and fake VPN pages, the FBI warns in an advisory

ransomware

it has been sneaking into our world at a remarkable rate, with a huge increase in the daily average of ransomware attacks compared to the first half of the year – in parallel, malware is 39% down overall … “but trending upward”

Denial of Service

25% increase during the pandemic lockdown – an unprecedented number of shorter, faster, more complex attacks – hidden impact: they consume paid bandwidth & throughput

stay secure and healthy – both private and business

… use 2-Factor-Authentication

switch to modern authentication – sms as second factor is insecure


security

deploy client certificates – secure your data

cyber security threats gain more and more weight and potential to harm you seriously – time to protect your data

asymmetric cryptography enables two parties to communicate securely with each other by using a related private and public key – let’s have a look at how to use it

X.509 is the official standard for public key certificates; it secures access to web-based services or protects access via vpn or wifi – the schema below is my interpretation, see the definition @wikipedia

x.509 client certificate authentication

OpenSSL

OpenSSL is an open-source cryptographic toolkit that provides free encryption – jump in to see how easy it is to generate private certificates

FIRST generate the private key for your certificate authority (ca)

openssl genrsa -out ca.key 4096

create the ca certificate from the key and fill out the required certificate information

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

install the ca certificate in your application/service

NOW create the client private key (2048 bits at minimum – current TLS stacks reject shorter RSA keys) …

openssl genrsa -out client_abc.key 2048

… and the certificate signing request (csr)

openssl req -new -key client_abc.key -out client_abc.csr

SIGN the client certificate – -CAcreateserial maintains a serial file so every client certificate gets a unique serial number; reusing a fixed serial like 01 for a second client breaks revocation and makes clients reject the certificate

openssl x509 -req -days 365 -in client_abc.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client_abc.crt

provide the client certificate to the client devices that will use it
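The whole procedure scripted, as an added example that is not from the original post: it runs the same openssl steps as above, adds the verification a rollout should do before a certificate reaches a device, and bundles key, certificate and issuing CA as PKCS#12 for import. It assumes the openssl binary is on PATH; the subject names, file names and the PKCS#12 password are placeholders.

```python
import subprocess
import tempfile
from pathlib import Path

# Added example, not part of the original post: the openssl steps of the post,
# scripted, plus chain verification and a PKCS#12 bundle for client devices.
# Assumes openssl on PATH; subjects, file names and the password are placeholders.


def _openssl(workdir, *args):
    """Run one openssl subcommand inside workdir, raising on a non-zero exit."""
    return subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)


def create_ca(workdir, subject="/O=Example Org/CN=Example Internal CA", days=365):
    """Steps 1 and 2: CA private key plus self-signed CA certificate."""
    Path(workdir).mkdir(parents=True, exist_ok=True)
    _openssl(workdir, "genrsa", "-out", "ca.key", "4096")
    _openssl(workdir, "req", "-new", "-x509", "-days", str(days),
             "-key", "ca.key", "-subj", subject, "-out", "ca.crt")
    return Path(workdir) / "ca.crt"


def issue_client(workdir, name, organisation="Example Org", days=365, bits=2048):
    """Steps 3 to 5: client key, CSR, CA-signed certificate and a PKCS#12 bundle."""
    key, csr, crt, p12 = (f"client_{name}.{ext}" for ext in ("key", "csr", "crt", "p12"))
    _openssl(workdir, "genrsa", "-out", key, str(bits))
    _openssl(workdir, "req", "-new", "-key", key,
             "-subj", f"/O={organisation}/CN={name}", "-out", csr)
    # -CAcreateserial keeps ca.srl so each client gets a distinct serial number
    _openssl(workdir, "x509", "-req", "-days", str(days), "-in", csr,
             "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial", "-out", crt)
    # devices import key + cert + issuing CA as one password-protected bundle
    _openssl(workdir, "pkcs12", "-export", "-inkey", key, "-in", crt,
             "-certfile", "ca.crt", "-passout", "pass:changeit", "-out", p12)
    return Path(workdir) / crt


def verifies_against(workdir, cert_name, ca_name="ca.crt"):
    """True only if openssl accepts the chain cert -> CA (exit 0 and '... OK')."""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca_name, cert_name],
                            cwd=workdir, capture_output=True, text=True)
    return result.returncode == 0 and result.stdout.strip().endswith("OK")


def certificate_subject(workdir, cert_name):
    """The subject line as openssl prints it, to confirm the CN before rollout."""
    return _openssl(workdir, "x509", "-in", cert_name, "-noout", "-subject").stdout.strip()


def demo_roundtrip():
    """Self-test: issue one client cert, then check it verifies against its own CA
    and is rejected by an unrelated CA. Returns (own_ok, other_ok, subject)."""
    with tempfile.TemporaryDirectory() as own, tempfile.TemporaryDirectory() as other:
        create_ca(own)
        create_ca(other, subject="/O=Other Org/CN=Unrelated CA")
        issue_client(own, "abc")
        return (verifies_against(own, "client_abc.crt"),
                verifies_against(own, "client_abc.crt", ca_name=str(Path(other) / "ca.crt")),
                certificate_subject(own, "client_abc.crt"))


if __name__ == "__main__":
    own_ok, other_ok, subject = demo_roundtrip()
    print(subject)
    print("valid against own CA:", own_ok, "- valid against unrelated CA:", other_ok)
```

The cross-check against a second CA is the part worth keeping in a real deployment: it proves the service will only accept certificates your CA actually signed, which is the whole point of client certificate authentication.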

online/hosted service

CAcert is community-driven and wants to raise awareness of encryption and education by providing cryptographic certificates

enterprise

several vendors offer pki services – microsoft provides the built-in certificate services of windows server 2008R2 self-hosted, with the network device enrollment service (ndes) for automated client certificate enrollment – others like digicert/globalsign/etc. provide paid hosted services

apple, security

iOS VPNonDemand gets “inactive”

recently we noticed the VPN wasn’t working – could it be the disabled connect-on-demand option? nope – the entire VPN configuration was inactive?!

a bit of history: apple introduced VPN on demand (VPoD) back in iOS 5; it requires certificate authentication – at first it was only possible to define single domains, over the years it advanced to ignore, evaluate or disconnect for certain domains – along with iOS 7 apple introduced Per-app VPN to connect specific apps – since iOS 13 it is even possible to tunnel just mail/calendar/contacts domains

we noticed that this only happens for VPoD configurations: even if a single domain overlaps in an OnDemand rule, always the last pushed VPN configuration is the active one

even though all other obsolete profiles are removed, the VPN config stays in its current state, even if it’s the last remaining configuration

you either manually enable the desired config or re-push the config via MDM to enable it remotely

security

stay private and prevent spam with these simple services

you have to sign in for every service online; with 10minutemail.com you don’t need to provide your own/private mail account – it creates a valid random account for about 10 minutes, the provider explains

sign up for a site which requires that you provide an e-mail address to send a validation e-mail to. And maybe you don’t want to give up your real e-mail address

check out https://10minutemail.com

the same exists for sms – you don’t have to provide your personal phone number, e.g. send any verification code to one of the freely available numbers

try it: https://www.receive-sms-online.info/

security

share everywhere – cloud clipboard and others handle your content

working with different devices and handling content across them can be quite tricky – use the cloud-based clipboard to copy and paste images and text across devices

windows

in its may 2019 update, select start > settings > system > clipboard, and then use the toggles to turn on both clipboard history and sync across devices. you can also press the windows logo key + V as a shortcut to easily access your clipboard – what’s also new in the current windows update

to share just websites you can use continue on PC from mobile devices

apple

use Universal Clipboard with any Mac, iPhone, iPad, or iPod touch – read the requirements here – sign in with your apple id, enable bluetooth, enable wifi and enable handoff – copy the text, image, or other content and it is automatically added to the clipboard of your other nearby device

android

google’s devices don’t offer any built-in feature like cloud clipboard – between android devices you can use bluetooth or nfc to share data

other android oems implement their own technology, like Huawei Share as an immediate file transfer tool just between Huawei mobiles, using bluetooth and wifi direct

on Samsung Galaxy phones utilize the Direct Share feature as a pipeline for instantly sharing photos, videos, and more

mixed

sharing data between devices of different vendors is quite tricky – the way to go is one of the following 3rd party services like OneNote, Google Keep or Pushbullet – additionally you are able to enrich the copied content with style and format

fortunately, there are several options and a lot more apps available for android or in the chrome webstore – but with all of these possibilities …

keep security and trust of your data in mind

security

unmanaged but secured – how mobile application management support your enterprise

while ios and android offer more and more deep apis to securely manage a mobile device and integrate it into the enterprise – apple utilizes restrictions to natively separate managed from unmanaged content – android builds a work container into every device to secure enterprise data – both offer enrollment programs to easily integrate the devices into a management system

but there are arguments not to rely on the device management api – ios lacks a finished restriction of unmanaged/managed data, it is possible to bypass the limitation under certain conditions – android deprecated the existing device admin feature in favor of android enterprise technology, but the new container ui/ux isn’t consistent between different os releases and lacks some existing features, e.g. the private/business calendar overlay

privacy is a main point when offering a byod solution to your employees – ios managed devices could report your installed apps and fully wipe even your private data (until user enrollment was released), android enterprise addressed this from the very first, and apple introduced user enrollment to address privacy concerns for byod deployments

usability is the other big point to address for your users – while apple provides the ability to use business data within ios native applications, android lacks a consistent look and feel between os releases and different management apis, badge icons differ between releases and especially on samsung devices – to ease support, provide the same email app across both mobile os

screenshots: MobileIron Email+ on Google Play and on the App Store

mobile application management, also named non-MDM, manages your data within an app or an entire framework; the app isn’t capable of controlling your device, e.g. to enforce a device pin or encryption – major mdm vendors like airwatch, mobileiron, blackberry (formerly good) and citrix provide a framework to secure your data across several productivity apps, without the need to rely on device apis

image: blackberry uem logos

microsoft offers with its office 365 apps the capability to secure business data with app protection policies without the need to enroll your device into a unified endpoint management – 3rd party mdm can optionally integrate these features via the graph api

Conceptual image that shows company data being protected by policies

when it comes to enterprise integration with full device vpn support, certificate authentication or kiosk (single use) devices there is no way around a uem solution

don’t be a fool – select your preferred solution based on the requirements of each use case

security

switch to modern authentication – sms as second factor is insecure

not only since twitter ceo jack dorsey was a victim with additional sms authentication activated for his account – now twitter has “temporarily” disabled the ability to tweet via sms

…that phone numbers and sms’s were not designed to be used as two-factor authentication systems, as they are insecure.

Fabio Assolini, Senior Security Researcher at Kaspersky Lab, TechRadar Middle East

sim swapping is a technique of porting the same number to a new sim card of someone else – instead use features like oauth (already developed in 2006) – modern uem solutions or casb take care of this by checking additional properties, like managed apps or encrypted devices > further secure alternatives below
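What a phone-number-independent second factor looks like in code, as an added example that is not from the original post (the post itself names oauth and uem/casb posture checks; this shows the authenticator-app style factor, RFC 6238 TOTP, instead): the one-time code derives from a secret enrolled on the device, so a ported SIM receives nothing usable. The verifier also refuses to accept the same time step twice, the replay check a server needs. Issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Added example, not from the original post: RFC 4226 HOTP / RFC 6238 TOTP,
# an authenticator-app second factor bound to a shared secret rather than a
# phone number. Issuer and account names below are placeholders.


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret, account, issuer="Example Corp"):
    """otpauth:// URI (the QR-code payload) used to enroll an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check: tolerates one adjacent step of clock drift and never
    accepts a time step at or below the last accepted one (replay protection)."""

    def __init__(self, secret, step=30, drift_steps=1):
        self.secret, self.step, self.drift = secret, step, drift_steps
        self.last_accepted_counter = -1

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # already used or older: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def new_secret():
    """160-bit random seed, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    seed = new_secret()
    print(provisioning_uri(seed, "alice@example.com"))
    print("current code:", totp(seed, int(time.time())))
```

The functions are checked against the published RFC 6238 test vectors (secret `12345678901234567890`), so a mismatch would show up immediately if the truncation step were off by one.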

multi-factor authentication
security, technology

cookbook: have I been breached or leaked?

… again 620 million accounts were stolen – it is all about your data – in the digitalisation it defines who you are – whom do you trust? – the following assists you to check if you got pwned and should raise awareness


leaked

accounts monitored and collected in this database
=>> https://hacked-emails.com/


check

if you got pwned, enter your email address

=>> https://haveibeenpwned.com/

dns

leak is a transparent way for your traffic to get exposed =>> https://www.dnsleaktest.com/

tracking

of your browser analyses your behavior – a quick test whether your browser is safe against tracking
=>> https://panopticlick.eff.org/

bad passwords

still common in 2019 – if your password is listed here, change it!
=>> https://www.prweb.com

read more about secure authentication and multi factor

tips

to be completely anonymous online
=>> https://www.csoonline.com

apple, security

apple adds more barriers to increase security

as far as we know from this ios 12.2 beta, there are several improvements/changes, at least in regard to the user’s security

enroll here: beta.apple.com

ssl security

not just since edward snowden, chelsea manning and others leaked information – your data matters – apple adds a noticeable change in safari when browsing webpages that are not secure

@ios.gadgethacks.com

read more about ssl strip @wifi security today and attack vectors

profile installation

profiles on ios devices mean everything in the enterprise; to enroll a private user’s device in an emm system it is necessary to manually install the ios mdm profile – before ios 12.2 the profile popped up to install – beginning with the new release, after successful authentication with the emm the ios profile is downloaded and the user needs to manually navigate to settings and select to install the profile

motion data

the new motion & orientation access setting is toggled off by default, so a webpage is unable to get accelerometer and gyroscope data from the iPhone – test it at the “what web can do today” website with the iOS 12.2 beta

ios13 should be available in about 4 months