Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
Security Awareness Newsletter May 2024

June 3, 2024

This is a security awareness newsletter meant for internal distribution. Feel free to grab and share with your company internally.

Steer Clear of Job Scams: Tips for New Graduates 

Scammers routinely target new graduates with fake job offers. Key ways to protect yourself: 

  • Be skeptical of unsolicited offers, especially for jobs you never applied for. Legitimate companies typically hire through established recruitment channels. 

  • Guard your personal information. Don't share sensitive details like bank accounts or Social Security numbers in initial communications. 

  • High starting salaries with minimal experience requirements are often red flags. Scammers lure victims with unrealistic promises. 

  • Do your research! Verify the legitimacy of companies by checking their websites and contacting them directly through listed channels. 

  • Don't hesitate to leverage school resources. Career centers can offer guidance and help spot scams. 

  • Trust your gut. If something feels off about a job offer, it probably is. Don't be pressured into rushing forward.

By following these tips, graduates can navigate a job search with confidence and avoid falling victim to scams. Remember, protecting your personal information and conducting thorough research are crucial steps towards landing a safe and rewarding job opportunity. 

 

 

Love on the Rocks? Watch Out for Verification Scams! 

Looking for love online? While dating apps can be a great way to meet someone special, be on the lookout for scammers trying to exploit your emotions. The FBI recently issued a warning about verification scams targeting dating app users. 

Here's the lowdown: 

  • The Scam: Scammers lure you in with the promise of a secure dating experience through a "verification process." 

  • The Hook: They'll often move the conversation to a private platform and then send a link to a fake website offering a "free" verification service. 

  • The Bait and Switch: The website is designed to trick you into signing up for a fraudulent monthly subscription. 

Don't let love blind you! Here are some tips to stay safe: 

  • Be wary of requests to move the conversation off the dating platform. Staying in the app keeps its reporting and safety features in play; scammers move you off it to get away from them. 

  • Don't click on suspicious links, especially those promising verification. Verify information directly through the dating app's support channels. 

  • If something sounds too good to be true, it probably is. Don't fall for promises of guaranteed love matches or enhanced security behind a paywall. 

Remember, online dating requires a healthy dose of skepticism. Trust your instincts, and prioritize your safety! 

 

 

Shein Phishing Alert: Protect Your Fashion Finds and Login Info! 

Calling all fashionistas! Watch out for phishing emails spoofing popular online retailer Shein. These emails aim to steal your login credentials and compromise your online shopping accounts. 

Here's the Scheme: 

  • The Lure: The email might claim you have an unclaimed order, exclusive discounts, or a problem with your account. 

  • The Trap: Clicking a link in the email takes you to a fake Shein login page designed to steal your username and password. 

Don't Fall for Fake Fashion Frenzy! 

  • Beware of unsolicited emails, even if they look official. Treat an unexpected message about an order or account problem as suspect until you have checked it in the app or on the site. 

  • Inspect sender addresses carefully. Legitimate Shein emails will come from a Shein domain address, not a random one. 

  • Hover over links before clicking. See if the link's destination matches the displayed text. Don't enter your login details on suspicious websites. 

  • Always access your Shein account directly through the official website or app. Don't rely on links in emails. 

By staying vigilant, you can protect your hard-earned cash and sensitive information. Happy (and secure) shopping! 

 

North Korean Threat Actors Targeting Developers with Fake Job Interviews 

A new social engineering campaign, likely run by North Korean threat actors, is targeting software developers. The attackers pose as recruiters and send fake job-interview materials that carry malware. 

How the Attack Works 

The attackers will send a seemingly legitimate job offer email to a software developer. The email will contain a link to a malicious website or a document that, when opened, will download malware onto the victim's computer. The malware is a Python-based RAT (Remote Access Trojan) that can steal information from the victim's computer, such as files, keystrokes, and browsing history. 

How to Protect Yourself 

  • Be cautious of unsolicited job offers, even if they seem to come from a legitimate company. 

  • Do not click on links or open attachments in emails from unknown senders. 

  • Verify the legitimacy of a job offer by contacting the company directly. 

  • Maintain a security-focused mindset during job interviews. If something seems too good to be true, it probably is. 

  • Monitor your computer for suspicious activity, such as unknown programs running or unusual network traffic. 

 

 

Don't Let Ransomware Hit You Where It Hurts: Protecting Your Family From SIM Swapping 

Cybercriminals are getting more personal in their attacks. A recent report from Mandiant highlights a disturbing trend: ransomware attackers targeting executives by SIM swapping their children's phones. 

What is SIM Swapping? 

SIM swapping is when a scammer convinces (or bribes) your carrier to move your phone number to a SIM card they control. They then receive your calls and texts, including the SMS one-time codes many services use for two-factor authentication and password resets. 

How Can You Protect Yourself? 

  • Be Wary of Unusual Activity: A phone that suddenly shows no service is the clearest warning sign. Also watch your bill and account notices for changes you did not make, such as a SIM change or new charges. 

  • Enable Two-factor Authentication (2FA): But not with SMS verification! Use a dedicated authentication app instead. 

  • Don't Share Personal Information Online: This includes your birthday, address, and even your child's school name. 

  • Talk to Your Family: Educate them about SIM swapping and the importance of online safety. 

  • Contact Your Carrier: Ask for the anti-SIM-swap protections it offers, such as an account PIN or passcode and a number lock/port freeze that blocks SIM changes and port-outs without extra verification. 

For More Information: 

  • How to Protect Yourself from SIM Swapping: https://consumer.ftc.gov/consumer-alerts/2019/10/sim-swap-scams-how-protect-yourself 

 

 

Alert: Cybercriminals Exploiting Docusign with Sophisticated Phishing Scams 

Summary: Cybercriminals are increasingly targeting Docusign users by distributing customizable phishing templates on cybercrime forums. These templates closely mimic legitimate Docusign emails, luring recipients into providing sensitive information or clicking malicious links. These attacks facilitate various malicious activities, including credential theft and business email compromise (BEC) scams. 

Key Indicators of Docusign Phishing Emails: 

  • Sender's Email: Ensure it originates from the docusign.net domain. 

  • Greetings: Genuine emails use your name, not generic salutations. 

  • Security Codes: Authentic codes are long and complex. 

  • Links: Hover over links to check if they lead to docusign.net. 

  • Direct Access: Use Docusign's secure document access instead of clicking links. 

Prevention Tips: 

  • Always verify the sender's email address. 

  • Avoid clicking on suspicious links and attachments. 

  • Contact the sender through trusted channels if in doubt. 
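The Shein and Docusign items above both come down to two manual checks: does the sender's domain belong to the company, and does each link actually go where its text says it goes. The script below automates those checks on a raw email. It is an added example, not code from the newsletter or from Docusign; the sample message is constructed, all fake hosts use reserved .example names, and docusign.net is used as the expected domain only because the newsletter names it. The generic-greeting check mirrors the "Greetings" indicator above.

```python
"""Automate the newsletter's manual phishing checks: sender domain,
link text vs. link target, and generic greeting.  Added example with a
constructed sample message; "docusign.net" is the expected domain only
because the newsletter names it."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample (not a real message); hosts use .example names.
SAMPLE_EMAIL = b"""\
From: Docusign <noreply@docusign-mail.example>
To: employee@corp.example
Subject: Completed: Please review and sign your document
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>A document is waiting for your signature.</p>
<p><a href="http://docusign.net.review-docs.example/sign?id=42">https://www.docusign.net/Signing/review</a></p>
<p>Security code: 1234</p>
</body></html>
"""

# Anchor text that looks like a URL or bare domain (what a user "sees").
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of bare text that looks like a domain."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def in_domain(host, domain):
    """True for the domain itself or a subdomain; docusign.net.evil.example is neither."""
    return host == domain or host.endswith("." + domain)


def check_email(raw, expected_domain):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain.lower() if addrs else ""
    if not in_domain(sender, expected_domain):
        findings.append(f"sender domain {sender!r} is not under {expected_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = host_of(href)
        if not in_domain(target, expected_domain):
            findings.append(f"link goes to {target!r}, not {expected_domain}")
        shown = host_of(text) if URLISH.match(text) else ""
        if shown and shown != target:            # the "hover over the link" check
            findings.append(f"link text shows {shown!r} but points at {target!r}")

    lowered = html.lower()
    if "dear customer" in lowered or "dear user" in lowered:
        findings.append("generic greeting instead of the recipient's name")
    return findings
```

Running `check_email(SAMPLE_EMAIL, "docusign.net")` reports the look-alike sender domain, the link that leaves docusign.net, the mismatch between the displayed URL and the real target, and the generic greeting. The suffix check in `in_domain` matters: `docusign.net.review-docs.example` starts with the brand name but is not under docusign.net, which is exactly the trick the hover check is meant to catch.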

 

 

Growing Confidence Among CISOs Despite Rising Cyber Threats 

Overview: According to Proofpoint's 2024 Voice of the CISO report, 70% of CISOs feel at risk of a material cyber attack, while 43% feel unprepared to cope with one, down from 61% the year before. Despite this growing confidence, human error remains a critical vulnerability, with 74% of CISOs naming it a top concern. Encouragingly, AI-powered tooling and better employee education are seen as the key strategies for mitigating that risk, even as ransomware, malware, and employee turnover continue to test resilience. 

Key Points: 

  • Rising Confidence: 43% of CISOs feel unprepared for attacks, down from 61% last year. 

  • Human Error: 74% of CISOs see human error as the biggest vulnerability. 

  • AI Solutions: 87% are deploying AI to combat human-centric threats. 

  • Top Threats: Ransomware, malware, and email fraud are major concerns. 

Takeaway: Continuous improvement in AI adoption and employee training is vital for bolstering cybersecurity defenses. 

 

 

New Social Engineering Scheme by Black Basta Ransomware Group 

Overview: The Black Basta ransomware group has launched a new mass spam and social engineering campaign, targeting various industries. The attackers flood users' emails with spam and then pose as IT support, convincing victims to download remote access tools like Quick Assist or AnyDesk. This grants the attackers initial access to deploy ransomware and steal credentials. 

Key Points: 

  • Spam Overload: Victims receive thousands of spam emails. 

  • Impersonation: Attackers pose as IT support to gain trust. 

  • Remote Access: Tools like Quick Assist and AnyDesk are used to gain access. 

  • Prevention: Block newly registered domains and restrict remote management tools. 

Takeaway: Stay vigilant against unsolicited IT support offers and ensure employees are aware of this tactic. 

 

From Phish to Phish Phishing: How Email Scams Got Smart

Phishing scams have evolved dramatically over the years, becoming more sophisticated and harder to detect. Here are key points from Check Point's recent article on how email scams have become smarter:

  1. Evolution of Phishing Tactics:

    • Old vs. New: Early phishing attempts were often easy to spot due to obvious mistakes like all-caps subject lines, poor grammar, and bad spoofing. Modern phishing emails, however, are much more convincing, using official-looking logos and professional language.

    • Advanced Spoofing: Attackers now use advanced techniques to spoof emails, making them appear as if they come from trusted sources such as banks, government agencies, or company executives. This creates a sense of urgency and legitimacy.

  2. Techniques and Vectors:

    • Email and Attachments: Phishing emails often carry links to fake websites that harvest personal information, or attachments that drop malware; either can lead to data theft or infection.

    • Vishing and SMiShing: Phishing is not limited to emails. Attackers use voice phishing (vishing) and SMS phishing (SMiShing) to trick victims into revealing sensitive information over the phone or through text messages.

  3. Common Scams:

    • Ransomware Delivery: A significant number of phishing emails now deliver ransomware, locking victims' files and demanding a ransom for their release.

    • Fake Alerts: Emails claiming to be from PayPal, Wells Fargo, or even the FBI often contain urgent messages about account issues, prompting victims to click on malicious links or provide personal information.

  4. Preventive Measures:

    • Stay Vigilant: Always verify the sender’s email address and look for signs of phishing, such as generic greetings and urgent requests for personal information.

    • Check Links and Attachments: Hover over links to see their true destination and avoid clicking on suspicious attachments.

    • Use Security Tools: Employ email filtering and antivirus software to help detect and block phishing attempts.

By staying informed and cautious, you can protect yourself and your organization from falling victim to these increasingly sophisticated email scams.

 

 

Beware the Piano Scam 

Cybercriminals are exploiting unsuspecting individuals with a new scheme known as the "Piano Scam." Victims receive emails offering a free piano due to a family death, but they are asked to pay shipping fees through fake shipping companies. These scammers also collect personal information. Protect yourself by verifying the sender, avoiding clicking on unknown links, and reporting suspicious emails. 

Key Points:

  • Advance Fee Fraud (AFF): The scam involves requesting a small upfront fee for a larger promised reward, in this case, a free piano.

  • Payment Methods: Scammers request payment via Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency.

  • Personally Identifiable Information (PII): Scammers collect names, addresses, and phone numbers.

  • Warning Signs: Emails from unknown senders, requests for upfront payment, and sender addresses that change from message to message.


Beware Advance Fee Fraud (AFF): The Piano Scam 

May 31, 2024

This is a short blog post I wrote for our security awareness internal communication. Feel free to grab and use for your own program. Created with the help of ChatGPT.

Cyber threats are constantly evolving, and one of the latest scams targets unsuspecting individuals with a piano-themed fraud. This scheme, dubbed the "Piano Scam," preys on the goodwill of victims by offering a "free" piano, only to defraud them through advance fee payments for shipping. 

This particular campaign targets the education sector, but the same advance-fee pattern is aimed at other industries, including healthcare and food service. Recognizing the pattern helps us spot similar scams when they are pointed at our company. 

How the Scam Works 

  1. Initial Contact: Victims receive an email claiming a free piano is available due to a family death. 

  2. Shipping Fraud: The scammer directs victims to a fake shipping company, which requests payment for delivery fees via various methods, including Zelle, PayPal, and cryptocurrency. 

  3. Data Harvesting: Personal information such as names, addresses, and phone numbers is also solicited. 

Recognizing the Scam 

  • Too Good to Be True: Be cautious of unsolicited offers that seem excessively generous. 

  • Unverified Senders: Emails from unfamiliar addresses or free email services should raise suspicion. 

  • Payment Requests: Legitimate giveaways do not require upfront fees for shipping or handling. 

Prevention Tips 

  • Verify Sources: Independently verify the sender and the legitimacy of the offer. 

  • Avoid Clicking Links: Do not click on links or download attachments from unknown emails. 

  • Report Suspicious Activity: Inform your IT department or local authorities if you encounter such scams. 

Understanding the tactics used in the Piano Scam can help you avoid becoming a victim. Stay vigilant and informed to protect yourself from these and other cyber threats. 

For more detailed information on this scam, visit Proofpoint's Security Brief. 

 


Phishing Threat Intelligence May 2024

May 30, 2024

These are the articles and blogs I’ve read over the last month with a lean towards phishing and healthcare. I share this internally with the security team. Feel free to take and use for your own programs.

Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks 

Okta identified a substantial rise in credential stuffing attacks targeting online services in the past month. These attacks exploit widely available resources like stolen login credentials, residential proxies, and scripting tools to gain unauthorized access to user accounts. The attacks appear to originate from anonymizing services like Tor and leverage proxies to bypass security measures. 

Key Takeaways: 

  • Identity and access management (IAM) provider Okta has observed a significant increase in credential stuffing attacks over the past month. 

  • These attacks leverage readily available resources like residential proxy services, stolen credential lists, and scripting tools. 

  • The attacks target online services and seem to originate from anonymizing tools like Tor exit nodes and various proxies. 

Indicators of Compromise (IOCs): 

  • The timeframe for this attack surge is noted to be between April 19th and April 26th, 2024. 

  • Okta's Identity Threat Research detected the activity. 

  • The note lists no specific IoCs, but it points to related brute-force activity against VPN appliances and routers from several vendors reported by Cisco Talos, and recommends blocking requests from anonymizing services. 
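The detail that makes this campaign hard to spot is the residential proxy layer: each IP makes only an attempt or two, so a per-IP lockout never fires. The script below shows both the classic single-source detection and a windowed detection for the proxy-rotated variant. It is an added example, not Okta's code or log format; the auth log is constructed inside `build_sample_log()` (its key=value line format is invented for this example) and all addresses come from documentation ranges.

```python
"""Two detections for credential stuffing over a constructed auth log:
one noisy source trying many accounts, and the proxy-rotated variant
where each IP makes only one or two attempts.  Added example; the
line format "<ts> src=<ip> user=<name> result=<SUCCESS|FAILURE>" is
invented for this example, not an Okta System Log format."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed log: normal logins, one noisy stuffer, one rotated-proxy campaign."""
    t0 = datetime(2024, 4, 22, 10, 0, 0)

    def stamp(secs):
        return (t0 + timedelta(seconds=secs)).strftime(FMT)

    lines = []
    for i, user in enumerate(["alice", "bob", "carol"]):            # normal traffic
        lines.append(f"{stamp(15 * i)} src=192.0.2.{10 + i} user={user} result=SUCCESS")
    lines.append(f"{stamp(50)} src=192.0.2.11 user=bob result=FAILURE")  # a mistyped password
    for i in range(12):                                             # one IP, many accounts
        lines.append(f"{stamp(60 + i)} src=203.0.113.7 user=user{i:02d} result=FAILURE")
    for i in range(30):                                             # 30 proxies, 1 attempt each
        lines.append(f"{stamp(120 + 2 * i)} src=198.51.100.{i + 1} user=victim{i:02d} result=FAILURE")
    return lines


def parse(line):
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, FMT)
    return event


def detect(lines, window=timedelta(minutes=10), per_ip_users=5,
           spread_ips=20, spread_max_per_ip=2):
    """Return alert strings for single-source and distributed stuffing."""
    failures = sorted((e for e in map(parse, lines) if e["result"] == "FAILURE"),
                      key=lambda e: e["ts"])
    alerts = []

    # 1. Single source: one IP failing against many distinct accounts.
    users_by_ip = defaultdict(set)
    for e in failures:
        users_by_ip[e["src"]].add(e["user"])
    for ip, users in sorted(users_by_ip.items()):
        if len(users) >= per_ip_users:
            alerts.append(f"{ip}: failed logins against {len(users)} distinct accounts")

    # 2. Distributed: within one window, many IPs that each stay under the
    #    per-IP threshold, collectively hitting many distinct accounts.
    if not failures:
        return alerts
    buckets = defaultdict(list)
    first = failures[0]["ts"]
    for e in failures:
        buckets[(e["ts"] - first) // window].append(e)
    for idx in sorted(buckets):
        per_ip = defaultdict(int)
        for e in buckets[idx]:
            per_ip[e["src"]] += 1
        quiet = {ip for ip, n in per_ip.items() if n <= spread_max_per_ip}
        accounts = {e["user"] for e in buckets[idx] if e["src"] in quiet}
        if len(quiet) >= spread_ips and len(accounts) >= spread_ips:
            alerts.append(f"window {idx}: {len(quiet)} low-volume IPs failed against "
                          f"{len(accounts)} accounts (proxy-rotated stuffing)")
    return alerts
```

On the sample, `detect(build_sample_log())` raises one alert for 203.0.113.7 and one for the window in which 31 addresses each failed once or twice against 31 different accounts. The second rule is the one that matters for this campaign: it counts sources and accounts per window rather than attempts per source, so lowering per-IP volume does not help the attacker. Tune `spread_ips` to your normal failure baseline, and note that bob's honest typo is swept into the window count, which is why the rule also requires many distinct accounts rather than one stray failure.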

 

 

Black Hat SEO Techniques Used to Distribute Malware 

This report details a malware distribution campaign that leverages black hat SEO techniques. Attackers create malicious websites designed to look legitimate and rank high in search results. These websites are then used to trick users into clicking on them and downloading malware. 

Technical Details: 

  • The malware payloads are delivered inside nested (multi-layer) ZIP archives, a packaging trick that hinders automated scanning. 

  • Once downloaded and executed, the malware can steal sensitive information such as browsing history and user credentials. 

 

 

Phishing Remains a Top Threat Despite Decline in Q4 

Phishing attacks continue to be a major threat to organizations of all sizes. According to a recent report by the Anti-Phishing Working Group (APWG), 2023 saw a significant increase in phishing activity, making it the worst year on record. Nearly 5 million phishing attacks were recorded in 2023, highlighting the prevalence of this threat. 

The report also details a decrease in phishing attacks during the fourth quarter of 2023. APWG attributes the decline largely to Freenom, a registrar long abused to register domains that spoof legitimate companies, ceasing its free domain registrations. While this is a positive development, it is a reminder that threat actors will simply move to other infrastructure. 

Key Takeaways 

  • 2023 was the worst year on record for phishing, with nearly 5 million attacks recorded. 

  • While there was a decline in Q4 2023 after Freenom stopped free registrations, phishing remains a significant threat. 

  • Security awareness training is crucial for educating employees on how to identify and avoid phishing attempts. 

  • Organizations should implement a layered security approach that includes email filtering, employee training, and staying informed about the latest phishing tactics. 

 

 

New Technique for Detecting Malware Stealing Browser Data 

A recent post on the Google Security Blog, from the Chrome security team, details a technique for detecting malware that steals browser data. The technique relies on Windows Event Logs to spot unauthorized decryption of the browser's stored data. 

How Browser Data Theft Works 

Many malware programs target browser data, such as cookies and saved credentials. This data can be valuable to attackers, as it can be used to gain access to online accounts, steal financial information, or launch other attacks. 

Traditional Detection Methods 

Traditional methods for detecting malware that steals browser data often rely on behavioral analysis or signature-based detection. However, these methods can be ineffective against new or sophisticated malware. 

Detecting Browser Data Theft with Windows Event Logs 

The technique described in the post relies on Windows' own DPAPI logging. DPAPI (Data Protection API) is the Windows facility browsers use to encrypt stored cookies and saved credentials for the logged-on user. Windows can record each decryption request in the Microsoft-Windows-Crypto-DPAPI debug log channel (off by default), and the record includes a description of the protected data and the ID of the process that asked for it. 

Only the browser itself should be decrypting the browser's own data. Recent Chrome versions tag their DPAPI blobs with a description identifying Chrome, so a decryption event carrying that description from a process other than Chrome is a strong indicator that malware is stealing browser data rather than a sign of ordinary browser use. 

Benefits of This Technique 

This technique has several benefits over traditional methods for detecting browser data theft. First, it is less reliant on signatures, making it more effective against new and unknown malware. Second, it can provide valuable forensic information, such as the time and process that attempted to access the data. 

Security Implications 

This technique highlights the importance of monitoring Windows Event Logs for security threats. By monitoring these logs, security professionals can gain valuable insights into the activities of applications running on their systems. 

Recommendations 

  • Enable the Microsoft-Windows-Crypto-DPAPI debug log channel; it is off by default and DPAPI decryption events are not recorded without it. 

  • Monitor Windows Event Logs for suspicious DPAPI events. 

  • Investigate any unauthorized attempts to access browser data. 

  • Regularly update your security software and operating system. 

By following these recommendations, organizations can improve their ability to detect and prevent browser data theft. 
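The recommendations above are easier to act on with the logic written out. The script below walks an export of the DPAPI debug channel and flags decryptions of Chrome-tagged data by anything that is not chrome.exe, including callers whose process has already exited (stealers typically run for seconds). It is an added example, not Google's code: the event XML and the process snapshot are constructed, and the event ID (16385), the channel name, and the field names `DataDescription` and `CallerProcessID` are taken from the Google post but should be verified against your own log. The commands in the docstring for enabling and exporting the channel are standard `wevtutil` usage; treat the exact export shape as an assumption.

```python
"""Flag DPAPI decryptions of Chrome's data by non-Chrome processes, from an
export of the Microsoft-Windows-Crypto-DPAPI/Debug channel (event 16385).
Added example with constructed events and a constructed process snapshot.
Assumed field names follow the Google Security Blog post; verify locally.
To collect real data (channel is off by default):
    wevtutil sl Microsoft-Windows-Crypto-DPAPI/Debug /e:true
    wevtutil qe Microsoft-Windows-Crypto-DPAPI/Debug /f:xml > dpapi.xml"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CHROME_DESCRIPTION = "Google Chrome"   # description string the post says Chrome writes into its blobs
ALLOWED_IMAGES = {"chrome.exe"}        # the only process that should decrypt that data


def _event(pid, desc="Google Chrome"):
    """One constructed event record shaped like the Windows event XML."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Crypto-DPAPI"/>
    <EventID>16385</EventID>
    <TimeCreated SystemTime="2024-05-02T14:03:{pid % 60:02d}.000Z"/>
    <Execution ProcessID="812" ThreadID="1"/>
    <Channel>Microsoft-Windows-Crypto-DPAPI/Debug</Channel>
  </System>
  <EventData>
    <Data Name="OperationType">SPCryptUnprotect</Data>
    <Data Name="DataDescription">{desc}</Data>
    <Data Name="CallerProcessID">{pid}</Data>
  </EventData>
</Event>"""


# Constructed export: Chrome itself, a look-alike binary in a temp folder,
# a caller whose PID is gone, and an unrelated application's own DPAPI use.
SAMPLE_EXPORT = _event(4272) + _event(9120) + _event(7777) + _event(5000, "Some other app")

# Constructed pid -> image map, e.g. built from Sysmon event 1 or Get-Process.
# Note the Execution ProcessID (812) is lsass, which performs the decryption
# on the caller's behalf; attribution must use CallerProcessID instead.
SAMPLE_PROCESSES = {
    4272: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    9120: r"C:\Users\jdoe\AppData\Local\Temp\chrome_update.exe",
    812: r"C:\Windows\System32\lsass.exe",
}


def parse_events(export_xml):
    """wevtutil prints Event elements back to back with no root; wrap them."""
    root = ET.fromstring(f"<Events>{export_xml}</Events>")
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "16385":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        data["time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield data


def suspicious_decrypts(export_xml, processes):
    """Return (time, pid, image, reason) for each decryption Chrome did not perform."""
    findings = []
    for ev in parse_events(export_xml):
        if ev.get("DataDescription") != CHROME_DESCRIPTION:
            continue                      # not Chrome's data; other apps use DPAPI too
        pid = int(ev["CallerProcessID"])
        image = processes.get(pid)
        if image is None:
            findings.append((ev["time"], pid, None, "caller already exited"))
        elif PureWindowsPath(image).name.lower() not in ALLOWED_IMAGES:
            findings.append((ev["time"], pid, image, "non-browser process decrypted Chrome data"))
    return findings
```

On the sample, `suspicious_decrypts(SAMPLE_EXPORT, SAMPLE_PROCESSES)` returns two findings: the temp-folder `chrome_update.exe` and the vanished PID 7777, while Chrome's own decryption and the unrelated app are ignored. Matching on the image name alone is deliberately simple; in production also check the signer or full path, since an attacker can name their binary chrome.exe.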

 

 

Healthcare Organizations Targeted in Social Engineering Campaign with Deceptive Tactics 

High Importance 

A recent report by ReliaQuest exposes a social engineering campaign targeting healthcare organizations' revenue cycle management (RCM) departments. The attackers used deceptive tactics to manipulate help desk staff into resetting multifactor authentication (MFA) credentials. This allowed them to get into the environment and steal funds by altering bank routing information for fraudulent money transfers. 

Social Engineering Techniques Used: 

The report details how attackers impersonated legitimate users, often healthcare staff, by leveraging readily available personal information. This information might have been obtained through various means, including phishing emails, data breaches, or even social media. Once impersonating a staff member, attackers would contact the help desk, feigning an issue with their MFA and requesting a reset. To heighten their legitimacy, they might provide seemingly valid personal details associated with the target user, such as the last four digits of their Social Security number, date of birth, or home address. By exploiting trust and creating a sense of urgency, attackers could potentially trick help desk personnel into resetting the MFA, compromising the account's security. 

 

LockBit Black Ransomware Delivered via Phorpiex Botnet Spam Campaign 

High Importance 

A recent phishing campaign leveraged the Phorpiex botnet to distribute LockBit Black ransomware. Millions of malicious emails were sent, targeting a widespread audience. 

Campaign Details: 

  • Phishing emails with malicious ZIP attachments 

  • LockBit Black ransomware deployed upon opening the attachment 

  • Ransomware likely based on leaked LockBit 3.0 source code 

LockBit Black Ransomware: 

LockBit Black is a ransomware variant known for encrypting victim files and demanding a ransom payment for decryption. This iteration is likely derived from a leaked version of LockBit 3.0, raising concerns about potential widespread attacks. 

 

 

Alert: Threat Actors Expand Malicious Use of DNS Tunneling 

High Importance 

Security researchers warn of a growing trend: threat actors are increasingly exploiting DNS tunneling for malicious purposes. DNS tunneling involves encoding data within legitimate DNS requests, creating covert communication channels that bypass traditional security measures. 

Why is this concerning? 

  • Evasion Capabilities: DNS tunneling allows attackers to fly under the radar of firewalls and security tools, making detection difficult. 

  • Operational Flexibility: This technique offers attackers a versatile tool for various malicious activities, including: 

    • Phishing Email Monitoring: Attackers can use DNS tunneling to monitor how users interact with phishing emails, allowing them to refine their tactics. 

    • Network Vulnerability Scanning: Malicious actors can leverage DNS tunneling to scan networks for vulnerabilities without raising red flags. 

    • Security Measure Bypassing: This technique can be used to bypass security controls and establish persistence within a compromised network. 
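The "encoding data within legitimate DNS requests" above has a visible footprint: a tunnel produces many unique, long, high-entropy subdomains under one domain, often as TXT or NULL queries. The script below profiles a resolver log and flags domains with that shape. It is an added example, not from the Unit 42 report; the log lines are constructed (including the tunnel labels, which are truncated SHA-256 digests standing in for encoded data), all domains are reserved .example names, and `registrable()` treats the last two labels as the registrable domain, which is a simplification of what the Public Suffix List would give you.

```python
"""Heuristic DNS tunneling detection over a constructed resolver log.
Added example: log lines, domains and labels are all constructed; the
hex labels are SHA-256 prefixes standing in for encoded data chunks."""
import hashlib
import math
from collections import Counter, defaultdict


def _hex_label(i, n=40):
    """Deterministic stand-in for one encoded data chunk (constructed)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:n]


# Constructed log, one query per line: "<time> <client> <qname> <qtype>".
SAMPLE_LOG = "\n".join(
    [
        "10:00:01 192.0.2.10 www.example.com A",
        "10:00:02 192.0.2.10 mail.example.com MX",
        "10:00:03 192.0.2.11 cdn.static.example.net A",
        "10:00:04 192.0.2.12 api.payments.example.org A",
    ]
    # Tunnel: one client, 25 unique 40-char hex labels, all TXT.
    + [f"10:00:{5 + i:02d} 192.0.2.20 {_hex_label(i)}.t.tunnel-c2.example TXT" for i in range(25)]
    # Tracking-style abuse: short per-recipient labels from many clients.
    + [f"10:01:{i:02d} 192.0.2.{30 + i} u{i:05d}.open.trk-cdn.example A" for i in range(15)]
)


def shannon_entropy(s):
    """Bits per character; hex data is near 4.0, English words nearer 3.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable(qname):
    """Split into (registrable domain, subdomain part). Assumes the last two
    labels are the registrable domain; production code should use the PSL."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]), ".".join(parts[:-2])


def profile(log_text):
    """Per-domain statistics over the subdomain parts of every query."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt": 0, "n": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, _client, qname, qtype = line.split()
        dom, sub = registrable(qname)
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub.replace(".", "")))
        s["txt"] += qtype in ("TXT", "NULL")
    return stats


def detect_tunnels(log_text, min_unique=10, min_len=30, min_entropy=3.5):
    """Flag domains with many unique, long, high-entropy subdomains."""
    hits = []
    for dom, s in sorted(profile(log_text).items()):
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if len(s["subs"]) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            hits.append({
                "domain": dom,
                "unique_subdomains": len(s["subs"]),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_fraction": round(s["txt"] / s["n"], 2),
            })
    return hits
```

`detect_tunnels(SAMPLE_LOG)` flags only tunnel-c2.example. The tracking-style domain is deliberately not flagged: its labels are short and low-entropy, so the length and entropy gates suppress it. That is the limit of this heuristic, and it is the kind of abuse the report describes, so a second rule keyed on unique-subdomain churn per domain (or NXDOMAIN rate) without the length and entropy gates is worth running alongside, at the cost of more tuning against CDNs and telemetry domains that legitimately behave the same way.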

 

 

Cybercriminals Exploit Docusign Phishing Templates 

Summary: Cybercriminals are increasingly targeting Docusign users by distributing customizable phishing templates on cybercrime forums. These templates closely mimic legitimate Docusign emails, luring recipients into providing sensitive information or clicking malicious links. These attacks facilitate various malicious activities, including credential theft and business email compromise (BEC) scams. 

 

Rising Shadow AI Accounts Elevate Corporate Data Risks 

Summary: Recent research by Cyberhaven Labs reveals a 485% surge in AI tool usage among workers, with 90% occurring through personal "shadow AI" accounts. This trend exposes sensitive corporate data to public AI models, posing significant security risks. Key findings highlight that tech workers are the highest contributors, with substantial portions of sensitive data like legal documents, source code, and HR records being inputted into non-corporate accounts. Companies must address these vulnerabilities to safeguard their data. 

Action Points: 

  • Implement strict AI usage policies. 

  • Educate employees on the risks of shadow AI. 

  • Monitor AI tool usage within the organization. 


How AI Has Impacted Our Lives in the Last Year

May 21, 2024

In the past year, the field of AI has seen significant advancements and a greater focus on regulatory and ethical considerations. At ColaSec we will be talking about AI for our May meetup. This will be a group discussion like we had last year. We wanted to revisit AI and how our views and uses of it have changed. We have a virtual option available for those that can’t make it in person.

To prepare for the discussion I wanted to put this blog post together reviewing AI and how it’s impacted our society over the last year. Ironically, this post was created with help from ChatGPT.

ChatGPT weighs in

  • Generative AI's Expansion: Generative AI technologies have experienced widespread adoption and development. Companies increasingly use these capabilities not just for enhancing existing products and services but also for innovating new business models (McKinsey & Company).

  • Ethics and Regulation: There has been a growing global movement towards regulating AI more stringently. For example, the European Union has been active in proposing comprehensive AI legislation, and the White House has introduced an executive order aimed at setting standards for AI development and deployment (MIT Technology Review) (Goodwin).

  • Technological Innovations: On the technical front, major advancements have been made in areas such as AI explainability, privacy, and safety. New tools have been developed to improve the transparency and accountability of AI models, such as watermarking technologies for identifying AI-generated content (Google DeepMind).

  • Application in Science and Healthcare: AI's application in scientific research and healthcare continues to grow, with new models enhancing our ability to design novel proteins and materials, potentially revolutionizing fields like drug discovery and environmental sustainability (Microsoft Cloud).

  • Public Discourse and Awareness: The public discourse around AI has matured, with more widespread discussions on the ethical implications, societal impacts, and long-term consequences of AI technologies. This includes concerns about AI-generated disinformation and the privacy implications of widespread surveillance technologies (CSIS) (Digital Watch Observatory).

  • Generative AI and Cybersecurity: AI technologies are playing an increasingly critical role in cybersecurity, automating tasks and enhancing threat detection and response capabilities. The dynamic nature of AI is likened to an arms race among companies, governments, and cybercriminals, emphasizing the need for vigilant cybersecurity practices (TechNewsWorld).

  • AI in Political Processes: The use of AI in political processes, such as elections, has become a significant concern. Issues like the generation and spread of political deepfakes are becoming more prevalent, complicating the political landscape and potentially influencing election outcomes. This underscores the urgent need for robust methods to detect and mitigate such AI-generated disinformation (MIT Technology Review) (AI Index) (Check Point).

  • Advancements in AI Applications: AI's capabilities continue to expand into more complex and nuanced areas, including multimodal interactions where AI systems can understand and generate outputs across text, image, video, and audio. This broadens AI's application in various fields but also raises concerns about privacy and the creation of synthetic content that can be difficult to distinguish from human-generated content (Tech Xplore).

  • Ethical Concerns and AI Bias: The integration of AI in sectors like finance, healthcare, and public services brings benefits such as increased efficiency and new capabilities. However, it also brings risks such as biases in AI algorithms, which can perpetuate existing inequalities. There is a growing emphasis on developing responsible AI practices to address these issues (AI Index).

These developments reflect a dynamic field that is not only advancing rapidly in terms of technology but also becoming increasingly intertwined with broader societal and regulatory frameworks.

Tim weighs in

  • Verizon DBIR: I recently read the latest Verizon DBIR and made a blog post about it. One of the takeaways was that AI hasn’t had a significant impact on attacks. It is helping with improving efficiencies of attacks but it’s not an action in itself yet. This may change or it may not. Attackers use the path of least resistance. Setting up a scheme to attack people with deepfakes and voice impressions can be a bit more elaborate. Not to say that they aren’t out there. It’s just not as widespread.

  • Policy creation: One of the first things I did was create security policies for a small business. It took me just a few hours to create 10 security policies that the company was required to have. They were concise and easy to read. I hope that security teams are paying attention as this will improve the quality of policies overall and make them much more consumable and easier to understand.

  • Building out ExploreSec.com: I’ve used AI to build out a large portion of this site. I’ve gotten a lot more done than I ever would have on my own. I can put up deep dives in less than an hour. I will go back and edit the initial output from ChatGPT. I’ve written a few blog posts with ChatGPT with varying results. I believe my better posts are going to be me and my stories and experiences. I did have one blog post get deleted accidentally after I wrote it. Instead of doing a full rewrite, I had ChatGPT write the article and I thought it came out very well. It’s been very useful for the podcast. I now use ChatGPT almost entirely to write my show notes. When I record, I also transcribe the conversation. I then take that transcript and have AI build show notes. It’s been an enhancement for show notes and streamlines my post-editing process.

  • Creating Security Awareness Content: My new role is building out a security awareness program for a large healthcare organization. I’ve used ChatGPT to build out blog posts and create newsletter items. Smishing is my most recent blog post. Like building out content on the site, I have it create the first draft and then make adjustments from there. This allows me to easily create regular content for our internal communication site while also educating people on different security topics. I’ve also started releasing a monthly newsletter for phishing threat intelligence and security awareness. I take articles I find online and have either ChatGPT or Gemini write a short newsletter item. With Gemini and Co-Pilot I could take the link and just feed it that instead of having to scrape the data. I found Co-Pilot to have the best repeatable format. Eventually I ran out of a free trial and it wanted me to log in. It also got very uncomfortable when I was doing phishing research and it forced me off the topic. ChatGPT recently released 4o and it is now taking links and creating content out of them.

  • Scripting: I’ve found AI extremely useful for building out PowerShell scripts. One of the things I like to do in a new role is build out the metrics. This often means custom metrics that a platform doesn’t have reporting on. I’ve taken the raw data and created PowerShell scripts that massage the data into the metrics I want. The PowerShell created usually works the first time. If it doesn’t, then I simply feed the AI the error. They usually start out as a simple script and quickly get more complicated as I think of more use cases for the script. I will be posting these scripts on my GitHub at some point.

  • Research: I’ve been using AI to help do research on topics. I still find that Google is better for some things. AI is still several months behind on what it can provide, but it’s getting better. Like creating content, it’s a starting point for research. I’ve found in some of the topics I’ve explored in security that it provides resources I’ve never heard of before, but it can also be susceptible to marketing content. I would expect this will get worse as marketing teams figure out how to get their content into AI as a top result, similar to how they figured out Google and other search platforms.

  • Image Generation: I’ve been extremely happy with the images generated by ChatGPT. I use it for blog posts where I can’t find images. Usually I feed it the content and ask it to make an accompanying image. I’ve also used it for my presentations when I can’t find a meme or visual that highlights the content. It’s not always great. It still struggles with words, but I’ve seen it get better. The same prompt will give different results. Sometimes there’s one thing I don’t like and I ask it to remove it, and it’ll create a whole new image. I’ve messed around with Photoshop for a couple of images, but it usually ends up being more hassle than it’s worth. I just keep giving it prompts until I get something I want. Sometimes starting over and taking a different approach with the prompt is the best option.

  • Social Media: I’ve played around with AI for use on LinkedIn. Some of the posts it creates are cheesy. I primarily use it for podcast announcements. I need to play around with it more, but I’ve started to move away from it. I have found that the viewpoint given in the prompt is a big factor. It can get caught up creating words for a marketing team instead of for someone with an idea or who wants to comment on a blog post. This makes sense, as I imagine marketing teams are using this to create social media posts on a more regular basis.

  • Presentations: This year I used AI to help build my abstract, bio, and outline for my presentation. I haven’t had it build my slide deck yet, but I’m toying around with it. The abstract and bio alone are huge for me as I’m not a great self-promoter. I was able to build out all three in 30 minutes. This used to take me several hours to put together. I also believe I’ve been accepted to speak more because of it.

I’ve found AI to be a valuable tool for content and scripting. It’s helped me build content for ExploreSec.com. It’s helped me improve my presentations both from a submission and a content standpoint. I’m excited to get back into scripting to see what sorts of automation I can build for doing regular tasks like metrics. Looking ahead, I’m continuing to come up with use cases. My next project is to understand how to use voice AI from an attacker’s standpoint but also from a podcaster’s standpoint. There are some use cases that I think will enhance the podcast.

What are your thoughts on AI and how have you used it over the past year?

In Experiences Tags AI

Smishing - Image created by ChatGPT

What is Smishing and How You Can Protect Yourself

May 20, 2024

This is an article I’ve put together for my internal Security Awareness program. Feel free to grab and use in your own program. Created with help from ChatGPT.

In today's digital age, cybersecurity threats are evolving rapidly, and one of the rising threats is "smishing." Smishing, a blend of "SMS" (Short Message Service) and "phishing," is a form of phishing that involves sending fraudulent SMS messages designed to deceive recipients into revealing personal information or installing malware.

Understanding Smishing 

Smishing attacks typically involve a text message that appears to come from a legitimate source, such as a bank, a well-known retailer, or even government agencies. These messages may claim that there's an urgent issue requiring your immediate attention, such as a problem with your bank account, a missed delivery, or a tax refund opportunity. The message will usually include a link that you are urged to click to resolve the issue. 

How Smishing Works 

The goal of smishing is to trick the recipient into providing sensitive information, such as login credentials, credit card details, or personal identification numbers. Alternatively, the link may download malware onto the recipient’s phone, which can lead to data theft or loss, financial loss, and sometimes even identity theft. 

Examples of Smishing Attacks 

  • Financial Frauds: "Notice from Bank XYZ: Unusual activity detected on your account. Please verify your identity immediately to prevent closure. Click here [link]." 

  • Fake Contests: "Congratulations! You’ve won a $500 gift card from [Popular Brand]. Claim your prize now [link]." 

  • Impersonation of Authorities: "Urgent COVID-19 alert in your area. Click here for safety measures to follow [link]." 

  • CEO Fraud: “Hi [employee], are you available? I have an urgent need.” 

Tips to Protect Yourself from Smishing 

  • Be Skeptical of Unsolicited Messages: Always be wary of text messages that ask for personal information, especially if they convey a sense of urgency. 

  • Verify the Source: If a message claims to be from an organization you do business with, verify its authenticity by contacting the organization directly using a phone number or email address from their official website—not the contact details provided in the message. 

  • Avoid Clicking on Suspicious Links: Do not click on links in unsolicited texts or emails. Instead, go directly to the website by typing the URL into your browser. 

  • Educate Yourself and Others: Awareness is your best defense. Learn about the latest smishing tactics and educate your family and friends on how to protect themselves. 

Conclusion 

Smishing is a significant and growing threat in the realm of cyber scams. By staying informed and cautious, you can protect yourself from falling victim to these malicious attacks. Always remember that when it comes to protecting your personal information, vigilance is key. If you suspect you’re being targeted by a smishing attack please contact [INTERNAL SECURITY TEAM INBOX]. 

In Advice Tags Smishing, security awareness

Exploring the Verizon DBIR - Image created by ChatGPT

2024 Verizon DBIR Insights and Thoughts

May 13, 2024

The Verizon Data Breach Investigations Report (DBIR) for 2024 was recently released. It’s a must read for those in cybersecurity. It gives great insight into the overall threat landscape and then breaks it down by industry. Working in healthcare, this is important because while ransomware grabs the news, a bigger concern may actually be insider threat. This is highlighted even more this year: new requirements around reporting on security incidents and breaches bring out insider threat, and specifically the Miscellaneous Error category. My random thoughts from the report are below, with a lean towards healthcare.

Insights and thoughts on the Verizon DBIR

Vulnerability exploitation on the rise

Exploitation of vulnerabilities tripled from last year. I’ve read similar numbers from other trend reports and it makes sense. As organizations get more controls in place, such as Multi-Factor Authentication (MFA), and people get better at identifying phishing (later in the report), attackers will pivot to other ways of getting in. We’ve already seen a rash of vulnerabilities in network appliances over the last several months that could allow attackers into the network.

Human Element Calculation Change

Privilege misuse was removed from the human element calculation, which means the human element metric is 68% instead of the 76% it would have been if privilege misuse were kept in this year. I’m a little torn because I still believe it’s the human element misusing privilege. The idea is to align the metric better with their security awareness recommendations. From that angle I get it, because privilege misuse is more intentional regardless of security awareness training.

Added third-party vendor and supply chain issues

This is a good one to add. As organizations get better at defending, attackers will look to get in via third-party vendor or supply chain issues. This really isn’t a new concept; see the Target breach or the Trojan War. A good third-party vendor risk management program is essential to keeping organizational data secure.

Errors Increases due to mandatory breach notifications

Errors increased to 28% this year. Internal actors increased from 20% to 35%. Organizations that don’t have to report won’t. In healthcare, if a breach is under 500 records then reporting doesn’t have to occur, so there are even more Errors not being reported. I expect more regulation will make this number continue to grow for healthcare. This will hopefully highlight and shift focus to finding solutions to the insider threat problem. Yes, there’s Data Loss Prevention (DLP), but it’s a pain in the ass to get in place.

Meme created by ME!

Security Awareness is Improving

20% of people are reporting simulated phishing emails and 11% are reporting after clicking. That’s positive improvement. I also really like that the report focused on report rates and not clicking. Click rates can fluctuate depending on the difficulty of the phish and the time of year. Too much focus is put on clicking when what’s really needed is an improvement in reporting.

Reporting gives the security team an opportunity to respond to an incident sooner. I always tell people that clicking doesn’t bother me. Did they report it? It’s much easier to respond now, than several weeks later when there’s a bigger issue. Encouraging reporting, even when a click happens, also helps build a more positive security culture. We’re all human and make mistakes. I’ve fallen for my own phish before.

Generative AI Not as much of an issue as we think

It’s recognized that AI is helping attackers in writing phishing email and malware and is being deployed in political campaigns, but it’s not being used in a way that is significantly contributing to breaches. This is why I love the Verizon DBIR. Despite the news headlines and play on social media, AI and all the awful things it can do are not currently having a measurable impact. It’s certainly still something that needs to be discussed and understood, with controls put in place, but it may be better to focus on efforts that may make a more substantial impact, such as vulnerability management and security awareness.

Distributed Denial of Service is the top action in incidents

This is where understanding the verbiage of the report is important: incident vs. breach. A breach is a loss of data. An incident is a security incident that may not involve data being stolen. Hence, DDoS isn’t about taking the data; it’s about taking the service offline for an extended period of time. This shocked me a little. DDoS is still happening and it’s impacting a lot of organizations. Having mitigating controls and a plan in place to respond is important for any organization.

Jen Easterly comments on vulnerabilities and the need to shift focus

“...recurring classes of software defects to inspire the development community to improve their tools, technologies, and processes and attack software quality problems at the root.”

Quality code is secure code is something I’ve been preaching for years. If the quality is there then the security will be there. It’s in the documentation. When developers don’t follow best practices and the documentation that’s when vulnerabilities get created. The reason why security folks have a job is because people aren’t developing, coding, or configuring things right in the first place.

I like that Jen is taking a broader view, and it’s not something I’ve thought about. Instead of focusing on individual vulnerabilities or bugs, we should go a level up. Every organization is different, and every development team is going to struggle with different quality issues. We need to be looking at the class of bugs and trying to solve for the large grouping of vulnerabilities. This will help the development community identify where they can make improvements in their tools, technologies, and, most importantly, processes.

Social Engineering Section

BEC attacks had a median transaction of $50,000. They have a great graph that shows most organizations can get their money back by reaching out to law enforcement. I had a great conversation with Jayson E. Street recently on the Exploring Information Security podcast on social engineering and he had a great idea to send everyone involved in financial transactions a card with a code word on it. If that code word wasn’t authenticated then it’s very likely a BEC attack. I love the simplicity of the solution and I think it can make a good impact.

Web Application Attacks Section

Credential stuffing and brute force attacks are the most common against APIs. Authentication and authorization are the biggest issues for APIs, not so much injection vulnerabilities. This is an improvement in security, but it also means permissions should be top of mind when developing APIs. Things like MFA and rate limiting also need to be in place to help mitigate the potential of a breach. 1000 credentials are available online daily for $10. Credentials are cheap and easy to come by.

Free gaming currency lures leading to malicious NPM packages were not something on my radar. This is the younger generation looking to make a fast buck in the gaming landscape. Unfortunately, they’re downloading malware. Typosquatting was second. The report talked about package managers checking external repositories before internal ones. It’s always better to try and build an internal repo system that pulls updates from the known good repositories. This is easier said than done.

Miscellaneous Errors

This is often overlooked by organizations. Insider threat is the bigger concern in industries like healthcare, where people are handling personal, health, and financial data. There’s a lot of data flying around. More than 50% was due to misdelivery, which means people sent sensitive information to the wrong party, and it is often non-malicious.

Users accounted for 87% of errors. System administrators went from 46% last year to 11% this year. System administrators largely accounted for internal threat issues due to misconfiguration. They’ve tightened up, but it also highlights how under-reported user errors were.

Data Loss Prevention (DLP) is huge to help prevent this. The problem is that DLP is a pain in the ass to implement. I hope that highlighting how big of an issue insider threat is will encourage companies to try and tackle the problem in more creative ways.

Healthcare Industry

I’ve already talked a lot about healthcare above. Miscellaneous Errors regained the top spot after being second to system intrusions last year. I would expect system intrusions to continue to decline in next year’s report due to law enforcement’s increased involvement in taking down ransomware gangs. Privilege misuse was second. This is the more malicious action internal threat actors are taking. System intrusions were third.

Conclusion

The 2024 Verizon Data Breach Investigations Report (DBIR) is a must read. It provides critical insights into the evolving threat landscape, particularly emphasizing the increasing complexity of cybersecurity challenges across various industries. It’s a good anchor point for challenging assumptions about the biggest risk to our own organization.

As cybersecurity environments become increasingly complex, the DBIR’s insights are invaluable for professionals seeking to bolster their defenses and anticipate potential threats. The report serves not only as a tool for understanding but also as a catalyst for implementing robust security measures tailored to specific industry needs. For those in cybersecurity, especially in sectors as sensitive as healthcare, the DBIR is an essential resource that supports ongoing efforts to protect sensitive information and systems from both external and internal threats.

In Technology Tags Verizon DBIR, Healthcare, DLP, AI, security research, Trend Reports

Exploring the security awareness newsletter - Image created by ChatGPT

Security Awareness Newsletter April 2024

May 6, 2024

These are the stories I’ve been tracking that are of interest to people outside of security. Feel free to take this and use it as part of your own security awareness program. The items were created with the help of ChatGPT.

Confirmed: AT&T Data Breach Exposes Millions

A large data leak containing personal information of millions of AT&T customers is being investigated. While AT&T denies the breach originated from their systems, this incident highlights the importance of protecting your personal information.

Here are some steps you can take to stay safe:

  • Be mindful of the information you share online and over the phone.

  • Use strong passwords and change them regularly.

  • Monitor your bank statements and credit reports for suspicious activity.

AI in Elections: Beware the Deepfakes!

AI is shaking up elections! Check Point Research warns of deepfakes and voice cloning being used to mislead voters. They found evidence in 10 out of 36 recent elections. Stay informed - the future of voting might depend on it!

Heads Up, Gamers! Malware Lurks in YouTube Video Game Cracks

Phishing for free games can land you in hot water!

A recent report by Proofpoint discovered threat actors using YouTube to distribute malware disguised as popular video game cracks.

Here's the breakdown:

  • Compromised Accounts: Hackers are targeting both legitimate and newly created YouTube accounts.

  • Deceptive Content: Videos promise free software or game upgrades, but descriptions contain malicious links.

  • Targeting Young Gamers: The campaigns exploit younger audiences' interest in bypassing paid features.

Alert on Privacy Risks in Dating Apps: Spotlight on Hornet

Recent investigations by Check Point Research have exposed critical privacy vulnerabilities in the popular dating app Hornet, affecting its 10+ million users. Despite Hornet's attempts to safeguard user locations by randomizing displayed distances, researchers found ways to determine users' exact locations within 10 meters using trilateration techniques. This finding poses a significant privacy risk, particularly in dating apps that rely on geolocation features to connect users.

Highlights:

  • Hornet's geolocation vulnerabilities could allow attackers to pinpoint users' precise locations.

  • Even after implementing new safety measures, locations could still be determined within 50 meters.

  • Check Point Research advises users to be cautious about app permissions and consider disabling location services to protect their privacy.

The study illustrates the ongoing challenges and potential dangers of balancing app functionality with user privacy, urging both developers and users to remain vigilant.

Ransomware Scams Can Get Creative

Ransomware gangs are constantly looking for new ways to pressure companies into paying up. A recent article on TechCrunch, "Ransomware gang's new extortion trick? Calling the front desk," describes a hilarious (but ultimately unsuccessful) attempt by a hacker to extort a company through their front desk.

While this specific incident might be lighthearted, it serves as a reminder that ransomware attackers are always adapting their tactics. Here's what you should be aware of:

  • Be cautious of any unsolicited calls or emails claiming a security breach. Don't engage with the sender and report them to the IT department immediately.

  • Never click on suspicious links or attachments. These could contain malware that gives attackers access to our systems.

  • Be mindful of what information you share over the phone. Hackers may try to sound legitimate to gather details about our company's network.

  • Stay informed about cybersecurity best practices. The IT department may send out phishing simulations or training materials – take advantage of these resources.

By staying vigilant and following these tips, we can all play a part in protecting our company from ransomware attacks. Remember, if you see something suspicious, report it!

FBI Alert: Increase in Social Engineering Attacks

The FBI has issued a warning about the rise in social engineering attacks targeting personal and corporate accounts. These attacks employ methods like impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing, which are designed to steal sensitive information.

Key Techniques:

  • Employee Impersonation: Fraudsters trick IT or helpdesk staff into providing network access.

  • SIM Swapping: Attackers take control of victims' phone numbers to bypass security measures like multi-factor authentication.

  • Call Forwarding and Simultaneous Ring: Calls are redirected to the attackers' numbers, potentially overcoming security protocols.

  • Phishing: Cybercriminals use fake emails from trusted entities to collect personal and financial data.

How to Protect Yourself:

  • Ignore unsolicited requests for personal information.

  • Ensure unique, strong passwords for all accounts.

  • Contact mobile carriers to restrict SIM changes and call forwarding.

  • Regularly monitor account activity for signs of unauthorized access.

If Compromised:

  • Immediately secure accounts by changing passwords and contacting service providers.

  • Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Stay vigilant and implement these protective measures to defend against these sophisticated social engineering threats.

Smishing Scam Hits the Road!

Beware of texts claiming unpaid tolls! Scammers are targeting drivers with smishing attacks. The texts claim that the recipient has unpaid tolls. Don't click links or give out info. Report scams to the FBI: https://www.ic3.gov/Home/ComplaintChoice. Stay safe!

Data Breach at Hospital: Ex-Employee Admits to Sharing Patient Records

Patients at Jordan Valley Community Health Center in Missouri are being notified of a data breach involving over 2,500 individuals. The culprit? A former employee, Chante Falcon, who admitted to accessing and sharing patient records.

Facing federal charges for wrongful disclosure of patient information, Ms. Falcon pleaded guilty and awaits sentencing. The potential penalty? Up to 10 years in prison.

Tax Time Trouble: Don't Fall Victim to Tax Scams!

It's tax season again! While you're busy gathering documents and filing your return, scammers are out in force trying to steal your money and personal information.

This year, security experts are seeing a rise in Artificial Intelligence (AI)-powered tax scams. These scams can look and feel more sophisticated than ever before, making them even trickier to spot.

Here are some red flags to watch out for:

  • Urgency and Threats: Scammers often try to pressure you into acting quickly by claiming you owe overdue taxes or face penalties.

  • Suspicious Emails and Texts: Be wary of emails or texts claiming to be from the IRS or tax software companies. Don't click on links or attachments unless you're sure they're legitimate.

  • Phishing for Information: Scammers may ask for your Social Security number, bank account details, or other personal information you wouldn't normally share via email or text.

Stay Safe This Tax Season:

  • Go Directly to the Source: If you receive a message about your taxes, contact the IRS directly using a phone number you know is correct (don't use the one provided in the message).

  • Don't Share Personal Information Unsolicited: The IRS will never ask for sensitive information through email or text message.

By following these tips and staying vigilant, you can protect yourself from tax scams and ensure a smooth tax season!

Tracking AI's Influence in Global Elections

Rest of World, a news organization, has launched a new initiative to monitor and document the impact of artificial intelligence (AI) on global elections. This effort comes as generative AI tools become increasingly accessible, presenting both innovative uses and potential risks in political contexts.

Scope and Objective: The project tracks AI incidents across the globe, particularly focusing on regions outside the Western hemisphere. From the general elections in Bangladesh to those in Ghana, the tracker will compile AI-generated content related to elections, encompassing both positive applications and problematic issues like misinformation.

Noteworthy Incidents:

  • In Belarus, a ChatGPT-powered virtual candidate is providing voter information while circumventing censorship.

  • AI-generated videos have enabled Pakistan’s former Prime Minister Imran Khan to address the public from imprisonment.

  • A spam campaign against Taiwan’s president has been linked to a Chinese Communist Party actor.

  • Deepfake videos falsely depicted Bangladeshi candidates withdrawing on election day.

Comprehensive ChatGPT Risk Assessment

Walter Haydock from StackAware has conducted an exhaustive risk assessment of OpenAI's ChatGPT. This summary encapsulates the critical findings and documentation from the assessment, aiming to enhance your understanding and governance of AI tools.

Key Findings from the Assessment:

  • Purpose and Criticality: ChatGPT serves multiple functions, from generating marketing content to converting unstructured data into structured formats. Its operational importance is significant, with potential major business impacts in case of system failure.

  • System Complexity and Reliability: Despite its complex nature, ChatGPT has shown reliable performance, although occasional performance and availability issues have been documented on OpenAI’s status page.

  • Environmental and Economic Impacts: ChatGPT's operation is energy-intensive, with considerable carbon emissions and water usage. However, it also offers potential economic benefits, potentially contributing significantly to global productivity and economic output.

  • Societal and Cultural Impacts: The system’s ability to automate repetitive tasks could liberate millions from mundane work but also poses risks to employment and misinformation, particularly during sensitive periods like elections.

  • Legal and Human Rights Considerations: The system's deployment must carefully navigate potential impacts on employment and privacy, with strict adherence to legal and human rights norms.

Deepfake Phishing Attempt Targets LastPass Employee: Audio Social Engineering on the Rise

A recent incident reported by LastPass sheds light on a concerning trend: the use of audio deepfakes in social engineering attacks.

What Happened?

  • A LastPass employee received a series of calls, text messages, and voicemails supposedly from the company's CEO.

  • The voice messages utilized deepfake technology to convincingly mimic the CEO's voice.

  • The attacker attempted to pressure the employee into performing actions outside of normal business communication channels and exhibiting characteristics of a social engineering attempt.

Why This Matters:

  • This incident marks a potential turning point in social engineering tactics. Deepfakes can bypass traditional email-based phishing attempts and create a more believable scenario for the target.

  • Audio deepfakes pose a significant threat because they exploit the inherent trust we place in familiar voices.

How LastPass Responded:

  • The targeted employee, recognizing the red flags of the situation, did not respond to the messages and reported the incident to internal security.

  • LastPass highlights the importance of employee awareness training in identifying and reporting social engineering attempts.

Change Healthcare Cyberattack: A Costly Reminder for Physicians

A recent cyberattack on Change Healthcare, a major healthcare IT provider, has had a significant impact on physicians across the country. According to a KnowBe4 article, a staggering 80% of physicians reported financial losses due to the attack. United Health announced the attack cost them $1.6 billion alone.

The High Cost of the Breach

The article details the financial strain placed on physician practices:

  • Revenue Loss: Disruptions caused by the attack made it difficult to submit claims and verify benefits, leading to lost revenue.

  • Increased Costs: Extra staff time and resources were required to complete revenue cycle tasks.

  • Personal Expenses: Some practices were forced to use personal funds to cover business expenses.

USPS Now the Most Impersonated Brand in Phishing Attacks

Phishing attacks are one of the most common cyber threats. Criminals impersonate well-known brands to trick people into giving up personal information. According to a recent report, the United States Postal Service (USPS) has surged to the top spot on the list of most impersonated brands.

Here are some tips to avoid falling victim to a USPS phishing attack:

  • Be wary of emails or text messages that claim to be from USPS about a delivery issue or package requiring additional fees.

  • Do not click on any links or attachments in suspicious emails or text messages.

  • If you are unsure about the legitimacy of an email or text message, contact USPS directly.

  • Be mindful of the sender's email address and look for typos or inconsistencies.

By following these tips, you can help protect yourself from phishing attacks.

In News Tags Security Awareness, Newsletter, AI, Deepfake, Malware, Phishing

Exploring phishing threat intelligence from April 2024 - Image created by ChatGPT

Phishing Threat Intelligence April 2024

April 29, 2024

These are the phishing related stories I paid attention to in April 2024. Feel free to use these and share them with your own security teams.

The NaurLegal Campaign Unveiled

BlueVoyant's Threat Fusion Cell has exposed a new cyber attack campaign, dubbed ‘NaurLegal’, led by the notorious eCrime group Narwhal Spider. This campaign ingeniously exploits the trust in legal transactions by distributing malicious PDF files posing as invoices from reputable law firms. With filenames like "Invoice_[number]from[law firm name].pdf," these documents are crafted to bypass casual scrutiny and initiate malware infections. 

Key Insights: 

  • Tactic Exploitation: NaurLegal leverages the routine nature of legal document exchanges, using this as a vector to deploy malware, including sophisticated threats like WikiLoader and potentially IcedID. 

  • Infrastructure: The campaign operates through compromised WordPress sites for command and control (C2), a hallmark of Narwhal Spider’s modus operandi. 

  • Evolving Threat: Unlike previous attacks primarily targeting Italian entities, NaurLegal broadens its focus, indicating a strategic shift towards exploiting a wider array of organizational vulnerabilities. 
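As an added example (not BlueVoyant's or this site's own code), the filename template above turned into a simple attachment-name detection run over constructed mail-gateway log lines. The tab-separated log format and the exact separators tolerated by the regex are assumptions, since the article gives only the "Invoice_[number]from[law firm name].pdf" template.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lure filename template from the NaurLegal write-up:
# "Invoice_[number]from[law firm name].pdf".
# Assumption: separators may be an underscore, spaces or a dash, and
# case is ignored, so slight variations of the template still match.
NAURLEGAL_NAME = re.compile(
    r"^invoice[_\s-]*\d+\s*from\s*.+\.pdf$", re.IGNORECASE
)


@dataclass
class AttachmentEvent:
    message_id: str
    sender: str
    filename: str


def parse_gateway_line(line: str) -> Optional[AttachmentEvent]:
    """Parse one line of the constructed gateway log:
    <message_id> TAB <sender> TAB <attachment filename>.
    Malformed lines are skipped rather than raising."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    return AttachmentEvent(*parts)


def is_naurlegal_lure(filename: str) -> bool:
    """True when the attachment name follows the lure template."""
    return NAURLEGAL_NAME.match(filename.strip()) is not None


def flag_lures(log_lines: List[str]) -> List[AttachmentEvent]:
    """Return the events whose attachment name matches the template."""
    events = (parse_gateway_line(line) for line in log_lines)
    return [ev for ev in events if ev is not None and is_naurlegal_lure(ev.filename)]


def flagged_message_ids(log_lines: List[str]) -> List[str]:
    return [ev.message_id for ev in flag_lures(log_lines)]


# Constructed sample log: two lure-style names, two benign names,
# and one malformed line. Senders and firm names are invented.
SAMPLE_LOG = [
    "m1\tbilling@example-firm.test\tInvoice_48213fromSmith&PartnersLLP.pdf",
    "m2\thr@example.test\tQ2_report.pdf",
    "m3\tinvoices@example.test\tinvoice 7731 from Doe Legal Group.PDF",
    "m4\tfinance@example.test\tInvoice_123.pdf",
    "not a well-formed log line",
]

if __name__ == "__main__":
    for ev in flag_lures(SAMPLE_LOG):
        print(f"{ev.message_id}: {ev.sender} -> {ev.filename}")
```

A name match like this is only a first-pass signal for review; the campaign's real tell is the PDF's behaviour, so treat hits as triage candidates rather than verdicts.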

Google Ads Malware Alert for Security Professionals 

In a recent discovery by AhnLab Security Intelligence Center (ASEC), a sophisticated malware distribution campaign has been identified exploiting Google Ads' tracking feature. Dubbed by ASEC, this campaign cleverly disguises malware as popular groupware installers like Notion, Slack, and Trello, leveraging Google Ads to reach a broad audience. The exploitation of the Ads platform's vast user base and complex targeting options presents a notable security concern, highlighting the innovative strategies of cybercriminals to breach defenses. 

Key Campaign Insights: 

  • Malware Distribution: Attackers create or hijack Google Ads to distribute malware through tracking URLs hidden in legitimate-looking ads, leading unsuspecting users to download harmful executables. 

  • Targeted Malware: The campaign specifically uses malware-laden files with names mimicking reputable software installers to trick users into initiating downloads. 

  • Sophisticated Evasion Techniques: Upon execution, the malware contacts attacker-controlled servers to fetch additional malicious payloads, utilizing compromised domains and text-sharing sites for hosting. 

  • Payloads and Execution: The Rhadamanthys infostealer malware, fetched from these links, is then injected into legitimate Windows system files, enabling it to steal private data while avoiding detection. 

 

 

Security Alert: New Loader and Agent Tesla Campaign Detected 

SpiderLabs has identified a phishing campaign deploying Agent Tesla via a sophisticated new loader. Initiated via email attachments disguised as bank payment receipts, this campaign utilizes advanced obfuscation and encryption to deliver its malicious payload while evading detection. 

Key Insights:

  • Attack Vector: Phishing emails with attachments that trigger a complex infection chain to deploy Agent Tesla. 

  • Evasion Tactics: The loader showcases advanced evasion, including polymorphism and AMSI bypass techniques, to execute the payload stealthily. 

  • Agent Tesla Execution: Executes entirely in memory, focusing on data theft and utilizing SMTP for data exfiltration through compromised accounts. 

 

 

AI-Powered Malware Spreads Through Social Media Malvertising Campaigns 

This article from Bitdefender highlights a recent surge in information-stealing malware campaigns targeting social media users. 

Key Points: 

  • Attackers Exploit Popularity of AI Software: Cybercriminals are leveraging the rising interest in AI-powered image and video generators to distribute malware. 

  • Malicious Ads Impersonate Legitimate Software: Fake social media pages and sponsored ads mimic popular AI tools like Midjourney, Sora, and CapCut. 

  • Ads Trick Users into Downloading Malware: Clicking on these ads leads users to download malicious software disguised as official installers. 

  • Malware Steals Sensitive Information: The malware steals login credentials, browsing history, cookies, and even crypto wallet information. 

  • Rilide V4, Vidar, IceRAT, and Nova Stealer Used: The report identifies various information stealers used in these campaigns, including Rilide V4, Vidar, IceRAT, and Nova Stealer. 

  • Midjourney Most Targeted Platform: Midjourney, a popular AI image generation tool, was the most impersonated platform in this campaign. 

 

Attention Security Teams: Malware Spreads Through YouTube Video Game Cracks 

Threat actors are leveraging compromised YouTube accounts to distribute information stealers disguised as popular video game cracks. This campaign, detailed in a recent Proofpoint report, targets unsuspecting gamers, particularly younger audiences. 

  • Compromised Accounts: Legitimate and newly created YouTube accounts are being used to upload malicious videos. 

  • Deceptive Content: Videos advertise access to pirated software or game upgrades. Descriptions contain links that download malware upon clicking. 

  • Targeted Audience: The campaign exploits the desire to bypass paid features, likely appealing to younger gamers. 

Security Implications: 

  • Information stealers like Vidar, StealC, and Lumma Stealer can compromise user credentials and other sensitive data. 

  • Compromised accounts can be used to further distribute malware or host phishing attacks. 

  • Younger audiences may be less familiar with online safety best practices, increasing susceptibility. 

For further investigation: The Proofpoint report provides Indicators of Compromise (IOCs) to assist in identifying these malicious videos. 

 

 

ReliaQuest’s Annual Cyber-Threat Report: 2024 

According to the report: 

  • Phishing links or attachments were involved in 71% of all initial access phases of cyber attacks 

  • The top three MITRE ATT&CK techniques in attacks involved phishing or spear phishing 

  • Drive-by compromise was used in 29% of attacks 

  • QR code phishing saw a 51% increase in just one month – September – over the previous 8 months combined 

 

 

Android Malware Vultur Expands Its Capabilities 

A recent report by Fox-IT details the evolving capabilities of the Android malware Vultur. Key takeaways: 

  • New Functionality: Vultur now possesses features that enable remote interaction with a device's screen through Accessibility Services. 

  • Enhanced File Management: The malware can now download, upload, delete, install, and locate files on infected devices. 

  • Evasion Techniques: Vultur employs app impersonation and communication encryption to evade detection. 

These expanded capabilities pose a significant threat to Android users, as Vultur can now perform a wider range of malicious activities. 

 

Agent Tesla Targets US and AU Organizations: A Newsletter for Security Professionals 

A recent campaign by cyberespionage actors, nicknamed "Bignosa" and "Gods", has been targeting organizations in the United States and Australia. The attackers use phishing emails with topics related to purchasing goods and order delivery to distribute the Agent Tesla malware. Once installed, Agent Tesla can steal keystrokes and login credentials. 

Key takeaways: 

  • Malicious Mails: Phishing emails with seemingly legitimate topics are being used to lure unsuspecting victims. 

  • Agent Tesla: This malware steals keystrokes and login credentials, posing a significant threat to compromised systems. 

  • Stay Vigilant: Keeping software updated and exercising caution regarding unexpected emails are crucial for mitigating such attacks. 

 

 

New Download Threat: Latrodectus Emerges 

A new downloader malware called Latrodectus has emerged, posing a threat to system security. Two threat actors, TA577 and TA578, have been distributing Latrodectus, raising concerns about its potential reach. 

This malware functions as a downloader, capable of not only information theft but also installing additional malware, potentially escalating the attack. Security experts believe Latrodectus might be linked to the creators of IcedID, another malicious software. Key takeaways: 

  • Latrodectus's Reach: The involvement of multiple threat actors (TA577 and TA578) indicates a wider distribution network, increasing the potential for encountering this malware. 

  • Multi-faceted Threat: Latrodectus goes beyond information theft; its ability to install additional malware poses a serious risk of system compromise. 

  • Possible Connection to IcedID: The link to IcedID suggests a potentially sophisticated threat actor behind Latrodectus. 

 

 

New Malware Delivery Techniques on the Rise 

New research from Check Point reveals that cybercriminals are developing new methods to deliver malware. These techniques involve novel infection chains designed to bypass common security measures and deliver Remcos, a powerful Remote Access Trojan (RAT). 

The report also highlights the evolving tactics employed by attackers to exploit vulnerabilities. While Lockbit3 remains the most prevalent ransomware, Blackbasta has worryingly climbed the ranks, entering the top three. 

Key takeaways: 

  • Cybercriminals are developing new methods to deliver malware, employing novel infection chains to bypass common security measures. 

  • Remcos, a powerful Remote Access Trojan (RAT), is being delivered through these new techniques. 

  • Lockbit3 remains the most prevalent ransomware, but Blackbasta has risen in prominence. 

  • FakeUpdates is the most common malware encountered. 

 

 

Tycoon 2FA: Phishing As A Service Evolving to Bypass MFA 

MFA Fatigue? Tycoon 2FA Raises Concerns 

A new variant of the Tycoon 2FA phishing kit is making waves for its effectiveness in bypassing multi-factor authentication (MFA). This phishing-as-a-service (PhaaS) tool targets Microsoft 365 credentials and uses an adversary-in-the-middle (AiTM) technique to steal session cookies, granting access even with MFA enabled. 

Key Points for Security Teams: 

  • Active Threat: First observed in August 2023, Tycoon 2FA has become a prevalent threat due to its ease of use and affordability. 

  • MFA Bypass: The phishing kit steals Microsoft 365 session cookies, allowing attackers to bypass MFA and gain access to compromised accounts. 

  • Stealthier Than Ever: Recent updates enhance the kit's stealth capabilities, potentially reducing detection by security products. 

  • Widespread Impact: Sekoia has identified over 1200 domain names associated with Tycoon 2FA infrastructure since its release. 

 

 

Alert: Cisco Duo's Multifactor Authentication Service Compromised 

Cisco Duo has issued a warning to its customers following a breach involving a third-party telephony service provider. This incident, which unfolded on April 1, 2024, involved the unauthorized access of SMS logs due to a social engineering cyberattack. 

Key Details: 

  • Breach Dynamics: Threat actors gained access by using compromised employee credentials at a third-party provider that handles SMS and VoIP services for Cisco Duo's multifactor authentication (MFA). 

  • Data Compromised: The breach resulted in the unauthorized download of message logs for SMS messages sent between March 1, 2024, and March 31, 2024. These logs included phone numbers, carriers, country and state data, and other metadata like the date, time, and type of messages. 

  • No Message Content Exposed: It's important to note that the content of the messages was not exposed in the breach. 

Customer Advisory: Cisco Duo has advised all impacted users to notify individuals whose information was compromised and to stay alert for potential phishing attacks leveraging the stolen data. 

 

 

Tech Giants Lead Phishing Charge: Microsoft, Google Top Q1 Brand Impersonation 

Phishing remains a top threat, with technology brands the most impersonated. 

A recent report by Check Point Research (CPR) paints a concerning picture of the evolving phishing landscape. Their analysis of brand phishing attempts in Q1 2024 reveals a worrying trend: technology giants are the most impersonated brands, and technology the most impersonated sector. 

Key Findings: 

  • Microsoft Maintains Top Spot: Microsoft continues to be the most impersonated brand in phishing attacks, accounting for a staggering 38% of all attempts in Q1 2024. 

  • Google Makes Gains: Google rose to the second-place position, capturing 11% of phishing attempts – a significant increase from its previous third-place ranking. 

  • Tech Sector Dominates: Technology remains the most impersonated industry, likely due to its prevalence in corporate environments and the potential for lucrative access to company assets through stolen credentials. 

Why Tech Brands? 

Cybercriminals often target technology brands for several reasons: 

  • Widespread Use: These brands are familiar and widely used, making them a believable target for phishing attempts. 

  • Access to Sensitive Data: Gaining access to compromised accounts in these platforms can grant attackers access to sensitive corporate data or financial information. 

  • Remote Work Reliance: The increased use of cloud-based services and remote work environments expands the potential attack surface for tech-focused phishing campaigns. 

 

 

Beware of Sophisticated Phishing Attacks Targeting Help Desks! 

Alert! A recent report from the Department of Health and Human Services (HHS) warns of a rise in sophisticated social engineering attacks targeting IT help desks within the healthcare sector. 

Here's what you need to know: 

  • Impersonation Tactics: Attackers are making phone calls to help desks, impersonating employees (often in financial roles) and claiming they require urgent assistance. 

  • Credentials at Risk: These imposters are armed with convincing details about the targeted employee, including the last four digits of their Social Security number and corporate ID. This information allows them to bypass initial security checks. 

  • Potential for Data Breaches: The ultimate goal of these attacks is to steal login credentials or trick help desk personnel into granting access to sensitive systems and data. 

 

Malvertising Campaign Targets IT Teams with "MadMxShell" Backdoor 

Threat actors are leveraging malvertising campaigns to distribute a previously unseen backdoor dubbed "MadMxShell." This campaign targets IT security and network administration teams by spoofing legitimate IP scanner software websites. 

Key Details: 

  • Attack Chain: The threat actors register typosquatted domain names resembling popular IP scanner software. 

  • Google Ads Abuse: They then exploit Google Ads to push these malicious websites to the top of search engine results pages (SERPs) for relevant keywords used by IT professionals searching for IP scanner tools. 

  • Delivery of Backdoor: Unsuspecting victims who visit the spoofed websites are redirected to download links that deliver the MadMxShell backdoor. 

Technical Analysis: 

  • MadMxShell Backdoor: This backdoor offers remote access capabilities, allowing attackers to gain unauthorized control over compromised systems. 

  • Limited Information: While details about MadMxShell's functionalities are scarce, the report suggests it possesses file system manipulation and process execution abilities. 

 

 

Shift in Attack Tactics: Vulnerability Exploitation on the Rise 

Phishing Declines, Zero-Days Soar 

A recent report by Mandiant indicates a significant shift in cyberattacker tactics. Vulnerability exploitation has overtaken phishing as the primary method for gaining initial network access. Researchers found that in 2023, vulnerabilities were exploited in 38% of intrusions, a 6% increase over 2022. Phishing attempts, while still the second most common initial infection vector, dropped from 22% to 17% over the same period. 

The report also highlights a sharp rise in the exploitation of zero-day vulnerabilities, previously unknown flaws in software, by 56% year-over-year. Chinese cyber espionage groups were found to be the most active users of zero-days, while financially motivated attackers continue to leverage these vulnerabilities to steal financial data. 

Key Takeaways 

  • Patching vulnerabilities promptly is crucial to preventing initial network access by attackers. 

  • Organizations should prioritize vulnerability management and invest in threat detection solutions capable of identifying zero-day exploits. 

  • While phishing remains a threat, user awareness training should be supplemented with additional security measures to mitigate the evolving tactics of cybercriminals. 

 

 

Ransomware on the Rise: More Groups, More Victims 

Ransomware is back with a vengeance. A GRIT report shows a worrying 20% increase in victims in Q1 2024 compared to the same period last year. This coincides with a surge in active ransomware groups, jumping from 29 to 45 (a 55% increase). BlackBasta and Play are new major players, joining the persistent LockBit. 

Brutality and Distribution Mark New Era 

These groups are targeting critical infrastructure like hospitals, highlighting a ruthless shift in tactics. Additionally, RaaS groups are recruiting affiliates, creating a more distributed threat landscape. 

Key Takeaways: 

  • Patching and Detection are Critical: Shore up defenses by patching vulnerabilities and implementing security solutions. 

  • Beyond Phishing: Non-phishing attacks are the new norm, so vulnerability management is key. 

  • Backups are Essential: Regular backups ensure a swift recovery from an attack. 

  • Stay Ahead of the Curve: Keeping informed about the evolving threat landscape allows for proactive defense. 

 

 

Phishing Attacks on the Rise: AI-powered Threat Landscape 

A recent report by AI-ThreatLabz highlights a significant increase in phishing attacks, with a staggering 58% rise observed in 2024 compared to the previous year. This surge is attributed to the growing adoption of Artificial Intelligence (AI) by attackers, enabling them to craft highly personalized and believable phishing campaigns. 

Key Takeaways 

  • Phishing Attacks are Soaring: Phishing remains a major threat, with a sharp increase in incidents this year. 

  • AI-powered Attacks: Attackers are leveraging AI to create more believable and personalized phishing emails, making them harder to detect. 

  • Zero Trust Security is Key: Traditional security approaches may not be sufficient. Zero trust security principles can help mitigate the risk of phishing attacks by continuously verifying access requests. 

 

In News Tags Phishing, Threat Intelligence, Newsletter

FBI PSA on Social Engineering techniques - Created by ChatGPT

FBI Warning: Rising Social Engineering Threats Targeting Personal and Corporate Accounts 

April 12, 2024

This is a timely article I put together for internal distribution as part of a Security Awareness program. Feel free to grab and use as part of your Security Awareness program.

Link: https://www.ic3.gov/Media/Y2024/PSA240411  

The Federal Bureau of Investigation (FBI) has issued an alert regarding an increase in social engineering attacks that cybercriminals are using to compromise personal and corporate accounts. The techniques identified include impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing—each designed to manipulate victims into divulging sensitive information. 

Social Engineering Techniques: 

  • Employee Impersonation: Cybercriminals pose as company employees to trick IT or helpdesk staff into granting them network access. 

  • SIM Swapping: Attackers deceive mobile carriers to transfer a victim’s phone number to a device they control, potentially bypassing multi-factor authentication to access financial and other secure accounts. 

  • Call Forwarding and Simultaneous Ring: This method involves forwarding a victim’s calls to the attacker’s number, again potentially circumventing multi-factor authentication. 

  • Phishing: Phishing emails mimic legitimate institutions to solicit sensitive information, such as login credentials and personal identification numbers. 

Protection Recommendations: 

  • Personal Security Measures: 

      • Avoid responding to unsolicited requests for personal information. 

      • Set unique passwords for voicemail and mobile accounts. 

      • Contact your mobile carrier to block unauthorized SIM changes and call forwarding. 

      • Regularly check your account activity for any unauthorized changes. 

      • Use complex passwords and avoid posting personal data online. 

  • Corporate Security Measures: 

      • Pay attention to email banners for messages coming from external sources. 

      • Use non-email based multi-factor authentication. 

      • Report any phishing and social engineering attempts. 

Reporting and Additional Actions:

If you believe you are a victim of a social engineering attack: 

  • Contact your service providers to secure your accounts. 

  • Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov for further investigation. 

  • Reach out to [INSERT SECURITY INBOX] if you suspect any of these social engineering techniques are being used at work. 

This alert underscores the need for heightened vigilance and proactive measures to safeguard against sophisticated social engineering tactics that are increasingly prevalent in today’s digital landscape. We thank you for helping keep [COMPANY] secure.  

In News Tags social engineering, Security Awareness, PSA, FBI

AI security and healthcare - created by ChatGPT

Embracing AI with Care: A Guide for using AI in the healthcare workplace

April 10, 2024

This is an article I put together for internal communication on my company's intranet. I actually put two different articles together. Both are along the same lines, just written differently. I would love feedback on anything I may have missed. Otherwise feel free to use this as part of your company’s internal communication. This was mostly written by ChatGPT.

Introduction

In the rapidly evolving world of healthcare, Artificial Intelligence (AI) has emerged as a beacon of hope and innovation. From improving patient outcomes to optimizing operational efficiencies, AI's potential is undeniable. However, as we integrate these powerful tools into our daily operations, it's imperative to approach AI with a blend of enthusiasm and caution.

The Power of AI in Healthcare

AI's application within healthcare spans from predictive analytics in patient care to automating administrative tasks, allowing healthcare professionals to focus on what they do best—caring for patients. AI algorithms can analyze vast amounts of data to predict patient deterioration or optimize treatment plans. Additionally, AI-driven chatbots can enhance patient engagement and support, providing timely information and assistance.

Ethical Considerations and Patient Privacy

While AI can significantly improve efficiency and patient care, its implementation in healthcare comes with profound ethical implications, especially concerning patient privacy and data security. As stewards of sensitive health information, it's our collective responsibility to ensure that AI tools are used ethically and in compliance with all applicable laws and regulations, such as HIPAA.

  • Transparency and Consent: Patients should be informed about how AI might be used in their care, including the benefits and potential risks. Obtaining informed consent is not just a legal requirement; it's a cornerstone of trust.

  • Data Privacy: Always ensure that AI systems handling patient data are secure and compliant with data protection laws. Anonymization of data before AI analysis is a critical step in safeguarding patient privacy.

  • Bias and Fairness: AI systems are only as unbiased as the data they're trained on. It's essential to continuously monitor and evaluate AI tools for any form of bias, ensuring equitable healthcare outcomes for all patients.

Cybersecurity Implications

The integration of AI into healthcare systems increases the complexity of our cybersecurity landscape. AI can both bolster our cybersecurity defenses and represent a novel vector for cyber threats. Therefore, a proactive and informed cybersecurity approach is essential.

  • Adherence to Security Policies: All use of AI technology must comply with our comprehensive security policies, which are designed to protect both patient data and our IT infrastructure. This includes strict access controls, regular security audits, and adherence to best practices in AI ethics and governance.

  • Education and Awareness: Employees must be educated about the potential cybersecurity risks associated with AI, including social engineering attacks that leverage AI-generated content.

  • Handling of sensitive data: It is crucial to ensure that sensitive data is not entered into or processed by AI systems that are not under our direct control and that do not meet our strict security and privacy standards. Employees should avoid the use of unauthorized AI tools and platforms that could inadvertently expose sensitive patient information or proprietary data. This includes being aware of third-party companies that have integrated AI into their platforms.

  • Secure AI Development: AI systems must be developed and maintained with security in mind. Threat modeling helps to identify potential issues before they arise. Regularly updating and patching systems helps maintain the integrity and security of systems.

  • Vigilance and Reporting: Employees are empowered to report any suspicious activities or vulnerabilities. Early detection is key to preventing cyber incidents or data privacy issues.

Looking Ahead

As we journey forward, integrating AI into our healthcare practices, let us do so with a vigilant eye on the ethical, privacy, and security implications. By fostering a culture of responsible AI use, we not only protect our patients and their data but also contribute to the advancement of healthcare, making it more accessible, efficient, and effective for all.

Conclusion

The integration of AI in healthcare represents a frontier of endless possibilities. Yet, as we harness these technologies, we must navigate this terrain thoughtfully and responsibly, ensuring that we remain steadfast in our commitment to patient care, privacy, and security. Together, we can create a future where AI empowers us to deliver better healthcare than ever before.

In Advice Tags AI, Healthcare, Security Awareness

Exploring phishing March 2024

Phishing Threat Intelligence March 2024

April 3, 2024

Tax Season Phishing Campaigns - Targeting New Tactics 

Microsoft Threat Intelligence (MSTI) has uncovered a rise in phishing campaigns targeting taxpayers during the tax season. These campaigns leverage social engineering tactics to trick victims into revealing sensitive information or clicking on malicious links. 

Targets and Techniques: 

  • High-Risk Groups: New taxpayers, small business owners, and older adults are identified as the most vulnerable demographics. 

  • Phishing Methods: Emails disguised as legitimate tax documents or communications from employers are common methods. The emails may contain urgency or use scare tactics to pressure recipients into clicking malicious links or opening attachments containing malware. 

 

Iranian Threat Actor TA450 Shifts Tactics in Latest Campaign 

Summary: A recent campaign by Iranian threat actor TA450 has been detected leveraging a new technique. 

Previous Tactics: Historically, TA450 has targeted Israeli users via email campaigns containing malicious links directly embedded within the email body. These links typically led to file-sharing sites that, when clicked, downloaded remote access trojans (RATs). 

New Development: Proofpoint researchers observed a shift in TA450's tactics. The latest campaign utilizes PDF attachments containing malicious links. The social engineering lure involves emails disguised as pay slips, likely designed to trick victims into opening the attachments. 

Security Implications: This new delivery method makes TA450's emails appear more legitimate, potentially increasing the success rate of these phishing attacks. Security professionals should be aware of this evolving technique and update email security filters accordingly. 

 

New Trojan: VCURMS Discovered by Fortinet 

Fortinet researchers have uncovered a new trojan named VCURMS. This trojan leverages obfuscation techniques to bypass traditional antivirus detection and establish persistence on compromised systems. 

VCURMS Capabilities: 

  • Information Theft: VCURMS can steal sensitive information from infected devices. 

  • Remote Access: The trojan grants remote access to attackers, enabling them to control the compromised system. 

 

Delivery Method: 

VCURMS primarily spreads through phishing campaigns. Attackers target victims with emails containing malicious attachments. Once a user opens the attachment, the trojan infects the system. 

 

 

Zscaler ThreatLabz Releases New Report on AI Security Trends and Risks 

A recent Zscaler report, "New AI Insights: Exploring Key AI Trends and Risks ThreatLabz 2024 AI Security Report," delves into the evolving landscape of AI security. Key takeaways for security professionals include: 

  • Soaring Enterprise AI Adoption: The report highlights a significant increase (595%) in enterprise adoption of AI technologies. This presents both opportunities and challenges for security teams. 

  • Balancing Benefits and Risks: While AI offers significant advantages, it also introduces new security risks. The report emphasizes the need for a well-defined security posture to mitigate these risks. 

  • Heightened AI-Driven Threats: Zscaler ThreatLabz observed an 18.5% rise in blocked AI traffic, indicating a rise in malicious actors leveraging AI. 

  • Security Best Practices: The report outlines essential security practices for securing AI deployments. These include data loss prevention (DLP) controls and granular access controls to safeguard sensitive data and prevent unauthorized access. 

In News Tags Newsletter, Phishing, Threat Intelligence

Exploring the newsletter below - Image created with the help of ChatGPT

Security Awareness Newsletter March 2024

April 1, 2024

This is a security newsletter I’ve put together as part of our security awareness program. This leans more towards healthcare and news items that are more general in nature. I’ll have a more technical focused newsletter later this week that’s targeted at security teams. Feel free to take this newsletter and use it internally as part of your security awareness program.

The Great Zoom-Skype-Google Masquerade: Beware of digital doppelgängers. Fake Zoom, Skype, and Google Meet sites are the latest traps set by cyber tricksters.  These spoofed meetings can trick users into downloading harmful software that compromises their computer. Ensure you’re clicking on the real deal to keep those malware masqueraders at bay. Beware of QR codes that will try to steal credentials as part of this type of attack. 

Beware of fake websites mimicking popular brands!: Typosquatting attacks are surging, and cybercriminals are exploiting user mistakes to steal login credentials and spread malware. Typosquatting is where an attacker registers a similar domain to one a person is familiar with. This increases the chance a malicious link will be clicked. 

Small Businesses Hit Hard by Cybercrime: Some social engineering techniques highlighted in the article include: malicious ads; attackers starting a conversation before trying to get the person to take an action; and the move to PDF attachments. These types of attacks help launch ransomware against small businesses. 

Beware of AI-Driven Voice Cloning in Vishing Scams: The Better Business Bureau (BBB) has issued a warning about the rise of voice phishing (vishing) scams utilizing AI-driven voice cloning technology. Scammers can now mimic voices convincingly with just a small audio sample, leading to fraudulent requests for money transfers or sensitive information. Tips to Stay Safe: 

  • Pause Before Acting: Resist the urge to act immediately on unexpected requests, even if they seem to come from a familiar voice. 

  • Verify Directly: Contact the supposed caller using a known, saved number—not the one provided in the suspicious call. 

  • Question the Caller: Ask specific questions that an impostor would struggle to answer correctly. 

  • Secure Your Accounts: Implement multi-factor authentication and verify any changes in information or payment requests. 

Update on Change Healthcare Cyberattack Recovery: Change Healthcare is on track to bring its systems back online by mid-March following a cyberattack that has caused widespread disruption since February 21. The cyberattack has significantly affected healthcare operations nationwide, with providers facing difficulties in payment processing, insurance verification, and clinical data exchange. This highlights why security awareness is so important. Identifying and reporting security threats to the organization is the responsibility of everyone. 

Beware of Tax Season Scams Targeting SMBs and Self-Employed Individuals: As tax season unfolds, a new scam has surfaced targeting small business owners and self-employed individuals. Scammers are using emails to lure victims to a fraudulent site, claiming to offer IRS EIN/Federal tax ID number applications. However, this service is free through the IRS, and the scam site is designed to steal personal information, including social security numbers, creating a significant risk for identity theft and fraud. A Microsoft report identifies green card holders, small business owners, new taxpayers under 25, and older taxpayers over 60 as prime targets for these scams. Check Point has some example phishes in their tax scam article. 

Apple Users Beware: "MFA Bombing" Phishing Attacks on the Rise: Leveraging Apple's password reset system, attackers can bombard users with password reset prompts. If a person clicks "Allow" on one of the prompts, the attackers can gain access to the user's account. The attackers may also call the person pretending to be Apple support. Some ways to protect yourself from this attack include not approving any of the prompts and contacting Apple directly if you receive a suspicious call. 

In News Tags newsletter, Security Awareness, social engineering, Typosquatting, AI, Healthcare, tax fraud, Multi-Factor Authentication

The Art of Secure Passwords: Safeguarding Your Digital Life

March 27, 2024

This is a blog post I plan to submit to my company's intranet site as part of a security awareness program. I wanted to post this here in case others would like to use it for their own internal programs. This was largely generated with ChatGPT. I have gone through and made my own edits and adjustments.

In today’s interconnected world, passwords are the gatekeepers to our digital existence. Whether it’s accessing your email, online banking, or social media accounts, a strong password is your first line of defense against cyber threats. In this blog post, we’ll explore essential practices for creating and managing secure passwords. 

The Key to Your Account: Guard Your Passwords 

Your passwords are like the keys to your virtual kingdom. Treat them with utmost care and never share them with anyone. Remember, a password shared is a vulnerability exposed. Whether it’s your Netflix account or your corporate email, keep those keys close and confidential. 

Password managers are great for both storing and creating passwords. Password managers generate and store complex, unique passwords for each of your accounts. Instead of remembering dozens (or even hundreds) of passwords, you only need to remember one master password. Password managers can auto-fill your login information on websites and apps, streamlining the login process. Below are some recommended password managers for personal use: 

LastPass 

Features: LastPass offers a user-friendly interface, secure password storage, and strong password generation. It's accessible across various devices and browsers, making it convenient for users who need to manage their passwords on the go. LastPass also features secure sharing options, allowing users to safely share login information with trusted individuals. 

1Password 

Features: 1Password is known for its strong security measures, including a unique security key for encryption, making it nearly impossible for unauthorized users to access your vault. It also offers a Travel Mode, which temporarily removes sensitive data from your devices when crossing borders. 1Password's user interface is clean and intuitive, with excellent organization features for managing passwords and documents. 

Dashlane 

Features: Dashlane provides a robust set of features, including password management, a secure digital wallet, and a VPN for safe browsing. Its password changer feature can automatically update passwords on various sites, enhancing security with minimal user effort. Dashlane is suitable for individuals and businesses looking for a comprehensive security solution. 

Bitwarden 

Features: Bitwarden stands out for being open-source, offering transparency in its security practices. It provides a secure vault for passwords and sensitive information, with options for self-hosting for users who prefer complete control over their data storage. Bitwarden's free version is feature-rich, making it an excellent choice for budget-conscious users seeking reliable security. 

Keeper 

Features: Keeper is noted for its high-level security features, including biometric logins and a secure messaging vault. It offers flexible storage options for passwords, files, and private client data, making it a suitable option for both personal and professional use. Keeper also includes breach monitoring to alert users of potential security threats. 

Browsers 

Browsers can be a good place to store passwords for users seeking convenience and simplicity, offering several features that facilitate better password practices. However, for those who require more robust security features, flexibility, and functionality, a dedicated password manager might be a more suitable option. As with any security tool, the best choice depends on your specific needs, habits, and the level of risk you're comfortable with. 

Crafting Strong and Memorable Passwords 

Creating strong and memorable passwords is essential, especially for securing critical accounts like those for work, email, and finances. Here's how to craft passwords that are both robust and easy to remember: 

Ensure Uniqueness for Each Account 

Distinguish your work and personal passwords to safeguard against potential breaches. Each account should have a unique password to prevent a security issue in one from affecting others. Websites like Have I Been Pwned offer valuable insights by letting you check if your email has been involved in any breaches, underscoring the importance of uniqueness. 

My personal email shows up in the LinkedIn breach

Opt for Passphrases with Special Characters 

Early in my career, I learned the effectiveness of using multi-word passphrases with special characters interspersed. This strategy not only makes passwords more difficult for attackers to guess or crack but also helps in keeping them memorable. I have also witnessed 22-character passwords being compromised, so it's clear that security isn't solely about length. Crafting your password—a mix of length, complexity, and unpredictability—is key. 

Avoid common or popular phrases. Instead, draw inspiration from less obvious sources, like obscure quotes or unique phrases from your favorite media. This approach significantly lowers the risk of your password being easily cracked while ensuring it remains memorable to you. 

By focusing on creating unique, complex passphrases that are personal and meaningful, you can significantly enhance the security of your online accounts while maintaining ease of recall. 
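The passphrase approach above, as an added example that is not part of the original post: a generator that intersperses special characters between randomly chosen words, entropy estimates showing why a long password built from a famous quote is weaker than a shorter random passphrase, and an offline model of the Have I Been Pwned "Pwned Passwords" range check (only the first five hex characters of the SHA-1 leave your machine). The wordlist, the `constructed_fetch_range` function and every breach count are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed mini wordlist; a real generator would use a large list such as the
# EFF long list (7,776 words). The entropy functions take the list size as input.
WORDLIST = [
    "anchor", "brisket", "cobalt", "dormant", "ember", "fjord", "glacier", "harbor",
    "ignite", "juniper", "kestrel", "lantern", "marble", "nimbus", "orchid", "pewter",
]
SPECIALS = "!@#$%^&*-_=+?"


def generate_passphrase(n_words, wordlist=WORDLIST, specials=SPECIALS, rng=secrets):
    """Pick n_words uniformly at random and put a random special character
    between each pair of words, e.g. 'kestrel#orchid!anchor=fjord'."""
    if n_words < 2:
        raise ValueError("a passphrase needs at least two words")
    parts = []
    for i in range(n_words):
        parts.append(rng.choice(wordlist))
        if i < n_words - 1:
            parts.append(rng.choice(specials))
    return "".join(parts)


def passphrase_entropy_bits(n_words, wordlist_size, specials_size):
    """Entropy of the generation process above: each word is one of wordlist_size
    equally likely choices and each separator one of specials_size."""
    return n_words * math.log2(wordlist_size) + (n_words - 1) * math.log2(specials_size)


def quoted_phrase_entropy_bits(n_candidate_phrases, n_variants_per_phrase):
    """Entropy of a password built from a well-known quote or lyric: however long
    the string is, an attacker who enumerates the popular phrases and the usual
    decorations (capitalisation, appended digit or symbol) faces only
    n_phrases * n_variants guesses. Extra characters add nothing here."""
    return math.log2(n_candidate_phrases * n_variants_per_phrase)


def hibp_hash_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that is
    sent to the Pwned Passwords range API and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """fetch_range(prefix) returns the body for that prefix (lines 'SUFFIX:COUNT').
    Return how many times the password appeared in known breaches, 0 if absent."""
    prefix, suffix = hibp_hash_parts(password)
    body = fetch_range(prefix)  # only the 5-character prefix leaves the machine
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_fetch_range(prefix):
    """Constructed stand-in for the network call: answers only for the prefix of
    'password', with a made-up count, and returns an empty body otherwise."""
    known_prefix, known_suffix = hibp_hash_parts("password")
    if prefix != known_prefix:
        return ""
    return f"{known_suffix}:3861493\n0123456789ABCDEF0123456789ABCDEF012:2\n"


if __name__ == "__main__":
    print("generated:", generate_passphrase(4))
    print(f"4 EFF words + 3 separators: {passphrase_entropy_bits(4, 7776, len(SPECIALS)):.1f} bits")
    print(f"famous quote, 10,000 phrases x 50 decorations: {quoted_phrase_entropy_bits(10_000, 50):.1f} bits")
    for pw in ("password", generate_passphrase(4)):
        print(pw, "->", breach_count(pw, constructed_fetch_range), "breach appearances")
```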

Conclusion 

By adopting recommended practices—treating passwords as keys to our digital domains, leveraging password managers for enhanced security, and crafting strong, memorable passwords—we fortify our digital presence against unauthorized access. 

Password managers like LastPass, 1Password, Dashlane, Bitwarden, and Keeper offer robust protection. For added simplicity, browser-stored passwords can also serve as a basic defense. Utilizing unique passphrases enriched with special characters further strengthens our security posture, as echoed by services like Have I Been Pwned, which emphasize the importance of password uniqueness. 

In conclusion, secure password practices are not just about technical security; they're about empowering ourselves to navigate the digital space confidently and securely. Let's prioritize our digital safety by embracing these practices, ensuring our online presence is shielded from potential threats. 

In Advice Tags security awareness, passwords

It’s dark on the “dark web”

Demystifying the Dark Web: Challenging the Myth of a Hidden Internet

March 22, 2024

I’m still adjusting to my new role as Sr Specialist of Security Awareness and Training at Acadia Healthcare, so things have gotten behind on this site. Behind the scenes I’m still recording and editing episodes and I’ve got some really good ones coming up. I still want to post content on this site and try to get one blog post out a week. I have some ideas to do that with the time allotted and one of those ideas is AI. This article was entirely written by AI.

I would love feedback in the comments below if you liked or didn't like it and if you feel there are any corrections that need to be made. I have read over it and thought it did a pretty good job, but my experience is limited on the "Dark Web."

The dark web is often portrayed as a shadowy underworld of the internet, a place where anonymity reigns supreme and illicit activities thrive. This portrayal has been popularized by media and folklore, painting a picture of a digital "no-man's-land" inaccessible to the average user and law enforcement alike. However, upon closer examination, the assertion that the "dark web doesn't exist" can be a provocative way to challenge misconceptions and misunderstandings about what the dark web truly is and what it represents.

Understanding the Internet's Layers

To debunk the myth, it's essential to understand the internet's structure, which is more nuanced than a binary division between the "surface web" and the "dark web." The internet is better described in layers, with the surface web comprising websites indexed by search engines. Beneath this lies the deep web, which contains unindexed content like private databases, academic journals, and secure personal accounts. The dark web is a small portion of the deep web, accessible only through specific, anonymizing networks like Tor.

The Dark Web: A Concept, Not a Place

One critical argument against the dark web's mythical status is the recognition of it as a concept rather than a physical or digital "place." The dark web refers to the use of anonymized networks to access content and services that are either intentionally hidden from the surface web or require specific software to access for privacy and security reasons. It is not a separate internet but part of the broader, intricate ecosystem that constitutes the web.

The Role of Anonymity and Privacy

The dark web's existence is often justified by its role in protecting anonymity and privacy. Activists, whistleblowers, and those under oppressive regimes use it to communicate safely. This aspect challenges the notion that the dark web is solely a haven for illegal activities. It serves a crucial function in facilitating secure communication, underscoring that its existence is not inherently malevolent but rather a tool that can be used for good or ill.

Misconceptions and Exaggerations

The sensationalization of the dark web contributes to its mythical status. Stories of nefarious activities and marketplaces often overshadow the less dramatic, yet equally important, uses of the dark web for privacy and security. By challenging the existence of the dark web as a singular, monolithic entity, we can shed light on the realities of digital anonymity and its implications for society.

Conclusion

The assertion that "the dark web doesn't exist" serves as a starting point for a more nuanced discussion about the internet's complexities and the importance of privacy and anonymity online. It invites us to reconsider our preconceptions and understand the dark web not as a hidden den of iniquity but as a component of the internet that reflects the diverse needs and ethical considerations of its users. In demystifying the dark web, we confront not just the technical realities of the internet, but also the broader questions of rights, freedoms, and responsibilities in the digital age.

In Technology Tags Dark Web

Exploring the job market with my handy briefcase

Exploring the cybersecurity job market from late 2023 to early 2024

March 13, 2024

A job search is work

Below you will find several log entries from me as I recently went through a job search. I wanted to do this to highlight how things have changed and show that even for someone who has several years of experience it’s tough. I started my search around the end of November and had it end in early March. The holidays certainly slowed things down, but it still took a good three solid months. Getting hired at the end of a year is a rare thing because companies aren’t looking to add more to their books. Their focus is to close out the books and look as good as possible from a financial standpoint.

A lot more job postings went up at the beginning of the year and things seemed to pick up from a reach-out and interviewing perspective. The job I eventually accepted had their posting up in early December but didn’t start talking to me until the beginning of the year.

I cater my resume to the role and despite all that I still got A LOT of rejection letters. In fact, I just got another one yesterday. Prepare for baseball-type stats where it’s normal to bat .300 instead of .800. I did notice that it’s less likely a company will talk to you if you're not in their city. Through my network I heard this quite a bit despite my willingness to relocate to certain parts of the country. Talking to some recruiters, it was certainly a weird market with a lot of companies wanting to be back in office, and with the layoffs last year it was harder to stand out.

Another factor is my background. I have a broad background and have successfully implemented programs in multiple disciplines. I have confidence I can adapt my skillset to any role. I’ve done it in just about every job I’ve had. Unfortunately, a lot of hiring managers are looking for a specific skillset and only that skillset. Recruiters are another layer where they often are just looking for keywords in a resume. I also found that AI was starting to play a part. I had a screening call that utilized AI. I tried to better understand how that worked on the backend but couldn’t find a lot of materials. I’d like to see how AI is impacting candidates both positively and negatively.

Last year I took some time to reflect on what I really wanted to do and where my background and skillset could really be useful. I found that security awareness was something I’ve done at all my previous jobs and that there were companies hiring and paying well enough for the role. That’s where I focused my job search and that’s where I’ve ended up. I’m excited for what’s ahead. Below is my journey to that role.

Log

Entry 1: Willo and one-way video interviewing. This was an interesting experience because I was given a set of questions and asked to record my responses. I’ve never done this before and found it interesting. I had three minutes to record. I could save and continue or re-record. There was only one question I needed to re-record multiple times, either because I ran out of time or screwed up. I thought it was a great way to do a screening. I also loved that the screening involved behavioral questions, which I’m a big proponent of using.

Entry 2 (five days later): To this point I’ve applied to 16 roles: I’ve got one early stage interview set up; I’ve had one one-way video screening; and two, “we think you’re a great candidate but we don’t want to talk to you.” For those last two, I know one of them was due to pay because they reposted and took out the top part of the salary range, and the other was probably my resume. The one early stage interview I have is due to knowing someone at the company who put me in for a role, which is why I always recommend networking to find a job.

I haven’t had to do a job search where I submitted blindly to companies for over 10 years. This is an experiment for me. Is my resume just not up to snuff anymore, or is there some other factor? A couple of factors I’m keeping in mind are that it’s the end of the year, which means deadlines and goals. People outside of government work are usually pretty busy trying to wrap up the year and so hiring takes a back seat. Financially, people aren’t looking to add budget to their team at the end of the year.

It’s also been a tougher job market with the economy being down. I’ve talked to recruiters and they say it’s been a slow weird end of the year. There’s more competition for me in the job market so I’ll get less looks or get looked over. I’m also being more picky about the opportunities I apply for because I feel like I know what I want to do. My experience can be an issue because it’s a little all over the place. The closest I came to niching was application security but two years into that role I was promoted to manager over security engineers, pentesters, and application security.

Which brings me back to my resume. When I redid it over 10 years ago it was due to not getting call backs. It ended up taking 15 months to find a new job. Redoing it to the current format increased my interview opportunities by 50%. My resume format may be dated. My theory is that my resume may work for hiring managers but not for recruiters or talent acquisition people because they’re not in the field. They’re looking for those specific words and probably something more eye appealing. I’ve already started experimenting with different formats and I’ll provide the results here when it’s completed.

Entry 3 (Star Date -299052.05): The rejection emails have come in. I got two this morning and I expect more if I haven’t been reached out to by a recruiter. This means my resume is a problem and I need to work on that. I watched this talk from BSides San Francisco 2023 by Zach Strong on Hacking the Hiring Process. I think I need to simplify my resume and get it back down to under two pages. My master resume is currently at five pages. When I customize it to the job role it gets down to four pages, but I think I still need to cut that in half. Next role that I’m interested in, I’ll have to be brutal with my cuts. For the last few I have added a new section called “Applicable Qualifications” or “Applicable Experience” to try and highlight what makes me a potential candidate. We’ll see if that helps.

Ultimately, networking is still the best way to get in front of the hiring manager. I’ve gotten in front of one. Had the interview and then haven’t heard from them in about a week. This is unfortunately typical and disappointing. I’ve had enough of these that the behavior doesn’t bother me as much anymore. I’ve probably eliminated myself but it’d still be nice to be told that and given any feedback on what I’m lacking.

Entry 4 (some time later): More rejection letters have come in. I’ve gotten my resume down to two pages. I’m not sure the format is great but I like it and I’d like an organization that would want that kind of format. That’s me being naïve though and I’ll end up changing it. I want to make small tweaks just to see if I start getting more screening calls.

I did recently talk to someone else doing a job search and they said it was tough. They had read an article or something on reddit where someone had applied to 500 jobs, got 20 callbacks and two offers. I think it highlights the current state of the job market. It’s tough, but I feel like I’m starting to see more posts go up as people start ramping up for 2024.

To be continued…

Entry 5 (later): I got the rejection email from the place that had me do a one-way interview. I noticed it mentioned AI in the email and now I’m curious what that actually means for the hiring process.

Ignyte AI is the tool that was used for the screening. Looking it up there’s not a lot of information on it other than marketing material. Definitely something to explore in the future. Here are some links I found on it.

https://www.ignyteai.com/

https://huntscanlon.com/recruiting-platform-ignyte-ai-launches/

Entry 6 (Happy New Year!): I got a screening call set up for a position I applied for a few weeks ago. Hiring slows down during the holiday pretty significantly. Either the talent acquisition people are out or the hiring people are out or both. I’m hoping things pick up, though I expect I’ll continue to get rejection letters.

Entry 7 (busy): I’ve been focusing on getting podcast and blog posts produced and published so this has gone by the wayside a little bit. The screening call and interview with the hiring manager went well. I am set up for another interview with a panel of people and then a decision will be made. I have gotten more rejection letters, but I also recorded and published a really interesting podcast with Erin Barry from Code Red Partners.

I learned a couple of things from the conversation. As I suspected, it’s a weird time to be looking for a job. Networking is still king, but there are also some really crappy things that organizations do. They’ll put up a posting just to see what the market is like. There are also people just looking for keyword searches and not getting anywhere near your resume. One of the key points she made was not getting down on yourself as part of the process. There are a lot of factors that go into an opening that we just don’t see.

As part of another recording session I had, the guest pointed out to me that my LinkedIn page needed some work. I followed their recommendation around adding a banner and cleaning some other stuff up. Today I got a call from a recruiter for a director cybersecurity position in my area. Not sure it’s a great fit but the resume is off and we’ll see if we ever hear anything back.

Entry 8 (end of January): I just had a final interview for the one position that has progressed significantly. I’m still in for another position that I started the conversation in early December but it’s been very quiet. Talking with the hiring manager it sounds like a lot of internal politics and a question about remote work. The position is unfortunately up north and a region that is off limits for my family. I am still looking at job postings and applying to the ones I find interesting. I have also reached out to a recruiter about one position but haven’t heard back from them.

I like the idea of reaching out to recruiters and feel I should have done it before but I imagine some of them may not get back to me because they’re busy. I have seen encouraging signs though for the market with recruiters seeing there’s more jobs being posted. There are also more people getting back into the job market hunt so I would expect it’s still a competitive market. The place of my final interview is local. I have an advantage there because the discussion around relocation won’t be necessary.

Entry 9 (beginning of February): Shortly after my final interview for one position, I had another one start with a screening. That has progressed to another panel interview that I’m still waiting to hear back on. I still have not heard anything from the one I had a final interview on. I’m okay with that because I’m still in process on a couple of other things and I continue to find security awareness positions being posted. It seems to be a position that a lot more companies are looking at, and that hopefully means I can land in one. I haven’t really talked about it here, but security awareness is where I want to head with my career. Several years ago it was an add-on to GRC or other roles. I did it as a passion project, but there was never the thought of it being a full-time gig. I’m happy to see this because I have the experience, knowledge, and desire to be successful in this discipline. It’s now just a matter of convincing someone else I’m right for the job.

I will say the waiting is a bit frustrating. Even if things are being lined up, a yes or no would be fine with me because it allows me to adjust, and that’s something I’ll talk about more in a future blog post. I did have some progression on the first position where I’ve had some conversations. That’s actually shifted to a discussion on being a contractor and would significantly help me with continuing down the self-employed path.

One other item I want to talk about is using AI to prepare for an interview. I took the job description and information I got from the recruiter and had ChatGPT create me some interview questions. I then wrote the questions on one side of a notecard and my answers on the other. Then I practiced the question and answering the question out loud. This is something I’ve always done for interviews, but AI helped me create the questions a lot more easily and made them applicable to the questions I get assessed on. I had a technical assessment on the panel interview. I suck at technical questions in interviews. I always overthink them. I didn’t do great, but the idea that came from that experience was to use AI to practice for the technical assessment in an interview.

Entry 10 (later that week): Got a call this morning for one job and my salary requirements. Also got an email about not moving forward in another interview process because of the competitive talent pool. I’ll address both below.

Salary requirements are always an interesting thing for me. I am not a person that is motivated by money. I’ve reached all my financial goals and so the range I’m in now. I’ve been told I can go make 200k easily and have several peers that do. I don’t need that much money. The problem with telling people that though is that I get the sense they feel bad and then don’t give me the work I need to stay busy. So I’m in this weird balancing act of taking less money or making my requirements higher. I’m always willing to negotiate lower if it’s a position I’m interested in. I’m also very likely overthinking it.

It’s tough getting a notice that I won’t be moving on in a process or another candidate was selected. I got no feedback other than it was a competitive pool of candidates which I have no doubt there are. I was told salary was not a factor in the decision. This is the part where I need to remind myself that I may have interviewed well but the decision could have been any number of factors out of my control. Someone may have been referred. There may have been an internal candidate preferred. The process may have not been set up to allow me to shine properly. It could have been any number of things. I would have still liked to get more feedback because I want to improve but I’ve said the same thing to other candidates. I had multiple people and liked both and one just edged out the other for whatever reason. The one thing I knew I could have been better on was the technical assessment. I have played around with AI a bit and I think it would be very useful for practice for a technical assessment. I will have a future blog post on the topic.

Entry 11 (last one): I did get a job offer the next week and I’ve started the onboarding process, which is why I haven’t updated this post until now. I start next Monday and this post will be up shortly after I start. The onboarding process has been good. I think a lot of organizations have embraced automations and using platforms to onboard people. This is a good thing and it seems like I’m getting a lot of the stuff I need lined up ahead of time. I’ve also got my first day orientation schedule which is nice to have and know ahead of time.

I’m excited for this opportunity. I’ll be focusing on security awareness for my career, which is a role that wasn’t around a few years ago. Organizations seem to be taking security awareness a lot more seriously instead of it being just a checkbox. I’ve been doing security awareness at organizations as a passion project for years, so it’s nice to have a role where I can just focus on that. I’ll be writing more about it in other blog posts and probably talking about it on the podcast. While I have a full-time job now, I do plan to continue producing content on this site.

In Experiences Tags hiring, interviewing, job search, job postings, AI

Log log

Exploring Information Security - Change Log - March 1-7, 2024

March 8, 2024

This is a log of changes to the site over the last week.

Podcast posts:

Navigating the Currents of Open Source Intelligence: Insights From the Field - Micah Hoffman and Griffin Glynn join me to discuss OSINT.

ShowMeCon: Bypassing MFA with Shameer Amir - A ShowMeCon sponsored episode on bypassing MFA

Blog posts:
Charting a New Course Into Security Awareness at Acadia Healthcare - Thoughts on my new role

Other:

The podcast is now available on Spotify


In Website Tags website, change log

Exploring Information Security now available on Spotify!

Exploring Information Security Now Available on Spotify

March 8, 2024

Exploring Information Security is now on Spotify.

If you have other preferred platforms you listen to podcasts on let me know and I’ll submit the RSS feed there.

In Website Tags podcast

Security explorer heading into the security awareness field - Created by ChatGPT

Charting a New Course in Security Awareness at Acadia Healthcare

March 6, 2024

I have started a position as a Senior Specialist, Security Awareness and Training at Acadia Healthcare. I’m excited for this opportunity because it’s a role that’s only more recently started to get some traction. I’ve been doing security awareness activities at previous organizations as a part-time thing. I’m excited to get the opportunity to really focus on security awareness training. It’s something that has been seen as a checkbox for a lot of organizations. I think it can be more than that. I think it can help build a security culture and foster a security mindset at an organization, which results in a more secure organization.

I’ve been in a bit of a career transition the last 2-3 years. I’m not looking to get super technical. I’ve been in management and would probably be okay going back, but I don’t play the political game as well as others. Reflecting over these last few years, I discovered that I enjoyed educating others. It’s actually something I wanted to do since high school, but the only path I saw then was a high school teacher and I wasn’t really interested in leaving high school only to return shortly thereafter.

In the Navy I got the opportunity to go through instructor training and do some training while being an electronics technician. That led to me getting into the information technology field and eventually into security. At previous roles I’ve always either created content for distribution or presented internally. This past fall, I started looking for security awareness roles and found that several organizations were hiring for security awareness roles. This fit well with my desire to educate and where I was at in my career. I have a generalist background so I can speak to a variety of different fields within security.

I want to make security awareness interesting and impactful for an organization. Not just a checkbox. In my view I am here to foster and improve the security culture at the organization. To do that I’ll have to be creative and identify what engages people to think more about security. I’m excited for this challenge. I see people as the most complex systems in an organization.

I am going to continue to run Exploring Information Security (EIS) with a focus on security awareness. I believe this new role and EIS will complement each other well. Next week I am planning to post my job search log. As part of the job search I decided to put in entries documenting my progress and thoughts during the hiring process. I wanted to show others that the hiring process is stressful, even for someone with 22+ years of IT experience. It’s also changed significantly since I first got in the job market and I wanted to highlight some of those changes as well.

In Experiences Tags Career

Logs somewhere cold

Exploring Information Security - Change Log - February 22-29, 2024

March 1, 2024

This is a log of changes to the site over the last week.

New pages:

Zero Trust - Deep Dive - Getting deeper into Zero Trust

Podcast posts:

What cybersecurity tools every organization should have - Hacker Historian Mubix joins me to discuss useful tools for security

Blog posts:
Impressions from the 2024 Palmetto Cybersecurity Summit - Thoughts from last week's conference

7 Tips and Best Practices for Threat Modeling - Some of the tips and best practices I do to make threat modeling efficient and effective

Leveraging AI to Prepare for an Interview - My experience and some ideas around using AI to prepare for an interview




Leveraging AI to Ace Your Next Job Interview

February 29, 2024

In today's rapidly evolving job market, Artificial Intelligence (AI) has become more than just a buzzword—it's a tool that can provide a competitive edge in various aspects of life, including job hunting and interview preparation. As interviews become increasingly sophisticated, candidates are seeking innovative ways to prepare and stand out. I’ve recently gone through a few different interview processes and as part of that I leveraged AI to help do research and prepare for my interviews. Here's how AI can be your ally in acing your next job interview.

Understand the Role and Company

Before you even start preparing for the questions, it's crucial to have a deep understanding of the role you're applying for and the company behind it. AI-powered tools can analyze job descriptions, company websites, and news articles to provide a comprehensive overview of what the company values in its employees and what skills and experiences are critical for the role. This information can help tailor your interview responses to align with the company's culture and needs.

Personalized Practice Sessions

AI-driven interview preparation tools can simulate realistic interview scenarios tailored to the job you're applying for. These platforms use natural language processing to evaluate your answers, providing feedback on content, tone, clarity, and even body language in video-based practice sessions. This personalized feedback can help identify strengths to highlight and weaknesses to improve upon, making your preparation more focused and efficient.

I’ve taken the job description and my resume and put them into ChatGPT to help identify how my experience aligns with the role. I’ve also taken the job description and any other information about the interview I’ve been provided and asked ChatGPT to create practice questions. I then take those questions and practice saying out loud my responses. I found the interview questions to be pretty close to the real questions I got asked. The questions allowed me to think through how I would answer questions and lean on past experiences. While not an exact match it did afford me an opportunity to think through my experiences and apply those to similar questions.

If there is a technical aspect to the interview, AI can be used to prepare by getting quizzed on technical questions. Unfortunately, I didn’t think of this use case until after I had already gone through an interview that had technical questions in it. I struggled through those questions and did not move on. Had I prepared using AI, I would have been better prepared to answer those questions and had a better shot at moving on.

Enhancing Your Answers

AI doesn't just stop at practice; it can also help refine your answers. Tools like GPT (Generative Pre-trained Transformer) can suggest ways to structure your responses more effectively or creatively. Input your basic answer, and AI can enhance it, ensuring you communicate your thoughts coherently and compellingly. However, it's essential to keep your answers authentic to your experiences and voice; use AI as a tool for improvement, not a crutch. It’s also very important to say the responses out loud to understand how the responses will come off. Sometimes what’s in our head doesn’t sound as good when it’s said out loud.

Final Thoughts

As AI continues to transform the job market, its role in interview preparation is undeniable. By offering personalized feedback and enhancing responses, AI can be a valuable asset in your job search toolkit. However, it's important to remember that AI is a supplement, not a substitute, for genuine preparation. The goal is to use AI to enhance your authentic self, showcasing your skills, experiences, and personality in the best possible light.

Embrace AI as part of your interview preparation strategy, but keep the focus on your unique contributions and how you can add value to the company. With the right preparation and mindset, you can use AI not just to prepare for interviews but to excel in them.

This blog post was created with the help of ChatGPT.

