security

the state of cyber security in 2020

let’s get an overview of the actual threats in 2020 – especially regarding spamming, phishing, whaling, vishing, etc.

30,000% increase in #COVID19 threats

The Evil Internet Minute 2020

as Jack Johnson already sang “Well I was sitting, waiting, pishing” … *just kidding*

phishing

is the primary way malicious actors trick people into downloading malware, which ultimately can allow attackers to access their organization’s network and steal sensitive corporate data

alongside COVID-19, phishing rose in importance and is still growing

since then google has added proactive monitoring for COVID-19 related malware and phishing – 63% of the malicious docs are blocked, and more than 100 million phishing emails per day are blocked with machine learning

Safari/iOS

its Safe Browsing feature also uses Google, but be aware that “These safe browsing providers may also log your IP address”


chrome

since a hyperlink doesn’t always lead where its visible text says, often pointing to another website URL

<a href='https://attack.com'>https://safe.com</a>

chrome is experimenting with making spoofs easier to spot, so users can determine the identity and authenticity of a site @blog
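the link above is the classic trick: the visible text is a trustworthy looking URL, the href is not – a mail gateway or browser extension can catch exactly this mismatch. the following is an added example (not from the post, not chrome’s code): it parses the anchors of a constructed mail body with python’s standard library and reports every link whose visible text looks like a URL on a different site than the href; the two-label `_registrable` helper is a simplification that ignores multi-label public suffixes such as co.uk

```python
"""Flag hyperlinks whose visible text looks like a URL but whose href points elsewhere.
Added example (not from the original post); the sample mail body is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text "looks like a URL" if it is a bare hostname or an http(s) URL.
_URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#:].*)?$", re.I)


def _host(text: str) -> str:
    """Return the lower-cased host of a URL or bare hostname ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: no multi-label public suffixes (co.uk etc.)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return (href, text) pairs where the text looks like a URL on another site than href."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        if not _URL_LIKE.match(text):
            continue  # plain words like "help center" carry no URL claim to check
        if _registrable(_host(href)) != _registrable(_host(text)):
            suspicious.append((href, text))
    return suspicious


# Constructed sample: one spoofed link, one honest link, one plain-text link.
SAMPLE_MAIL = """
<p>Your account will be suspended. Verify at
<a href='https://attack.com'>https://safe.com</a> or visit
<a href="https://www.safe.com/login">safe.com/login</a> and the
<a href="https://safe.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_MAIL):
        print(f"MISMATCH: shows {text!r} but links to {href!r}")
```

the check deliberately stays silent on links whose text is ordinary words; those need the reputation checks chrome and google safe browsing do, not a text comparison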

android

an example: an android app offers a coronavirus safety mask but delivers an SMS trojan @zscaler

machine learning

“ML is rapidly becoming core to organizations’ value propositions (with a projected annual growth rate of 39% for ML investments in 2020)” and it’s only natural that organizations invest in protecting their crown jewels – cyberattacks will further utilize Artificial Intelligence (AI) @Microsoft Digital Defense Report

spear phishing vs. whaling

more targeted, with a reference to a company, project or proposal – while whaling targets CEOs, CFOs and other executives to gain access or steal bitcoin, with a reported success rate of up to 90% – even from attackers that are “not extremely technically advanced” @decrypt

new domains aren’t blocked and look as if they belong to the corporation @zscaler

vishing

“criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information” – targeting remote workers with social engineering and a fake VPN page, the FBI warns in an advisory

ransomware

it has been sneaking into our world at a remarkable rate, with a huge increase in the daily average of ransomware attacks compared to the first half of the year – in parallel malware is 39% down overall … “but trending upward”

Denial of Service

25% increase during the pandemic lockdown – an unprecedented number of shorter, faster, more complex attacks – hidden impact: they consume paid bandwidth & throughput

stay secure and healthy – both private and business

… use 2-Factor-Authentication

security

switch to modern authentication – sms as second factor is insecure

not only since twitter ceo jack dorsey was a victim with additional sms authentication activated for his account – now twitter has “temporarily” disabled the ability to tweet via sms

…that phone numbers and sms’s were not designed to be used as two-factor authentication systems, as they are insecure.

Fabio Assolini, Senior Security Researcher at Kaspersky Lab, TechRadar Middle East

sim swapping is a technique of porting the same phone number to a new sim card held by someone else – instead use features like oauth (already developed in 2006); modern uem solutions or casb take care of this by checking additional properties, like managed apps or encrypted devices > further secure alternatives below

multi-factor authentication
security, technology

cookbook: have I been breached or leaked?

… again 620 million accounts were stolen – it is all about your data – in the digitalisation it defines who you are – who do you trust? – the following assists you in checking whether you got pwned and should raise awareness


leaked

accounts monitored and collected in this database
=>> https://hacked-emails.com/


check

if you got pwned, enter your email address

=>> https://haveibeenpwned.com/

dns

leak transparently exposes your traffic =>> https://www.dnsleaktest.com/

tracking

of your browser analyses your behavior; a quick test whether your browser is safe against tracking
=>> https://panopticlick.eff.org/

bad passwords

still common in 2019 – is your password listed here? change it!
=>> https://www.prweb.com

read more about secure authentication and multi factor

tips

to be completely anonymous online
=>> https://www.csoonline.com

apple, security

apple adds more barriers to increase security

as far as known from the ios 12.2 beta, there are several improvements/changes, at least regarding the user’s security

enroll here: beta.apple.com

ssl security

not just since edward snowden, chelsea manning and others leaked information – your data matters – apple adds a noticeable change in safari when browsing webpages that are not secure

@ios.gadgethacks.com

read more about ssl strip @wifi security today and attack vectors

profile installation

profiles on ios devices mean everything in the enterprise; to enroll a private user’s device in an emm system it is necessary to manually install the ios mdm profile – before ios 12.2 the profile popped up for installation – beginning with the new release, after successful authentication with the emm the ios profile is downloaded and the user needs to manually navigate to settings and select to install the profile

motion data

the new motion & orientation access setting is toggled off by default, so a webpage is unable to get accelerometer and gyroscope data from the iPhone – test it at the What Web Can Do Today website with the iOS 12.2 beta

ios13 should be available in about 4 months

security

virtual smart card

… for desktops/laptops a physical smartcard inserted in the device provides additional security; the user just needs to unlock the smartcard with a pin, without the need to know their password – in times of mobile devices it is possible to attach such smartcards with adapters, but with a bad user experience

derived credentials ensure compliance with HSPD12 / FIPS 201 personal identity verification (piv) requirements

a derived credentials provider, e.g. entrust, provides an overview of the integration into the infrastructure and the enrollment of trusted certificates with a modern emm system


citrix provides an easy way to securely authenticate at the workspace app for emm trusted devices: better usability and higher security

download: NCCoE released the second draft version of the NIST cybersecurity practice guide SP 1800-12, derived piv credentials (attached):

apple, google, innovation, technology

qr code & share wifi

in business it is quite common to use qr codes to optimize processes – in private this feature is rarely adopted, but …

read more: enterprise features of android pie

qr code

often used to link webpages, promote sales offers or share contacts – different styles, colors or even logos are possible …


… but it gets complicated if you don’t know how to scan the code and first need to download a qr code reader app – since ios11 apple added the native function to scan qr codes with the camera app – some android devices have a qr code reader pre-installed, others need to download one from the app store

wifi qr code

enterprises face other challenges to securely authenticate and trust devices

read more: wifi security today and attack vectors

friends often request to join your private wifi – tell them the password? no – let them type your 12diget&complex$pezialC4ract3r password? maybe not

create a qr code of your wifi incl. password with services like qifi; your friends “simply” need to scan the code

tested: on ios since ios11 it is working pretty easily, android devices with a pre-installed qr code reader need to find the right app, but even my huawei ai powered camera is unable to recognize the qr code

update: since ios12 it is possible to add a qr code scanner to control center, accessible from the lock screen, and qr codes are highlighted in the camera while scanning
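what such a wifi qr code actually carries is a short text record in the ZXing `WIFI:` format, and the password is in it in plaintext – which is the whole point for your friends and also the reason a photo of the sticker equals the password. the following is an added example (not from the post and not qifi’s code): it builds the record including the backslash escaping that services like qifi apply to `\ ; , : "` in the ssid and password, and parses it back, so you can check what a scanner would see; the credentials are constructed

```python
"""Build and parse the WIFI: payload that wifi qr codes carry.
Added example (not from the original post or from qifi); sample credentials are constructed."""

# Characters with a special meaning in the WIFI: record must be backslash-escaped.
_SPECIAL = '\\;,:"'


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def build_wifi_payload(ssid: str, password: str, security: str = "WPA", hidden: bool = False) -> str:
    """Return the text a wifi qr code encodes, e.g. WIFI:T:WPA;S:home;P:secret;;
    security is WPA (also used for WPA2/WPA3 personal), WEP or nopass (open network)."""
    if security not in ("WPA", "WEP", "nopass"):
        raise ValueError("security must be WPA, WEP or nopass")
    fields = [f"T:{security}", f"S:{_escape(ssid)}"]
    if security != "nopass":
        fields.append(f"P:{_escape(password)}")  # the password travels in plaintext
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_payload(payload: str) -> dict:
    """Inverse of build_wifi_payload: undo the escaping and split the record into fields."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):-2]
    fields, current, i = [], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):  # escaped character: keep it literally
            current.append(body[i + 1])
            i += 2
            continue
        if c == ";":  # an unescaped ';' terminates a field
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(c)
        i += 1
    if current:
        fields.append("".join(current))
    result = {}
    for field in fields:
        key, _, value = field.partition(":")
        result[key] = value
    return result


if __name__ == "__main__":
    # Constructed credentials with every special character in play.
    record = build_wifi_payload('Cafe "Zum Tor"', 'pa;ss:wo,rd\\', "WPA", hidden=True)
    print(record)
    print(parse_wifi_payload(record))
```

a separate guest network (see the “be aware” notes further down) is the right place for such a code: whoever copies it gets internet access, not your nas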


ios share wifi

since ios11 apple has also offered a feature to share the wifi password between two ios devices; provided you have an ios device, there are some requirements to be met

  • both ios devices need ios11 or newer installed
  • both ios devices need wifi and bluetooth enabled
  • your ios device must be actively connected to the wifi that the other device wants to join
  • both ios devices need physical proximity to each other
  • you must have each other in your contacts list

be aware

  1. that trusted devices inside your network may access your private services (sonos) or unsecured storage (nas) – better set up a separate guest wifi with access to the internet only
  2. that shared passwords get synced to google backup or icloud backup
technology

secure private cloud

secure your private data as securely as enterprises do – accessing a synology nas for private use or small and medium-sized businesses

authentication

enable for admin and other sensitive accounts the 2-step verification – read more @multi-factor authentication


dns

add some kind of dynamic dns service to access your changing public ip address like dyndns, changeip, strato, etc.


certificate

a secure encrypted connection should be mandatory, at least since edward snowden leaked information about the “security” agencies

  1. redirect traffic from http to encrypted https – be aware of public wifi, read more about ssl strip @attack vectors
  2. add a publicly trusted certificate to your system; letsencrypt.org provides free certificates – request one via the control panel of your synology


firewall

activate port forwarding for the vpn connection to your nas/vpn server


vpn

to access private data remotely, configure the vpn settings of your devices or download an app, and enter your external ip address or fully qualified domain name


additionally you can add higher security if you authenticate via a certificate from your device – read more @blog.centurio

profile

create a vpn profile in apple configurator with your account information and connection secret, then send it to your apple devices


we’re done


technology

everything just cloud

from bad weather to increased productivity – a pamphlet for the cloud

  • flexibility – easy to set up, scalable according to your requirements, highly available
  • technology – hosted private or public, a mix of both as hybrid or as community cloud
  • security – encryption, access control, access rights, identity management

a service can be as secure or reliable as possible – in the end it is all about trust

pictured from faz

a cloud access security broker (casb) is state of the art technology to provide security where trust is missing, e.g. mobileiron access ensures secure access of trusted devices from mobile to cloud services


security

better veil mit privacy

veil is a system to make private browsing more private – wang, an mit graduate student, said:

…the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it…

it doesn’t require any modification of the browser, because it doesn’t rely on browsers – a compiler creates a veil version of a site

MIT’s veil was presented at the Network and Distributed System Security Symposium, or read about it at MIT News

general

then and now

smartphones changed the way we live, work and communicate, but not everything changed …


this survey gives a detailed insight into the usage of smartphones, feelings around mobile devices and their impact in surprising ways, read it here


many of us spend more than three hours a day on our phones

controversial – there is an unwritten etiquette guide of rules on when not to use a smartphone

nevertheless – working with mobile devices increases productivity while an emm system maintains the required security; some examples out of thousands are:

lidl, claas, va