
I have the great opportunity to spend time with CSOs and IT executives to understand their cybersecurity concerns and help them map out a strategy for success. An increasingly common question I’ve been hearing is, “Does my organization need a threat intelligence team?” A dedicated team can be valuable: it can hunt for advanced attacks; profile never-before-seen malware, campaigns or adversaries; and really think like an attacker. However, the number of organizations with their own dedicated threat intelligence team is quite low today, and there are some very good reasons behind this trend.

In-house threat intelligence teams are rare because of the difficulty and cost of identifying and hiring qualified staff. In the grand scheme of things, cybersecurity itself is a relatively new industry, and the number of highly technical threat analysts is still low. The number of open security jobs is far greater than the number of candidates, something many of you experience on a daily basis when trying to fill your open positions. The pipeline is thin as well: most universities don’t offer a cybersecurity major, and many people currently pursuing computer science fields are not aware of the potential opportunity in front of them.

Today’s threat intelligence analysts learned what they know through hands-on work in related computing fields and/or years of experience on the IT frontlines. With threat intelligence analysts in short supply, the demand for their services keeps their salaries high and beyond the budgets of all but the largest organizations.

So my answer to the threat intelligence team question mentioned above usually consists of several more questions: What is your organization’s current security posture? Are you automatically preventing attacks before they can breach your network? Do you have an information security team, and do they have a proven workflow in place for handling a successful cyberattack? How are you protecting your organization’s intellectual property and high-value assets? Is your network properly segmented? If the answer to any of those questions is “no,” my advice to the customer is to get those issues addressed first, before they even begin to ponder the need for a dedicated threat intelligence team.

This isn’t to say that an organization doesn’t need threat intelligence; good intelligence plays an important role in defending against attacks. But for many organizations, the best way to get value from threat intelligence is by ensuring their security platforms can natively consume and enforce protections derived from it. When you exist in a world where attacks are generated at machine scale, you must ensure you can automate as much of the creation, sharing, ingestion and application of threat intelligence as possible. The desired end state is preventing the majority of attacks, identifying targeted threats, and ensuring your security staff has easy access to the intelligence and context to prioritize the most critical attacks for immediate action. Inherent in this is the belief that more data doesn’t always yield better security: you need the right intelligence, delivered in a simple way.

Once you have established a good baseline for your security posture, I would advise you to start considering how to build a threat intelligence team now. It will take time to identify the right people and secure the support you need to build the team. Think about the following guidelines as you move down this path:

Support From the C-Suite

The cost involved in building a threat intelligence team is so great that most boards of directors will need assurances that the work being done is truly necessary. I would advise any CSOs considering building a threat intelligence team to make sure they can translate the benefits of their threat intelligence team’s research in a way that clearly communicates its value to the board. For instance, you want to report out threats targeting your organization and industry, and make the link between highly technical indicators of compromise and business metrics. If the board isn’t able to understand the impact that not having a threat intelligence team will have on the bottom line, they’re less likely to see it as worth the cost.

Cybersecurity and Threat Intelligence Are Different Disciplines

Don’t expect to plug a cybersecurity specialist into the role of threat intelligence analyst, as the jobs require different skill sets. An example I use to illustrate the difference is scientists and engineers. Scientists, like threat intelligence analysts, spend much of their time researching a subject over time to learn its behavior, motivation and technique. They then publish their findings so others can apply that research in a practical way. Engineers, like cybersecurity specialists, apply the knowledge gained by scientists to the real world by building machines or writing code to produce the desired effect and then maintaining that machine or code over time. Be aware of the difference when staffing up your threat intel team. Not everyone in cybersecurity is meant to be a threat analyst and vice versa.

Good Intel Is Hard to Find

This is a topic I’ve addressed before, but there are a lot of different threat intelligence feeds available today and each of them claims to provide the best, most comprehensive intel on the latest cyberthreats. In an effort to make sure they don’t miss hearing about the latest threat, threat intelligence teams will subscribe to multiple intelligence feeds. But in the intelligence game, it’s quality, not quantity, that counts. The value of any threat intel is in its applicability to your network. For example, if your organization is responsible for cybersecurity at a large manufacturing facility, you need to be concentrating your threat intelligence spend on feeds that specifically track manufacturing cyberthreats. This will allow you to focus on the threats most likely to impact the organization, and it will free up the budget spent on unnecessary feeds for better use elsewhere.


Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.



SecurityWeek RSS Feed

A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Researcher Tim Strazzere, with help of his colleagues, analyzed the sample received practically directly from the target (who wished to remain anonymous), and discovered that the spyware:

  • Asks for practically every permission
  • Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lie low while the user is using the device, execute code, exfiltrate data, and so on.
  • Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).

What made him think that this might be the work of Hacking Team is the fact that the spyware contacts two IP addresses located in an address space used by previously known Hacking Team families.

The use of Italian in encrypted strings and SSL certificates is another circumstantial piece of evidence that seemed to point in that direction.

But two former Hacking Team employees and Citizen Lab researcher Bill Marczak believe that particular company was not involved in the creation of this malware.

The former analyzed the code and found it nothing like spyware samples developed by Hacking Team. The latter told Motherboard that the spyware’s infrastructure isn’t linked to Hacking Team’s – and he should know, as he’s been tracking it for a while.

But the SSL certificate used by one of the servers contains a string that might point to the real source: “Raxir”.


Raxir is the name of an Italian company, started in 2013 and housed at tech incubator “Citta’ Della Scienza” in Naples, Italy.

According to that description, the company develops software for investigations and intelligence gathering, and its software can only be used by government and law enforcement agencies.

Currently, it is only being used by those entities in Italy, as well as by the Second University of Naples (“Seconda Università degli Studi di Napoli”), but the “company has ties with Germany, and would like to reach foreign markets, and especially emerging economies/countries.”

According to Marczak’s findings – a server whose digital certificate contains the string “ProcuraNapoliRaxirSrv” – it seems that Raxir’s products are being used by the Naples office of the prosecutor.

Neither Hacking Team nor Raxir answered Motherboard’s request for comment on the matter.


Help Net Security

The Internet of Things (IoT) is an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data.

Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7]

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.

Mitigation

In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [8].
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take the following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[9]
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor TCP ports 23 and 2323 for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[10]
  • Look for suspicious traffic to TCP port 48101. Infected devices use port 48101 to report the vulnerable devices and credentials they find back to the threat actor, who then loads the malware onto those new victims.
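The two network indicators above can be turned into a simple detector. The following is an added example, not part of the US-CERT alert: it reads connection records, flags sources that probe Telnet on many hosts, flags internal hosts reporting to port 48101, and names the hosts that show both signs (probed, then reporting, then scanning others), which is exactly the pattern the mitigation steps above are written for. The log format, the sample lines, the 192.168.0.0/16 internal range and the threshold of five Telnet targets are all constructed assumptions for this example.

```python
from collections import defaultdict
import ipaddress

TELNET_PORTS = {23, 2323}        # Telnet ports the alert says to monitor
MIRAI_REPORT_PORT = 48101        # scan-result channel the alert says to watch
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed monitored range
SCAN_THRESHOLD = 5               # assumed: distinct Telnet targets before a source counts as a scanner

# Constructed sample log (not real traffic); fields: timestamp src sport dst dport proto.
# Story: an outside host probes Telnet on six internal devices; one of them then
# reports to 48101 and starts probing Telnet on other hosts itself.
SAMPLE_LOG = """\
2016-10-14T12:00:01 203.0.113.7 51230 192.168.1.10 23 tcp
2016-10-14T12:00:01 203.0.113.7 51231 192.168.1.11 23 tcp
2016-10-14T12:00:02 203.0.113.7 51232 192.168.1.12 2323 tcp
2016-10-14T12:00:02 203.0.113.7 51233 192.168.1.13 23 tcp
2016-10-14T12:00:03 203.0.113.7 51234 192.168.1.14 23 tcp
2016-10-14T12:00:03 203.0.113.7 51235 192.168.1.15 2323 tcp
2016-10-14T12:00:09 192.168.1.12 40022 198.51.100.9 48101 tcp
2016-10-14T12:00:10 192.168.1.20 40100 198.51.100.50 443 tcp
2016-10-14T12:00:11 192.168.1.21 55000 192.168.1.1 53 udp
2016-10-14T12:00:20 192.168.1.12 40030 203.0.113.40 23 tcp
2016-10-14T12:00:20 192.168.1.12 40031 203.0.113.41 23 tcp
2016-10-14T12:00:21 192.168.1.12 40032 203.0.113.42 2323 tcp
2016-10-14T12:00:21 192.168.1.12 40033 203.0.113.43 23 tcp
2016-10-14T12:00:22 192.168.1.12 40034 203.0.113.44 23 tcp
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return Telnet scanners, 48101 report beacons and hosts that show both signs."""
    telnet_targets = defaultdict(set)   # src -> distinct hosts it touched on 23/2323
    beacons = []                        # (internal src, external dst) pairs on 48101
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp":
            continue
        if rec["dport"] in TELNET_PORTS:
            telnet_targets[rec["src"]].add(rec["dst"])
        elif (rec["dport"] == MIRAI_REPORT_PORT
              and is_internal(rec["src"]) and not is_internal(rec["dst"])):
            beacons.append((rec["src"], rec["dst"]))

    scanners = {src: len(t) for src, t in telnet_targets.items() if len(t) >= scan_threshold}
    probed = set()
    for src in scanners:
        probed |= telnet_targets[src]
    beaconing = {src for src, _ in beacons}
    # A host that was probed on Telnet (or is itself scanning) and then reports to
    # 48101 is the pattern the alert describes: reboot it and change its credential.
    likely_compromised = sorted(h for h in beaconing if h in probed or h in scanners)
    return {
        "telnet_scanners": scanners,
        "internal_scanners": sorted(s for s in scanners if is_internal(s)),
        "report_beacons": beacons,
        "likely_compromised": likely_compromised,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An internal host appearing in `internal_scanners` is the strongest single signal: Mirai's propagation is outbound Telnet probing from already-infected devices, so that host should be disconnected, rebooted and re-credentialed in the order the Mitigation section gives, before it is reconnected.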


US-CERT Alerts

Like it or loathe it, email is here to stay. Despite the ubiquity of file sharing services like OneDrive and Google Docs, email remains a fast and convenient way for users to review, communicate and collaborate. Almost 25 years since the first email attachment was sent, businesses around the globe remain heavily dependent on using email to send their files. Indeed, according to research firm Radicati, business emails are set to reach 116.4 billion a day before the end of 2016.

It’s no wonder then, that email represents a major security threat vector. Because, as long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes. Cyber criminals have consistently proved adept at exploiting the ‘click first, think second’ behaviours of email-users, which have the potential to open the door to malware, or unintentionally expose the business to data loss.

Protecting the enterprise against such vulnerabilities is no easy task. Email threats aimed at exploiting risky user behaviours have evolved into highly sophisticated phishing and spam campaigns, targeted zero-hour attacks and data theft initiatives. But with 91% of hacks starting with a targeted email attack, organisations need to be certain that the actions they take will truly protect their users, data and assets.

Unfortunately, standard anti-virus (AV) software can only go so far, as a recent incident graphically illustrates. In August, a public domain AV signature provider wrongfully categorised all Microsoft .doc files as a virus. This led to a large number of legitimate Microsoft Word documents being blocked from transmission when they encountered an AV layer.

In order to maintain an acceptable balance between user productivity and user safety, many vendors took the decision to disable the piece of AV technology that was blocking documents affected by these false positives. This meant that documents could be transmitted to their intended recipients, where an AV system would have, in theory, defended users from malicious attachments.

It wasn’t long before cyber criminals picked up on this enticing opportunity and began creating malware files whose signatures changed and morphed in order to evade signature-based AV solutions. This resulted in a surge in the number of .doc files being transmitted over email – at which time our security analytics found that approximately 80% of the files were malicious.

It’s a sobering example of how criminals are constantly monitoring the security industry in an effort to find vulnerabilities and opportunities to exploit – in this case, the reduced security for .doc attachments. It also highlights why organisations need to use multiple layers of protection. Because in this case, the false positives ‘loophole’ meant there was a greater need for non-signature based defences.

Protecting the organisation against email-enabled attacks is no easy task when users across the enterprise are opening up hundreds of emails every day. But with hackers constantly on the look out for ways of working around signature-based technologies, businesses need to ensure their email security is one step ahead.

That means adopting multi-layered threat protection and prevention technologies alongside ‘good hygiene’ employee training and email best practices:

1. Advanced detection and intrusion prevention

Sandboxing is a valuable technical control that delivers a powerful line of defence. Scanning emails at the endpoint is a good start, but attachments should be scanned again before opening so that the files and URLs can be analysed. Ideally, all incoming mail should be automatically scanned in real time, with any suspicious attachments being forwarded to a cloud-based sandbox environment where they can be executed and thoroughly analysed to identify suspicious and malicious behaviour, so that only files that pass are forwarded to users. This sharply reduces the chance that sophisticated malware reaches a user, but it is not a guarantee: sandbox-aware samples can delay or suppress their payload when they detect analysis, which is why sandboxing belongs alongside the other layers below rather than in place of them.
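The .doc incident above shows why the pre-sandbox triage step should look at content rather than at file names: blocking or allowing every .doc by extension is what created the loophole. The following is an added example, not code from the article or its author, of a static triage stage that inspects each attachment's leading bytes and structure and returns a "deliver" or "sandbox" verdict. The message and its six attachments are constructed inline and are not real documents; the magic-byte check for VBA inside a legacy OLE file is a deliberately crude heuristic (a production filter would use a proper parser such as oletools), and the verdict labels are this example's own.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the container formats the filter recognises.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB: legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsm) and plain zips
RTF_MAGIC = b"{\\rtf"
PDF_MAGIC = b"%PDF-"

SCRIPT_OR_EXE = {"exe", "scr", "js", "jse", "vbs", "hta", "jar", "bat", "cmd", "ps1", "wsf"}
LEGACY_OFFICE = {"doc", "xls", "ppt"}
OOXML = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def sniff(data):
    """Identify the container from its leading bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def has_macros(kind, data):
    """Heuristic VBA check (assumption: production code would use a real OLE/OOXML parser)."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    if kind == "ole":
        # CFB directory entry names are UTF-16LE; a macro project lives in a _VBA_PROJECT stream.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage_attachment(filename, data):
    """Decide 'deliver' or 'sandbox' from content, not from the extension alone."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in SCRIPT_OR_EXE:
        return "sandbox", "executable or script extension"
    if ext in LEGACY_OFFICE and kind != "ole":
        return "sandbox", f".{ext} name but {kind} content"
    if ext in OOXML and kind != "zip":
        return "sandbox", f".{ext} name but {kind} content"
    try:
        if has_macros(kind, data):
            return "sandbox", "Office document carries a VBA project"
    except zipfile.BadZipFile:
        return "sandbox", "malformed zip container"
    return "deliver", "no static indicator"


def triage_message(raw):
    """Map each attachment name in a raw RFC 822 message to its (verdict, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_content()
        if isinstance(payload, str):  # text/* parts decode to str
            payload = payload.encode(part.get_content_charset() or "utf-8")
        results[name] = triage_attachment(name, payload)
    return results


def _fake_docx(with_macros):
    """Constructed minimal OOXML zip; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed")
    return buf.getvalue()


def build_sample_message():
    """Constructed message with six attachments; none of them is a real document."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Q3 documents"
    msg.set_content("Please review the attached files.")
    samples = {
        "report.doc": OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
        "invoice.doc": b"{\\rtf1\\ansi constructed}",      # RTF wearing a .doc name
        "notes.docx": _fake_docx(with_macros=True),
        "agenda.docx": _fake_docx(with_macros=False),
        "summary.pdf": b"%PDF-1.4\n%constructed\n",
        "photo.jpg.exe": b"MZ\x90\x00constructed",
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in triage_message(build_sample_message()).items():
        print(f"{name:15} {verdict:8} {reason}")
```

Only the two attachments with no static indicator are marked for delivery; everything else goes to the sandbox queue, so a signature outage for .doc files degrades to "more files sandboxed" rather than "all .doc files blocked" or "all .doc files allowed".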

2. Monitor unusual spikes in file transmissions

Minimising the fallout of a potential malware attack is a priority. That means gaining full visibility of any identified malware activity, so that infected users can be automatically quarantined to prevent malware from spreading within the network, or creating unwanted communications to the outside world.

3. End user education

Representing the enterprise’s first line of defence, the workforce needs to be educated about its responsibilities when it comes to protecting customer and colleague data. Often viewed by security experts as the weakest link, employees are a target for hackers who know there are specific times when people are most susceptible to attack – at the start or end of the day, when the pressure is on to ‘get out the door’ or ‘get stuff done’ – and who therefore send out bursts of phishing email early in the morning and late in the afternoon.

For this reason, training needs to be an ongoing endeavour during which staff members are trained on how to spot a suspicious email and what to do if they receive one. This isn’t a once a year task – employees need to be regularly updated with the latest threats and approaches used by cyber criminals.

4. Stay on top of version control

Installing the latest versions of operating systems, applications and email platforms should be an essential good housekeeping practice, as vendors regularly release security patches that can help reduce exposure to some attacks.

5. Limit user access to critical IT systems

More often than not, user devices and business-critical databases are located within the same internal network. This means that infected devices could potentially go about their malicious ways while remaining undetected for a long time. Segmentation is a very effective way for businesses to detect malicious activity and contain the fallout of any attack. Data leakage prevention starts with limiting what a compromised device can reach and collect.

Dealing with today’s modern and persistent email threats means reliance on antivirus protection or existing intrusion prevention systems is no longer enough. Today’s enterprise needs advanced threat detection technologies that not only detect targeted attacks, but provide sophisticated technical controls to detect and extract malware before it enters the organisation. Whether an organisation operates a cloud or on-premises email platform, email security is a multi-layered affair that involves taking a holistic approach to educating and protecting users and ensuring the enterprise network is constantly monitored and safe.


Help Net Security

BlackBerry and mobile security firm Zimperium have announced that Zimperium's zIPS threat protection system now integrates with the BlackBerry EMM, which comprises the Good Technology and BES12 enterprise mobility management (EMM) systems.

Because EMMs do not generally include protection against malware and hacker threats, users typically require a separate threat protection system to run with the mobility management system.

Following BlackBerry's purchase of Good Technology and Watchdox, "This is part of a continuing drive for us to provide a complete security solution for the mobile ecosphere," BlackBerry's CSO David Kleidermacher told SecurityWeek. "We do not believe that enterprises should have to shop around for bits and pieces of the solution, but should be able to come to a single supplier for a complete integrated solution."

zIPS is a behavioral analysis system. "We look at three areas," said John Michelsen, Zimperium's Chief Product Officer: "the device, the network, and the applications that run on the device." zIPS continuously monitors for aberrant behavior. "We're checking to see if there has been any exploitation or device tampering; whether there is a network attack in progress such as a man-in-the-middle attack or problems with SSL; or whether there is any malicious activity from any of the apps."

The process is 99% about behavior. "We're the only vendor in mobile," claimed Michelsen, "that had already discovered, had already detected, every fundamental device exploit -- whether it came over Safari payload in iOS, like Trident/Pegasus did; or whether it was StageFright, which was exploited by a maliciously crafted multi-media file sent to an Android device; or malicious apps that download and detonate on the device -- we are the only software that could detect every one of those before they were identified and disclosed."

But being able to detect malicious behavior does not in itself protect against that behavior. Consider ransomware -- detecting the encryption process and determining it is malicious is not enough; the process needs to be stopped immediately. While zIPS itself is primarily behavioral analysis, "There are a number of things we can do on the device immediately," said Michelsen. "We have a cloud-based configuration system called zConsole." It provides security teams with visibility across all devices; and it is where the admin defines what he wants zIPS to do in the event of bad behavior. 

"In many cases," he continued, "we have the ability to do lots of good things without any help from third party software. But it's not complete -- especially in the enterprise context." Here the enterprise will have sensitive data on the users' phones, including company information, company apps and company connectivity. Depending on what activity zIPS detects, the enterprise might for example want to remove the user's entitlement to SharePoint because the hacker could use the phone to read the entire SharePoint repository that the user is able to access. 

"So one of the things the enterprise will want to do that we cannot do ourselves is remove that entitlement. That's why," he added, "we integrate with the EMMs like BlackBerry, and why we integrate to ecosystems like Good. Good gives us the integration between the zIPS app and the Good Technology platform that allows us to trigger remediation immediately in the Good ecosystem."

zIPS has support for all of the major EMMs. The primary ones, said Michelsen, "are BES, AirWatch, Citrix and MobileIron -- with Microsoft improving." The advantage of working with BlackBerry is the market range it covers. "Good itself is not a management system per se," he added: "it's a containerization system." This is particularly attractive to companies that get privacy push back from staff -- Good co-exists on the user's device rather than takes over the management of that device. BES is more of an EMM. Customers, however, can have Good or BES; or both -- and zIPS integrates with whichever configuration.

Gartner recently rated BlackBerry as a top EMM solution currently available. If BlackBerry without zIPS was good, BlackBerry with zIPS is even stronger.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.



SecurityWeek RSS Feed

In this episode, we talk with Mike Tierney, who is the brand-new CEO at Veriato. In our conversation we talk through a primer on insider threat, and use the great example of hosting a dinner party.

Mike has loads of nuggets of wisdom from his experience and we're certain that if you're a seasoned insider threat professional, or just thinking about the topic and wondering if you can do anything to protect your company - this show will be a good primer for furthering your discussion and learning.

Listen in, comment and share with your colleagues! Our show is always safe for the office and educational.

Talk back! Use our Twitter hashtag #DtSR to discuss this episode, ask questions, or suggest other topics or guests for the future!

Direct download: DtSR_Episode_212_-_Insider_Threat_Primer.mp3
Category:Enterprise Security -- posted at: 12:00am CDT


Information Security Podcasts

</head><body id="readabilityBody"> </p> <p>%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè á’¼¸@hƒ &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:…œ@ASÑ? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì !tD`eåUªkkjêªkêð ê@Í7 QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "B+4R¤qo@peÕ\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" ¥DtjzÆÙ@¤b)R@ôôöójmm;×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp aå@q1€&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—</p> <p>hbàÛ‘ÉÎC‡xTì<:<9 ›8<em>< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° 
</em></p> </div> <p><a rel="nofollow" href="https://www.sans.org/reading-room/whitepapers/threathunting/threat-intelligence-is-effectively-37282">SANS Information Security Reading Room</a></p> <!-- /article-content --> </div> <div 
class="cleared"></div> </div> <div class="cleared"></div> </div> </div> <div class="romeo-box romeo-post post-1428 post type-post status-publish format-standard has-post-thumbnail hentry category-uncategorized tag-seriously tag-election tag-hack tag-takes tag-threat tag-u-s" id="post-1428"> <div class="romeo-box-body romeo-post-body"> <div class="romeo-post-inner romeo-article"> <div class="romeo-postmetadataheader"><h2 class="romeo-postheader"><a href="http://www.ineedachick.com/fbi-takes-threat-of-u-s-election-hack-seriously/" rel="bookmark" title="FBI Takes Threat of U.S. Election Hack ‘Seriously’">FBI Takes Threat of U.S. 
Election Hack ‘Seriously’</a></h2><div class="romeo-postheadericons romeo-metadata-icons"><span class="romeo-postdateicon"><span class="date">Published</span> <span class="entry-date" title="7:41 am">September 11, 2016</span></span> | <span class="romeo-postauthoricon"><span class="author">By</span> <span class="author vcard"><a class="url fn n" href="http://www.ineedachick.com/author/craig-butler/" title="View all posts by Craig Butler">Craig Butler</a></span></span></div></div><div class="avatar alignleft"><a href="http://www.ineedachick.com/fbi-takes-threat-of-u-s-election-hack-seriously/" title="FBI Takes Threat of U.S. Election Hack ‘Seriously’"><img width="68" height="40" src="http://www.ineedachick.com/wp-content/uploads/2016/09/picture-86-1.png" class="attachment-128x128 size-128x128 wp-post-image" alt="" title="FBI Takes Threat of U.S. Election Hack ‘Seriously’" /></a></div> <div class="romeo-postcontent"> <!-- article-content --> <div> <p><span class="c10"><strong>The FBI is taking "very seriously" the possibility a foreign country is trying to meddle with America's electoral process and even influence voting outcomes, the agency's director James Comey said Thursday.</strong></span></p> <p><span class="c10">US agencies, companies and individuals are frequently targeted by overseas hackers, and Democratic presidential nominee Hillary Clinton's campaign has accused Moscow of hacking into Democratic National Committee (DNC) emails.</span></p> <p><span class="c10">The recent breach of DNC data, along with other electronic intrusions, has raised concerns about cyber incidents that could affect the outcome of the US presidential race, or other contests.</span></p> <p><span class="c10">FBI agents "take very seriously the notion that a state actor is messing someway in our electoral process -- whether that is to disrupt, to influence, to sow discord, or to create doubt," Comey said at a Washington security summit, without specifically mentioning 
Russia.</span></p> <p><span class="c10">The FBI is "working very hard" to understand the size and scope of any hacking attempts, he said, but tried to reassure the public that the old-fashioned way of tallying ballots in many states protects them from hackers.</span></p> <p><span class="c10">"The actual vote counting in this country tends to be kind of clunky, in a way that's a blessing because it makes it more resilient," he said.</span></p> <p><span class="c10">Director of National Intelligence James Clapper on Wednesday said Russia hacks US computer networks "all the time."</span></p> <div class="author_content"> <div class="author_text"> <p>© AFP 2016</p></div> </div> <div class="author-terms"> <div class="terms"><strong>Tags:</strong> <ul class="links"> <li class="taxonomy_term_23 first">Cyberwarfare</li> <li class="taxonomy_term_33 last">NEWS & INDUSTRY</li> </ul> </div></div> </div> <p><a rel="nofollow" href="http://feedproxy.google.com/~r/Securityweek/~3/yTVcrX1K-Tw/fbi-takes-threat-us-election-hack-seriously">SecurityWeek RSS Feed</a></p> <!-- /article-content --> </div> <div class="cleared"></div> </div> <div class="cleared"></div> </div> </div> <div class="romeo-box romeo-post post-1178 post type-post status-publish format-standard hentry category-uncategorized tag-devices tag-increasing tag-infrastructure tag-mitigations tag-network tag-recommended tag-ta16250a tag-threat" id="post-1178"> <div class="romeo-box-body romeo-post-body"> <div class="romeo-post-inner romeo-article"> <div class="romeo-postmetadataheader"><h2 class="romeo-postheader"><a href="http://www.ineedachick.com/ta16-250a-the-increasing-threat-to-network-infrastructure-devices-and-recommended-mitigations/" rel="bookmark" title="TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations">TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations</a></h2><div class="romeo-postheadericons romeo-metadata-icons"><span class="romeo-postdateicon"><span class="date">Published</span> <span class="entry-date" title="6:39 am">September 8, 2016</span></span> | <span class="romeo-postauthoricon"><span class="author">By</span> <span class="author vcard"><a class="url fn n" href="http://www.ineedachick.com/author/drew/" 
title="View all posts by Drew">Drew</a></span></span></div></div> <div class="romeo-postcontent"> <!-- article-content --> <div id="ncas-content"> <h3>Systems Affected</h3> <div class="field field-name-field-alert-systems-affected field-type-text-long field-label-hidden field-items field-item even"> <p>Network Infrastructure Devices<br /> </p> </p></div> <h3>Overview</h3> <div class="field field-name-field-alert-overview field-type-text-long field-label-hidden field-items field-item even"> <p>The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.</p> <p>To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.<br /> </p> </p></div> <h3>Description</h3> <div class="field field-name-body field-type-text-with-summary field-label-hidden field-items field-item even"> <p>Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. 
Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.</p> <p>For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.</p> <h4>Proliferation of Threats to Information Systems</h4> <h4><em>SYNful Knock</em></h4> <p>In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. 
This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.</p> <p>The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.</p> <p>To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.</p> <p>The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.</p> <p>Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. 
For more information, please see Cisco's description of the evolution of attacks on Cisco IOS devices.</p> <h4><em>Cisco Adaptive Security Appliance (ASA)</em></h4> <p>A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.</p> <p>In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.</p> <p>It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.</p> <p>In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. 
Attackers may target vulnerabilities for months or even years after patches become available.</p> </p></div> <h3>Impact</h3> <div class="field field-name-field-alert-impact field-type-text-long field-label-hidden field-items field-item even"> <p>If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.</p> <p>Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.</p> <p>Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.<br /> </p> </p></div> <h3>Solution</h3> <div class="field field-name-field-alert-solution field-type-text-long field-label-hidden field-items field-item even"> <h4>1.    Segregate Networks and Functions</h4> <p>Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. 
A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.</p> <h5><em>Physical Separation of Sensitive Information</em></h5> <p>Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.</p> <h5>Recommendations:</h5> <ul> <li>Implement the principles of least privilege and need-to-know when designing network segments.</li> <li>Separate sensitive information and security requirements into network segments.</li> <li>Apply security recommendations and secure configurations to all network segments and network layers.</li> </ul> <h5><em>Virtual Separation of Sensitive Information</em></h5> <p>As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation, but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.</p> <h5>Recommendations:</h5> <ul> <li>Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.</li> <li>Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.</li> <li>Use VPNs to securely extend a host/network by tunneling through public or private networks.</li> </ul> <h4>2.    
Limit Unnecessary Lateral Communications</h4> <p>Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beachhead” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.</p> <h5>Recommendations:</h5> <ul> <li>Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.</li> <li>Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.</li> <li>Logically segregate the network using physical or virtual separation, allowing network administrators to isolate critical devices onto network segments.</li> </ul> <h4>3.    Harden Network Devices</h4> <p>A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. 
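</p>
<p>Most of the hardening items listed under this section can be checked mechanically against a device's running configuration. The Python script below is an added example for this page, not code from US-CERT or Cisco; the two configurations it inspects are constructed, and it assumes IOS-style syntax with one-space indented sub-commands and the IOS defaults under which CDP, IP source routing and the BOOTP server stay enabled until an explicit "no ..." line turns them off.</p>

```python
"""Audit an IOS-style running-config against the "Harden Network Devices"
recommendations of TA16-250A section 3.

Added example for this page, not code from US-CERT or Cisco. Assumes
IOS-style syntax with one-space indented sub-commands, and the IOS defaults
under which CDP, IP source routing and the BOOTP server stay enabled until
an explicit "no ..." line turns them off.
"""

# Constructed sample: a router left close to factory defaults.
WEAK_CONFIG = """\
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 transport input telnet ssh
line vty 5 15
 transport input all
"""

# Constructed sample: the same router after applying the section 3 items.
HARDENED_CONFIG = """\
enable secret REPLACE-WITH-STRONG-SECRET
service password-encryption
no ip http server
no ip source-route
no cdp run
no ip bootp server
snmp-server group OPS v3 priv
snmp-server user opsmon OPS v3 auth sha REPLACE-AUTH priv aes 128 REPLACE-PRIV
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
"""

BLOCK_HEADERS = ("line ", "interface ", "ip access-list ")


def parse_config(text):
    """Return (global_lines, sections); sections maps a block header such as
    'line vty 0 4' to the list of its indented sub-commands."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if line.startswith(BLOCK_HEADERS):
            current = line
            sections[current] = []
        else:
            current = None  # a plain global command ends any open block
    return global_lines, sections


def audit(text):
    """Return (recommendation, detail) findings; [] means all checks pass."""
    global_lines, sections = parse_config(text)
    present = set(global_lines)
    findings = []
    # Unencrypted remote admin (Telnet) and missing access lists on VTY lines.
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        for cmd in body:
            if cmd.startswith("transport input") and (
                    "telnet" in cmd or cmd.endswith(" all")):
                findings.append(("disable-unencrypted-remote-admin", f"{header}: {cmd}"))
        if not any(c.startswith("access-class") for c in body):
            findings.append(("acl-for-remote-admin", f"{header}: no access-class"))
    # Unnecessary services: HTTP, discovery protocol, source routing, BOOTP.
    if "ip http server" in present:
        findings.append(("disable-unnecessary-services", "ip http server"))
    for off_cmd, service in (("no cdp run", "CDP"),
                             ("no ip source-route", "IP source routing"),
                             ("no ip bootp server", "BOOTP server")):
        if off_cmd not in present:  # assumed on by default, see docstring
            findings.append(("disable-unnecessary-services", f"{service} at enabled default"))
    # SNMPv3 instead of community strings.
    for line in global_lines:
        if line.startswith("snmp-server community"):
            findings.append(("use-snmpv3-not-community-strings", line))
    # Strongest password protection available.
    if any(l.startswith("enable password") for l in global_lines):
        findings.append(("strongest-password-encryption", "enable password; use enable secret"))
    if "no service password-encryption" in present:
        findings.append(("strongest-password-encryption", "no service password-encryption"))
    return findings
```

<p>Running <code>audit(WEAK_CONFIG)</code> yields twelve findings spread across five of the recommendations, while <code>audit(HARDENED_CONFIG)</code> returns an empty list.</p>
<p>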
This guidance supplements the network security best practices supplied by vendors.</p> <h5>Recommendations:</h5> <ul> <li>Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).</li> <li>Disable unnecessary services (e.g., discovery protocols, source routing, HTTP, SNMP, BOOTP).</li> <li>Use SNMPv3 (or subsequent version) but do not use SNMP community strings.</li> <li>Secure access to the console, auxiliary, and VTY lines.</li> <li>Implement robust password policies and use the strongest password encryption available.</li> <li>Protect routers and switches with access lists that control remote administration.</li> <li>Restrict physical access to routers/switches.</li> <li>Back up configurations and store them offline. Use the latest version of the network device operating system and update with all patches.</li> <li>Periodically test security configurations against security requirements.</li> <li>Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.</li> </ul> <h4>4.    Secure Access to Infrastructure Devices</h4> <p>Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.</p> <h5>Recommendations:</h5> <ul> <li>Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. 
Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).</li> <li>Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.</li> <li>Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.</li> </ul> <h4>5.    Perform Out-of-Band Management</h4> <p>Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. 
OoB management provides security monitoring and can implement corrective actions without allowing an adversary who may have already compromised a portion of the network to observe these changes.</p> <p>OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.</p> <h5>Recommendations:</h5> <ul> <li>Segregate standard network traffic from management traffic.</li> <li>Ensure that management traffic reaches devices only over the OoB path.</li> <li>Apply encryption to all management channels.</li> <li>Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.</li> <li>Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.</li> <li>Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (SNMP, NTP, SSH, FTP, TFTP).</li> </ul> <h4>6.    Validate Integrity of Hardware and Software</h4> <p>Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. 
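</p>
<p>The hash-verification item among this section's recommendations is worth seeing in code, because the SYNful Knock description above explains why a size check alone is not enough: the implant overwrites legitimate functions in place and the image length never changes. The Python script below is an added example for this page, not code from US-CERT or any vendor; the image bytes, the in-place tampering routine and the manifest are constructed stand-ins, and in practice the manifest values come from the vendor's published hash database.</p>

```python
"""Verify network-device software images by hash, as recommended in
TA16-250A section 6 ("Perform hash verification ... against the vendor's
database").

Added example for this page, not code from US-CERT or any vendor. The image
bytes, the tampering helper and the manifest are constructed stand-ins; a
real manifest holds the size and hash the vendor publishes per image file.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a legitimate image: 16 KiB of deterministic bytes.
GOOD_IMAGE = bytes(range(256)) * 64


def overwrite_in_place(image, offset, patch):
    """Replace bytes without changing the length, mirroring the alert's
    description of SYNful Knock overwriting IOS functions to keep the size."""
    if offset + len(patch) > len(image):
        raise ValueError("patch runs past the end of the image")
    return image[:offset] + patch + image[offset + len(patch):]


# Constructed tampered copy: identical length, different content.
TAMPERED_IMAGE = overwrite_in_place(GOOD_IMAGE, 0x400, b"IMPLANT-" * 4)


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


def sha512_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed manifest in the shape a vendor hash database would supply.
VENDOR_MANIFEST = {
    "EXAMPLE-router-image.bin": {
        "size": len(GOOD_IMAGE),
        "sha512": sha512_hex(GOOD_IMAGE),
    },
}


def classify(name, size, digest_hex, manifest=VENDOR_MANIFEST):
    """Return 'ok', 'unknown-image', 'size-mismatch' or
    'hash-mismatch-size-unchanged'. The size test is only a cheap
    pre-check; the hash comparison is the authoritative one."""
    entry = manifest.get(name)
    if entry is None:
        return "unknown-image"
    if size != entry["size"]:
        return "size-mismatch"
    # compare_digest does not leak where the two hex strings first differ.
    if not hmac.compare_digest(digest_hex, entry["sha512"]):
        return "hash-mismatch-size-unchanged"
    return "ok"


def verify_image(name, data, manifest=VENDOR_MANIFEST):
    """Check an image held in memory (e.g. pulled off the device via SCP)."""
    return classify(name, len(data), sha512_hex(data), manifest)


def verify_file(path, name, manifest=VENDOR_MANIFEST):
    """Check an image already saved to disk, hashing it in chunks."""
    return classify(name, os.path.getsize(path), sha512_file(path), manifest)


if __name__ == "__main__":
    for label, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, len(img), verify_image("EXAMPLE-router-image.bin", img))
```

<p>Both images report the same length, and only the hash comparison tells them apart, which is the point of checking against the vendor's published values rather than file sizes or timestamps.</p>
<p>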
Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.</p> <h5>Recommendations:</h5> <ul> <li>Maintain strict control of the supply chain; purchase only from authorized resellers.</li> <li>Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.</li> <li>Inspect the device for signs of tampering.</li> <li>Validate serial numbers from multiple sources.</li> <li>Download software, updates, patches, and upgrades from validated sources.</li> <li>Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.</li> <li>Monitor and log devices, verifying network configurations of devices on a regular schedule.</li> <li>Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.</li> </ul> <table align="center" border="1" cellpadding="0" cellspacing="0" class="general-table c1"> <caption><strong>Shadow Broker Exploits</strong></caption> <thead> <tr> <th scope="col"><strong>Vendor</strong></th> <th scope="col"><strong>CVE</strong></th> <th scope="col"><strong>Exploit Name</strong></th> <th scope="col"><strong>Vulnerability</strong></th> </tr> </thead> <tbody> <tr> <td>Fortinet</td> 
<td>CVE-2016-6909</td> <td>EGREGIOUSBLUNDER</td> <td>Authentication cookie overflow</td> </tr> <tr> <td>WatchGuard</td> <td>CVE-2016-7089</td> <td>ESCALATEPLOWMAN</td> <td>Command line injection via ipconfig</td> </tr> <tr> <td>Cisco</td> <td>CVE-2016-6366</td> <td>EXTRABACON</td> <td>SNMP remote code execution</td> </tr> <tr> <td>Cisco</td> <td>CVE-2016-6367</td> <td>EPICBANANA</td> <td>Command line injection remote code execution</td> </tr> <tr> <td>Cisco</td> <td>N/A</td> <td>BENIGNCERTAIN/PIXPOCKET</td> <td>Information/memory leak</td> </tr> <tr> <td>TOPSEC</td> <td>N/A</td> <td>ELIGIBLEBACHELOR</td> <td>Attack vector unknown, but has an XML-like payload<br />beginning with <code>&lt;?tos length="001e.%8.8x"?&gt;</code></td> </tr> <tr> <td>TOPSEC</td> <td>N/A</td> <td>ELIGIBLEBOMBSHELL</td> <td>HTTP cookie command injection</td> </tr> <tr> <td>TOPSEC</td> <td>N/A</td> <td>ELIGIBLECANDIDATE</td> <td>HTTP cookie command injection</td> </tr> <tr> <td>TOPSEC</td> <td>N/A</td> <td>ELIGIBLECONTESTANT</td> <td>HTTP POST parameter injection</td> </tr> </tbody> </table> <p> </p> </p></div> <h3>References</h3> <div class="field field-name-field-alert-references field-type-link-field field-label-hidden clearfix"> <ul class="field-items"> <li class="field-item even">Cisco SYNful Knock Security Advisory</li> <li class="field-item odd">Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software</li> <li class="field-item even">Cisco Evolution of Attacks on Cisco IOS Devices</li> <li class="field-item odd">Cisco IOS Software Integrity Assurance</li> <li class="field-item even">Information Assurance Advisory NO. IAA U/OO/802097-16 Mitigate Unauthorized Cisco ROMMON</li> <li class="field-item odd">Information Assurance Advisory NO. 
IAA U/OO/802488-16 Vulnerabilities in Cisco Adaptive Security Appliances</li> <li class="field-item even">Information Assurance Directorate Network Mitigations Package – Infrastructure</li> </ul> </div> <h3>Revisions</h3> <div class="field field-name-field-alert-revision-history field-type-text field-label-hidden clearfix"> <ul class="field-items"> <li class="field-item even">September 6, 2016: Initial release</li> </ul> </div> <p class="privacy-and-terms">This product is provided subject to this Notification and this Privacy & Use policy.</p> </p></div> <p><a rel="nofollow" href="http://www.us-cert.gov/ncas/alerts/TA16-250A">US-CERT Alerts</a></p> <!-- /article-content --> </div> <div class="cleared"></div> </div> <div 
class="cleared"></div> </div> </div> <div class="romeo-box romeo-post post-890 post type-post status-publish format-standard has-post-thumbnail hentry category-crime tag-both tag-ransomwareasaservice tag-real tag-scam tag-shark tag-threat" id="post-890"> <div class="romeo-box-body romeo-post-body"> <div class="romeo-post-inner romeo-article"> <div class="romeo-postmetadataheader"><h2 class="romeo-postheader"><a href="http://www.ineedachick.com/shark-ransomware-as-a-service-a-real-threat-a-scam-or-both/" rel="bookmark" title="Shark Ransomware-as-a-Service: A real threat, a scam, or both?">Shark Ransomware-as-a-Service: A real threat, a scam, or both?</a></h2><div class="romeo-postheadericons romeo-metadata-icons"><span class="romeo-postdateicon"><span class="date">Published</span> <span class="entry-date" title="4:45 pm">August 16, 2016</span></span> | <span class="romeo-postauthoricon"><span class="author">By</span> <span class="author vcard"><a class="url fn n" href="http://www.ineedachick.com/author/ajith/" title="View all posts by Ajith">Ajith</a></span></span></div></div> <div class="romeo-postcontent"> <!-- article-content --> <div> <p>A new Ransomware-as-a-Service project has sprung up, and the “service providers” are allowing others to use it for free, but take a 20 percent cut out of every ransom that gets paid by the victims. 
The ransomware is called Shark.</p> <p><img src="http://www.ineedachick.com/wp-content/uploads/2016/08/shark-project-webpage.jpg" class="aligncenter" alt="Shark Ransomware-as-a-Service project" title="OPIS"/></p> <p>According to security researcher David Montenegro and Bleeping Computer, the project’s site is accessible to anyone who knows the address, not just to Tor users. It’s a simple WordPress site from which would-be criminals can download a .zip file containing the ransomware configuration builder (<em>Payload Builder.exe</em>), a warning note (<em>Readme.txt</em>), and the ransomware executable (<em>Shark.exe</em>).</p> <p>They are instructed to use the configuration builder to choose which folders and files the ransomware will encrypt, which country’s users to target, and the amount of money they will ask of the victims, and to enter an email address to which a notification will be sent when the payload infects a machine.</p> <p>“When the configuration is entered, a base64 version of the configuration will be generated. This code is then used as an argument to Shark.exe to specify the custom configuration that should be used,” Lawrence Abrams explains.</p> <p>The Bitcoin address to which the payment will go is that of the original malware authors, who are supposed to take their 20 percent and forward the rest to the crooks who distribute this custom-made version of it.</p> <p>Whether they actually keep their side of the bargain is still unknown.</p> <p>“Taking into account that Shark’s promotional campaign was based on spamming and getting banned from underground hacking forums like Megatop, this looks more like a scam than anything else, with some crook trying to fool cybercrime newcomers into distributing his malware and keeping all the profits,” Softpedia’s Catalin Cimpanu pointed out.</p> <p>The payload created through the builder seems to be working as promised. 
It encrypts files with the chosen file extensions and adds the <em>.locked</em> extension to the encrypted versions of the files. Malware researchers will hopefully soon create a decryption tool that will reverse that action.</p> <p>In the meantime, the ransomware is obviously not “undetectable by AV” as the authors claim. Symantec has added detection for it to its products, and they sure won’t be the only ones.</p> </p></div> <p><a rel="nofollow" href="http://feedproxy.google.com/~r/HelpNetSecurity/~3/ngOHQV_M2Hc/">Help Net Security</a></p> <!-- /article-content --> </div> <div class="cleared"></div> </div> <div class="cleared"></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>