Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Notepad had a serious security hole for over 20 years. Microsoft has now patched it

Zive.cz - security - 21 August 2019 - 07:00
A serious security hole has been uncovered in Notepad, one of the simplest applications included in the basic software of the Windows operating systems. It was discovered by Google Project Zero expert Tavis Ormandy and subsequently confirmed by Microsoft. According to the published information, it was possible to ...
Category: Hacking & Security

Microsoft Offers $30K Rewards For Chromium Edge Beta Flaws

Threatpost - 20 August 2019 - 23:27
Microsoft released the beta of its new Chromium-based Edge - and it is offering rewards of up to $30,000 for researchers to hunt out vulnerabilities in the browser.
Category: Hacking & Security

Fortnite Ransomware Masquerades as an Aimbot Game Hack

Threatpost - 20 August 2019 - 22:29
Attackers are taking aim at Fortnite's global community of 250 million gamers.
Category: Hacking & Security

iOS 12.4 jailbreak released after Apple 'accidentally un-patches' an old flaw

The Hacker News - 20 August 2019 - 21:30
A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time—thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.
Category: Hacking & Security

Use This Privacy Tool to View and Clear Your 'Off-Facebook Activity' Data

The Hacker News - 20 August 2019 - 21:29
Well, here we have great news for Facebook users, which is otherwise terrible for marketers and publishers whose businesses rely on Facebook advertisement for re-targeted conversions. Following the Cambridge Analytica scandal, Facebook has taken several privacy measures in the past year with an aim to give its users more control over their data and transparency about how the social
Category: Hacking & Security

How to Prepare for Misconfigurations Clouding the Corporate Skies

Threatpost - 20 August 2019 - 21:25
With cloud misconfigurations rampant in cloud storage and IaaS environments, adding security layers to identify them is crucial for securing sensitive data.
Category: Hacking & Security

How Google adopted BeyondCorp: Part 2 (devices)

Google Security Blog - 20 August 2019 - 18:11
Posted by Matt McDonald, Software Engineer, and Sebastian Harl, Software Engineer

Intro

This is the second post in a series of four, in which we set out to revisit various BeyondCorp topics and share lessons that were learnt along the internal implementation path at Google.

The first post in this series focused on providing necessary context for how Google adopted BeyondCorp. This post will focus on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. Device management provides both the data and the guarantees required for making access decisions, by securing the endpoints and providing additional context about them.

How do we manage devices?

At Google, we use the following principles to run our device fleet securely and at scale:
  • Secure default settings at depth with central enforcement
  • Ensure a scalable process
  • Invest in fleet testing, monitoring, and phased rollouts
  • Ensure high quality data
Secure default settings

Defense in depth requires us to layer our security defenses such that an attacker would need to pass multiple controls in an attack. To uphold this defensive position at scale, we centrally manage and measure various qualities of our devices, covering all layers of the platform:
  • Hardware/firmware configuration
  • Operating system and software
  • User settings and modifications
We use automated configuration management systems to continuously enforce our security and compliance policies. Independently, we observe the state of our hardware and software. This allows us to determine divergence from the expected state and verify whether it is an anomaly.

Where possible, our platforms use native OS capabilities to protect against malicious software, and we extend those capabilities across our platforms with custom and commercial tooling.

Scalable process

Google manages a fleet of several hundred thousand client devices (workstations, laptops, mobile devices) for employees who are spread across the world. We scale the engineering teams who manage these devices by relying on reviewable, repeatable, and automated backend processes and minimizing GUI-based configuration tools. By using and developing open-source software and integrating it with internal solutions, we reach a level of flexibility that allows us to manage fleets at scale without sacrificing customizability for our users. The focus is on operating system agnostic server and client solutions, where possible, to avoid duplication of effort.

Software for all platforms is provided by repositories which verify the integrity of software packages before making them available to users. The same system is used for distributing configuration settings and management tools, which enforce policies on client systems using the open-source configuration management system Puppet, running in standalone mode. In combination, this allows us to easily scale infrastructure and management horizontally as described in more detail and with examples in one of our BeyondCorp whitepapers, Fleet Management at Scale.

All device management policies are stored in centralized systems which allow settings to be applied both at the fleet and the individual device level. This way policy owners and device owners can manage sensible defaults or per-device overrides in the same system, allowing audits of settings and exceptions. Depending on the type of exception, they may either be managed self-service by the user, require approval from appropriate parties, or affect the trust level of the affected device. This way, we aim to guarantee user satisfaction and security simultaneously.

Fleet testing, monitoring, and phased rollouts

Applying changes at scale to a large heterogeneous fleet can be challenging. At Google, we have automated test labs which allow us to test changes before we deploy them to the fleet. Rollouts to the client fleet usually follow multiple stages and random canarying, similar to common practices with service management. Furthermore, we monitor various status attributes of our fleet which allows us to detect issues before they spread widely.

High quality data

Device management depends on the quality of device data. Both configuration and trust decisions are keyed off of inventory information. At Google, we track all devices in centralized asset management systems. This allows us to not only observe the current (runtime) state of a device, but also whether it’s a legitimate Google device. These systems store hardware attributes as well as the assignment and status of devices, which lets us match and compare prescribed values to those which are observed.

Prior to implementing BeyondCorp, we performed a fleet-wide audit to ensure the quality of inventory data, and we perform smaller audits regularly across the fleet. Automation is key to achieving this, both for entering data initially and for detecting divergence at later points. For example, instead of having a human enter data into the system manually, we use digital manifests and barcode scanners as much as possible.

How do we figure out whether devices are trustworthy?

After appropriate management systems have been put in place, and data quality goals have been met, the pertinent security information related to a device can be used to establish a "trust" decision as to whether a given action should be allowed to be performed from the device.

[Figure: High-level architecture for BeyondCorp]

This decision can be most effectively made when an abundance of information about the device is readily available. At Google, we use an aggregated data pipeline to gather information from various sources, which each contain a limited subset of knowledge about a device and its history, and make this data available at the point when a trust decision is being made.
Various systems and repositories are employed within Google to perform collection and storage of device data that is relevant to security. These include tools like asset management repositories, device management solutions, vulnerability scanners, and internal directory services, which contain information and state about the multitude of physical device types (e.g., desktops, laptops, phones, tablets), as well as virtual desktops, used by employees at the company.

Having data from these various types of information systems available when making a trust decision for a given device can certainly be advantageous. However, challenges can present themselves when attempting to correlate records from a diverse set of systems which may not have a clear, consistent way to reference the identity of a given device. The challenge of implementation has been offset by the gains in security policy flexibility and improvements in securing our data.

What lessons did we learn?

As we rolled out BeyondCorp, we iteratively improved our fleet management and inventory processes as outlined above. These improvements are based on various lessons we learned around data quality challenges.

Audit your data ahead of implementing BeyondCorp

Data quality issues and inaccuracies are almost certain to be present in an asset management system of any substantial size, and these issues must be corrected before the data can be utilized in a manner which will have a significant impact on user experience. Having the means to compare values that have been manually entered into such systems against similar data that has been collected from devices via automation can allow for the correction of discrepancies, which may interrupt the intended behavior of the system.

Prepare to encounter unforeseen data quality challenges

Numerous data incorrectness scenarios and challenging issues are likely to present themselves as the reliance on accurate data increases. For example, be prepared to encounter issues with data ingestion processes that rely on transcribing device identifier information, which is physically labeled on devices or their packaging, and may incorrectly differ from identifier data that is digitally imprinted on the device.

In addition, over-reliance on the assumed uniqueness of certain device identifiers can sometimes be problematic in the rare cases where conventionally unique attributes, like serial numbers, appear more than once in the device fleet (this can be especially exacerbated in the case of virtual desktops, where such identifiers may be chosen by a user without regard for such concerns).

Lastly, routine maintenance and hardware replacements performed on employee devices can result in ambiguous situations with regard to the "identity" of a device. When internal device components, like network adapters or mainboards, are found to be defective and replaced, the device's identity can change into a state which no longer matches the known inventory data if care is not taken to correctly reflect such changes.

Implement controls to maintain high quality asset inventory

After inventory data has been brought to an acceptable correctness level, mechanisms should be put into place to limit the ability for new inaccuracies to be introduced. For example, at Google, data correctness checks have been integrated into the provisioning process for new devices so that inventory records must be correct before a device can be successfully imaged with an operating system, ensuring that the device will meet required data accuracy standards before being delivered to an employee.
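The trust-decision pipeline described earlier in the post (aggregating inventory, management-agent and scanner data before deciding) and the three data-quality lessons above (transcribed serials that differ from the firmware serial, serials that are not unique, and identity drift after a component swap) can be exercised together in a small reconciler. The code below is an added example and is not Google's code or any BeyondCorp component; the records, the serial confusion table, the minimum OS version and the three trust tiers are constructed assumptions chosen only to illustrate the checks. It goes slightly beyond the text by also folding the observed compliance state (disk encryption, OS version, scanner findings, check-in age) into the same decision.

```python
"""Reconcile asset-inventory records against observed device state and derive a
coarse trust tier. Added example; all data, thresholds and tiers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Characters commonly confused when a serial is transcribed from a label (assumption).
_CONFUSABLE = {"0": "O", "O": "0", "1": "I", "I": "1", "5": "S", "S": "5", "8": "B", "B": "8"}


def transcription_variant(a: str, b: str) -> bool:
    """True if a and b differ only in confusable characters: likely a typo, not a new device."""
    if len(a) != len(b) or a == b:
        return False
    return all(x == y or _CONFUSABLE.get(x) == y for x, y in zip(a, b))


@dataclass
class Inventory:            # manually entered asset-management record
    serial: str
    asset_tag: str
    status: str             # "assigned", "spare" or "retired"
    known_macs: Set[str] = field(default_factory=set)


@dataclass
class Observed:             # state reported by the device-management agent / scanner
    serial: str
    macs: Set[str]
    os_version: str
    disk_encrypted: bool
    last_checkin: datetime
    critical_vulns: int = 0


@dataclass
class Decision:
    serial: str
    asset_tag: Optional[str]
    tier: str               # "untrusted", "basic" or "full"
    reasons: List[str]


def reconcile(inventory, observed, min_os=(10, 15), max_age=timedelta(days=7), now=None):
    """Return one Decision per observed device, matched against the inventory."""
    now = now or datetime.now(timezone.utc)
    by_serial = {r.serial: r for r in inventory}
    seen = {}
    for o in observed:                      # count serials to catch non-unique identifiers
        seen[o.serial] = seen.get(o.serial, 0) + 1
    out = []
    for o in observed:
        reasons = []
        rec = by_serial.get(o.serial)
        if rec is None:
            # Recover a record whose serial is a transcription variant of the firmware serial.
            cand = [r for r in inventory if transcription_variant(r.serial, o.serial)]
            if len(cand) == 1:
                rec = cand[0]
                reasons.append(f"inventory serial {rec.serial!r} looks like a typo of {o.serial!r}; fix the record")
        if rec is None:
            out.append(Decision(o.serial, None, "untrusted", ["no inventory record"]))
            continue
        if seen[o.serial] > 1:              # e.g. cloned virtual desktops sharing a serial
            out.append(Decision(o.serial, rec.asset_tag, "untrusted", ["serial is not unique in the fleet"]))
            continue
        if rec.status != "assigned":
            out.append(Decision(o.serial, rec.asset_tag, "untrusted", [f"inventory status is {rec.status!r}"]))
            continue
        tier = "full"
        if not (o.macs & rec.known_macs):   # identity drift after a NIC or mainboard swap
            reasons.append("no known MAC observed; hardware may have been replaced, review inventory")
            tier = "basic"
        if not o.disk_encrypted:
            reasons.append("disk not encrypted"); tier = "basic"
        if tuple(int(p) for p in o.os_version.split(".")[:2]) < min_os:
            reasons.append(f"OS {o.os_version} below minimum"); tier = "basic"
        if o.critical_vulns:
            reasons.append(f"{o.critical_vulns} critical scanner findings"); tier = "basic"
        if now - o.last_checkin > max_age:  # stale data cannot support any trust claim
            reasons.append("stale check-in"); tier = "untrusted"
        out.append(Decision(o.serial, rec.asset_tag, tier, reasons))
    return out


# Constructed sample data covering each lesson from the post.
NOW = datetime(2019, 8, 20, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Inventory("C02ABC123", "TAG-0001", "assigned", {"aa:bb:cc:00:00:01"}),
    Inventory("C02DEF45O", "TAG-0002", "assigned", {"aa:bb:cc:00:00:02"}),  # 'O' typed for '0'
    Inventory("C02GHI789", "TAG-0003", "retired", {"aa:bb:cc:00:00:03"}),
    Inventory("C02JKL000", "TAG-0005", "assigned", {"aa:bb:cc:00:00:05"}),
    Inventory("VMW-0001", "TAG-0004", "assigned", set()),
]
OBSERVED = [
    Observed("C02ABC123", {"aa:bb:cc:00:00:01"}, "10.15.6", True, NOW - timedelta(hours=2)),
    Observed("C02DEF450", {"aa:bb:cc:00:00:02"}, "10.15.6", True, NOW - timedelta(hours=1)),
    Observed("C02GHI789", {"aa:bb:cc:00:00:03"}, "10.14.6", True, NOW - timedelta(days=1)),
    Observed("C02JKL000", {"aa:bb:cc:00:00:55"}, "10.15.6", True, NOW - timedelta(hours=3)),
    Observed("VMW-0001", {"00:50:56:00:00:01"}, "10.15.6", True, NOW - timedelta(hours=1)),
    Observed("VMW-0001", {"00:50:56:00:00:02"}, "10.15.6", True, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for d in reconcile(INVENTORY, OBSERVED, now=NOW):
        print(f"{d.serial:10} {str(d.asset_tag):9} {d.tier:9} {'; '.join(d.reasons)}")
```

Running the block prints one line per observed device: the typo'd serial still resolves to its asset tag but carries a data-fix reason, the retired record and the two clones sharing a serial get no trust at all, and the device whose MAC no longer matches inventory is downgraded rather than rejected, which is the "flag for review" behaviour the post argues for.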

Next time

In the next post in this series, we will discuss a tiered access approach, how to create rule-based trust and the lessons we’ve learned through that process.

In the meantime, if you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers.

Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).
Category: Hacking & Security

Google will not provide carriers with coverage information. Privacy protection takes precedence

Zive.cz - security - 20 August 2019 - 18:00
In March 2017 Google launched its Mobile Network Insights service. Essentially it produced a map from which mobile carriers could read information about signal strength and data transfer speeds in various locations. Although the intent itself does not sound controversial in any way, the company has ultimately ...
Category: Hacking & Security

Apple iOS update ends in jailbroken iPhones (if that’s what you want)

Sophos Naked Security - 20 August 2019 - 17:55
Programmers call it "regression" - when fixing a new bug unfixes an old one - and it's a jailbreaker's dream!

Chrome users ignoring warnings to change breached passwords

Sophos Naked Security - 20 August 2019 - 17:45
If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?

Scammers use bogus search results to fool voice assistants

Sophos Naked Security - 20 August 2019 - 17:41
The Better Business Bureau reports that scammers have worked out how to game search results for company customer support telephone numbers.

Serious Security: Phishing in the cloud – the freemium way

Sophos Naked Security - 20 August 2019 - 17:34
Here's an interesting phishing trick. It's a way for crooks to get lots of customised web links without doing any programming.

Apple iOS Patch Blunder Opens Updated iPhones to Jailbreaks

Threatpost - 20 August 2019 - 17:22
Apple accidentally re-introduced a vulnerability in its latest operating system, iOS 12.4, that had been previously fixed in iOS 12.3.
Category: Hacking & Security

Adwind Spyware-as-a-Service Attacks Utility Grid Operators

Threatpost - 20 August 2019 - 17:09
A phishing campaign targeting utility grid operators uses a PDF attachment to deliver spyware.
Category: Hacking & Security

Here we go again: update VLC Media Player as soon as possible! The new version fixes 14 bugs

Zive.cz - security - 20 August 2019 - 17:00
Not even a month has passed since the last affair concerning VLC Media Player, and we have another warning. While last time the flaw was not in the program but on the side of the security experts, this time the situation is more serious. The non-profit organization VideoLAN, which develops the VLC player, has released a new ...
Category: Hacking & Security

How Activity Logs Help WordPress Admins Better Manage Website Security

The Hacker News - 20 August 2019 - 15:05
Managing a WordPress website can sap a lot of your time and energy, which you would otherwise spend on managing your business. If you're looking to cut down on the hours you spend troubleshooting WordPress technical and security problems, better managing and monitoring your website and users, or your customers, you need a WordPress activity log plugin. This post explains how to use the WP Security
Category: Hacking & Security

CySA+: Examination Process

InfoSec Institute Resources - 20 August 2019 - 15:02

Introduction Like other CompTIA certifications, the CompTIA Cybersecurity Analyst (CySA+) exam is provided by CompTIA's global testing partner, Pearson VUE. Pearson VUE provides computer-based testing across the globe. Once you are fully prepared and ready to take your CySA+ certification exam, you need to visit Pearson VUE's website to locate an authorized test center near […]

The post CySA+: Examination Process appeared first on Infosec Resources.

CySA+: Examination Process was first posted on August 20, 2019 at 8:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Category: Hacking & Security

CySA+ requirements

InfoSec Institute Resources - 20 August 2019 - 15:01

Introduction Before applying for the CompTIA Cybersecurity Analyst (CySA+) certification exam, a candidate must confirm whether they are eligible or likely to meet the right requirements. Candidates who do not meet the CySA+ requirements are not allowed to apply for the CySA+ certification. In this article, we will delve into the minimum requirements for […]

The post CySA+ requirements appeared first on Infosec Resources.

CySA+ requirements was first posted on August 20, 2019 at 8:01 am.
Category: Hacking & Security

Reverse Engineering Packed Malware

InfoSec Institute Resources - 20 August 2019 - 15:00

Introduction In this article, you'll get a better understanding of what a packed executable is and how to analyze and unpack malware. Finally, you'll get to know the top packers used in malware. What are packed executables? A packed executable is one that has been compressed, primarily to minimize its file size but often also to complicate the […]

The post Reverse Engineering Packed Malware appeared first on Infosec Resources.

Reverse Engineering Packed Malware was first posted on August 20, 2019 at 8:00 am.
Category: Hacking & Security

CySA+: Exam policies and appeal procedures

InfoSec Institute Resources - 20 August 2019 - 15:00

Introduction Conducting exams effectively, efficiently and in line with regulations is a daunting task. CompTIA, the vendor of the CompTIA Cybersecurity Analyst (CySA+) certification, is committed to ensuring that its certification exams are valued and respected in the marketplace. To enhance the integrity of its CySA+ certification, CompTIA takes certain security measures and ensures that […]

The post CySA+: Exam policies and appeal procedures appeared first on Infosec Resources.

CySA+: Exam policies and appeal procedures was first posted on August 20, 2019 at 8:00 am.
Category: Hacking & Security