
Tag: Intrusion Prevention System (IPS)

Report: Apple is planning a major iPhone overhaul for the fall

One 4.7-inch phone, one 5.5-inch phone, and something totally new.

Lazarus Under The Hood

Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.

Amazon Discounts its Fire Tablet Bundle an Additional $27.98 With This...

Through this Saturday, sink the 16GB Fire Tablet bundle's already discounted price to just $59.99 using the code FIREBUNDLE at checkout -- a significant deal considering its typical $107.97 value.

The bundle includes the latest 16GB Fire 7" Tablet with special offers ($69.99), Amazon cover ($24.99), and Nupro screen protector ($12.99).

Amazon's newest Fire tablet features a rich 7" IPS display and a 1.3 GHz quad-core processor.
Integrated Alexa service lets you ask away with a button press. Enjoy millions of movies, TV shows, songs, Kindle e-books, apps and games, and enjoy them uninterrupted with Fire's long lasting 7-hour battery.
See this deal on Amazon before it expires by adding to cart and applying FIREBUNDLE at checkout.

In-the-wild exploits ramp up against high-impact sites using Apache Struts

Hackers are still exploiting the bug to install malware on high-impact sites.

Moto G5 Plus hands-on: Solid camera, stock Android, sweet price—sign me...

Moto G5 Plus continues the trend of selling last year's tech at under half the price.

Moto G5 hands-on: A solid, metal-ish budget phone with removable battery

Moto G5 gets a fingerprint reader, metal back, and the same svelte £170 price.

Fileless attacks against enterprise networks

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim's host to the attacker's C2.

Megaviral Meitu “beauty” app’s data grab is anything but skin-deep

A Chinese app which allegedly makes selfies look more attractive—or more like an anime character, at any rate—has a dark secret: it demands permissions for far more personal data than it needs, including users' IMEIs, phone numbers, and GPS coordinates. Meitu, an app which has been out for years on both iOS and Android in China, has shot to fame outside the country in the last few weeks, due to the "beauty" filters it can apply to people's selfies.

Among other functions, it can sharpen people's jaws, put a sparkle in their eyes, and smooth out and lighten their skin. The result? Meitu-filtered pictures are suddenly everywhere.

The backlash, however, has been just as swift. Almost as soon as infosec bods became aware of it, they found numerous serious privacy flaws and avenues for potential leaks of personal data. One eagle-eyed researcher found the Android version of the app asked users for dozens of intrusive permissions, and sends the data to multiple servers in China—including a user's calendar, contacts, SMS messages, external storage, and IMEI number.

"Take a look at the entire list of permissions from the Meitu app." pic.twitter.com/AkSw2Z50T7 — FourOctets (@FourOctets) January 19, 2017

"The permissions are also out there as well." pic.twitter.com/d3GuAVfM7t — FourOctets (@FourOctets) January 19, 2017

The Android version of the app is agreed to be the more insecure, as the OS allows it to seek significantly more permissions, but according to digital forensics expert Jonathan Zdziarski, the app secretly checks to see if a user's iPhone is jailbroken—presumably to see if it can use that information to gather additional data. On its website, the company boasts 1.1 billion installs, as well as 456 million active monthly users around the world. What it doesn't do, however, is give any indication at all about what it does with all the data it collects. Most observers believe the data is being harvested to sell to advertisers.

As Zdziarski added on Twitter, "if you like being the target of marketing and big data, by all means run Meitu.
I’m sure whoever’s buying their data will thank you." "Why would anybody want these IDs?" asked Matthew Garrett of CoreOS. "The simple answer is that app authors mostly make money by selling advertising, and advertisers like to know who's seeing their advertisements.

The more app views they can tie to a single individual, the more they can track that user's response to different kinds of adverts and the more targeted (and, they hope, more profitable) the advertising towards that user. "Using the same ID between multiple apps makes this easier, and so using a device-level ID rather than an app-level one is preferred.

The IMEI is the most stable ID on Android devices, persisting even across factory resets." However, developer Brianna Wu disagreed, and seems to believe the data is being collected for more sinister reasons than invasive advertising.
She claimed Meitu was "predatory," adding: "It's not just a consumer issue, but a national security issue." Whatever their views on the purpose of Meitu's data collection, however, everyone seems to be in agreement about one thing: think very carefully about your personal security before downloading and using the app.

Update: A Meitu spokesperson claimed to CNET that, because the company is headquartered in China, it was necessary to include the data collection code in the app to circumvent the country's blockage of tracking services from the likes of Apple and Google's app stores. It said: "To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks."

This post originated on Ars Technica UK.

Comodo Firewall 10

The firewall component in modern versions of Windows is quite effective, so the market for third-party personal firewall utilities is shrinking. Paying for a personal firewall seems especially silly when Windows has one built in.

Comodo Firewall 10 is free, and it does a lot more than the basics.
In addition to protecting your PC against attacks from the Internet and controlling how programs utilize your Internet connection, it includes a secure browser, sandbox-style virtualization, a Host Intrusion Protection System, and more.
It performs all expected personal firewall tasks, but not all of the bonus features worked.

Comodo's main competition is Check Point ZoneAlarm Free Firewall 2017, and there are quite a few similarities between the two.

Both companies also offer a free antivirus, for starters.

And you can also get a combined firewall and antivirus from both. With ZoneAlarm, you can convert either the antivirus or firewall to the combined product with just a click. With Comodo, you upgrade to the free edition of Comodo Internet Security.

Shared with Antivirus

The majority of Comodo Firewall's features are also found in Comodo Antivirus 10.
I'll refer you to my review of the antivirus for full details on these features. Here's a summary.

Both Comodo products offer a new, attractive user interface with two similar themes named Lycia and Arcadia.

These two feature a big status panel at left and four button panels at right; they just use slightly different colors and icons.

Those who prefer the previous edition's look can choose the Modern theme.
If you're nostalgic for really old editions of Comodo, the Classic theme gets you that look.
In addition, the main window for both products can display either a Basic View or an Advanced View; the latter puts more statistics and action items in easy reach.

While both Comodo products are free, they also both push you to pay in one way or another. Unless you carefully read all screens and popups, you'll find that without realizing it you've agreed to change all of your browsers to use Yahoo as home page, new tab, and default search engine. You'll see messages offering help from the GeekBuddy tech support system, and indeed a GeekBuddy agent will happily chat with you. However, if you want the tech to perform any kind of remote repair or remediation, you'll have to pay.

Comodo Firewall does not in itself include an antivirus component, but its File Rating component checks files against Comodo's cloud database when you access them.
If the database identifies a process as malware, or as a potentially unwanted program, Comodo terminates the process and pops up a notification. You also get a popup offering GeekBuddy services.

File Rating is also a feature of the antivirus, but in testing I found that other protection layers always kicked in before File Rating had a chance.

Both the firewall and the antivirus can automatically sandbox programs that aren't recognized by the database. However, this feature is enabled by default in the antivirus, disabled in the firewall.

A sandboxed program runs in a virtual environment, unable to permanently change important system areas. When you empty the sandbox, all virtualized changes vanish. You can actively launch any program in the sandbox, or open a fully virtualized desktop, isolated from the regular desktop.
It's similar to the SafePay desktop in Bitdefender Antivirus Plus 2017.

The main feature of the virtualized desktop is the Comodo Dragon browser.

By virtualizing your online transactions, you protect them from manipulation by other processes.

The Dragon browser includes a useful collection of bonus apps, among them a media downloader, a price-comparison tool, and a tool for quickly sharing or searching text from Web pages.

Both Comodo products include a Host Intrusion Prevention System (HIPS), but it's disabled by default in the antivirus, enabled in the firewall.

This is not a tool for foiling attempts to exploit vulnerabilities in the operating system and popular programs. Rather, when it detects suspicious behavior by a program, it asks you what to do. You can allow the behavior, block it, or choose to treat the program in question as an installer.
I tested it with a collection of utilities that share certain behaviors with malware.

Comodo only blocked the installer for one, and when I opted to treat it as an installer, I had no further problem.

The HIPS quite reasonably cast suspicion on a test utility that launches Internet Explorer and forces it to open malware-hosting URLs.

It's worth noting that ZoneAlarm's OSFirewall feature functions in much the same way. When I fully enabled the OSFirewall feature, ZoneAlarm flagged behaviors by both good and bad programs.

While Comodo Firewall isn't an antivirus itself, it includes the option to create an antivirus rescue disk, and the process of creating this disk is quite easy. You can also use it to launch Comodo's cleanup-only tool to wipe out persistent malware.

Firewall Features

As you can see, this product has a lot in common with Comodo Antivirus, but don't worry; there are plenty of firewall-specific functions too.

Each time you connect to a new network, it asks whether it's a home, work, or public network. When you're connected to a public network, Comodo puts all the system's ports in stealth mode, meaning they can't be seen from outside.
It's true that Windows Firewall also accomplishes this feat, but Comodo does it just as well. Unlike Windows Firewall, Comodo lets enthusiasts get an alert on each unsolicited connection attempt.

As noted earlier, Comodo's HIPS feature does not try to block attacks that exploit vulnerabilities in the OS or critical files.

The same is true of ZoneAlarm.
Symantec Norton Security Premium is the champ in this area.
In testing, it blocked more exploits than any other recent product, and it did so at the network level, before the exploit even reached the test system.

When the firewall detects an attempted network connection by a new program, it asks you what to do about it. You can choose to allow the attempt, block it, or treat the suspect program as a browser or FTP client.
If you choose to block access, you can also terminate the program, or terminate it and reverse its actions.

Testing Comodo with my hand-coded browser, I found the firewall query appeared only after three distinct warnings from the HIPS.
I also tried a few leak tests, programs that attempt to evade firewall control by manipulating or masquerading as trusted programs.

These triggered plenty of HIPS warnings, as well as firewall warnings.
I had to turn off the File Rating component for this test, because it terminated them as potentially unwanted programs.

While Comodo's HIPS and firewall popups aren't as overwhelming as they were a few versions ago, they still give the user a lot to consider. Most users really won't know whether a program should be allowed to access the DNS/RPC Client service, or access a protected COM interface.

The firewall components in Norton and Kaspersky Internet Security track suspicious behaviors, but perform their own internal analysis rather than expecting the user to make complex security decisions.

ZoneAlarm pioneered the concept that a personal firewall must defend itself against attack.
If malware can disable firewall protection programmatically, the protection isn't worth much, right? I couldn't find any Registry entry that would serve as an off switch for Comodo Firewall, and when I tried to terminate its process I got an Access Denied message.

Security products typically rely on one or more Windows services as well—Comodo has four.
I found that I could stop three of them, but not the fourth, the most essential one. However, I managed to set its startup mode to Disabled. On reboot, Comodo offered to fix the problem, after which it was fine.
Still, I'm happier with a product like ZoneAlarm or Norton that simply prevents all modification of its Windows services.

Website Filtering

Many antivirus products include a browser-protection component that helps steer users away from malicious or fraudulent URLs.

Comodo Antivirus does not. However, the firewall adds a component called Website Filtering. My contact at the company explained that Website Filtering blocks access to URLs found in Comodo's malicious URL database, but does not attempt to block phishing sites.

To evaluate this component's efficacy, I launched the malicious URL blocking test that I apply to each antivirus.

This test uses a feed of very new malware-hosting URLs supplied by MRG-Effitas.
I use URLs discovered in the last day or two, so they're very new.
I launch each one and note whether the product blocked access to the dangerous URL, wiped out the malicious payload, or completely ignored the danger.

Normally I keep at this test until I have data for 100 malware-hosting URLs. However, after processing 50 without any response from Comodo, I quit.
I suspect that Comodo's blacklist database of malicious URLs isn't updated frequently enough to detect the most recent dangers.

By contrast, Avira Antivirus blocked 93 percent of the URLs in this test.

Does the Job

Comodo Firewall 10 does everything a personal firewall should do, stealthing ports against outside attack and preventing betrayal from within by programs misusing your Internet connection.
In addition, it offers sandboxing, a secure browser, HIPS, reputation-based file rating, and more. However, some of these bonus features are too techie for the average user, and they don't all contribute to the task of a personal firewall.

Our Editors' Choice in the dwindling collection of free personal firewalls is Check Point ZoneAlarm Free Firewall 2017.
It, too, handles all the basic tasks, and it resists direct attack better than Comodo.
It does offer a collection of bonus features as well, but most are easier for the average user to comprehend.

For the tech expert, Comodo can be great, make no mistake.

But ZoneAlarm is better suited for the average user.


PCMag may earn affiliate commissions from the shopping links included on this page.


Comodo Antivirus 10

Some antivirus vendors release a new version every year, with or without the coming year as part of the product name. Others, like Comodo, follow a simple version-number scheme, releasing a new version when it's ready. With Comodo Antivirus 10 the com...

Exposed MongoDB installs being erased, held for ransom

Security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom. On Monday morning, Gevers said he’d discovered 196 instances of a MongoDB installation exposed to the public that’s been erased and held for ransom. UPDATE: The count reached nearly 2,000 databases as of 4:00 p.m. The person behind the attacks is demanding 0.2 BTC ($202.89) as payment, and requiring system administrators email proof of ownership before the files are restored.

Those without backups are left in a bind. Gevers has sent dozens of notifications to affected victims and on Twitter has responded to at least two requests for assistance after administrators learned of the issue. In each observed attack, the message remains the same – pay up or lose your data.
It’s possible the attacker is finding open MongoDB installs via basic scanning or Shodan, Gevers said.
It’s also possible they’re finding MongoDB installs that are vulnerable to various exploits, including one that allows remote authenticated users to obtain internal system privileges. If so, then administrators are caught in the middle of a rat race between Gevers and “Harak1r1” - the person responsible for the attacks.

Asked for his thoughts and advice, Gevers shared the notification letter he is sending to identified victims. In it, he advises that they protect the MongoDB installs by blocking access to port 27017 or limit access to the server by binding local IPs.

Administrators can also choose to restart the database with the --auth option, after they’ve assigned users access. In addition, he offers the following tips:

Check the MongoDB accounts to see if no one added a secret (admin) user.
Check the GridFS to see if someone stored any files there.
Check the logfiles to see who accessed the MongoDB (show log global command).

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases where open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” the notification letter explains.

In late 2015, there were approximately 35,000 MongoDB installations on the internet. Most of these installations were insecure and publicly available, and combined stored nearly 700TB of data. Configuration errors in MongoDB have led to a number of major data breaches, including the Hello Kitty data breach that exposed 3.3 million people. A short time later, CSO Online was the first to report on the existence of an exposed MongoDB that contained 191 million voter records with the help of researcher Chris Vickery and Databreaches.net. This was followed by a story detailing the existence of a second voter database a week later. Last April, a poorly configured MongoDB installation exposed the personal details on 93 million Mexican voters. MongoDB is a favorite among some IT professionals, but if it isn’t configured properly and secured, this popular platform can be the source of a lot of pain within an organization.

The official documentation for MongoDB contains a security checklist, and administrators are encouraged to follow it completely. This story, "Exposed MongoDB installs being erased, held for ransom" was originally published by CSO.
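The checks in Gevers' notification letter (bind to local IPs, run with auth enabled, look for an added admin user, review who connected) can be scripted. The Python below is an added example, not code from CSO, the GDI Foundation or the MongoDB project. It takes the mongod configuration as a dict nested the same way as mongod.conf (net.bindIp, net.bindIpAll, security.authorization are real keys), user records shaped like the output of db.getUsers(), and log lines in mongod's "connection accepted from" format. All three inputs are constructed samples, and the trusted network ranges and the expected-admin allowlist are assumptions a site would fill in for itself.

```python
"""Audit helpers for the MongoDB hardening tips above (added example, constructed data)."""
import ipaddress
import re

# Roles that grant account or database administration; an unexpected holder is a "secret admin"
ADMIN_ROLES = {"root", "userAdminAnyDatabase", "dbAdminAnyDatabase", "userAdmin", "dbOwner"}
# Source address in a mongod "connection accepted from <ip>:<port>" log line (IPv4 only here)
CONNECTION_RE = re.compile(r"connection accepted from ([\d.]+):\d+")


def audit_config(config):
    """Check a mongod config (dict nested like mongod.conf) for the two settings the
    letter asks for: bind to local IPs only, and authorization enabled (same as --auth)."""
    findings = []
    net = config.get("net", {})
    if net.get("bindIpAll"):
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        findings.append("net.bindIp is not set: set it explicitly to local addresses")
    else:
        addrs = {a.strip() for a in str(net["bindIp"]).split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append("net.bindIp includes a wildcard address: bind to local IPs only")
    if config.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled' (equivalent of --auth)")
    return findings


def unexpected_admins(users, expected):
    """users: records shaped like db.getUsers() output. Returns 'db.user' names that hold
    an admin-level role but are not on the expected allowlist."""
    suspects = []
    for u in users:
        name = f"{u['db']}.{u['user']}"
        roles = {r["role"] for r in u.get("roles", [])}
        if name not in expected and roles & ADMIN_ROLES:
            suspects.append(name)
    return suspects


def untrusted_clients(log_lines, trusted_networks):
    """Distinct source addresses in 'connection accepted' log lines that fall outside
    the trusted networks, in order of first appearance."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    seen = []
    for line in log_lines:
        m = CONNECTION_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in n for n in nets) and str(ip) not in seen:
            seen.append(str(ip))
    return seen


# --- Constructed samples (not from the article) ---
WEAK_CONFIG = {"net": {"port": 27017, "bindIp": "0.0.0.0"}, "security": {}}
HARDENED_CONFIG = {"net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.12"},
                   "security": {"authorization": "enabled"}}
SAMPLE_USERS = [
    {"user": "appuser", "db": "admin", "roles": [{"role": "readWrite", "db": "shop"}]},
    {"user": "ops", "db": "admin", "roles": [{"role": "root", "db": "admin"}]},
    {"user": "sys.backup", "db": "admin", "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
]
EXPECTED_ADMINS = {"admin.ops"}          # assumption: the only sanctioned admin account
SAMPLE_LOG = [
    "2017-01-09T10:12:33.101+0000 I NETWORK  [thread1] connection accepted from 10.0.0.7:51230 #11 (1 connection now open)",
    "2017-01-09T10:12:41.558+0000 I NETWORK  [thread1] connection accepted from 203.0.113.5:40312 #12 (2 connections now open)",
    "2017-01-09T10:13:02.004+0000 I NETWORK  [conn11] end connection 10.0.0.7:51230 (1 connection now open)",
    "2017-01-09T10:13:15.770+0000 I NETWORK  [thread1] connection accepted from 203.0.113.5:40388 #13 (2 connections now open)",
    "2017-01-09T10:14:00.000+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:33000 #14 (3 connections now open)",
]
TRUSTED = ["127.0.0.0/8", "10.0.0.0/8"]  # assumption: loopback and the internal LAN

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, EXPECTED_ADMINS))
    print("untrusted clients:", untrusted_clients(SAMPLE_LOG, TRUSTED))
```

Run against a real deployment, the config dict would come from parsing mongod.conf, the user list from db.getUsers() on the admin database, and the log lines from the mongod log file; the point of the three functions is that each of the letter's checks reduces to a comparison against an explicit allowlist the administrator has to write down first.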

Wick Hill Feature: Delivering Secure Wi-Fi

Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot.

The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.

Today, Wi-Fi is at the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good, and usually free, Wi-Fi is not available.

But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafes, hotels, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.

There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.

Risks from unprotected Wi-Fi:

Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP make for easy targets, because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.

Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.

Rogue Hotspots
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in, leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.

Planting Malware
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.

A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.

Data Theft
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.

Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.

Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.

Bad Neighbours
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.

Best practices
There are established best practices for securing your Wi-Fi network, and companies such as WatchGuard are extending well-proven physical-network safeguards to wireless, providing better network visibility and fewer blind spots.

Implementing the latest WPA2 Enterprise (802.1x) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats.

Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.

The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.

WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.

While WIDS (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, a WIDS requires manual intervention to respond to potential threats.

This may be fine for large organisations with IT teams that can manage it; a WIPS, however, is fully automated, which makes it far more attractive to SMEs and organisations such as schools and colleges.

Using patented Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.
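Two of the WIPS behaviours just described, spotting a spoofed access point that advertises your SSID from unknown hardware (the "Rogue Hotspots" risk above) and flagging an abnormal volume of de-authentication frames, can be shown in a few dozen lines. The Python below is an added example and is not WatchGuard's code: the article does not describe how its patented Marker Packet detection works, so the rogue-AP check here is the simpler approach of comparing observed beacons against an inventory of authorised BSSIDs. Frame records, the AP inventory, the 10-second window and the threshold of 50 frames are all constructed assumptions.

```python
"""Rogue-AP and deauth-flood checks of the kind a WIPS runs (added example, constructed data)."""
from collections import deque

# Constructed inventory of the site's own access points: SSID -> authorised BSSIDs
AUTHORISED_APS = {"CafeGuest": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}}


def find_rogue_aps(beacons, authorised=AUTHORISED_APS):
    """beacons: (ssid, bssid) pairs taken from beacon frames. An AP advertising one of
    our SSIDs from a BSSID missing from the inventory is the spoof described above;
    APs with other SSIDs are just neighbours and are ignored. Duplicates are collapsed."""
    rogues = []
    for ssid, bssid in beacons:
        if ssid in authorised and bssid not in authorised[ssid] and (ssid, bssid) not in rogues:
            rogues.append((ssid, bssid))
    return rogues


def detect_deauth_flood(frames, window_seconds=10.0, threshold=50):
    """frames: (timestamp_seconds, bssid, subtype). Returns one alert
    (bssid, burst_start, count) whenever a BSSID sees more than `threshold`
    deauth/disassoc frames inside any sliding window of `window_seconds`.
    The window is cleared after an alert so a sustained flood yields one alert per
    burst instead of one per frame."""
    recent = {}          # bssid -> deque of deauth timestamps within the current window
    alerts = []
    for ts, bssid, subtype in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((bssid, q[0], len(q)))
            q.clear()
    return alerts


# --- Constructed samples ---
SAMPLE_BEACONS = [
    ("CafeGuest", "aa:bb:cc:dd:ee:01"),
    ("Neighbour-5G", "11:22:33:44:55:66"),      # someone else's network: not rogue
    ("CafeGuest", "de:ad:be:ef:00:01"),         # our SSID from unknown hardware: rogue
    ("CafeGuest", "aa:bb:cc:dd:ee:02"),
    ("CafeGuest", "de:ad:be:ef:00:01"),
]


def sample_frames():
    """Two minutes of traffic: beacons, a handful of ordinary deauths from roaming
    clients on AP 01, and an 80-frame deauth burst against AP 02 starting at t=100."""
    frames = [(float(t), "aa:bb:cc:dd:ee:01", "beacon") for t in range(0, 120)]
    frames += [(float(t), "aa:bb:cc:dd:ee:01", "deauth") for t in (3, 15, 27, 39, 51)]
    frames += [(100.0 + i * 0.02, "aa:bb:cc:dd:ee:02", "deauth") for i in range(80)]
    return frames


if __name__ == "__main__":
    print("rogue APs:", find_rogue_aps(SAMPLE_BEACONS))
    print("deauth floods:", detect_deauth_flood(sample_frames()))
```

The threshold is the tuning knob that decides the false-positive rate the article mentions: legitimate roaming produces a trickle of deauth frames per AP, so only a rate far above that trickle should raise an alert, and the per-BSSID window keeps a busy AP from masking a quiet one.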

Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.

For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.

And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.

It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.


About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.

The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.

Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.

This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.

For further press information, please contact Annabelle Brown on 01326 318212, email pr@wickhill.com Wick Hill https://www.wickhill.com