How to verify whether a website is legitimate or not?

Thursday, 16 May 2024

Revolution in the SIEM Market: Key Acquisitions, Mergers, and Innovations Shape the Future of SecOps

Chronicle is now Google Security Operations. Say goodbye to legacy SIEMs

As cloud deployments for infrastructure, applications, and security have gained popularity, SecOps has had to evolve. Although many SIEM vendors claimed to offer cloud-native solutions, these were often superficial adjustments rather than genuine innovations addressing cloud security needs. At RSA 2019, Microsoft introduced "Azure Sentinel" (now Microsoft Sentinel) and Google introduced "Chronicle" (now Google Security Operations). Despite their progress, both have yet to fully address issues of coverage, effectiveness, and timeliness.

Sunday, 7 April 2024

Europol report highlights the presence of numerous dangerous crime gangs across the EU.

Europol's first report on the most threatening criminal networks active in the EU unveils the presence of 821 dangerous criminal gangs across the EU, primarily engaged in drug trafficking and other illicit activities. These organizations operate transnationally, posing significant challenges to law enforcement. Efforts to combat them require enhanced coordination and initiatives to protect legal officials from intimidation and bribery.

There is a special section dedicated to cyber-attacks (p. 36) that highlights the disruption of the LockBit ransomware group as a case example:

A few points to highlight from the report:

  • Agile: The most threatening criminal networks exhibit remarkable agility (p. 10).
  • LBS: Legal Business Structures. 86% of the most threatening criminal networks make use of LBS.
  • Some sectors particularly at risk; all sectors potentially affected: Three sectors are particularly affected by criminal infiltration or abuse: construction, hospitality and logistics (i.e. transport and import/export companies). The data show clearly that LBS are infiltrated or misused by criminal networks across almost all sectors, including tourism, recycling, wellness and sports, retail and cultural associations.
  • The most threatening criminal networks in the EU use real estate as one of the main industries to launder their illicit profits (41 %).
  • Main nationalities of the criminal networks are: Albania, Belgium, France, Germany, Italy, the Netherlands, Poland, Spain, Türkiye and Ukraine. Most criminal networks are made up of both EU and non-EU nationals.
  • 82% focus on one criminal activity, such as drug trafficking or organised property crime. The remaining 18% are truly poly-criminal networks active in multiple main crime areas.
  • Fraud (mainly investment and romance fraud) is the second most common activity of the most threatening criminal networks (p. 30).
  • Money laundering activities take place in more than 80 countries (p. 45).

Page 45

  • The criminal networks that use countermeasures against law enforcement strategically as part of their day-to-day operations mostly use technologies such as encrypted applications or devices (EncroChat or SkyECC) on which they use code language to communicate.

  • Cyber expertise required: Cyber-service and technological solution providers offer critical support to networks involved in fraud schemes. Specifically, they devise mass mailing and phishing campaigns, create fake websites, advertisements and social media accounts, and support other cyber-based processes related to investment frauds and online fraud schemes. Networks involved in cyber-attacks play a critical role in programming malware, ransomware and hosting botnets. These individuals also occupy a crucial position in networks engaged in drug trafficking, extortion and racketeering and money laundering. They support the networks by advising them on online means for the movement of money and cryptocurrency payments (p. 56).

Page 57

This report marks a significant milestone in enhancing our comprehension of the primary characteristics of criminal networks posing the highest risk to EU's internal security. It represents the first comprehensive evaluation at the EU level from the perspective of criminal actors, drawing upon recent data provided by EU Member States and third countries. Each of the 821 identified highly threatening criminal networks exhibits unique traits, including composition, structure, criminal activities, territorial influence, longevity, cooperation methods, and other factors. However, what distinguishes one network as more threatening than another are key capabilities encapsulated in the ABCD model: Agile, Borderless, Controlling, Destructive.

Thursday, 4 April 2024

Key insights from the report by the Cyber Safety Review Board on the Microsoft Exchange Online incident of Summer 2023

What: a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world.

Who: the actor, known as Storm-0558 and assessed to be affiliated with the People's Republic of China.

How: it accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016.

When: in May and June 2023.

Why: in pursuit of espionage objectives. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People's Republic of China R. Nicholas Burns, and Congressman Don Bacon.

Context: the intrusion was rated SEV-0, the highest urgency level. This meant that the incident required robust communication, visibility, and coordination across Microsoft and up to its most senior leadership, including its Board of Directors.

The U.S. Department of Homeland Security (DHS) has issued the findings and recommendations report of the Cyber Safety Review Board (CSRB) concerning the review of the summer 2023 Microsoft Exchange Online Intrusion. This report is invaluable from all perspectives, particularly for professionals working in the CyberDetection field.

Following an initial review of the report, below are some of the key insights gleaned:

  • The biggest risk of using cloud infrastructure

Page 11

  • A must-have custom detection to alert on potentially anomalous access to mailboxes

Page 14

Page 16

Page 17
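The kind of custom detection the report calls for can be sketched as a pair of rules over mailbox audit events. The following is an added example (mine, not the CSRB report's or Microsoft's): it runs two rules over a constructed, simplified set of mailbox-read records, one flagging any application identity outside a hypothetical allowlist, the other flagging a single identity reading many distinct mailboxes within a short window, which is the access pattern a token-based mailbox compromise tends to produce. The field names, the allowlist, the thresholds and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified mailbox-access audit records (sample data, not from any real tenant).
# Each record: UTC time, the mailbox that was read, the application identity reading it, source IP.
SAMPLE_EVENTS = [
    {"time": "2023-06-15T10:00:00", "mailbox": "alice@example.org", "app_id": "app-mail-client", "ip": "203.0.113.10"},
    {"time": "2023-06-15T10:01:00", "mailbox": "alice@example.org", "app_id": "app-mail-client", "ip": "203.0.113.10"},
    {"time": "2023-06-15T10:02:00", "mailbox": "bob@example.org", "app_id": "app-mail-client", "ip": "203.0.113.11"},
    {"time": "2023-06-15T10:30:00", "mailbox": "bob@example.org", "app_id": "app-calendar-sync", "ip": "203.0.113.11"},
    # Six different mailboxes read by one unfamiliar application identity within five minutes.
    {"time": "2023-06-15T11:00:00", "mailbox": "alice@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
    {"time": "2023-06-15T11:01:00", "mailbox": "bob@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
    {"time": "2023-06-15T11:02:00", "mailbox": "carol@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
    {"time": "2023-06-15T11:03:00", "mailbox": "dave@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
    {"time": "2023-06-15T11:04:00", "mailbox": "erin@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
    {"time": "2023-06-15T11:05:00", "mailbox": "frank@example.org", "app_id": "app-unknown-7f3a", "ip": "198.51.100.7"},
]

# Hypothetical allowlist of application identities that are expected to read mailboxes.
KNOWN_APP_IDS = {"app-mail-client", "app-calendar-sync"}
FANOUT_THRESHOLD = 5                 # distinct mailboxes per identity that triggers an alert (assumed)
FANOUT_WINDOW = timedelta(minutes=10)  # sliding window for the fan-out rule (assumed)


def _parse(event):
    """Return a copy of the record with the timestamp parsed into a datetime."""
    return {**event, "time": datetime.fromisoformat(event["time"])}


def detect_unknown_app(events):
    """Rule 1: a mailbox read by an application identity that is not on the allowlist."""
    alerts, seen = [], set()
    for e in map(_parse, events):
        if e["app_id"] not in KNOWN_APP_IDS and e["app_id"] not in seen:
            seen.add(e["app_id"])
            alerts.append({"rule": "unknown_app", "app_id": e["app_id"],
                           "detail": f"first seen from {e['ip']} at {e['time']:%H:%M}"})
    return alerts


def detect_mailbox_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Rule 2: one application identity reading many distinct mailboxes inside a short window."""
    by_app = defaultdict(list)
    for e in map(_parse, events):
        by_app[e["app_id"]].append(e)
    alerts = []
    for app_id, app_events in by_app.items():
        app_events.sort(key=lambda e: e["time"])
        worst = 0
        # Slide a window starting at each event and count distinct mailboxes inside it.
        for i, start in enumerate(app_events):
            mailboxes = {e["mailbox"] for e in app_events[i:] if e["time"] - start["time"] <= window}
            worst = max(worst, len(mailboxes))
        if worst >= threshold:
            alerts.append({"rule": "mailbox_fanout", "app_id": app_id,
                           "detail": f"{worst} distinct mailboxes within {window}"})
    return alerts


def run_detections(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_unknown_app(events) + detect_mailbox_fanout(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed data the legitimate mail and calendar identities produce nothing, while the unfamiliar identity trips both rules. In a real tenant the allowlist would be built from the application identities observed during a baselining period, and the fan-out threshold tuned against mailbox-reading services (backup, compliance search) that legitimately touch many mailboxes.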

  • Two main mistakes that left the cloud vulnerable to intrusions
  Microsoft's failure to implement automated signing-key rotation, together with the lack of an alerting system for aging keys in its consumer MSA identity infrastructure, left it vulnerable to intrusions, as read on:

Page 11
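To make the two missing controls concrete, here is an added example (my own sketch, not Microsoft's design or anything from the report): a small signing-key store with an age check that raises alerts on aging keys, an automated rotation routine, and a token verifier that refuses tokens signed by a key past its maximum age. The scenario constructs a "legacy" key dated 2016 to mirror the incident. The policy values (90-day maximum age, 14-day warning, 7-day retirement grace), the key identifiers and the HMAC-based token format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values are assumptions for the example, not Microsoft's.
MAX_KEY_AGE = timedelta(days=90)   # a key older than this must not sign or validate tokens
WARN_BEFORE = timedelta(days=14)   # raise an "expiring" alert this long before MAX_KEY_AGE
RETIRE_GRACE = timedelta(days=7)   # rotated-out keys keep validating for this long


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    created: datetime
    retired_at: Optional[datetime] = None  # set when the key is rotated out


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)
    active_kid: Optional[str] = None

    def add(self, key, make_active=True):
        self.keys[key.kid] = key
        if make_active:
            self.active_kid = key.kid


def check_key_ages(store, now):
    """The 'alerting on aging keys' control: report keys near or past MAX_KEY_AGE."""
    alerts = []
    for key in store.keys.values():
        if key.retired_at:
            continue
        age = now - key.created
        if age >= MAX_KEY_AGE:
            alerts.append(("EXPIRED", key.kid, age.days))
        elif age >= MAX_KEY_AGE - WARN_BEFORE:
            alerts.append(("EXPIRING", key.kid, age.days))
    return alerts


def rotate(store, now):
    """The 'automated rotation' control: mint a fresh active key, retire the old one."""
    store.keys[store.active_kid].retired_at = now
    new = SigningKey(kid=f"key-{now:%Y%m%d}-{secrets.token_hex(2)}",
                     secret=secrets.token_bytes(32), created=now)
    store.add(new)
    return new.kid


def _b64(data):
    if isinstance(data, str):
        data = data.encode()
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(store, claims):
    """Toy token: base64(header with kid).base64(claims).base64(HMAC-SHA256)."""
    key = store.keys[store.active_kid]
    body = _b64(json.dumps({"kid": key.kid})) + "." + _b64(json.dumps(claims))
    sig = hmac.new(key.secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(store, token, now):
    """Check the signature, then refuse keys that are too old or retired beyond the grace period."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = store.keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key.secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        return False, "bad signature"
    if now - key.created >= MAX_KEY_AGE:
        return False, "key older than MAX_KEY_AGE"
    if key.retired_at and now - key.retired_at > RETIRE_GRACE:
        return False, "key retired beyond grace"
    return True, "ok"


def demo():
    """Walk a constructed 2016 key through alerting, rotation and token verification."""
    now = datetime(2023, 5, 15, tzinfo=timezone.utc)
    store = KeyStore()
    legacy = SigningKey("key-legacy-2016", secrets.token_bytes(32),
                        datetime(2016, 4, 1, tzinfo=timezone.utc))  # constructed, never rotated
    store.add(legacy)
    alerts_before = check_key_ages(store, now)
    stale = sign_token(store, {"sub": "user@example.org"})      # minted with the aged key
    stale_result = verify_token(store, stale, now)
    new_kid = rotate(store, now)
    fresh = sign_token(store, {"sub": "user@example.org"})
    h, _, s = fresh.split(".")
    tampered = h + "." + _b64(json.dumps({"sub": "admin@example.org"})) + "." + s
    return {"alerts_before": alerts_before, "stale_result": stale_result,
            "alerts_after": check_key_ages(store, now), "new_kid": new_kid,
            "fresh_result": verify_token(store, fresh, now),
            "tampered_result": verify_token(store, tampered, now)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the age check inside `verify_token` is that rotation alone is not enough: a validator that still accepts any key it has ever known will honour tokens minted with a key that should have been gone years earlier, so both the issuer and the verifier have to enforce the same age policy.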

  • The criticality of storing log data for threat hunting or forensic analysis

Page 15

Page 16

Page 25

  • Victim notification via email is a flawed system

Page 18

  • Out of the 46 different hypotheses investigated, which one ranked as the top one?

Page 20

  • Microsoft's security culture was deemed inadequate, supported by substantial evidence and analysis.

Page 22

  • Given the reported $17.4 billion in revenue for the third quarter of 2023 (Azure), this sentence is alarming from a business standpoint.

Page 22

  • Microsoft customers lack crucial information necessary to conduct their own risk assessments regarding the security of Microsoft Cloud environments.

Page 23

  • Security improvements should be prioritized over feature development.

Page 24

  • The practice of charging extra for advanced logging capabilities should stop.

Page 24

Microsoft has not yet determined how Storm-0558 obtained the 2016 MSA key and says that it is continuing to investigate.


Monday, 1 April 2024

Securing hybrid environments: maximizing cybersecurity and cost efficiency with SIEM over EDR

In today's hybrid environments, where organizations operate a mix of on-premises and cloud infrastructure, cybersecurity teams face daunting challenges in monitoring and securing their digital assets. While both Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions play crucial roles in defending against cyber threats, understanding their respective advantages is essential for maximizing cybersecurity effectiveness. This article explores the complexities of operating SIEM in hybrid environments, introduces EDR, and highlights the advantages of SIEM over EDR in this context.


Complexities of operating SIEM in hybrid environments

  • Data integration challenges: Integrating security data from disparate sources across hybrid environments, including on-premises servers and cloud platforms, poses significant challenges for SIEM operations. Ensuring seamless data ingestion, normalization, and correlation across diverse environments is essential for effective threat detection and response.
  • Compliance and governance complexity: Managing compliance requirements across hybrid environments requires robust monitoring, reporting, and auditing capabilities. SIEM solutions must support compliance with regulations spanning multiple cloud providers and geographic regions, adding complexity to governance and risk management processes. For instance, regional SIEM instances that hold data only for Switzerland, APAC or restricted EMEA regions pose unique challenges to data governance.
  • Network visibility: Hybrid environments encompass complex network architectures, including virtual private clouds, multi-cloud deployments, and interconnected on-premises networks. Maintaining visibility into network traffic (without incurring high costs) and communication patterns is essential for detecting and mitigating threats effectively.

EDR solutions focus on monitoring and securing endpoints, such as desktops, laptops, servers, and mobile devices, against advanced threats and malware. EDR platforms provide real-time visibility into endpoint activities, enabling rapid detection, investigation, and response to security incidents at the endpoint level. While EDR solutions excel in endpoint-focused threat detection and response, their scope is limited compared to the broader visibility offered by SIEM.

In the dynamic landscape of hybrid environments, achieving robust cybersecurity while managing costs is paramount for organizations. One strategy to balance these priorities involves leveraging SIEM solutions over EDR, particularly by harnessing the concept of security-relevant telemetry.

Security-relevant telemetry refers to the collection of essential security data, such as logs, network traffic, and endpoint activities, that are indicative of potential threats. By focusing on telemetry that directly contributes to threat detection and response, organizations can optimize their cybersecurity investments and avoid unnecessary data collection, usually tied to compliance-related activities, that may inflate costs.

Security-relevant telemetry provides contextual insight into security events and incidents, enabling more accurate threat detection and response. By correlating telemetry data across diverse sources, including on-premises servers and cloud platforms, organizations can gain a holistic view of their hybrid environment's security posture without the need for additional security tools or solutions.

SIEM solutions offer centralized visibility into security-relevant telemetry across hybrid environments, enabling organizations to monitor and analyze essential security data in real time. By aggregating and correlating telemetry data from diverse sources, SIEM enhances threat detection capabilities while minimizing costs associated with managing multiple security tools or platforms.

Prioritizing SIEM's security-relevant telemetry over EDR allows organizations to optimize their cybersecurity investments by focusing resources on data that directly contribute to threat detection and response. By eliminating unnecessary data collection and analysis, organizations can reduce operational costs associated with managing and maintaining security tools, ultimately maximizing cost efficiency in hybrid environments.

Organizations should conduct a thorough assessment of their security telemetry needs and rationalize data collection efforts to focus on security-relevant telemetry. This involves identifying critical security data sources and configuring SIEM solutions to prioritize telemetry that aligns with threat detection and response objectives.

To maintain cost efficiency over time, organizations should continuously optimize their telemetry collection and analysis processes based on evolving cybersecurity requirements and threat landscapes. This includes refining correlation rules, adjusting data retention policies, and leveraging automation to streamline telemetry management operations.

While both SIEM and EDR solutions are essential components of a robust cybersecurity strategy, organizations operating in hybrid environments can benefit significantly from leveraging the advantages offered by SIEM over EDR. By providing centralized visibility, comprehensive threat detection, and seamless integration with cloud environments, SIEM empowers organizations to effectively monitor, detect, and respond to security threats across diverse on-premises and cloud infrastructure. As organizations continue to navigate the complexities of hybrid environments, investing in robust SIEM solutions will be essential for maximizing cybersecurity effectiveness and safeguarding against evolving threats.

Tuesday, 9 January 2024

Reporting a fraudulent website

Chrome plugin warning about a fraudulent website

Chrome plugin warning about a fraudulent website that uses celebrities

Fraudulent website

If you fell for an online scam, act quickly.

  • Gather evidence
  • Report it to the authorities
  • Use ... to warn other users.

Examples of fraudulent websites impersonating well-known brands:

Wednesday, 7 December 2022

ChatGPT still can't let us know whether a website is fraudulent or not

Note: See the bottom of this post for more updates on ChatGPT.

ChatGPT, the general-purpose chatbot released by the cutting-edge project OpenAI, is making headlines everywhere. Let's just leave some random ones here for the record and to check later on.

ChatGPT is fine-tuned from a model in the GPT-3.5 series, which finished training in early 2022.

It was trained using Reinforcement Learning from Human Feedback (RLHF).

With all the buzzwords, I tried a few simple questions:

What I learnt:

  • I have no idea about AI. This article is just to grasp some concepts.
  • The fluency perceived in its answers all over the world is an illusion that stems from the combination of massive amounts of data, immense computing power, and novel processing techniques.
  • One of the more popular use cases seems to be generating essays, though there is already an OpenAI detector PoC.
  • The bot is not connected to the Internet, therefore its knowledge stops at 2021-09 (at the time of writing this article).
  • The technology is impressive but still has its limitations, as seen above.
  • Still far away from the Singularity (see below).

A while ago I read the book "Life 3.0: Being Human in the Age of Artificial Intelligence" by Max Tegmark.

Below are some random paragraphs that I had marked in the book:

Intellectual property rights are sometimes hailed as the mother of creativity and invention. However, Marshall Brain points out that many of the finest examples of human creativity -from scientific discoveries to creation of literature, art, music and design - were motivated not by a desire for profit but by other human emotions, such as curiosity, an urge to create, or the reward of peer appreciation. Money didn't motivate Einstein to invent special relativity theory any more than it motivated Linus Torvalds to create the free Linux operating system. In contrast, many people today fail to realize their full creative potential because they need to devote time and energy to less creative activities just to earn a living. By freeing scientists, artists, inventors and designers from their chores and enabling them to create from genuine desire, Marshall Brain's utopian society enjoys higher levels of innovations than today and correspondingly superior technology and standard of living.

Since we can't completely dismiss the possibility that we'll eventually build human-level AGI, let's devote this chapter to exploring what that might lead to. Let's begin by tackling the elephant in the room: Can AI really take over the world, or enable humans to do so?

If you roll your eyes when people talk of gun-toting Terminator style robots taking over, then you're spot-on: this is a really unrealistic and silly scenario. These Hollywood robots aren't that much smarter than us, and they don't even succeed. In my opinion, the danger with the Terminator story isn't that it will happen, but that it distracts from the real risks and opportunities presented by AI. To actually get from today to AGI-powered world takeover requires three logical steps:

  • Step 1: Build human-level AGI.
  • Step 2: Use this AGI to create superintelligence.
  • Step 3: Use or unleash this superintelligence to take over the world.

Update: 12/12/2022

Thursday, 31 March 2022

MITRE publishes 11 strategies of a world-class cybersecurity operations center

MITRE has published 11 Strategies of a World-Class Cybersecurity Operations Center, a practical book for enhancing digital defense for security operations center (SOC) operators.

"Operating without commercial conflicts of interest, we're working to arm a worldwide community of cyber defenders with vital information to thwart network intruders," said Wen Masters, vice president, cyber technologies, MITRE. "We draw from a wealth of deep technical expertise at MITRE to address the ever-evolving challenges in cybersecurity. The authors of 11 Strategies of a World-Class Cybersecurity Operations Center bring forth the best principles and practices within MITRE to help the entire cyber ecosystem leverage up their defenses and operations."

Monday, 6 December 2021, in Riyadh, Saudi Arabia

Vision 2030 is a unique transformative economic and social blueprint that is opening Saudi Arabia to the world.

"Our country is rich in its natural resources. We are not dependent solely on oil for our energy needs. Gold, phosphate, uranium, and many other valuable minerals are found beneath our lands. But our real wealth lies in the ambition of our people and the potential of our younger generation. They are our nation's pride and the architects of our future."

Saudi Vision 2030

Under this program, @athack, the biggest infosec conference in Saudi Arabia, was born.

It had a comprehensive agenda with speakers from all over the world, so Saudis do not need to travel abroad to see on stage gurus like Bruce Schneier, successful entrepreneurs like Robert M. Lee, the people hacker Jenny Radcliffe, or the hacker Jayson E. Street.

In total, around 250 international security professionals were brought to the event. I had the extraordinary opportunity to attend the @Hack Arsenal.

In the @Hack Arsenal area I had the chance, alongside many other security researchers, to demo the tools we are working on.

Fraud in Saudi Arabia is aligned with the worldwide metrics: it is increasing constantly.

I showed some last-minute examples of fraudulent websites that had popped up in my Twitter stream as advertisements!

Also some fraudulent websites in Arabic, which I had no idea what they were about, but someone in the audience thankfully clarified it for me :-)

It seems the audience got interested in the topic.

After the session there were quite a few interesting questions and interactions with the audience:

I had the opportunity to meet new and quite interesting people, to learn a bit more about other cultures and Islam, and I even did an interview for the Saudi Federation for Cybersecurity, Programming and Drones, one of the main organizers in partnership with other entities :)

There is great young talent in Saudi Arabia and everyone has faith in the Saudi Vision 2030. Saudis know the importance of learning programming; soon it will be as important as learning to read and write. Part of their strategy is to create one programmer out of every 100 Saudi nationals by 2030, in addition to encouraging innovation and creativity and achieving global leadership. This was our small contribution to support their vision.

Thank you to the toolswatch team and to all the Arsenal presenters for such a great experience!

I have to say it has been an impressive experience to visit the Kingdom of Saudi Arabia and to feel the warmth and kindness of its people. Hats off to the organization of atHack!!

Friday, 29 October 2021

Facebook refuses to drive scammers off its platform because it generates billions of dollars per year in revenue from deceptive Facebook ads

The title of this post is the response to this other article, "Facebook does not worry about the online counterfeiting fraud".

Recently I became aware that Facebook (or Meta) has been served with a lawsuit accusing it of actively soliciting and assisting scammers for its own financial gain and to users' detriment.

The whole document is worth a read for pearls like the ones below:

4. Facebook has done much more than passively create and maintain a platform on which scammers can brazenly target users with scams. According to internal Facebook documents, and current and former Facebook employees and contractors recently interviewed by various investigative journalists at prominent publications, Facebook actively solicits, encourages, and assists scammers in numerous ways. On the revenue side, according to these investigations, Facebook's sales teams have presented at conferences heavily attended by known scammers, socialized with known scammers for business development purposes, and met revenue quotas by encouraging known scammers to continue buying Facebook ads. Facebook's sales teams have also been aggressively soliciting ad sales in China and providing extensive training services and materials to China-based advertisers, despite an internal study showing that nearly thirty percent (30%) of the ads placed by China-based advertisers — estimated to account for $2.6 billion in 2020 ad sales alone — violated at least one of Facebook's own ad policies.

5. On the enforcement side, according to these investigations, Facebook has affirmatively directed employees and contractors tasked with monitoring Facebook's platform for deceptive ads to (i) ignore ads placed by hacked Facebook accounts and pages, as long as Facebook gets paid for these ads, and (ii) ignore violations of Facebook's Ad Policies, especially by China-based advertisers (since Facebook "want[s] China revenue").

6. In October 2020, the Federal Trade Commission ("FTC") reported that about 94% of the complaints it collected concerning online shopping fraud on social media identified Facebook (or its Instagram site) as the source.

Let's see how this lawsuit ends up.