::Trend Micro Threat Resource Center::

23 May 2016

Cross-sector collaboration aims to strengthen Singapore's cyber security capabilities

StarHub has announced plans to grow the local cyber security ecosystem at the launch of its Cyber Security Centre of Excellence (COE). It has teamed up with five industry partners and four institutes of higher learning (IHLs).


StarHub and the COE partners will jointly invest S$200 million over the next five years to support a sustainable cyber security ecosystem.

According to the telco’s news release, StarHub today launched its new Cyber Security Centre of Excellence (COE), and announced that StarHub and its partners will undertake initiatives to develop talent, innovation and industry collaboration to bolster local cyber security.

Five industry partners, namely Blue Coat, Cyberbit, EY, Fortinet and Wedge Networks, and four institutes of higher learning (IHLs), namely Nanyang Polytechnic (NYP), Republic Polytechnic, Temasek Polytechnic and the Singapore University of Technology and Design, have thus far joined the COE.

StarHub says it plans to bring more industry and IHL partners into the COE to drive value and results.

To help cyber security professionals enhance their knowledge and career development, StarHub plans to work with leading centres for professional development in cyber security to design and offer relevant training courses. StarHub is also committed to addressing the shortage of cyber security talent in Singapore by training at least 300 specialists on different cyber related capabilities and skill sets over the next five years. It is teaming up with the four IHLs and the Cyber Security Agency of Singapore (CSA) to enhance cyber security training curriculum and programmes, and to collaborate on research and development.

As a first step, StarHub and NYP have jointly established a lab on NYP campus to provide hands-on training for students of Cyber Security & Forensics. These students will subsequently have the opportunity to learn directly from experienced cyber security professionals during their internship placements at StarHub or its industry partners.

Meanwhile, Professor Yitzhak Ben-Israel has been appointed as the advisor to the COE. He is a member of Singapore’s Research, Innovation and Enterprise Council, as well as the International Advisory Panel for Singapore's National Cybersecurity Research and Development Programme. Ben-Israel is also Singapore’s Agency for Science, Technology & Research, and heads the Security Studies programme at Tel Aviv University.

21 April 2016

1 in 6 emails contains a virus: study


After Locky, here come KeRanger, PowerWare and Petya. According to a current analysis by Retarus security experts, 17% of all incoming email messages are blocked due to a suspected virus. This corresponds to a fivefold rise compared with the previous month and is explained primarily by the large increase in ransomware: the security experts are currently observing a significantly higher incidence of the crypto trojan Locky, as well as new variants of it.

On average, in March, one in six emails sent to mailboxes used for business purposes contained a virus. In total, this means just as many infected messages occurred per hour as occurred per month in 2015 on average.

The analysis by the Retarus experts revealed that this can be explained by the huge rise in the incidence of crypto trojans. Whilst in February only around 3% of all incoming emails were infected, the share of messages filtered in March due to viruses had already risen to 17%. The reason: during this period, numerous additional versions of the virus appeared after the first Locky threat wave.

As crypto trojans can morph their structure quickly and frequently and, as a result, assume the most diverse forms at lightning speed, ransomware is not detected immediately by every virus scanner. Nevertheless, protection can be improved using professional cloud services. Specialised email security services run several scanners in parallel and continuously expand their filter rules, so they can offer the latest protection levels at any time. Additional mechanisms, such as a four-level virus scan, also increase the likelihood of identifying and blocking extortion trojans in good time.

Heightened vigilance is essential
To ensure the best possible protection from attacks by Locky and similar ransomware, email users must be highly vigilant. Retarus recommends that users deactivate the automatic execution of embedded macro code in Office programs and that macros should only be activated if they are absolutely essential and where the corresponding documents originate from known sources.

In principle, users should only open email attachments if the sender or the process described in the email is trustworthy. So that potentially affected data can be restored quickly and, wherever possible, without losses, important data should be backed up on a regular basis. Note that Locky can also attack external storage media if they are permanently connected to the computer.

Caution is also advised in the event of an extremely slow processor response, elevated hard drive activity without a detectable reason, or files with the extension .locky on the hard drive. To close existing gaps in security, the latest versions of virus scanners should always be installed and patches applied regularly.
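One concrete form of the "look for .locky files" check above is a small scan that also measures the entropy of each such file, since freshly encrypted output is close to random while a merely renamed document is not. This is an added example, not code from Retarus or the original article; the directory tree it builds is constructed sample data.

```python
import math
import os
import tempfile
from pathlib import Path

LOCKY_EXT = ".locky"  # extension named in the article


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_locky(root: str, sample_bytes: int = 4096, threshold: float = 7.0) -> dict:
    """Walk `root`, list .locky files and flag those whose first bytes look encrypted."""
    hits, total = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower().endswith(LOCKY_EXT):
                path = Path(dirpath) / name
                with open(path, "rb") as fh:
                    ent = shannon_entropy(fh.read(sample_bytes))
                hits.append({"path": str(path), "entropy": round(ent, 2),
                             "encrypted_like": ent >= threshold})
    # any .locky file is already a reason to isolate the host and check backups
    return {"files_seen": total, "locky_files": hits, "alert": bool(hits)}


def build_constructed_tree() -> str:
    """Constructed sample: one ordinary document and one fake .locky file of random bytes."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    (Path(root) / "report.docx").write_bytes(b"plain text " * 100)
    (Path(root) / "A1B2C3D4.locky").write_bytes(os.urandom(4096))  # hypothetical name
    return root


if __name__ == "__main__":
    print(scan_for_locky(build_constructed_tree()))
```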

08 April 2016

Blackhat Asia 2016

Glad to be back at this amazing conference. I attended the last one held in 2015 with access to all briefings, and the session content is intriguing and scary at the same time.

But as they say, no defense is 100% foolproof. They WILL get in anyhow; it's how long you take to detect and respond.

Some highlights from Arsenal:

- CrackMapExec
  - Aims to be a one-stop shop for pentesting Active Directory environments! Think smbexec on steroids, combining the latest and greatest techniques for AD ownage in a single tool!
  - From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, concurrently auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit, querying and executing commands through MSSQL DBs and more!
  - The biggest improvements over the current tools are:
    - Pure Python script, no external tools required
    - Fully concurrent threading
    - Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc.
    - Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc.)
  - Fully open-source and hosted on GitHub!

- VirusTotal
  - A free online file and URL scanner that everyone knows.
  - However, there are many free features that many users don't know about, such as:
    - A free public API for anyone to automate file or URL analysis.
    - IP address and domain reputation: see malware files known to be associated with a particular IP address or domain, and historical passive DNS info
    - Sysinternals, Carbon Black, etc. integrations
    - Static analysis of files, structural analysis of many file types (PE, ELF, APK, ZIP, RAR, Mach-O, .NET, Office, etc.)
    - Sandbox dynamic analysis of PE, APK and Apple Mach-O applications.
    - ROMs, BIOS and firmware files
    - SSDEEP, authentihash, imphash and other similarity indexes
    - Certificate checks on signed files
    - Whitelisting of trusted files
    - Free desktop scanning applications for Windows and Mac, and open source for compilation on Linux.

Had a short chat with the developer of CrackMapExec, he mentioned that this tool runs entirely in memory and does not have any footprint. It is basically undetectable, except that the only tell-tale signs of execution would be spikes in the CPU and RAM usage.

Demonstration of CrackMapExec by @byt3bl33d3r

06 April 2016

GitHub recovers from major outage; cause unknown


GitHub, a frequent target of distributed denial of service (DDoS) attacks, experienced a major outage early Tuesday morning, Eastern Time; however, the software development hosting service tweeted shortly thereafter that it identified the problem and that its online operations were running normally again.

As of press time, it is not publicly known whether the outage stemmed from an internal error or from the latest in a series of external cyberattacks against the service. GitHub's site performance was noticeably impacted as recently as March 23 following a DDoS assault against the website.

Asked for an update and an explanation of the underlying issue, a member of GitHub's communications department directed SCMagazine.com to its online status page, which showed that from around 4:30 a.m. to 6 a.m. ET, app server availability ostensibly plummeted to zero percent, while response times spiked.

Travis Smith, senior security research engineer at cybersecurity software firm Tripwire, said in a statement emailed to SCMagazine.com: “While a drop in service such as this may be attributed to an operational malfunction internally at GitHub, it can't be ruled out that this was a targeted attack” against not just GitHub, but also “any number of their customers who leverage GitHub's service in production environments.”

GitHub experienced an especially severe DDoS attack in March 2015 — an attack that many researchers have attributed to state-sponsored Chinese hackers.

23 March 2016

The typo that can get you hacked

Here’s another reason to be extra careful about what you type into your web browser.

Cybersecurity firm Endgame has unearthed a new spin on the good old “typosquatting” scam — the practice of purchasing domain names similar to legitimate websites (Think Gooogle.com) in hopes that a small keyboard snafu nets hackers access to your computer.

The new scam aims to install malware on devices after users accidentally type “.om” instead of “.com” after popular URLs. Endgame discovered the scheme after one of its employees mistakenly typed “Netflix.om” instead of Netflix.com when attempting to watch the latest season of House of Cards earlier this month.


Per a company blog post:

“He did not get a DNS resolution error, which would have indicated the domain he typed doesn’t exist. Instead, due to the registration of “netflix.om” by a malicious actor, the domain resolved successfully. His browser was immediately redirected several times, and eventually landed on a ‘Flash Updater’ page with all the usual annoying (and to an untrained user, terrifying) scareware pop-ups.”

After doing some more research, Endgame found the streaming service wasn’t the only popular URL being “om’ed”. Though some sites bearing that ending were legitimate, 319 .om domains appeared to have some type of scheme attached to them. (Fake Flash updates, for instance, are commonly linked to a well-known malware family named Genio that attaches itself to web browsers and mines for data.)

You can see a full list of the potentially dangerous domains here. It’s important to note you could also be in trouble if you typed the “c” but misplaced the period (example: bestbuyc.om or cnnc.om). This particular typosquatting game was easy for hackers to play, Endgame said, since “.om” is the country-code domain for Oman.
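The two slip patterns the article describes (dropping the “c”, as in netflix.om, or misplacing the period, as in bestbuyc.om) can be turned into a lookup that a proxy or DNS filter applies before a request leaves the network. This is an added example, not Endgame’s code; the brand list is a constructed assumption, and a legitimate .om site that matches no watched brand is deliberately left alone.

```python
from urllib.parse import urlsplit

# Constructed watch list of brand domains; a real deployment would load its own.
KNOWN_DOMAINS = ["netflix.com", "bestbuy.com", "cnn.com", "google.com"]


def om_variants(domain: str) -> dict:
    """Return the two ".om" slip forms of one .com domain, keyed by the typo form."""
    if not domain.endswith(".com"):
        return {}
    label = domain[: -len(".com")]
    return {
        label + ".om": "dropped-c",     # netflix.com  -> netflix.om
        label + "c.om": "shifted-dot",  # bestbuy.com -> bestbuyc.om
    }


def build_watchlist(domains) -> dict:
    """Map every typo form to (intended domain, pattern) for constant-time lookup."""
    table = {}
    for d in domains:
        for variant, pattern in om_variants(d).items():
            table[variant] = (d, pattern)
    return table


WATCHLIST = build_watchlist(KNOWN_DOMAINS)


def check_url(url: str, watchlist=WATCHLIST):
    """Return (intended_domain, pattern) if the host is a watched .om slip, else None.

    Parent domains are tested too, so www.netflix.om is caught as netflix.om.
    Hosts that match no watched brand (e.g. a genuine Omani site) return None.
    """
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in watchlist:
            return watchlist[candidate]
    return None


if __name__ == "__main__":
    for u in ["netflix.om", "https://www.bestbuyc.om/deals", "https://www.netflix.com"]:
        print(u, "->", check_url(u))
```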

Protecting Yourself
Phishing and malware schemes are common attempts by scammers to get your personal information. For better Internet safety, it’s generally recommended you stick to trusted and encrypted websites (double-check, of course, the spelling of each address); refrain from clicking on links in unsolicited emails and keep your security software up to date.

It’s also good to monitor financial accounts regularly for fraud, and keep a close eye on your credit, since a sudden drop in credit scores or unfamiliar line items on a credit report are signs identity theft is occurring. (You can do so by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.) If you have fallen victim to an Internet scam, you might also consider freezing your credit reports to keep new accounts from being opened in your name. And you can go here to learn what to do if you’ve already spotted identity theft on your credit report.

09 March 2016

Surprise! Microsoft announces SQL Server on Linux

Microsoft has surprised the industry by announcing plans to bring SQL Server to Linux, a move that would accelerate the overall adoption of SQL Server.


“We are bringing the core relational database capabilities to preview today, and are targeting availability in mid-2017,” wrote Scott Guthrie, Executive Vice President, Cloud and Enterprise Group, Microsoft, in a blog.

Guthrie notes that SQL Server on Linux will provide customers with even more flexibility in their data solution.

“This is an enormously important decision for Microsoft, allowing it to offer its well-known and trusted database to an expanded set of customers,” said Al Gillen, group vice president, enterprise infrastructure, at IDC. “By taking this key product to Linux Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

“We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux,” said Paul Cormier, President, Products and Technologies, Red Hat. “As we build upon our deep hybrid cloud partnership, spanning not only Linux, but also middleware, and PaaS, we’re excited to now extend that collaboration to SQL Server on Red Hat Enterprise Linux, bringing enterprise customers increased database choice.”

“We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

The private preview of SQL Server on Linux is available already.

SQL Server 2016
Meanwhile, CEO Satya Nadella and other senior Microsoft leaders recently showcased Microsoft SQL Server 2016, the next release of the company’s flagship business analytics and data management platform, which will be generally available later this year.

Microsoft says SQL Server 2016 supports hybrid transactional/analytical processing, advanced analytics and machine learning, mobile BI, data integration, always encrypted query processing capabilities and in-memory transactions with persistence.

The new release’s encryption capabilities enable data to always be encrypted at rest, in motion and in memory to deliver maximum security protection. In-memory database support is available for every workload, with performance increases of up to 30-100x.

SQL Server 2016 also offers business intelligence for every employee on every device – including new mobile BI support for iOS, Android and Windows Phone devices.

Advanced analytics using Microsoft’s new R support enables customers to do real-time predictive analytics on both operational and analytic data.

Microsoft also says that SQL Server 2016 is available on Linux in private preview, making SQL Server 2016 accessible to a broader set of users.

Easy Migration
Microsoft also announced a new program to help more businesses move to SQL Server 2016. Businesses currently running applications or workloads on non-Microsoft paid commercial RDBMS platforms will be able to offset the costs of licensing, migration planning and training when moving to SQL Server 2016. They will also be able to migrate their applications to SQL Server without having to purchase SQL Server licenses.