
Page 1: EDPS-ENISA Conference: Towards assessing editorial › wp-content › uploads › 2019 › 04 › Newsletter_Marc… · Regulation (GDPR) - (EU) 2016/679 and the Regulation (EU) 2018/1725

EDPS-ENISA Conference: Towards assessing the risk in personal data breaches

Location: Bruxelles, Belgium

Date: April 4, 2019

https://www.enisa.europa.eu/events/edps-enisa-conference/edps-enisa-conference-towards-accessing-the-risk-in-personal-data-breaches

EDPS and ENISA organize a conference that aims to touch upon the current state of play in personal data breach notification, from the perspectives of both the regulators and data controllers/processors, while addressing the aspect of risk assessment. The conference aims to address the aspect of personal data breaches under the General Data Protection Regulation (GDPR) - (EU) 2016/679 and the Regulation (EU) 2018/1725 for the processing of personal data by EU Institutions and bodies. Particular focus will be put on exploring the notion and different levels of risk to the rights and freedoms of data subjects.

Cyber-Crime Conference 2019

Location: Rome, Italy

Date: April 17, 2019

https://www.ictsecuritymagazine.com/eventi/cyber_crime_conference_2019/presentazione

The 10th edition of the Cyber Crime Conference will take place on 17 April 2019 in the splendid setting of the Technical Auditorium, the Confindustria congress center in the EUR district of Rome.

This tenth edition will open with a Round Table dedicated to Blockchain Security.

The Blockchain is an emerging evolving technology designed to be secure and democratic based on four fundamental concepts: decentralization, transparency, encryption and immutability.

In terms of security, the Blockchain is considered a potential solution for the management of Big Data, financial instruments, Supply Chain and more.

Cybersecurity Mediterranean Congress - 2nd Edition

Light in the Dark

In recent years, alongside the term cybersecurity, we hear more and more often about the Deep Web and the Dark Web. These terms are often confused, and we associate both with criminal activities. To clarify: with the term Deep Web we indicate content that is present on the network but not indexed by the usual search engines (such as Google, Bing, etc.); with Dark Web we indicate, instead, the set of content that is publicly accessible but hosted on websites whose IP address is hidden. Anyone who knows the address can access these websites. The network that makes up this closed network is called a darknet.

Giving a dimension to this world is fundamental to contextualize the phenomenon. According to industry experts, the public and visible network, whose content can be found using the classic search engines, represents more or less 4% of the content of the World Wide Web (WWW). The Deep Web, instead, represents 96% of the content of the WWW, which makes it much larger than the public web. The most popular darknets are anoNet, TOR (The Onion Router), the Invisible Internet Project (I2P) and Freenet. Among these, the TOR network is the most popular. This infrastructure makes it possible to anonymize internet access for its users, and precisely these pseudo-anonymity conditions make it attractive to organizations dedicated to cybercrime, along with the fact that the TOR network is difficult for law enforcement to monitor on a large scale.

These networks offer all kinds of services that can facilitate illegal practices. The dark web is a particularly interesting place for communities of malware developers. In the different black markets hosted there, it is easy to find malicious code and useful services for the personalization and distribution of malware, APTs, etc. Darknets are always used to hide the command and control structures of botnets. The command and control structures hidden in TOR networks are difficult to identify, guaranteeing success to botnet managers. Secrecy is the key point on the dark web, and many forums are difficult to find and to access without prior knowledge. It is also time consuming, due to the large amount of information, to separate actionable intelligence from noise. That is why there is great demand for dark web researchers and for services that can provide us with intelligence reports. Dark web monitoring is a smart activity for your SOC/CERT that may help your organization gather tangible threat intelligence and strengthen its cybersecurity defenses.

The GCSEC Foundation believes that we should invest more in the field of cyber intelligence, and that knowledge of these networks and of how to access this information must be shared by all operators in the sector. On this front, with the CERT-STAR program, it has launched a series of seminars involving exercises and training in order to increase the skills of those working in the cyber security sector. In particular, a specific session will be dedicated to the DarkNet on April the 4th, in order to clarify an issue that must be fully integrated into the security strategies of organizations.

Enjoy the lecture…

Nicola Sotira

General Manager GCSEC

events

editorial

2019 March


A dive in the deep Dark Web

by Aldo Di Mattia - Principal System Engineer, Team Leader Centre/South Italy, Fortinet

Breach and Attack Simulation – Know Your Enemy By Maya Schirmann - Marketing, XM Cyber

What is commonly known as the Web is only the surface: it refers to a very small part of the "www", the part reached by so-called web surfing, approximately 4%.

Studies reveal that the content indexed today by search engines, such as Google or others, is that 4%, a very small part of all websites.

From this point derive two terms that are typically used synonymously but are not synonyms here: one is the Deep Web, which represents exactly the remaining 96% of sites that simply are not indexed and cannot be found by common search engines, or sites that are password protected.

To access the Deep Web, the "submerged" world, it is necessary to know the address by heart or to have specific credentials.

Inside the Deep Web there is the world of the Dark Web. Its content is also non-indexed, but to access it you need an additional element: specific software that allows you to enter the so-called DarkNet.

The most famous and widespread software is called TOR. To access it you need a specific browser, a dedicated version of Firefox released by TOR.

The reason why the world needs to have a DarkNet is explained by the name: the acronym TOR stands for "The Onion Router".

Onion routers are so called because encryption in the DarkNet is multilevel encryption, layered exactly like an onion.

Even a site that is not itself encrypted (http, https) is, inside TOR, encrypted with multiple levels of encryption.

The goal is to ensure that a single message and its content are visible only to the client and the server, that is, to whoever delivers a given content and to whoever needs to use it, excluding everyone else within the network.

Another feature of the DarkNet is that no one in the network can see the real IP addresses that, in the Internet world, identify the client and where it is physically connected

Location: Florence, Italy

Date: May 9-10, 2019

https://gcsec.org/cybersecurity-mediterranean-congress/

The Second Edition of the Cybersecurity Mediterranean Congress will be held in Florence, organized in collaboration with the GCSEC Foundation, Thales under the aegis of ITU, and under the patronage of the Swiss Embassy in Italy.

ItaliaSec Summit

Location: Rome, Italy

Date: May 14-15, 2019

https://cyberseries.io/italiasec/

ItaliaSec returns to Rome for its third edition. It is an annual forum for the leading experts in information security, for both the public administration and enterprises, in the Financial, Retail, Energy, Chemical, Pharmaceutical, Manufacturing, Food, Health and Transportation fields. Among the key topics for 2019: the interaction between the CISO and the Board, the process of ICT risk management and how to structure it in an organic way, the ROI on IT security investments, the creation of a corporate security culture, and the cyber security of Operational Technology systems in the context of Industry 4.0.

Vulnerable Docker Hosts Actively Abused in Cryptojacking Campaigns

https://www.bleepingcomputer.com/news/security/vulnerable-docker-hosts-actively-abused-in-cryptojacking-campaigns/

Hundreds of vulnerable and exposed Docker hosts are being abused in cryptojacking campaigns after being compromised with the help of exploits designed to take advantage of the CVE-2019-5736 runc vulnerability discovered last month. The CVE-2019-5736 runc flaw triggers a container escape and it allows potential attackers to access the host filesystem upon execution of a malicious container, overwrite the runc binary present on the system, and run arbitrary commands on the container's host system.

While the container breakout security flaw found in runC was patched the same day by multiple vendors (e.g., Amazon, Google, and Docker), and one of the runC maintainers published a patch designed to fix the issue. Following the disclosure of the vulnerability on February 11, there were approximately 3,951 Docker daemons exposed and, as discovered by Imperva's Vitaly Simonovich and Ori Nakar, the number remained pretty much constant with roughly 4,042 being reachable at this moment.

in this issue

news

A dive in the deep Dark Web by Aldo Di Mattia - Principal System Engineer, Team Leader Centre/South Italy, Fortinet


(provider, country, city, etc.) or data that allow everyone, including law enforcement, to track hosts.

This is the main reason why TOR and the other DarkNets exist in the world: to make services invisible, masking their IP addresses and identity and encrypting their content.

This is a way to access services without leaving a trace: from TOR it is therefore possible to see the rest of the world, but not vice versa.
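The layered ("onion") encryption described above can be made concrete with a short added example, which is not part of the original article and is not TOR's actual protocol. The relay names, keys and destination are constructed, and a toy HMAC-SHA256 keystream stands in for a real cipher; the point is only that each relay removes one layer and learns nothing but the next hop.

```python
import hashlib
import hmac
import json


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (same call encrypts and decrypts).

    Toy stand-in for a real cipher: no nonce, no integrity check, illustration only.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(path, destination: str, message: bytes) -> bytes:
    """Client side. path is [(relay_name, key), ...] in travel order.

    The innermost layer (for the last relay) is built first, the outermost last.
    """
    next_hop, inner = destination, message
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": inner.hex()}).encode()
        inner = toy_cipher(key, layer)
        next_hop = name
    return inner


def peel(key: bytes, cell: bytes):
    """Relay side: remove exactly one layer, returning (next hop, inner cell)."""
    layer = json.loads(toy_cipher(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])


def route(path, cell: bytes):
    """Pass the cell along the path and record what each relay learned."""
    learned = []
    for name, key in path:
        next_hop, cell = peel(key, cell)
        learned.append((name, next_hop))
    return learned, cell


# Constructed sample values (hypothetical relay names and keys).
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
MESSAGE = b"GET /index.html"

if __name__ == "__main__":
    cell = wrap(PATH, "destination.example", MESSAGE)
    learned, delivered = route(PATH, cell)
    for relay, next_hop in learned:
        print(f"{relay:6s} only learns the next hop: {next_hop}")
    print("delivered:", delivered)
```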

The Dark Web is not an unhealthy place in itself, but it is mainly used to spread illegal content.

For example, in certain states specific censored sites are accessible through TOR. Some of these, like Facebook, have opened a site in TOR to provide access for those who live under regimes that apply censorship to this type of site.

Another example of a "good" site that offers services on TOR is ProPublica, an independent and non-profit platform. Its aim is to denounce abuses by governments, companies and institutions: the onion structure guarantees complete anonymity to protect readers.

A million dollar business

Several studies show that the main content spread within the Dark Web is certainly financial fraud, with subdomains related to credit card cloning, eBay and PayPal accounts, up to home banking service accounts.

Analyses also demonstrate that real price lists exist: for example, an online banking account is sold for 200 to 500 dollars (depending on the balance of the account); a PayPal or eBay account can be purchased for about 800 dollars.

There is therefore a real resale of accounts, or of spendable bank accounts. Fake documents are another common service sold within the dark web. Among the services that have caught on most in recent years there are certainly malware, botnets and DDoS attacks, and here too there are price lists: a falsified certificate (identity card or driving license) goes from 10 to 35 dollars, malware that allows remote access is rated between 350 and 400 dollars, the code of a banking malware goes from 900 to 1500 dollars, and a 24h DDoS attack, therefore a rental botnet, can be worth 1,500 dollars.

The most common services within the Dark Web are consequently related to the sale of malware and attack services. In terms of problems and criticalities, the two most serious ones are child pornography and terrorism: from an analysis of redirected suspicious pages in the DarkNet, about 1/3 avoid malware distribution, 1/3 are sites for anonymizing navigation, and the remaining third are child pornography content sites.

Another component, with a very small but certainly crucial percentage, is represented by terrorism. The DarkNet is indeed used to influence and talk to Western jihadists, or to spread information on how to buy weapons through the Dark Web.

Two other products among the most sold on the dark web are weapons and drugs. It is an expanding economy, considering that the popular black market "Silk Road" did 22 million dollars of business in 2012 alone, just one year after its birth. These figures are growing exponentially.

Companies can now count on Fortinet protection: FortiGate makes available a database of TOR network IP addresses (exit nodes and relay nodes) as well as those of other anonymization proxies.

This list of dynamic objects can be used directly in firewall policies to block redirection to these networks, and to block access from these networks to the services you provide on the Internet. It is also possible to block or monitor traffic to and from anonymization systems using application control profiles, in which case the traffic is identified by application-level signatures.
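The two directions of matching described above (internal clients reaching anonymization networks, and anonymization networks reaching your published services) can also be applied to flow logs for monitoring. The following is an added example, not Fortinet code or FortiGate configuration: the feed format, the flow-record format and all addresses are constructed for illustration, using documentation address ranges.

```python
import ipaddress

# Constructed sample of an anonymizer address feed, one "address,role" per line.
SAMPLE_FEED = """\
# address,role (constructed values from documentation ranges)
192.0.2.10,exit
192.0.2.11,relay
198.51.100.0/28,proxy
2001:db8::5,exit
"""

# Constructed flow records: "source destination destination-port".
SAMPLE_FLOWS = """\
10.0.5.23 192.0.2.11 9001
192.0.2.10 10.0.1.80 443
10.0.5.40 203.0.113.7 443
198.51.100.9 10.0.1.80 22
2001:db8::5 fd00::80 443
not-an-ip 10.0.1.80 80
"""

# Assumption: these prefixes are the organization's own address space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fd00::/8")]


def load_feed(text):
    """Parse the feed into (network, role) pairs, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, role = (part.strip() for part in line.split(",", 1))
        entries.append((ipaddress.ip_network(addr), role))
    return entries


def feed_role(addr, feed):
    """Return the role of the first feed entry containing addr, else None."""
    for net, role in feed:
        if addr in net:  # False (not an error) when IPv4 meets IPv6
            return role
    return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def classify_flow(line, feed):
    """Classify one flow record as (verdict, role of the matched feed entry)."""
    fields = line.split()
    try:
        src = ipaddress.ip_address(fields[0])
        dst = ipaddress.ip_address(fields[1])
    except (IndexError, ValueError):
        return ("malformed", None)  # never silently drop unparsable records
    dst_role = feed_role(dst, feed)
    if is_internal(src) and dst_role:
        return ("outbound-to-anonymizer", dst_role)
    src_role = feed_role(src, feed)
    if src_role and is_internal(dst):
        return ("inbound-from-anonymizer", src_role)
    return ("no-match", None)


def review(flows_text, feed_text):
    feed = load_feed(feed_text)
    return [classify_flow(l, feed) for l in flows_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_FLOWS.splitlines(), review(SAMPLE_FLOWS, SAMPLE_FEED)):
        print(f"{line:32s} -> {result}")
```

Such a feed changes frequently, so a match is only meaningful if the list was current at the time of the flow.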

Quantum physics could protect the grid from hackers – maybe

https://www.wired.com/story/quantum-physics-protect-grid/?mbid=social_twitter&utm_brand=wired&utm_campaign=wired&utm_medium=social&utm_social-type=owned&utm_source=twitter

Cybersecurity experts have sounded the alarm for years: Hackers are ogling the US power grid. The threat isn’t merely hypothetical—a group affiliated with the Russian government gained remote access to energy companies’ computers, the Department of Homeland Security published last March. In some cases, the hackers could even directly send commands to mess with hardware, which meant they could have cut off the power entirely to customers’ homes. To shut these hackers out, utility companies need better security. One group of physicists think they have a patch: quantum-encrypted power stations.

The Ursnif Gangs keep Threatening Italy

https://securityaffairs.co/wordpress/82921/malware/ursnif-threatening-italy.html

Malware researchers at Cybaze-Yoroi ZLab team uncovered a new Ursnif malware campaign that reached several organizations across Italy. The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace, even during the past days, when new attack attempts reached several organizations across Italy. Cybaze-Yoroi ZLab team dissected its infection chain to keep tracking the evolution of this persistent malware threat, analyzing its multiple stages, each one with the purpose to evade detection, sometimes leveraging system tools to achieve its final objective: run the Ursnif payload.

European Commission recommends common EU approach to the security of 5G networks

https://ec.europa.eu/digital-single-market/en/news/european-commission-recommends-common-eu-approach-security-5g-networks

The European Commission has recommended a set of operational steps and measures to ensure a high level of cybersecurity of 5G networks across the EU. Fifth generation (5G) networks will form the future backbone of our societies and economies, connecting billions of objects and systems, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems. Democratic processes, such as elections, increasingly rely on digital infrastructures and 5G networks, highlighting the need to address any vulnerabilities and making the Commission's recommendations all the more pertinent ahead of the European Parliament elections in May.


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

― Sun Tzu, The Art of War

For millennia, military strategists around the world have recognized that thinking like the enemy is one of the best ways to anticipate what they’re going to do and so defeat them. With the numbers of attacks rising year-over-year, traditional lines of defense just aren’t good enough anymore. Breaches appear everywhere, with attackers steadily advancing, and no organization should neglect approaches that look at their defenses from the viewpoint of the attacker.

Proactive security strategies

A large number of organizations are coming to see that a proactive security strategy is one of the best defenses. You need to see where the threats are coming from, how they can move within your network, and where the vulnerabilities in your defenses are, so that you can find them and close them before cyber attackers take advantage of them.

To become proactive on the security front, it’s vital that you identify in advance the vectors of attack that will be utilized and remediate security issues as they are created and before they are exploited. For that, you need a continuously running campaign of tests running against your current defenses with simulations in your real environment: that’s where breach and attack simulation comes in.

Generally, an organization won’t realize where exactly it was vulnerable in terms of its defenses until the attack comes, by which time it’s too late to fix these vulnerabilities. If you are continually testing your security, you can uncover the attack paths and remedy these failings before attackers find out about them. Proactive vs. Reactive.

Moving to ongoing security testing

Networks are dynamic, security systems are extremely complex, and IT demands are changing constantly, adding new systems, software, hardware, new levels of security, of permissions etc. All this takes time and money, and to protect investments, automated security testing is a very efficient solution.

If you are continuously and automatically testing your security posture, not only will you know that your defenses are prepared and in place, you can also improve your security posture by identifying the areas that are vulnerable to attack.

The introduction of breach and attack simulation

Cybersecurity, for many firms, has started to resemble a military drill. It really is a war zone out there, and only the latest proactive practices and processes will keep you from defeat. The military keeps their soldiers on their toes by continuously running wargames; cybersecurity experts should be doing the same by running simulated cyber-attacks.

What XM Cyber’s automated cyber-attack simulation provides

> With red team operations running continuous campaigns, simulated cyber attacks will show you attack paths and weaknesses in your IT systems and your network.

> Running continuous campaigns helps identify vulnerabilities as changes happen in your network, it is not a point in time testing methodology.

> You will receive an actionable remediation plan with the critical issues to be fixed in order to avoid lateral movement to your critical assets.

Employing simulation testing like HaXM by XM Cyber means that you always know how well your defenses are working, and whether there are any security issues. You will be able to identify holes in your defenses before the attackers do, protecting your most vital assets and strengthening your security posture to repel them.

Breach and Attack Simulation – Know Your Enemy By Maya Schirmann - Marketing, XM Cyber


Thomas J. Holt, Olga Smirnova, Yi-Ting Chua, Data Thieves in Action. Examining the International Market for Stolen Personal Information, New York 2016 (Palgrave Macmillan), 164 pp.

This scientific study, with abundant bibliographic resources, has the advantage of offering all readers an in-depth and fully documented account of where stolen data ends up and why data, especially economic or medical data, have become so attractive. The research offers a precise range of data values on the market, drawing on the values of many of them in the deep/dark web, compared across citizens and countries.

From the "price list" analysis of all the possible types of data (from credit cards, ordered by the country and bank where they were issued, to the fullz, which also include PIN codes, up to complex exploits in money-transfer systems) we immediately realize how significant the revenues of criminals operating in the sector are.

Next, the economic costs and risks faced by each actor are analyzed: fines and shame for the victim of the data loss, a risk-free market of thousands of dollars for data resellers, and instead several problems for buyers of stolen data, who can make millions or, at the same time, be victims of scams.

The advantage of this work lies in making us understand that, however illegal and complex this activity is, it also depends on the classic business system - where the trust between the seller and the buyer counts – on the frequent variations in prices and therefore on the possible benefits depending on languages, countries, macro-economy and many other parameters.

By refining the research, the authors explain the very complicated social organization of the illegal data market ecosystem. In summary, this volume will certainly make history: without achieving the impossible, that is, giving a credible estimate of the annual losses for the real economy directly generated by data theft, it allows a first well-researched immersion in this criminal world, making us understand how it works, its patterns of interaction, and the nature of the relationships between its various actors.

PROGRAM

CERT STAR is a program of closed meetings dedicated to CERTs and SOCs, aimed at enhancing competences and improving cooperation and the exchange of experiences. During the meetings, core security topics like threat hunting, incident prevention and response, intelligence and digital forensics are analysed at a technical and operational level. Meetings include practical exercises and use of tools and instruments.

2019 Calendar

28 February - APT and Cyber Range

04 April - Dark Web

11 June - Threat intelligence and Digital forensics

12 September - Application Security

07 November - End Point Security

03 December - Meeting with executive

Location: Hotel Radisson Blue – Via Filippo Turati, 171 Roma

For more information send an email to [email protected]

Data Thieves in Action. Examining the International Market for Stolen Personal Information Thomas J. Holt, Olga Smirnova, Yi-Ting Chua


GCSEC - Global Cyber Security Center

Viale Europa, 175 - 00144 Rome - Italy

https://www.gcsec.org