MobileSafe
36 Topics

Wearing Emotions on Your Sleeve...Literally
Imagine if your emotions and feelings could be measured, tracked and included in a data graph.

I'm sure you've heard the saying 'wearing your heart on your sleeve' to indicate that someone expresses their emotions freely or exposes their true emotions without caution. This can be good in that you become open and vulnerable when showing your true feelings but can jade areas like composure in situations where you might be frustrated or irritated. I tend to be fairly open with my emotions.

There are a few stories about the origin of the saying going back to the Middle Ages. Emperor Claudius II felt unattached men make better warriors so he outlawed marriage. To alleviate some of the grievances, every year during the Roman festival honoring Juno, he'd allow temporary coupling where men drew names to determine who would be their lady friend for the year. The man would wear her name on his sleeve for the festival. Around the same time, when knights performed jousting matches, they'd dedicate their match to a lovely lady of the court. By wearing her hanky around his arm, he was signaling that he was defending her honor. And in Shakespeare's Othello, Iago confesses,

For when my outward action doth demonstrate
The native act and figure of my heart
In complement extern, ’tis not long after
But I will wear my heart upon my sleeve
For daws to peck at. I am not what I am.
– Othello, Act 1, Scene 1, 61–65

Whatever the origin, humans are emotional creatures. We typically make choices based on emotion, even though we'd like to think it was a rational decision. We may try to hide our emotions so as not to upset or reveal something to another person. Often called a Poker Face. But imagine if your emotions and feelings could be measured, tracked and included in a data graph. Other than a polygraph. Daydream no more. There are now wearables that track your emotions.
This is not your father's old-skool mood ring but devices that read your current emotional state and attempt to soothe and lower stress levels by encouraging deep breaths and relaxation techniques to get you through the haze. Sensors that gather skin temperature, sweat gland activity and blood pulse along with movement gauge your activity level. From that, it generates a graph on your mobile phone so you can see when your stress levels peaked and the mood at the time. You can see real time or over the course of the day. Emotional analysis in your pocket...or sleeve if you got one of those runner's arm band things. I'm sure someone will create a shirt that has color changing sleeve threads depending on a person's emotional state. The Iagonaut.

This is not the future but today. A Fitbit captured the moment of a broken heart during a relationship ending phone call. This man was wearing his Fitbit when the unexpected call came and his daily graph tells the whole story: Koby (@iamkoby) shared his heart wrenching moment (and graph) on Twitter and it saturated the internet. The red arrow indicates the moment that the news hit him. Instantly, his heart rate jumped from 72 to 88 beats per minute and stayed high for the rest of the day. Clearly this healthy, athletic person was under duress and if you couldn't tell by the yellow peak marks, he had trouble sleeping that night.

Talk about exposing your emotions with technology. Would you share your sleeve with the world?

ps

Mazar Bot Overview
Discovered in early 2016, Mazar Bot is spread by sending SMS text messages, via a URL shortener service. Mazar Bot targeted multiple banks specifically in the German-Austrian region according to attacks that were encountered in early July 2017. This malware, seen on Android devices, permits itself to access the following device permissions:

From Spam to Infection

Mazar Bot is used in spam campaigns to gain access to users within a specific region, much like spear phishing. In many cases, the attack is spread via SMS, fake webpages, or email spam. First the malware tricks the user into clicking the link, and immediately afterwards the user faces a login page designed specifically for mobile devices. Once the malware has received the needed login information, it displays installation info and explains how to install and use the upcoming application. At this stage users can still question why they should be downloading another app. To deflect this suspicion, a PHP file named “apk-playstore.php” provides some assistance:

- Mazar Bot explains to the user how to download and use the app
- Prompts the user to press the specific link button
- Gives screen shots that walk through the installation...this allows the device to install the application from unknown sources
- Runs the application immediately after installation

Infection Chain

After the malicious application is installed on the end user's device, it asks to be activated as device administrator. In most cases the malicious application's icon is then deleted and Command and Control communication commences immediately afterwards. The ongoing communication between device and server pulls device information and looks for specific targeted applications. The second stage of communication assigns the infected device a unique ID for database maintenance and support of campaign activity.
The moment the user interacts with a legitimate bank application, Mazar Bot draws an overlay and displays another fake page to harvest more credentials.

Interesting observation: Mazar Bot (in each of the phishing campaigns) has created tailor-made applications designed specifically to attack a designated bank/organization. For each targeted application, it also creates a specific subdomain, probably for masking and for tricking users who were connected to the fake login site.

Strings, the C&C connection

The interesting part of the APK contains some specific C&C related strings. These strings give an overview of the malware's behavior and abilities. The combination of strings strongly supports the claim that the fraudsters behind the malware plan each campaign around a specific bank application. The features represented in the strings cover device control and communication interception: accessing the device's cached memory, grabbing personal data, sending SMS, locking the device, putting the device into sleep mode, and reporting and logging all input/output actions. This configuration is maintained under the unique ID given by the server.

Accepting Credit Cards

Additionally, in the strings section, fraudsters are trying their luck by targeting Google Play. The overlay that pops up while the user is interacting with Google Play or WhatsApp asks for:

- Card number
- CVC
- Expiration Month+Year
- Card holder name
- Credit card type
- Phone number
- First, Last Name

Phishing Sites Statistics

Researched by Kyle Paris

In the attacks we encountered in early July, there wasn't any distinctive region target for hacked servers. The interesting patterns we did identify were compiled from groups of 8-10 phishing links with every attack. Each link's main domain was slightly different, either by a number or a letter, while the subdomain and subfolder remained the same.
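The link-group pattern described above can be turned into a triage check over URLs collected from reported SMS or e-mail spam. This is an added example, not code from the original research: it clusters URLs whose main domain differs in a single character while subdomain and subfolder match. The sample URLs are constructed, using the reserved .example TLD and a hypothetical `login` subdomain and `/secure` folder.

```python
"""Cluster phishing URLs whose registered domains differ by one character
while the subdomain and subfolder stay the same."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input (not taken from the research above). Hosts use the
# reserved .example TLD; the "login" subdomain and "/secure" folder are
# hypothetical stand-ins for the shared subdomain and subfolder.
SAMPLE_URLS = [
    "http://login.update9091.example/secure/index.php",
    "http://login.update9092.example/secure/index.php",
    "http://login.update9093.example/secure/index.php",
    "http://login.update9094.example/secure/index.php",
    "http://login.id78087.example/secure/index.php",
    "http://login.id78086.example/secure/index.php",
    "http://login.id78080.example/secure/index.php",
    "http://login.update9095.example/other/index.php",   # different folder
    "https://www.shop.example/cart/view",                 # unrelated site
    "http://203.0.113.7/secure/index.php",                # bare IP, skipped
]


def split_url(url):
    """Return (subdomain, label, tld, folder), or None if not a domain URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or re.fullmatch(r"[0-9.]+", host):
        return None
    # Assumption: the registered domain is the last two labels. Production
    # code should use the Public Suffix List for suffixes such as co.uk.
    subdomain = ".".join(labels[:-2])
    folder = parts.path.rsplit("/", 1)[0]
    return subdomain, labels[-2], labels[-1], folder


def find_sibling_clusters(urls, min_size=3):
    """Group domains that share subdomain, folder and TLD and differ in
    exactly one character position of the second-level label."""
    buckets = defaultdict(set)
    for url in urls:
        parsed = split_url(url)
        if parsed is None:
            continue
        subdomain, label, tld, folder = parsed
        # "?" cannot occur in a hostname, so it is a safe wildcard marker.
        for i in range(len(label)):
            pattern = label[:i] + "?" + label[i + 1:]
            buckets[(subdomain, folder, tld, pattern)].add(label)

    clusters = []
    for (subdomain, folder, tld, pattern), names in buckets.items():
        if len(names) >= min_size:
            clusters.append({
                "subdomain": subdomain,
                "folder": folder,
                "pattern": f"{pattern}.{tld}",
                "domains": sorted(f"{name}.{tld}" for name in names),
            })
    return sorted(clusters, key=lambda c: c["pattern"])


if __name__ == "__main__":
    for c in find_sibling_clusters(SAMPLE_URLS):
        print(c["pattern"], c["subdomain"], c["folder"], c["domains"])
```

A cluster's wildcard pattern can then be used to watch for or pre-emptively block the remaining siblings of a group once a few of its links have been reported.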
Here is a table comparing phishing link groups with their domain names:

Group 1          Group 2
update9091.pw    id78087.pw
update9092.pw    id78086.pw
update9093.pw    id78080.pw
update9094.pw    id78084.pw
update9095.pw    id78083.pw
update9096.pw    id78088.pw
update9097.pw    id78085.pw
update9098.pw    id78089.pw

F5 Anti-Fraud Solutions: Frictionless Protection for the Masses
Anti-Fraud Solutions: Why F5?

In 2013, F5 Networks grew its security portfolio to include advanced Anti-Fraud services with the acquisition of the Israeli-based security company Versafe. At the RSA Conference in San Francisco this week, we have a section of our F5 booth dedicated to the Anti-Fraud solution where we are talking about the technology, answering questions and demonstrating the capabilities all week. If you cannot make it to the conference or even if you attended but missed us at our booth, that’s not a problem. I’ll fill you in on some of the details.

First, just walking around the RSA Conference, it’s clear that there is no shortage of anti-fraud solutions on the market. The number is mind blowing and continuously growing. As new threats emerge, new technologies are introduced to combat them. But if you look at the approaches each company takes, they are often quite different. So that begs the question: why F5?

Well, from a feature and function standpoint, we cover a wide range of web-based fraud detection and protection capabilities. The WebSafe solution, which protects web-based applications, safeguards against various forms of malicious activity including phishing attacks, Man-In-The-Middle, Man-In-The-Browser and Trojan activity such as web injections, form hijacking, page modifications and transaction modification. But what makes the solution unique is that it enables 100% coverage of the user base in a completely clientless manner, without impacting the user experience. We inject our obfuscated code via an iRule, into the web application code as part of the response data. In other words, the solution is completely frictionless, which is key differentiator number one.

And because the solution leverages common browser-based technologies, we protect users who are navigating from all types of devices: laptops, PCs, tablets, smart TVs, mobile devices, etc. As long as the user is navigating with a standard web browser, they will be protected.
This is key differentiator number two.

From a deployment standpoint, today the WebSafe solution is implemented via an iRule on an F5 device (either physical or virtual), so there is no need to introduce changes to the web applications our customers are looking to protect from online fraud. This saves time when deploying the solution because there is no need to engage web development resources which are often outsourced or already engaged in critical projects. Our ability to deploy without these web application changes equates to savings and is key value proposition number three. As a matter of fact, many F5 customers can leverage their current F5 investment and deploy the Anti-Fraud services on their existing infrastructure, requiring no additional hardware investment: differentiator number four.

Lastly, WebSafe provides protection against online fraud without a client install and with no change in the online users’ experience. Introducing CAPTCHAs, popups, etc. is often too intrusive to the end user, so we are looking to protect the users without introducing friction in the process.

Summary

If you are at the RSA Conference, stop by booth 1801. We would be happy to demonstrate our Anti-Fraud solution and help to enhance your fraud protection capabilities. If you are not at RSA, look for further details here. We will be posting more details about F5’s Anti-Fraud solutions throughout the coming weeks.

Yuck a RAT infestation! How concerned are you?
You’ve gotta hate RATs! They are the most disgusting and opportunistic survivors of all time. RATs dwell amongst us occupying our area of activity, causing great damage, viruses and losses. It may sound as if I am speaking of the wild species Rattus Rattus (the common black rat) that invades and spreads disease, but you know that I am not. Like the animal, Remote Access Trojan (RAT) malware brings about deep concern and anxiety. RATs compromise computers, using back door technology to gain administrative control. This form of malware is intended to gain computer access, redistribute itself, establish a botnet, and do serious damage. The success of RAT usage enables criminals to steal from or wreak havoc on an individual or an entire company.

Are you bothered or concerned about RATs too?

With RATs, ‘cyber thieves’ gain unsuspected control over a victim’s computer to execute malicious exploits. A RAT monitors behavior, accesses confidential information, alters or locks file systems and more. Furthermore, RATs allow cybercriminals to steal valuable information including your identity and even execute fraud. Primarily used to exploit credit cards, personal information and bank accounts, RATs have also become known as a weapon for extortion, where bad actors take valuable files, photos and videos for blackmail or ransom.

As you can imagine, tools of this type are extremely dangerous. Bad actors are very focused on efforts to develop, enhance and update underground software, which is then given away free or sold on the black market, even to the most inexperienced hackers, for as little as $20[1]. Certainly, there are some more advanced RATs that go for $300 or more. According to one Dell report, attackers are always looking for RATs, and willing to pay a premium for those that are easily available and fully undetectable by anti-virus software and antimalware programs.
Common RATs we’ve seen today

- Back Orifice
- Blackshade
- PC Invader
- Beast
- Heseber BOT
- AlienSpy
- Dark Comet
- Havex
- KjW0rm
- Sakula

As an essential element of today’s attacker's toolset, RATs are most effective in their purpose and totally invisible to the victim. RATs can be spread to victims outside of IT/Security control, most often via spam, spear phishing and social engineering attacks. Each victim computer can then be used to infect other computers (or networks), collecting valuable stored information, infiltrating corporate data systems and helping build a dangerous network of cyber-soldiers.

Sound interesting?

Generally RATs have capabilities that enable them to open legitimate ports, mimic remote administrative tools commonly used by IT organizations, and employ sophisticated techniques that evade security measures. They are contained inside heavily packed binaries that are dropped in the later stages of the malware’s payload execution, making them very hard to detect using anti-virus and anti-malware programs. Scary, isn’t it? A RAT that has also enabled criminals to permeate your infrastructure could have infected the very computer upon which you are reading this blog post.

Where is the challenge with security?

So what do you do about RATs? What protective actions should you take? Antivirus software seems to be the popular first choice of defense against all malware types. Although such solutions may detect viruses, many more complex and stealthy crypter forms of malware can escape antivirus scans and sandboxing. Operations or Security may also be a bit challenged at identifying and protecting against remote administrative Trojans before they cause substantial damage. Some organizations lack sufficient security/fraud expertise or a skilled team to conduct ongoing proactive research to discover malware or to thoroughly analyze it.
Maintaining visibility into attacks on client devices is an even greater challenge for many companies and may be a point of contention as to who is responsible, whether it will depend upon end-user involvement, or whether it is even necessary. As you ponder this, keep in mind that RATs affect no one specific, but everyone, as the monetization of credentials and information continues to increase in value.

Stopping RATs in their tracks

To take action and fight off RATs, many leading organizations are turning to technologies adopted by the retail and financial services industries to protect against online fraud. Such solutions go beyond anti-virus solutions to provide real-time visibility into compromised client devices and threats targeting customer end-users. These companies do not want to be burdened with managing security for every device, but want to be assured all users are protected.

Using JavaScript code injected into each session, fraud detection solutions like WebSafe easily detect the presence of Trojans and specifically identify backdoor connections without client-side install or end-user involvement. Admins are then alerted of the risk and can immediately take action to mitigate any threats. Furthermore, login page form fields can be obfuscated and credentials encrypted while data is still active in the browser. Spyware becomes useless at capturing confidential login information that is not fully protected by SSL.

F5 WebSafe is unique from other anti-fraud solutions in its ability to detect RATs and even other notorious malware types like Dyre. Read more about WebSafe to understand how it can be used to protect your organization against employee credential theft.

Remember, RATs are everywhere, nesting and growing in numbers. As with any pest infestation it is vitally important to recognize the presence of RATs early, exterminate them and protect yourself from any resurgence.
Visit the F5 Web Fraud Protection Solution page for more information on F5 WebSafe and talk to an F5 rep today. Feel free to shoot me a line to share your experience with RATs infecting your user-base and the complexity of such you’ve encountered.

[1] Article: “Driving in the illegal underground hacking market”, Security Affair, December 2014. A recap of the new Dell Secure Works Counter Threat Unit (CTU) report on the evolution of the hacking underground marketplaces.

LTM reverse proxy for Lync security capabilities
Hello, we are planning to use LTM as a reverse proxy for Lync mobile; however, I can't find any document explaining how LTM is making Lync more secure. Is LTM able to detect DDoS attacks and to prevent account lockout? Thanks for your help.

Solved

F5 and Versafe: Because Mobility Matters
#F5 #security #cloud #mobile #context

Context means more visibility into devices, networks, and applications even when they're unmanaged.

Mobility is a significant driver of technology today. Whether it's mobility of applications between data center and cloud, web and mobile device platform or users from corporate to home to publicly available networks, mobility is a significant factor impacting all aspects of application delivery but in particular, security.

Server virtualization, BYOD, SaaS, and remote work all create new security problems for data center managers. No longer can IT build a security wall around its data center; security must be provided throughout the data and application delivery process. This means that the network must play a key role in securing data center operations as it “touches” and “sees” all traffic coming in and out of the data center.
-- Lee Doyle, GigaOM "Survey: SDN benefits unclear to enterprise network managers" 8/29/2013

It's a given that corporate data and access to applications need to be protected when delivered to locations outside corporate control. Personal devices, home networks, and cloud storage all introduce the risk of information loss through a variety of attack vectors. But that's not all that poses a risk. Mobility of customers, too, is a source of potential disaster waiting to happen as control over behavior as well as technology is completely lost. Industries based on consumers and using technology to facilitate business transactions are particularly at risk from consumer mobility and, more importantly, from the attackers that target them. If the risk posed by successful attacks - phishing, pharming and social engineering - isn't enough to give the CISO an ulcer, the cost of supporting sometimes technically challenged consumers will.
Customer service and support has become in recent years not only a help line for the myriad web and mobile applications offered by an organization, but a security help desk, as well, as consumers confused by e-mail and web attacks make use of such support lines.

F5 and Security

F5 views security as a holistic strategy that must be able to dig into not just the application and corporate network, but into the device and application, as well as the networks over which users access both mobile and web applications. That's where Versafe comes in with its unique combination of client-side intelligent visibility and subscription-based security service.

Versafe's technology employs its client-side visibility and logic with expert-driven security operations to ensure real-time detection of a variety of threat vectors common to web and mobile applications alike. Its coverage of browsers, devices and users is comprehensive. Every platform, every user and every device can be protected from a vast array of threats including those not covered by traditional solutions such as session hijacking.

Versafe approaches web fraud by monitoring the integrity of the session data that the application expects to see between itself and the browser. This method isn’t vulnerable to ‘zero-day’ threats: malware variants, new proxy/masking techniques, or fraudulent activity originating from devices, locations or users who haven’t yet accumulated digital fraud fingerprints.

Continuous Delivery Meets Continuous Security

Versafe's solution can accomplish such comprehensive coverage because it's clientless, relying on injection into web content in real time. That's where F5 comes in. Using F5 iRules, the appropriate Versafe code can be injected dynamically into web pages to scan and detect potential application threats including script injection, trojans, and pharming attacks.
Injection in real-time through F5 iRules eliminates reliance on scanning and updating heterogeneous endpoints and, of course, relying on consumers to install and maintain such agents. This allows the delivery process to scale seamlessly along with users and devices and reasserts control over processes and devices not under IT control, essentially securing unsecured devices and lines of communication. Injection-based delivery also means no impact on application developers or applications, which means it won't reduce application development and deployment velocity. It also enables real-time and up-to-the-minute detection and protection against threats because the injected Versafe code is always communicating with the latest, up-to-date security information maintained by Versafe at its cloud-based Security Operations Center. User protection is always on, no matter where the user might be or on what device, and doesn't require updating or action on the part of the user.

The clientless aspect of Versafe means it has no impact on user experience. Versafe further takes advantage of modern browser technology to execute with no performance impact on the user experience. That's a big deal, because a variety of studies on real behavior indicate that performance hits of even a second on load times can impact revenue and user satisfaction with web applications.

Both the web and mobile offerings from Versafe further ensure transaction integrity by assessing a variety of device-specific and behavioral variables such as device ID, mouse and click patterns, sequencing of and timing between actions and continuous monitoring of JavaScript functions. These kinds of checks are sort of an automated Turing test; a system able to determine whether an end-user is really a human being - or a bot bent on carrying out a malicious activity.

But it's not just about the mobility of customers, it's also about the mobility - and versatility - of modern attackers.
To counter a variety of brand, web and domain abuse, Versafe's cloud-based 24x7x365 Security Operations Center and Malware Analysis Team proactively monitor for organization-specific fraud and attack scheming across all major social and business networks to enable rapid detection and real-time alerting of suspected fraud.

EXPANDING the F5 ECOSYSTEM

The acquisition of Versafe and its innovative security technologies expands the F5 ecosystem by exploiting the programmable nature of its platform. Versafe technology supports and enhances F5's commitment to delivering context-aware application services by further extending our visibility into the user and device domain. Its cloud-based, subscription service complements F5's IP Intelligence Service, which provides a variety of similar service-based data that augments F5 customers' ability to make context-aware decisions based on security and location data. Coupled with existing application security services such as web application and application delivery firewalls, Versafe adds to the existing circle of F5 application security services comprising user, network, device and application while adding brand and reputation protection to its already robust security service catalog.

We're excited to welcome Versafe into the F5 family and about the opportunity to expand our portfolio of delivery services.

ActiveSync don't work correctly for iphone mobile device
Hi, last year we deployed an iApp exchange2010 that works well for everything: OWA, RPC, Outlook Anywhere, autodiscover and ActiveSync. Now we are experiencing an issue with mobile devices like the iPhone, which are sometimes disconnected from ActiveSync without reason. (I also see that load balancing does not work well just for ActiveSync: 2 servers out of 4 don't receive as much traffic as the others.) Thank you for your help.

F5 version 11.4.1 HF9

See below the configuration:

    ltm pool /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_as_pool {
        app-service /Common/EXchange_CAS.app/EXchange_CAS
        load-balancing-mode least-connections-member
        members {
            /Common/172.21.151.32:443 {
                address 172.21.151.32
            }
            /Common/172.21.151.33:443 {
                address 172.21.151.33
                app-service /Common/EXchange_CAS.app/EXchange_CAS
            }
            /Common/172.21.151.34:443 {
                address 172.21.151.34
            }
            /Common/172.21.151.35:443 {
                address 172.21.151.35
            }
        }
        monitor /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_https_monitor
    }
    ltm rule /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_persist_iRule {
        app-service /Common/EXchange_CAS.app/EXchange_CAS
        when HTTP_REQUEST {
            switch -glob [HTTP::path] {
                "/Microsoft-Server-ActiveSync*" {
                    # Direct all ActiveSync clients to a common pool; use HTTP
                    # cookie persistence
                    persist cookie
                    pool EXchange_CAS_combined_vs_as_pool
                }
                "/rpc/rpcproxy.dll" {
                    # Grab all requests for Outlook Anywhere; the following
                    # checks assign correct persistence methods.
                    switch -glob [HTTP::header "User-Agent"] {
                        "MSRPC" {
                            # This User-Agent section matches most versions of
                            # Outlook and Windows using Outlook Anywhere. The
                            # OutlookSession cookie is new to Outlook 2010.
                            if { [HTTP::cookie exists "OutlookSession"] } {
                                persist uie [HTTP::cookie "OutlookSession"] 3600
                            } else {
                                persist uie [HTTP::header "Authorization"] 3600
                            }
                        }
                        "*Microsoft Office*" {
                            # This section matches some versions of Outlook 2007
                            # on Windows XP
                            persist uie [HTTP::header "Authorization"] 3600
                        }
                        default {
                            # This section catches all other requests for Outlook
                            # Anywhere, and sets a persistence method that does
                            # not require the client to support HTTP cookies
                            persist source_addr
                        }
                    }
                    # Finally, this assigns the Outlook Anywhere pool and turns
                    # off full HTTP parsing and compression. If the preceding
                    # clients should be sent to separate pools, the pool
                    # statement should be removed here, and a separate pool
                    # statement placed in each of the preceding logic branches.
                    # Other modules (APM, ASM, etc.) should be disabled here as
                    # well, if active for other traffic through this virtual
                    # server.
                    pool EXchange_CAS_combined_vs_oa_pool
                    CACHE::disable
                    HTTP::disable
                    COMPRESS::disable
                }
                "/xml/autodiscover.aspx" {
                    # Requests for Autodiscovery information. The selected pool
                    # might be unique, or might be the same as e.g. your pool for
                    # OWA or ActiveSync. In this example, we use the same pool
                    # that receives ActiveSync traffic.
                    persist cookie
                    pool EXchange_CAS_combined_vs_ad_pool
                }
                default {
                    # This final section takes all traffic that has not otherwise
                    # been accounted for and sends it to the pool for Outlook
                    # Web App
                    persist cookie
                    pool EXchange_CAS_combined_vs_owa_pool
                }
            }
        }
    }
    ltm virtual /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_https_virtual {
        app-service /Common/EXchange_CAS.app/EXchange_CAS
        destination /Common/172.21.150.100:443
        fallback-persistence /Common/EXchange_CAS.app/EXchange_CAS_source_address_persistence_profile
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            /Common/EXchange_CAS.app/EXchange_CAS_cookie_persistence_profile {
                default yes
            }
        }
        profiles {
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_caching_profile { }
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_clientssl {
                context clientside
            }
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_http_profile { }
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_oneconnect { }
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_serverssl {
                context serverside
            }
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_wan-optimized-compression_profile { }
            /Common/EXchange_CAS.app/EXchange_CAS_lan-optimized_tcp_profile {
                context serverside
            }
            /Common/EXchange_CAS.app/EXchange_CAS_wan-optimized_tcp_profile {
                context clientside
            }
            /Common/ntlm { }
        }
        rules {
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_owa_append_iRule
            /Common/EXchange_CAS.app/EXchange_CAS_combined_vs_persist_iRule
            /Common/Exchange_hsts_ltm
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

Lightboard Lessons: WebSafe and MobileSafe
The Web, while convenient and necessary for business, can be a dangerous and scary place. The good news is that F5 offers a security solution called WebSafe. WebSafe protects against sophisticated fraud threats, leverages advanced encryption, detects client-less malware, and analyzes session behavior in a single solution. MobileSafe is very much like WebSafe except it is uniquely designed and tuned for the mobile environment.

The frosting on the cake for all this goodness is that WebSafe and MobileSafe alerts come to our F5 Security Operations Center (SOC) where our team of security experts are hard at work 24x7 to analyze all your threat data and help mitigate the threats to your business.

How does WebSafe actually work? What about MobileSafe? Check out this edition of Lightboard Lessons to learn more!