To TOR or Not to TOR?

Recent mass shootings in Christchurch, Poway, and El Paso, as well as the lesser-known attack on a synagogue in Halle, Germany all have something in common other than being acts of violence. The perpetrators all had an online presence on a forum known as "8chan".

After the El Paso attack, 8chan was dropped by service providers and went offline. The shooter in Halle couldn't announce the attack on the forum; however, it was still live-streamed, similar to the attack in Christchurch. The attacker also used the name "anon", short for anonymous, a typical username used for privacy in forums such as 8chan.

8chan has since rebranded as "8kun" and is back online as of November 3rd, 2019. The screenshot below shows 8kun's landing page in TOR.

Screenshot: 8kun Landing Page in TOR (Authentic8 Blog)

Forums such as 8kun are not only a gathering place for users to gain inspiration to commit attacks. They also serve as dissemination points for manifestos furthering the spread of this type of terrorism.

The Christchurch

What’s the ROI of Threat Hunting?

How can IT security threat hunters measure success? That is one of the core questions raised by the new SANS 2019 Threat Hunting Survey, which was co-sponsored by Authentic8.


The answer may lie in a strategy and tool selection that avoids mission and cost creep, and results in measurable effects - and savings - to prove it.

That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.

Definitions of Threat Hunting

What is threat hunting? The SANS survey results document a wide variety of methodologies, spending priorities, tools deployed, training needs - and opinions about what constitutes effective threat hunting practices.

"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat

Operation “Shields Up”: Web Isolation in the U.S. Military

How can government organizations, private enterprises, and academic institutions minimize the cybersecurity and privacy risks associated with accessing the internet from desktop or mobile devices?

Valuable pointers come from the defense sector. A new case study, titled Shields Up: How a Military Unit Simultaneously Increased Network Access and Decreased Cyber Risk [PDF], showcases how Authentic8's remote browser isolation technology enabled a U.S. military unit to implement internet policies for personal web access, without increasing the risk of introducing any malware or malicious code into the unclassified network.

The growing need to access publicly available information (PAI) on the web and to leverage the internet for both official and personal business (check out my post on "morale browsing") is making secure access to the broader network a necessity for more military personnel.

"Shields Up" shows how remote browser isolation with Silo Cloud Browser is supporting this change process. Silo enables and secures responsible web use in organizations for which the security risks

October Is Malvertising Awareness Month

Large-scale malvertising campaigns have pushed more than a billion malware and spam-laden ads through online advertising networks onto "secure" web browsers. Ad-blocking software fails to stem the tide.


In case you were wondering - yes, you're right: October's official designation still is Cybersecurity Awareness Month. For bystanders, web publishers, and the victims of malicious ads, though, it turned into unofficial "Malvertising Awareness Month" rather quickly.

That's because news broke that cyber criminals had hit major browsers (Chromium/Chrome, Safari, Opera, Edge) with a broadscale malvertising campaign. Dubbed eGobbler by threat hunters, it generated more than a billion malicious ad impressions over the past months.

The Mechanics: How Does Malvertising Work?

The not-so-secret sauce of malvertising campaigns is that they piggyback on legitimate online advertising networks and popular websites to push malware, such as ransomware exploit kits, onto millions of unsuspecting targets at once.

The malicious code then gets downloaded and executed by the web browser on the victim's computer. Game over.

Interview: HTTPS Interception, TLS Fingerprinting, and the Browser

Use HTTPS, they said. Make sure your browser shows that green padlock, they said. You’ll be safe, nobody can eavesdrop, they said.

IT security teams and threat hunters, who are familiar with the inherent security weakness of the web’s underlying protocols, know better.

The problem with HTTPS internet connections is similar to the problem with VPN. Or, as Larry Loeb put it in his post HTTPS: Beware the False Sense of Security on this blog: “[U]sers think that it does more than it actually does.”

For starters, a basic HTTPS connection gets established when the browser (client) connects directly to an origin server to send requests and download content protected by TLS-based encryption. Still, this communication is vulnerable to interception.

The reason is simple. Often, the browser doesn’t connect directly with the web server serving the website. Instead, data gets routed through a proxy or middlebox, a.k.a. "monster-in-the-middle" (MITM). HTTPS interception, for benign or malign reasons,