Review: Group-IB Fraud Hunting Platform

Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to …

The post Review: Group-IB Fraud Hunting Platform appeared first on Help Net Security.

Review: Specops Password Policy

Specops Password Policy is a powerful tool for overcoming the limitations of the default password policies present in Microsoft Active Directory environments. To be fair, Microsoft did revise and upgrade the default password policy and introduced additional, granular fine-tuning options over the years, but for some enterprise environments that’s still not enough, so Specops Password Policy to the rescue!


For the purpose of this review, the installation was done on a server containing all necessary services: Specops Sentinel – a password filter that is installed on all domain controllers, and Specops Password Policy admin tools. Keep in mind that this can be split onto different servers if needed. If you purchased Breached Password Protection, you’ll need to install Specops Arbiter as well.

The setup process is smooth, and you can expect to be up and running within the hour. As you can see from the image below, the standard requirements are modest and should not be a problem for any enterprise environment that requires such a solution.

Figure 1. Specops Password Policy minimum requirements

Password policy templates

When you start with Specops Password Policy Domain Administration, you’ll notice four predefined password policy templates you can choose from:

Figure 2. Specops Password Policy Domain Administration including default templates

These templates are convenient for a fast setup but, naturally, you can take them to another level by customizing them. If you’re working in an environment that needs to meet specific regulatory standards, the provided templates can be a lifesaver. Even if you can’t or don’t want to use these policies, you can use them as a base to strengthen your policy or create a policy compatible with your environment.

Let’s create a new, blank policy to see what the process looks like. Creating one will take you to the Group Policy editor:

Figure 3. Specops Password Policy inside the Group Policy editor

If you find it familiar, it’s because it is the same environment where you would change your default password policy inside Active Directory. The one key difference here is that Specops Password Policy applies password settings to the user part of group policy rather than computer. This makes more sense as it’s the users that generally set bad passwords rather than machines.

After testing the options and thinking how this would fit into my network, I have to commend Specops for not unnecessarily complicating things and choosing to go with a workflow most system administrators are familiar with.


When I opened Specops Password Policy inside the Group Policy editor, I was pleasantly surprised to see that it supports the use of passphrases. More importantly, it also offers assistance for handling them (something that Active Directory does not). You can use regular expressions to define what a passphrase means to your organization, e.g., 3 words with at least 6 characters in each word, no repeated words, and no patterns such as 111111 222222.

Figure 4, 5. Passphrase support and password options
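
The passphrase definition quoted above, written out as a check in Python. This is an added example, not Specops code or its configuration syntax; the function name, the "at least 3 words" reading and the repeated-unit rule are assumptions made for illustration.

```python
import re

# Assumed policy values, taken from the example rule in the review text.
MIN_WORDS = 3
MIN_WORD_LEN = 6

# A word that is only a shorter unit repeated: "111111", "ababab", "abcabc".
REPEATED_UNIT = re.compile(r"(.+?)\1+")


def check_passphrase(passphrase: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant.

    Messages carry counts only, never the words themselves, so they can be
    logged or shown to the user without echoing password material.
    """
    problems = []
    words = passphrase.split()

    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, found {len(words)}")

    short = [w for w in words if len(w) < MIN_WORD_LEN]
    if short:
        problems.append(f"{len(short)} word(s) shorter than {MIN_WORD_LEN} characters")

    # Compare case-insensitively so "Harbor harbor" counts as a repeat.
    folded = [w.casefold() for w in words]
    if len(set(folded)) != len(folded):
        problems.append("a word is used more than once")

    patterned = [w for w in folded if REPEATED_UNIT.fullmatch(w)]
    if patterned:
        problems.append(f"{len(patterned)} word(s) are a repeated pattern")

    return problems


if __name__ == "__main__":
    # Constructed sample passphrases, for illustration only.
    for sample in ("copper lantern harbor",
                   "111111 222222 333333",
                   "Harbor harbor lantern",
                   "correct horse"):
        result = check_passphrase(sample)
        print("OK  " if not result else "FAIL", result)
```
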

The General Settings menu offers familiar settings for anyone that’s used to working with the Group Policy Editor in an Active Directory environment. A neat addition here is the “client message” option, which allows you to create a custom message to be shown on the Active Directory logon screen in case the password policy requirements are not met.

Figure 6. General Settings with options and client message notification

Password options

The Password Expiration tab offers a wealth of options, including the maximum password age, password expiration notifications, and so on. A key feature here is the length-based password aging rule. This means that the longer the password, the longer the user gets to keep it. It can be a real incentive to encourage users to move to passphrases.

Figure 7. Options for password expiration rules and password expiration notifications

The Password Rules menu brings additional password rules granularity which should allow for virtually any password policy scenario. Worth noting is that the use of dictionaries with forbidden words is possible either by creating a custom dictionary or downloading dictionaries provided by Specops.

Figure 8. Regulating password rules requirements in one place

Figure 9. Additional protection from users trying to subvert the password policy

Breached Password Protection

A great set of options is found under Breached Password Protection. In a nutshell, it allows the system to compare an Active Directory password to a list of known breached passwords. As might be expected, passwords are hashed in the process.

If a password is discovered in the breached password list, the action triggers the delivery of notifications/alerts.

Figure 10. Breached Password Protection Complete API

Figure 11. Breached Password Protection Express List

With the API, Specops Password Policy supports both email and SMS notifications. When using the Express List (a downloadable passwords list) you can use only email notifications.

I realize there’s a narrow application for it, but I would like to see support for custom SMS gateways in future versions, as large enterprises might find this useful. Specops Software tells me that since there’s no extra cost involved for using the SMS notification feature they’ve never been asked to provide a custom SMS platform.

What’s new?

The latest version of Specops Password Policy comes with several powerful new features, PowerShell CMDlets and a security scanner.

Leaked password scanning

While PowerShell support is nothing new to Specops Password Policy, the latest version brings us powerful new CMDlets:

  • Get-SppPasswordExpiration and Get-PasswordPolicyAffectingUser are user-related CMDlets enabling checks which until now could not be requested or scripted through PowerShell. I found them rather useful during troubleshooting while trying to discern why a certain policy was not working as intended. Using CMDlets with pretty self-explanatory names is much faster than going through the menus of a newly installed application.
  • Get-SppPasswordExpiration checks for the password expiration date, returning the date and reliability of the password.
  • Get-PasswordPolicyAffectingUser – if you ever handled a multi-policy environment, you know that something as simple as knowing the exact policies applied to the user can be the difference between solving an issue or entering a virtually endless troubleshooting loop. You just need to provide the username in sAMAccountName or userPrincipalName format, for which the CMDlet returns GpoID, GpoName, and the password policy name.
  • Start-PasswordPolicyLeakedPasswordScanning – As evident from the name, it starts scanning for leaked passwords in your Active Directory environment. Even though this feature is present in the Domain Admin tool, this CMDlet is useful as it can be scripted and delayed, which is ideal for administrators working in large environments. After running the CMDlet, all users that are non-compliant with the policy will be notified on the next logon to change their password. Leaked passwords scanning requires the Specops Breached Password Protection license.

Figure 12. All available Specops Password Policy CMDlets

Looking after your passwords

Specops Software maintains a comprehensive list of leaked passwords based on numerous sources. It contains billions of passwords and is often updated.

Breached Password Protection can be configured with two settings: Breached Password Protection Complete and Breached Password Protection Express.

The Complete setting comes with a master list of leaked passwords that are stored in the cloud. If a user changes their password to one that can be found on the list, a notification is sent via email or SMS, and they are forced to change their password the next time they log in. For this, you’ll need .Net 4.7.1 and Windows Server 2012 R2 or later, with an installation of Specops Arbiter and an API key.

Breached Password Protection Express downloads a subset of the list of leaked passwords, updated usually every 6 months. This also means administrators will need to manually check for updates and initiate a download of the updated list. Users are also immediately prevented from changing their password to a password found in the leaked list.

Length based password expiration

Specops has found a way to reward security-conscious users by extending the timeframe for mandated password change.

Figure 13. The longer the password, the later it expires

Users can be notified of their upcoming mandated password change. As the timeframe for mandated password change is dictated by password length, notifying users is of great importance as it can help users prepare in advance. The notification can be shown to the users using regular Active Directory resources, on the logon screen or via email. For both methods you can define the number of days before a mandated password change notification is shown or sent.

Password Auditor

This is a security scanner for Active Directory, and it’s such a simple yet invaluable tool. It is included in Specops Password Policy and is available as standalone freeware. It groups all possible password security issues found inside your Active Directory. This at-a-glance overview essentially points out all the things you need to worry about, and it’s the place to discover quickly if there’s a problem you might not be aware of like a password being on a leaked list.

Specops has chosen a smart way of aggregating important areas around password security and policies, showing the most relevant issues and offering quick insight into potential issues.

Figure 14. A closer look at expiring passwords

Once you’re aware of all the issues, you can quickly focus on what’s critical. I find this to be an easy way to audit your Active Directory environment for a variety of issues at the same time.


After testing Specops Password Policy for a week in a variety of scenarios, I can definitely say we’re talking about a formidable solution. Not only does it make the process of strengthening the password policies better while being simple to use, but it can detect and resolve issues you might not be aware of in the first place.

I can highly recommend Specops Password Policy for any Active Directory environment, and I would go as far as to say it’s a necessity for complex environments dealing with compliance regulations, as well as specific password policy requirements. This solution can raise the security level of any Active Directory environment, and you can’t argue about the benefits of better security, can you?

Review: Netsparker Enterprise web application scanner

Vulnerability scanners can be a very useful addition to any development or operations process. Since a typical vulnerability scanner needs to detect vulnerabilities in deployed software, they are (generally) not dependent on the language or technology used for the application they are scanning.

This often doesn’t make them the top choice for detecting a large number of vulnerabilities or even detecting fickle bugs or business logic issues, but makes them great and very common tools for testing a large number of diverse applications, where such dynamic application security testing tools are indispensable. This includes testing for security defects in software that is being currently developed as a part of an SDLC process, reviewing third-party applications that are deployed inside one’s network (as a part of a due diligence process) or – most commonly – finding issues in all kinds of internally developed applications.

We reviewed Netsparker Enterprise, which is one of the industry’s top choices for web application vulnerability scanning.

Netsparker Enterprise is primarily a cloud-based solution, which means it will focus on applications that are publicly available on the open internet, but it can also scan in-perimeter or isolated applications with the help of an agent, which is usually deployed in a pre-packaged Docker container or a Windows or Linux binary.

To test this product, we wanted to know how Netsparker handles a few things:

1. Scanning workflow
2. Scan customization options
3. Detection accuracy and results
4. CI/CD and issue tracking integrations
5. API and integration capabilities
6. Reporting and remediation efforts.

To assess the tool’s detection capabilities, we needed a few targets to scan and assess.

After some thought, we decided on the following targets:

1. DVWA – Damn Vulnerable Web Application – An old-school extremely vulnerable application, written in PHP. The vulnerabilities in this application should be detected without an issue.
2. OWASP Juice Shop simulates a modern single page web application with a REST API backend. It has a JavaScript-heavy interface, websockets, a REST API in the backend, and many interesting points and vulnerabilities for testing.
3. Vulnapi – A Python 3-based vulnerable REST API, written in the FastAPI framework running on Starlette ASGI, featuring a number of API-based vulnerabilities.


After logging in to Netsparker, you are greeted with a tutorial and a “hand-holding” wizard that helps you set everything up. If you worked with a vulnerability scanner before, you might know what to do, but this feature is useful for people that don’t have that experience, e.g., software or DevOps engineers, who should definitely use such tools in their development processes.

Initial setup wizard

Scanning targets can be added manually or through a discovery feature that will try to find them by matching the domain from your email, websites, reverse IP lookups and other methods. This is a useful feature if other methods of asset management are not used in your organization and you can’t find your assets.

New websites or assets for scanning can be added directly or imported via a CSV or a TXT file. Sites can be organized in Groups, which helps with internal organization or per project / per department organization.

Adding websites for scanning

Scans can be defined per group or per specific host. Scans can be either defined as one-off scans or be regularly scheduled to facilitate the continuous vulnerability remediation process.

To better guide the scanning process, the classic scan scope features are supported. For example, you can define specific URLs as “out-of-scope” either by supplying a full path or a regex pattern – a useful option if you want to skip specific URLs (e.g., logout, user delete functions). Specific HTTP methods can also be marked as out-of-scope, which is useful if you are testing an API and want to skip DELETE methods on endpoints or objects.

Initial scan configuration

Scan scope options

One feature we quite liked is the support for uploading the “sitemap” or specific request information into Netsparker before scanning. This feature can be used to import a Postman collection or an OpenAPI file to facilitate scanning and improve detection capabilities for complex applications or APIs. Other formats such as CSV, JSON, WADL, WSDL and others are also supported.

For the red team, loading links and information from Fiddler, Burp or ZAP session files is supported, which is useful if you want to expand your automated scanning toolbox. One limitation we encountered is the inability to point to a URL containing an OpenAPI definition – a capability that would be extremely useful for automated and scheduled scanning workflows for APIs that have Swagger web UIs.

Scan policies can be customized and tuned in a variety of ways, from the languages that are used in the application (ASP/ASP.NET, PHP, Ruby, Java, Perl, Python, Node.js and Other), to database servers (Microsoft SQL server, MySQL, Oracle, PostgreSQL, Microsoft Access and Others), to the standard choice of Windows or Linux based OSes. Scan optimizations should improve the detection capability of the tool, shorten scanning times, and give us a glimpse where the tool should perform best.

Integrating Netsparker

The next important question is, does it blend… or integrate? From an integration standpoint, sending email and SMSes about the scan events is standard, but support for various issue tracking systems like Jira, Bitbucket, Gitlab, Pagerduty, TFS is available, and so is support for Slack and CI/CD integration. For everything else, there is a raw API that can be used to tie in Netsparker to other solutions if you are willing to write a bit of integration scripting.

Integration options

One really well-implemented feature is the support for logging into the application under test, as the inability to hold a session and scan from an authenticated context in the application can lead to poor scanning performance.

Netsparker has the support for classic form-based login, but 2FA-based login flows that require TOTP or HOTP are also supported. This is a great feature, as you can add the OTP seed and define the period in Netsparker, and you are all set to scan OTP protected logins. No more shimming and adding code to bypass the 2FA method in order to scan the application.

Authentication methods

What’s more, Netsparker enables you to create a custom script for complex login flows or JavaScript/CSS-heavy login pages. I was pleasantly surprised that instead of reading complex documentation, I just needed to right click on the DOM elements and add them to the script and press next.

Custom scripting workflow for authentication

If we had to nitpick, we might point out that it would be great if Netsparker also supported U2F / FIDO2 implementations (by software emulating the CTAP1 / CTAP2 protocol), since that would cover the most secure 2FA implementations.

In addition to form-based authentication, Basic NTLM/Kerberos, Header based (for JWTs), Client Certificate and OAuth2-based authentication are also supported, which makes it easy to authenticate to almost any enterprise application. The login / logout flow is also verified and supported through a custom dialog, where you can verify that the supplied credentials work, and you can configure how to retain the session.

Login verification helper

Scanning accuracy

And now for the core of this review: what Netsparker did and did not detect.

In short, everything from DVWA was detected, except broken client-side security, which by definition is almost impossible to detect with security scanning if custom rules aren’t written. So, from a “classic” application point of view, the coverage is excellent, even the out-of-date software versions were flagged correctly. Therefore, for normal, classic stateful applications, written in a relatively new language, it works great.

From a modern JavaScript-heavy single page application point of view, Netsparker correctly discovered the backend API interface from the user interface, and detected a decently complex SQL injection vulnerability, where triggering a ' or 1=1 type of vector was not enough and the vector had to be adjusted to properly escape the initial query.

Netsparker correctly detected a stored XSS vulnerability in the reviews section of the Juice Shop product screen. The vulnerable application section is a JavaScript-heavy frontend, with a RESTful API in the backend that facilitates the vulnerability. Even the DOM-based XSS vulnerability was detected, although the specific vulnerable endpoint was marked as the search API and not the sink that is the entry point for DOM XSS. On the positive side, the vulnerability was marked as “Possible” and a manual security review would find the vulnerable sink.

One interesting point for vulnerability detection is that Netsparker uses an engine that tries to verify if the vulnerability is exploitable and will try to create a “proof” of vulnerability, which reduces false positives.

On the negative side, no vulnerabilities in WebSocket-based communications were found, and neither was the API endpoint that implemented insecure YAML deserialization with PyYAML. By reviewing the Netsparker knowledge base, we also found that there is no support for websockets and deserialization vulnerabilities.

That’s certainly not a dealbreaker, but something that needs to be taken into account. This also reinforces the need to use a SAST-based scanner (even if just a free, open source one) in the application security scanning stack, to improve test coverage in addition to other, manual based security review processes.

Reporting capability

Multiple levels of detail (from extensive, executive summary, to PCI-DSS level) are supported, in both PDF and HTML export formats. One nice feature we found is the ability to create F5 and ModSecurity rules for virtual patching. Also, scanned and crawled URLs can be exported from the reporting section, so it’s easy to review if your scanner hit any specific endpoints.

Scan results dashboard

Scan result details

Instead of describing the reports, we decided to export a few and attach them to this review for your enjoyment and assessment. All of them have been submitted to VirusTotal for our more cautious readers.

Netsparker’s reporting capabilities satisfy our requirements: the reports contain everything a security or AppSec engineer or a developer needs.

Since Netsparker integrates with JIRA and other ticketing systems, the general vulnerability management workflow for most teams will be supported. For lone security teams, or where modern workflows aren’t integrated, Netsparker also has an internal issue tracking system that will let the user track the status of each found issue and run rescans against specific findings to see if mitigations were properly implemented. So even if you don’t have other methods of triage or processes set up as part of an SDLC, you can manage everything through Netsparker.


Netsparker is extremely easy to set up and use. The wide variety of integrations allow it to be integrated into any number of workflows or management scenarios, and the integrated features and reporting capabilities have everything you would want from a standalone tool. As far as features are concerned, we have no objections.

The login flow – the simple interface, the 2FA support all the way to the scripting interface that makes it easy to authenticate even in the more complex environments, and the option to report on the scanned and crawled endpoints – helps users discover their scanning coverage.

Taking into account the fact that this is an automated scanner that relies on “black boxing” a deployed application without any instrumentation on the deployed environment or source code scanning, we think it is very accurate, though it could be improved (e.g., by adding the capability of detecting deserialization vulnerabilities). Following the review, Netsparker has confirmed that adding the capability of detecting deserialization vulnerabilities is included in the product development plans.

Nevertheless, we can highly recommend Netsparker.

Review: Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk

Andrew Magnusson started his information security career 20 years ago and he decided to offer the knowledge he accumulated through this book, to help the reader eliminate security weaknesses and threats within their system.

As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.

The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.

He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it gives valuable information needed to successfully complete a vulnerability management process.

The next step is to automate the processes, which prioritizes vulnerabilities and gives time to work on more severe issues, consequently boosting an organization’s security posture.

Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.

The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by the superiors.

The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system with a detailed analysis of the open source tools they need to use such as Nmap, OpenVAS, and cve-search, everything supported by coding examples.

The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.

Who is it for?

Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.

Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.

Review: Web Security for Developers: Real Threats, Practical Defense

Malcolm McDonald, with his 20 years of experience in programming, poured his knowledge into this book to offer comprehensive information about everything a developer needs to know to do their job properly and thoroughly.

After a short lesson in internet history, the author puts the reader in the shoes of the attacker and explains how simple it is to hack a website, as well as how easy it is to obtain and apply hacking tools.

The author proceeds to offer basic knowledge about how the internet, browsers, web servers and programmers work.

Every following chapter explains major vulnerabilities and how to fix them, but also the various types of attacks, describing the damage they can cause. To help the reader better understand these processes, the author added coding examples.

Luckily, tools needed to help secure a website are also freely accessible and easily implemented.

As he points out, the goal is not only to protect a website but also to make it safe for the users. This means, besides preventing major system compromises, it is crucial to simultaneously protect users’ data by securely storing it, requesting authentication and implementing encryption.

Who is this book for?

Whether you’re just starting out in your career as a web developer or are a seasoned pro, Web Security for Developers: Real Threats, Practical Defense will provide all the necessary information about the possible and imminent threats you will face and how to prepare yourself and your team to avoid them.

Although the content is very technical and covers coding and programming topics, the book reads easily and provides essential knowledge to aspiring web developers.

Review: Cyber Warfare – Truth, Tactics, and Strategies

Dr. Chase Cunningham holds a Ph.D. and M.S. in computer science from Colorado Technical University and a B.S. from American Military University focused on counter-terrorism operations in cyberspace. He is a retired U.S. Navy chief with more than 20 years’ experience in cyber forensic and cyber analytic operations, and has spent time in work centers within the NSA, CIA, FBI, and other government agencies.

He has served as a director of cyber threat intelligence operations at Armor and was the computer network exploitation lead for Telecommunication Systems and the chief of cyber analytics for Decisive Analytics. He is currently a cybersecurity principal analyst at Forrester.

Cyber Warfare – Truth, Tactics, and Strategies

To help the reader understand the scale of today’s cyber threats, the author explains the history behind them and how they kept pace with the evolution of information and communications technologies, as they became an essential part of our everyday lives.

Many future battles will be fought with cyber weapons, narrowing the resources and capabilities gap that long existed between rich and poor nations. All of them can now effectively bring their enemy down.

The author describes the flaws of the networks we have built, why cybersecurity is a never-ending pursuit and specifically why perimeter-based security is no longer a good option in the era of remote working and BYOD.

He digs deep into the reality of today, from the use of social media with malicious intent by exploiting the power of influence, to the abuse of deepfakes, AI, ML, and misinformation.

He emphasizes the importance of strategy in cyber warfare. Just like warfare in the physical space, a change in tactics is essential. One must adapt to new circumstances posed by the cyber enemy.

To help the reader better understand this issue, he correlates cyber attack tactics and techniques with real life (military) examples from the Iraq War.

The author also illustrates tools and technologies that can be useful to boost the security posture of an organization and help respond quickly and effectively to a potential cyber threat.

Though not in the traditional sense, this is a war, and only those who are well prepared and have a good strategy in place will be left standing.

The book ends with a list of major cyber incidents throughout 2019.

Who is it for?

Cybersecurity experience is assumed, so the book is primarily aimed at cybersecurity professionals who are interested in gaining knowledge about how to improve their organization’s cyber resilience and be prepared for possible threats.

It’s also a great read for those who are concerned about their security in the digital world, especially when it comes to social media. It’s an issue that affects all of us and the author has provided essential information in a very comprehensive way.

80% of consumers trust a review platform more if it displays fake reviews

Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.

Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.

A study looks at how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.

“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.

“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”

Fake reviews aid decision making

A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.

Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.

“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”

Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that they are potentially fraudulent.

This study used large-scale data from Yelp to conduct experiments to measure trust and found that 80% of the users in our survey agree they trust a review platform more if it displays fake review information because businesses are less likely to write fraudulent reviews on these platforms.

Transparency over censorship

Meanwhile, 85% of users in our survey believe they should have a choice in viewing truthful and fraudulent information and the platforms should leave the choice to consumers to decide whether they use fraudulent review information in determining the quality of a business.

The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguishes fraudulent reviews from nonfraudulent reviews and displays both, as compared to the more common practice of censoring suspected fraudulent reviews.

“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.

When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.

A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.

Review: Kill Chain: The Cyber War on America’s Elections

Kill Chain is an HBO documentary made and produced by Simon Ardizzone, Russell Michaels and Sarah Teale.

Kill Chain: Inside the documentary

Ardizzone and Michaels already worked on a documentary in 2006 called Hacking Democracy, which was about uncovering voting machine vulnerabilities and about how votes were manipulated, leading to George W. Bush winning the elections (2004).

And here we are again in 2020 talking about the same problem and uncovering the same old security holes inside the machines that are supposed to be secure and reliable, since they have the essential role of ensuring democracy is being practiced properly.

The authors gathered various experts, including Harri Hursti, a hacker and election security expert, to talk about their view and knowledge of the U.S. election system.

Hursti already warned about the hackability of the election machines in 2006. Now, once again, he went on a mission to expose the susceptibility of the U.S. election system by analyzing the machines currently in use, but also the discarded ones which he easily got hold of through eBay. As if that weren’t enough, the purchased ones still contained voting data.

He then decided to test the hackability of the machines by allowing hackers at the DEF CON hacker convention to try to access them. The task was shockingly easy and every single machine was successfully breached, which meant anyone could effortlessly manipulate the election results.

The authors also interviewed a hacker that goes by “CyberZeist”, who claimed to have accessed the Alaska voting system website with little effort. Had he been backed by an organization with an agenda, the repercussions would have been much greater.

The documentary gives you the technical information about how a kill chain works and a hacker’s potential motivation, whether it’s personal satisfaction and gain or political reasons. It also sheds light on how technology is supposed to make things faster and easier but how, in the end, it can be easily manipulated.

Does it hit the spot?

This is an eye-opening and captivating documentary accompanied by an eerie soundtrack that complements the seriousness of the issue well. The technical parts are well explained and comprehensible to the average viewer.

A great number of politicians and decision-makers continue to dismiss warnings and refuse to pass bills that would guarantee a secure and protected election system. Experts are worried, but without political backup, there’s not much they can do about it. Hopefully, this documentary will make U.S. citizens worry about the outcomes of future elections and push them to demand changes.

Review: Cybersecurity – Attack and Defense Strategies

Yuri Diogenes, a professor at EC-Council University and Senior Program Manager at Microsoft, and Dr. Erdal Ozkaya, a prominent cybersecurity professional, advisor, author, speaker and lecturer, published the second edition of their acclaimed book “Cybersecurity – Attack and Defense Strategies”.

Cybersecurity – Attack and Defense Strategies

The book emphasizes, first and foremost, the necessity of every enterprise being aware of its threat landscape and its weakest points, and thus implementing the right methods to boost its security posture.

This book will teach you how to identify unusual behaviors within your organization and use incident response methods by applying blue team and red team strategies.

You will also learn about the importance of a good cybersecurity strategy and how to develop it.

The authors explain common hacker tactics, techniques and procedures and the processes of a cyber attack, with a detailed description of tools commonly used during a cyberattack.

The book contains a lot of practical examples that can be applied/tested in a virtual lab. You’ll learn how to avoid wireless attacks and credential theft, how to protect a network, how to avoid phishing incidents, how to protect operating systems, how to avoid mobile phone attacks, details about the most common cloud hacking tools, and so on.

The authors highlight the importance of a well constructed security policy, which should include clearly defined procedures, standards, guidelines and best practices. Of course, these rules are only effective if you educate your staff, but should minimize the likelihood of your organization falling victim to compromise.

To boost performance and improve security, they point to the correct planning and implementation of network segmentation, as well as of a variety of active sensors that monitor unusual activities and threats.

The final chapters cover the procedures of an incident investigation and a recovery process, which give you insights on how to maintain business continuity and implement disaster recovery best practices.

Who is it for?

This is clearly a book aimed at IT professionals who are familiar with penetration testing, Windows and Linux operating systems, and are acquainted with the concept of information security. The content is evidently technical, but the language is clear and comprehensible.

It’s an excellent read for those who want to have all the essential information about how to protect their organization, all in one place. Besides getting detailed practical examples, the book offers various links to web sites to further broaden your knowledge.

Review: Specops Key Recovery

Mobile device use continues to grow, while an increasingly mobile and remote workforce depends heavily on laptops. To secure those devices, organizations need to implement client-side security controls.

One of the more pressing risks linked to the use of mobile devices is the possibility of device loss or theft. If a device is lost, sensitive data (e.g., documents, account passwords) might get extracted and exposed.

One solution for this problem is full disk encryption, and one of the most popular systems is Microsoft BitLocker, which is part of every Windows 10 installation.

What happens when one of your users forgets their full disk encryption passphrase, or if this hasn’t been set up, simply plugs in new hardware that triggers a BitLocker Recovery Mode? If your organization uses Microsoft Active Directory and has set up the environment to store the recovery keys in AD, a system administrator can restore that machine.

Of course, the user will still need to contact their organization’s helpdesk, which will need to verify their identity in order to share the recovery key. Common problems with this scenario are issues with verifying the identity of the user and increased workload for the system administrators/helpdesk personnel.

Introducing Specops Key Recovery

Specops Software realized these problems and offers an interesting solution: Specops Key Recovery, a self-service tool for recovering BitLocker recovery keys.

Instead of contacting the helpdesk, which needs a way to verify the identity of a person over the phone (a hard problem to solve with high confidence given the lack of physical presence), Specops Key Recovery offers a cloud-centric self-service portal.

An infographic from Specops illustrates the concept:

The user’s perspective (enrollment)

The user enrolls or can be pre-enrolled into the service. Pre-enrollment is achieved when an administrator selects identity services that leverage existing Active Directory details. A pre-enrolled user does not have to enroll; when a lockout occurs, they can use the system to authenticate their identity and retrieve a recovery key.

However, it’s best practice to extend additional identity services to users to minimize failures, for example when an identity service is unavailable. Enrollment requires the user to successfully log in and enroll with any combination of identity services extended to them by their system admin. The solution supports a number of identity services that can serve as multi-factor authentication options, depending on the authentication policy set by the administrator. These include:

a. SMS (mobile code)
b. Windows Identity
c. Authenticators: Google, Microsoft, Specops
d. Service logins: Google, Facebook, LinkedIn, Live, Tumblr, Twitter
e. Other: Specops Fingerprint, Secret questions, Manager Identification

Administrators can vary the enrollment policy from the authentication policy to ensure that users have additional options when authenticating. Each service can be assigned a security weight reflected by stars. This depicts the security assurance level assigned to each service; for example, the screenshot below depicts Mobile Code as having a weight of two stars versus Security Questions, which has a weight of one. Weights ensure that users are provided with options without the alternatives sacrificing security, as the required authentication weight still has to be satisfied.
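The weighting scheme above can be checked for resilience before rollout. The following is an added model, not Specops code: it assumes star weights of the services a user completes add up toward the required authentication weight, and every weight other than Mobile Code (two stars) and Secret Questions (one star) is a constructed value.

```python
from itertools import combinations

# Star weights per identity service. Mobile Code = 2 and Secret Questions = 1
# are the values the review mentions; the rest are assumed for illustration.
WEIGHTS = {
    "Mobile Code": 2,
    "Secret Questions": 1,
    "Microsoft Authenticator": 3,   # assumed weight
    "Manager Identification": 2,    # assumed weight
}


def can_authenticate(available, required_stars, weights=WEIGHTS):
    """True if the services still available reach the required weight.

    Assumption: weights of completed services are summed.
    """
    return sum(weights[s] for s in available) >= required_stars


def minimal_combinations(enrolled, required_stars, weights=WEIGHTS):
    """All combinations that meet the threshold with no redundant member."""
    result = []
    services = sorted(enrolled)
    for size in range(1, len(services) + 1):
        for combo in combinations(services, size):
            total = sum(weights[s] for s in combo)
            # Minimal: dropping any single member falls below the threshold.
            if total >= required_stars and all(
                total - weights[s] < required_stars for s in combo
            ):
                result.append(combo)
    return result


def single_outage_lockouts(enrolled, required_stars, weights=WEIGHTS):
    """Services whose outage alone would block self-service recovery."""
    enrolled = set(enrolled)
    return sorted(
        s for s in enrolled
        if not can_authenticate(enrolled - {s}, required_stars, weights)
    )


if __name__ == "__main__":
    required = 3  # constructed policy: three stars to release a recovery key
    two = {"Mobile Code", "Secret Questions"}
    three = two | {"Microsoft Authenticator"}
    print("2 services, outage risk:", single_outage_lockouts(two, required))
    print("3 services, outage risk:", single_outage_lockouts(three, required))
    print("valid paths:", minimal_combinations(three, required))
```

A non-empty result from `single_outage_lockouts` means a single unavailable service sends the user back to the helpdesk, which is the failure the extra identity services are meant to prevent.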

This screenshot of the administration interface illustrates the choices/flexibility:

The user’s perspective (use)

In the event of an encryption lock out, users are greeted with the infamous BitLocker Recovery screen:

Specops Key Recovery makes it possible for the user to visit a self-service portal via another device (e.g., a mobile phone) and verify their identity using a number of authentication factors provided by the previously enrolled identity services.

After proving their identity, they can enter the first 8 characters from the recovery key ID, press “Continue” and get the BitLocker recovery key:

So, in a nutshell: enrolled users can recover access to their machine without having to ask the helpdesk for assistance. This saves costs without sacrificing security, as users have to verify their identity before recovering access. This is what Specops Key Recovery does very well.

The sysadmin’s perspective (installation, setup, management)

To operate Specops Key Recovery, a sysadmin needs to set up multiple elements:

1. Register an account on the Specops cloud service.
2. Install the Specops Authentication Gatekeeper Administration tool on their Domain Controller (DC).
3. Set up the group policy to store the recovery passwords and key packages in the Active Directory Domain Services (AD DS).
4. Configure the service according to their required policies.

We particularly liked the fact that during account registration Specops Key Recovery insists on enabling 2-factor authentication (2FA). It’s SMS-based 2FA, but that’s still better than no 2FA, and you can swap it with something else later on. It’s also great that the system checks for common blacklisted passwords, adds a reCAPTCHA to curb automated attacks (which can be enforced or disabled), and has a default level of logging and reporting.

The cloud user management component is the solution’s service desk. It allows the IT helpdesk to verify users’ identities using the same MFA factors they enrolled with before performing sensitive tasks such as recovering keys or resetting passwords. The interface also presents helpdesk users with details such as enrollment and authentication information. For example:

From the AD-tooling side of things, installation is straightforward and the documentation covers the entire process in enough detail that any junior system administrator could set the system up.

If we really wanted to nitpick, we could suggest that the documentation or the tool itself could help admins set up the group policy to store the recovery passwords and key packages in the AD DS.

Final verdict

If you have a large, distributed and remote workforce, you will benefit from the increased security and convenience offered by the solution.

Although we only illustrated the key recovery option, the Specops Authentication platform also offers additional account management features like password reset, change, and account unlocking – all utilizing the same multi-factor authentication engine. One important feature that stands out for those with a global workforce is geo-blocking, which may prove to be helpful in a number of situations.

From a diagnostics standpoint, it’s easy enough to see if your Gatekeeper software is working on the DC, and the variety of supported identity services provides enough freedom/flexibility for anyone to specify which service or method they trust and how much.

Customers will appreciate the fact that the web interface can be customized and the self-service portal can be integrated with the specific visual style of an organization.

By default, the application logs privileged events like key recovery to Windows events. Reporting is also available through a dashboard, where one can search for specific events. One thing I would love to see is the actual information about user logins to the cloud service in the event logs.

Specops Key Recovery helps system administrators and users: it removes complexity and successfully solves a common problem.

Review: Cyber Minds

Humans are an essential part of any enterprise and should be considered the foundation of its cybersecurity. That’s probably easier said than done, but Shira Rubinoff has some useful tips for you.

Aside from being a prominent cybersecurity executive, speaker, cybersecurity and blockchain advisor, and having built two cybersecurity companies, Rubinoff also has an educational background in psychology. That’s why Cyber Minds is very human-oriented, meaning she views cybersecurity through its interconnectivity with humans.

Inside Cyber Minds

Every enterprise should take care of its cybersecurity by taking care of every single employee and giving them the opportunity and the knowledge to practice good cyber hygiene within the company. A company’s cybersecurity is as strong as its weakest link and every executive must realize that.

The author emphasizes four essential steps to achieve cyber hygiene that every company should implement in their workforce development strategies:

  • Continuous training
  • Global awareness
  • Updated security and patching
  • Zero trust

After giving you these guidelines, she warns about the most common behaviors that could lead to a data breach and the psychology behind them.

The next chapters include interviews with cybersecurity professionals where they share their opinions and knowledge, as well as give you real-life examples.

They talk about the possible impact of blockchain on the future of cybersecurity, about cloud technology concerns, the biggest breaches, the trends in cybersecurity, how to keep IoT safe, and the benefits of introducing military elements into cybersecurity.

The author dedicates a chapter to AI and the fear that such technology induces. AI is, without a doubt, the technology of the future and will become part of our lives whether we want it or not. The question is, can it be trusted? Can we let it manage cybersecurity?

Who is it for?

The book aims at business leaders, to make them recognize the importance of cybersecurity and the fact that setting rules is not enough. Employees must be educated and, from a psychological point of view, feel like an essential link in the cybersecurity chain.

The language is simple and comprehensible, the author doesn’t use excessive technical language, and the book is a great read for those in the C-suite that want to have a broader perspective of their company’s cybersecurity posture.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users has been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today.

Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific company resources.

For example: An attacker wants to target CompanyX and sees that 30 users that work in CompanyX also had their account credentials leaked following a recent breach (let’s say Zynga). Trying to enter those credentials into the company’s SharePoint, Exchange, VPN, and various web portals to see if they might gain access is a no-brainer for them.

This common occurrence has resulted in the launch of several commercial and free solutions that try to mitigate this specific risk. One of them is Enzoic for Active Directory.

About Enzoic for Active Directory and this review

“Enzoic for AD is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials,” the product’s page says.

“Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts. It helps organizations with NIST Password Guideline compliance in Active Directory.”

We tested the Enzoic for AD solution and this review will focus on the following main points:

1. Setup experience – The solution’s install process and setup process.
2. A cursory overview of the privacy implications of the solution – Since the solution has to query Enzoic’s cloud to verify if a password is contained in a breached set, we decided to check what is actually sent to the cloud.
3. Usefulness and coverage – The effectiveness of the solution when tested against multiple breached credentials lists.
4. Final thoughts and impressions.

Setup experience

The installer for Enzoic for AD is available in both EXE and MSI file format. The software is a plugin for Microsoft Active Directory, which needs to be installed on all AD servers in your organization to achieve coverage.

The installation process begins with a standard Windows install:

Enzoic for Active Directory needs to be configured. Which Users, Groups, Containers should be covered by its functionality to check for compromised passwords? Will the entire AD be covered? (For this test, we left the default “All Users in Active Directory” option.)

After confirming coverage, monitoring options can be configured. The options are:

1. Reject common passwords found in cracking dictionaries (or not).
2. Check passwords during password resets (or not).
3. Use fuzzy password matching (or not).

In the next step we needed to select the remediation action. The solution allows for the following options:

1. User must change password on next login.
2. User must change password on next login (delayed).
3. Disable account.
4. Disable account (Delayed).
5. Notify only (via email to the user and to a number of other accounts). E-mail is sent by Enzoic (through Amazon SES) and you cannot configure a specific email server to use.

Installation and configuration are simple and easy even for a beginner. After-setup configuration capabilities are also very easy to understand and to tweak.

They include the same options offered at setup-time, plus two additional ones. One allows adding a custom password dictionary, which can include a word or parts of words that should not appear in a password (e.g., the name of your business). The other allows password blocking based on similarity, according to a configurable distance value that defines how closely a new password can match a previous password.

After a quick mandatory server restart, we proceeded to test the usability of the application.

A cursory overview of the privacy implications of the solution

“Trust but verify,” says an old proverb, so we decided to inject a CA certificate into our AD server, to be able to sniff the communications between our AD server and Enzoic’s servers to see what actually gets shared with Enzoic. We entered a very common password (administrator) and tried to verify it:

As you can see, that password was rejected, but let’s see what was shared on the wire:

In the request you can see that the application takes the input string “administrator”, hashes that value with MD5, SHA1 and SHA256, and sends the first 40 bits of each hash to Enzoic’s cloud, which responds with the possible candidates to check. This is similar to the k-anonymity algorithm used by HaveIBeenPwned’s API service, which shares only the starting 20 bits of SHA1 hash output.

We did not actually try to reverse engineer the application, since this was a cursory review just to make sure that the actual passwords are not being sent to Enzoic’s cloud.

We also left our domain controller (DC) connected to the internet for 48 hours to see what kind of data (if any) is being sent to Enzoic. We found that the app shares some telemetry with the Enzoic cloud, namely the number of matches of breached passwords in the organization and number of users, probably for licensing purposes:

Usefulness and coverage

Next, we wanted to see how Enzoic for AD handles leaked passwords, so we covered a few scenarios that might be interesting to our readers:

  • Verifying if the application correctly detects passwords from common wordlists used by attackers.
  • Verifying if the application correctly detects passwords from common large-scale breaches (LinkedIn, RockYou).
  • Verifying if the application correctly detects passwords from very recent leaks (Zynga).

We took a random sample from SecLists and the LinkedIn and RockYou leaks, and even fully random passwords that were a part of a breached set (e.g., *23P%GWtUPST2jQ&auUB7j542) were correctly identified. We also ran a random sample of passwords from other leaks (e.g., the Hak5 leak) and they were also correctly detected.

One thing that interested us was whether Enzoic for AD could detect passwords from recent leaks. (Un)fortunately, a week before this test the full user database from game company Zynga was leaked on the internet, so we decided to test Enzoic for AD with the newly available leaked passwords.

We sampled passwords randomly but also tried to find unique passwords that were contained in the Zynga breach but not in the sets we used previously. We found a couple of such passwords, and they were successfully detected as breached passwords by Enzoic for AD. Good job!

Looking to the future

We couldn’t test the breached password notification option, since that would require us to actually have users who are a part of an actual breach that is about to occur, which cannot be easily simulated.

Looking forward to the future, there are a few things that could be changed, but are in no way a deal-breaker from our perspective.

The first one is the sharing of three types of hashes and 40 bits of data per hash. We could argue this is excessive since the reference implementation for k-anonymity only shares 20 bits of a single hash.

Enzoic tells us that they chose that length of partial hash as a good balance between anonymity and performance. Keeping the number of candidate hashes returned to a more reasonable number and thus reducing latency for the call is an important concern, since many of their customers are very sensitive to latency.

They view the additional data sent as posing minimal risk (keep in mind no usernames are shared and none of these requests are logged on their end). That said, they do have it on their roadmap to make the partial hash match length configurable in the future – with the trade-off that some users might have longer latencies when attempting a password change if this length is significantly reduced.
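The partial-hash lookup seen in the traffic capture and the prefix-length trade-off discussed here, as an added example that is not Enzoic’s or HaveIBeenPwned’s code: the client sends only a hash prefix, the service returns candidate hashes, and the full comparison happens locally. The mock service, the function names and the breached corpus are assumptions constructed for illustration; the real wire format is not shown on this page.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")  # the three digests the review saw in the request


def full_hashes(password: str) -> dict:
    """Full hex digests, computed and kept on the client side."""
    data = password.encode("utf-8")
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def partial_hashes(password: str, bits: int) -> dict:
    """The only values that leave the client: the first `bits` of each digest."""
    if bits <= 0 or bits % 4:
        raise ValueError("prefix length must be a positive multiple of 4 bits")
    return {a: h[: bits // 4] for a, h in full_hashes(password).items()}


class MockBreachService:
    """Local stand-in for the cloud side (hypothetical, constructed corpus)."""

    def __init__(self, breached_passwords):
        self._corpus = {a: set() for a in ALGOS}
        for pw in breached_passwords:
            for algo, digest in full_hashes(pw).items():
                self._corpus[algo].add(digest)
        self.seen = []  # everything the service learns from clients

    def candidates(self, algo: str, prefix: str) -> set:
        self.seen.append((algo, prefix))
        return {h for h in self._corpus[algo] if h.startswith(prefix)}


def is_breached(password: str, service: MockBreachService, bits: int = 40) -> bool:
    """Send prefixes, then match the full digest locally against the candidates."""
    full = full_hashes(password)
    prefixes = partial_hashes(password, bits)
    hits = [full[a] in service.candidates(a, prefixes[a]) for a in ALGOS]
    return any(hits)


def expected_bucket_size(corpus_size: int, bits: int) -> float:
    """Average number of corpus hashes sharing one prefix (uniform digests).

    Large buckets hide the queried password among many candidates but cost
    bandwidth and latency; tiny buckets are fast but nearly identify the hash.
    """
    return corpus_size / 2 ** bits


if __name__ == "__main__":
    svc = MockBreachService(["administrator", "password", "123456"])  # constructed
    print("administrator breached:", is_breached("administrator", svc, 40))
    print("service saw:", svc.seen)
    corpus = 2 ** 30  # constructed corpus size, roughly a billion hashes
    for bits in (20, 40):
        print(bits, "bit prefix -> candidates per query:",
              expected_bucket_size(corpus, bits))
```

With a corpus of about a billion hashes, a 20-bit prefix returns roughly a thousand candidates per query while a 40-bit prefix returns far fewer than one on average, which is the anonymity-versus-latency balance at issue.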

Secondly, when the user gets notified that a breached password was found, the notification could also state in which breached set that password was found. This would be interesting to both users and security personnel in an organization. We are aware that this information cannot be shared with the user through the standard Windows interface, but it can be sent via email or stored in event logs.

Final verdict

Enzoic for Active Directory is a first-rate solution for ensuring that your users don’t select passwords that were part of a breach. Its coverage of leaked lists is very good, since any list we could legally obtain was correctly flagged by it. Installation is simple and configuration and maintenance are no hassle.

One excellent aspect of this tool is that even someone who is marginally acquainted with Active Directory and has zero experience with Enzoic’s solution can install and make the solution work out of the box. Definitely a 10/10 for user experience.

Review: Cyber Smart

Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.

McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.

Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals

He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.

McDonough explains all the possible risks and threats you could encounter in a connected world, who the bad actors are, what their goals are and, most importantly, their attack methods.

The author presents five golden rules – or, as he calls them, “Brilliance in the Basics” habits – you should be complying with to maintain good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.

The second half of the book gives you detailed and specific recommendations on how to protect your:

  • Identity
  • Children
  • Money
  • Email
  • Files
  • Social media
  • Website access and passwords
  • Computer
  • Mobile devices
  • Home Wi-Fi
  • IoT devices
  • Information when traveling

McDonough doesn’t use scare tactics that could possibly make you want to forego all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even if the online world poses so many threats, there’s a lot you can do to protect yourself.

Who is this book for?

You don’t need to be a cybersecurity professional to understand this book. Its language is simple and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library, also for future reference.

The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.

Review: Foundations of Information Security

Computers have become an essential part of everyday life, but this widespread usage comes with serious risks, especially for organizations. To address the issue, the author, Dr. Jason Andress, an experienced security professional and researcher who has been writing about security for more than 10 years, wrote this very detailed book that guides the reader through the essentials of information security. The book contains a total of 14 chapters which, as … More

The post Review: Foundations of Information Security appeared first on Help Net Security.