Saturday, September 24, 2022

Recommendation for Random Bit Generator Constructions: Third Public Draft of NIST SP 800-90C Available for Comment

The National Institute of Standards and Technology (NIST) has released the third public draft of NIST Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions.

The NIST SP 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A specifies several deterministic random bit generator (DRBG) mechanisms based on cryptographic algorithms. SP 800-90B provides guidance for the development and validation of entropy sources. SP 800-90C specifies constructions for the implementation of random bit generators (RBGs) that include DRBG mechanisms as specified in SP 800-90A and that use entropy sources as specified in SP 800-90B.

This draft includes constructions for three classes of RBGs:

  • An RBG1 construction provides random bits from a device that is initialized from an external RBG.
  • An RBG2 construction includes an entropy source that is available on demand.
  • An RBG3 construction includes an entropy source that is continuously accessed to provide output with full entropy.

SP 800-90C includes a note to readers, guidance for accessing and handling the entropy sources in SP 800-90B, specifications for the initialization and use of the three RBG constructions that incorporate the DRBGs from SP 800-90A, and guidance on health testing and implementation validation using NIST's Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) that is jointly operated by NIST and the Canadian Centre for Cyber Security (CCCS).
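
To make the three constructions concrete, here is an added example (not NIST's code and not a validated implementation) that builds an HMAC_DRBG following the SP 800-90A steps and wraps it two ways: Rbg1, seeded once from an external RBG and unable to reseed itself, and Rbg2, which draws from an on-demand entropy source whenever a reseed is due or prediction resistance is requested. The RBG3 construction (continuous access to a full-entropy source) is not modelled. The class and method names and the entropy_source callable are this example's own assumptions.

```python
"""RBG1 / RBG2 constructions sketched on top of an HMAC_DRBG.

Added example, not code from NIST or the SP 800-90 series, and not a
validated implementation. HmacDrbg follows the HMAC_DRBG steps described in
SP 800-90A (Update, Instantiate, Reseed, Generate); the Rbg1 and Rbg2
wrappers, their names and the 'entropy_source' callable (assumed to return
n bytes of full-entropy input) are this example's own simplifications.
"""
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG as described in SP 800-90A, over a hashlib hash."""

    def __init__(self, hash_name="sha256", reseed_interval=1 << 16):
        self.hash_name = hash_name
        outlen = hashlib.new(hash_name).digest_size
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * outlen
        self.V = b"\x01" * outlen
        self.reseed_counter = 0  # 0 = not yet instantiated

    def _hmac(self, key, data):
        return hmac.new(key, data, self.hash_name).digest()

    def _update(self, provided_data):
        """HMAC_DRBG_Update: fold provided_data into the (K, V) state."""
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def instantiate(self, entropy_input, nonce=b"", personalization=b""):
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def reseed(self, entropy_input, additional_input=b""):
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes, additional_input=b""):
        if self.reseed_counter == 0:
            raise RuntimeError("DRBG is not instantiated")
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")  # caller must reseed first
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


class Rbg1:
    """RBG1: DRBG seeded once from an external RBG, with no entropy source
    of its own. Once the reseed interval is exhausted it cannot recover by
    itself; it has to be re-initialized from the external RBG again."""

    def __init__(self, seed_from_external_rbg, reseed_interval=1 << 16):
        self.drbg = HmacDrbg(reseed_interval=reseed_interval)
        self.drbg.instantiate(seed_from_external_rbg)

    def random_bytes(self, n):
        return self.drbg.generate(n)  # raises RuntimeError once exhausted


class Rbg2:
    """RBG2: DRBG plus an entropy source that can be queried on demand."""

    def __init__(self, entropy_source, security_strength_bits=256,
                 reseed_interval=1 << 16):
        self.entropy_source = entropy_source
        self.seedlen = security_strength_bits // 8
        self.drbg = HmacDrbg(reseed_interval=reseed_interval)
        # Entropy input of at least the security strength, plus a nonce of
        # half that length, both drawn from the entropy source.
        self.drbg.instantiate(entropy_source(self.seedlen),
                              nonce=entropy_source(self.seedlen // 2))

    def random_bytes(self, n, prediction_resistance=False):
        # Reseed from the entropy source when the interval is exhausted, or
        # on every call if the caller asks for prediction resistance.
        if prediction_resistance or self.drbg.reseed_counter > self.drbg.reseed_interval:
            self.drbg.reseed(self.entropy_source(self.seedlen))
        return self.drbg.generate(n)


if __name__ == "__main__":
    import os
    rbg = Rbg2(os.urandom)  # os.urandom stands in for an SP 800-90B source
    print(rbg.random_bytes(32).hex())
```

The difference between the two wrappers is the whole point of the construction classes: an Rbg1 instance's security rests entirely on the one external seed and the DRBG's reseed interval, while an Rbg2 instance can refresh its state whenever its entropy source is available.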

Note that an initial public draft of an associated document, NIST IR 8427, Discussion on the Full Entropy Assumption of the SP 800-90 Series, is also available for public comment.

The public comment period for NIST SP 800-90C is open through December 7, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight: NIST IR 8286C

NIST has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. This report completes the cybersecurity risk management (CSRM) and enterprise risk management (ERM) integration cycle described throughout the NIST IR 8286 series.

NIST IR 8286C describes methods for combining risk information from across the enterprise, including notional examples for aggregating and normalizing the results from cybersecurity risk registers (CSRRs) while considering risk parameters, criteria, and business impacts. The resulting integration and normalization of risk information informs enterprise-level risk decision-making and monitoring, which helps create a comprehensive picture of the overarching cyber risk. The report describes the creation of an enterprise risk profile (ERP) that supports the comparison and management of cyber risks along with other risk types.

NIST IR 8286C pairs with several other reports:

The NIST IR 8286 series enables risk practitioners to integrate CSRM activities more fully into the broader enterprise risk processes. Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders have a clear understanding of cybersecurity risk posture at all times. It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.

The authors of the NIST IR 8286 series hope that these publications will spark further industry discussion. As NIST continues to develop frameworks and guidance to support the application and integration of information and technology, many of the series’ concepts will be considered for inclusion.

Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices

Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan (RAT) capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out messages containing a link that points to the info-stealing Android malware. The malware’s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions. The malware’s ability to steal all SMS messages is also concerning since the data stolen can be used to further steal users’ sensitive info like 2FA messages for email accounts and other personally identifiable information (PII).

Figure 1. Typical SMS campaign attack flow (diagram): the infection starts from an SMS message containing a malicious link that leads to the malicious APK.

Our investigation of this new Android malware version started from our receipt of an SMS message containing a malicious link that led us to the download of a fake banking rewards app. The fake app, detected as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo compared to a similar malware reported in 2021. Moreover, we found that this fake app’s command and control (C2) server is related to 75 other malicious APKs based on open-source intelligence. Some of the malicious APKs also use the same Indian bank’s logo as the fake app that we investigated, which could indicate that the actors are continuously generating new versions to keep the campaign going.

This blog details our analysis of the recent version’s capabilities. We strongly advise users never to click on unknown links received in SMS messages, emails, or messaging apps. We also recommend seeking your bank’s support or advice on digital options for your bank. Further, ensure that your banking apps are downloaded from official app stores to avoid installing malware.

To read the full article at Microsoft, click here.

Malicious OAuth applications abuse cloud email services to spread spam

Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange Online settings and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server. The actor then used the malicious inbound connector to send spam emails that looked like they originated from the targets’ domain. The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.

Microsoft has been monitoring the rising popularity of OAuth application abuse. One of the first observed malicious usages of OAuth applications in the wild is consent phishing. Consent phishing attacks aim to trick users into granting permissions to malicious OAuth apps to gain access to users’ legitimate cloud services (mail servers, file storage, management APIs, etc.). In the past few years, Microsoft has observed that more and more threat actors, including nation-state actors, have been using OAuth applications for different malicious purposes – command-and-control (C2) communication, backdoors, phishing, redirections, and so on.

This recent attack involved a network of single-tenant applications installed in compromised organizations being used as the actor’s identity platform to perform the attack. As soon as the network was revealed, all the related applications were taken down and notifications to customers were sent, including recommended remediation steps.

This blog presents the technical analysis of this attack vector and the succeeding spam campaign attempted by the threat actor. It also provides guidance for defenders on protecting organizations from this threat, and how Microsoft security technologies detect it.

Figure 1. Overview of the attack chain (diagram, flowing left to right from the attacker gaining access to the target tenant to spam messages being sent to targets). The time between application deployment and usage varied; there were cases where the actor took months before using the application.

Initial access

For the attack to succeed, the threat actor needed to compromise cloud tenant users with sufficient permissions that would allow the actor to create an application in the cloud environment and give it admin consent. The actor performed credential stuffing attacks against their targets, attempting to access users with the global admin role. The authentication attempts, which originated from a single IP address, were launched against the Azure Active Directory PowerShell application (app ID: 1b730954-1685-4b74-9bfd-dac224a7b894). The same application was later used to deploy the rest of the attack.

Based on the success ratio of the authentication attempts, it is inferred that the attacker used a dump of compromised credentials. The investigation also revealed that 86% of the compromised tenants had at least one admin with a real-time high risk score, which means they were flagged by Azure AD Identity Protection as most likely compromised. It is also important to note that none of the compromised admins had MFA enabled, which could have stopped the attack. These observations amplify the importance of securing accounts and monitoring for high-risk users, especially those with high privileges.

Deploying the malicious OAuth application

Once the threat actor gained access to privileged users, their next step was to set up the malicious application. Based on analysis of the event user agent (Swagger-Codegen/1.4.0.0/csharp) and how quickly the deployment of the application was done, it is likely that the actor ran a PowerShell script to perform the following Azure Active Directory (AAD) management activities in all targeted tenants:

  • Register a new single-tenant application with the naming convention [domain name]_([a-zA-Z]){3} (for example: Contoso_GhY)
  • Add the legacy permission Exchange.ManageAsApp, which can be used for app-only authentication of the Exchange Online PowerShell module
  • Grant admin consent to the above permission
  • Give global admin and Exchange Online admin roles to the previously registered application
  • Add application credentials (key/certificate/both)

The threat actor added their own credentials to the OAuth application, which enabled them to access the application even if the initially compromised global administrator changed their password.

The activities mentioned gave the threat actor control of a highly privileged application. It was observed that the threat actor did not always use the application right after it was deployed. In some cases, it took weeks or months before the application was utilized. Also, in organizations that didn’t monitor for suspicious applications, the applications were deployed for months and used multiple times by the threat actor.
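
A defender-side correlation of the deployment steps listed above, as an added example (not Microsoft's code or detection logic). The audit records are constructed, and the operation names and field layout are assumptions about how such events appear in a tenant's Azure AD audit log; map them to the real schema before use. The only values taken from the write-up are the naming convention, the Exchange.ManageAsApp permission, the privileged roles and the Swagger-Codegen user agent.

```python
"""Correlate app-registration audit events into one 'suspicious OAuth app'
finding. Added example, not Microsoft's code. Operation names and record
fields below are assumptions about the audit-log schema, and the records
themselves are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_AGENT = "Swagger-Codegen"  # user agent quoted in the write-up
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
LEGACY_PERMISSION = "Exchange.ManageAsApp"
# [domain name]_([a-zA-Z]){3}, e.g. Contoso_GhY
NAME_PATTERN = re.compile(r"^(?P<domain>[A-Za-z0-9.-]+)_[A-Za-z]{3}$")
CRED_OP = "Update application - Certificates and secrets management"  # assumed label

T0 = datetime(2022, 9, 1, 3, 14, 0)
AGENT = "Swagger-Codegen/1.4.0.0/csharp"
# Constructed sample records: one scripted deployment, one ordinary registration.
AUDIT_LOG = [
    {"time": T0, "op": "Add application", "app": "Contoso_GhY",
     "actor": "admin@contoso.com", "agent": AGENT},
    {"time": T0 + timedelta(seconds=4), "op": "Consent to application",
     "app": "Contoso_GhY", "actor": "admin@contoso.com", "agent": AGENT,
     "permissions": ["Exchange.ManageAsApp"]},
    {"time": T0 + timedelta(seconds=9), "op": "Add member to role",
     "app": "Contoso_GhY", "actor": "admin@contoso.com", "agent": AGENT,
     "role": "Global Administrator", "principal_type": "ServicePrincipal"},
    {"time": T0 + timedelta(seconds=11), "op": "Add member to role",
     "app": "Contoso_GhY", "actor": "admin@contoso.com", "agent": AGENT,
     "role": "Exchange Administrator", "principal_type": "ServicePrincipal"},
    {"time": T0 + timedelta(seconds=15), "op": CRED_OP,
     "app": "Contoso_GhY", "actor": "admin@contoso.com", "agent": AGENT},
    {"time": T0 + timedelta(days=2), "op": "Add application", "app": "HR Portal",
     "actor": "dev@contoso.com", "agent": "Mozilla/5.0"},
    {"time": T0 + timedelta(days=2, minutes=30), "op": "Consent to application",
     "app": "HR Portal", "actor": "dev@contoso.com", "agent": "Mozilla/5.0",
     "permissions": ["User.Read"]},
]


def score_app(app_name, events, tenant_name, window):
    """Return (score, reasons) for one application's audit events."""
    reasons = []
    m = NAME_PATTERN.match(app_name)
    if m and m.group("domain").lower() == tenant_name.lower():
        reasons.append("display name follows the [domain]_[A-Za-z]{3} convention")
    if any(SUSPECT_AGENT in e.get("agent", "") for e in events):
        reasons.append("deployed through a scripted client (Swagger-Codegen user agent)")
    if any(e["op"] == "Consent to application"
           and LEGACY_PERMISSION in e.get("permissions", ()) for e in events):
        reasons.append(f"admin consent granted for legacy {LEGACY_PERMISSION}")
    roles = {e["role"] for e in events
             if e["op"] == "Add member to role"
             and e.get("principal_type") == "ServicePrincipal"}
    if roles & PRIVILEGED_ROLES:
        reasons.append("service principal placed in privileged role(s): "
                       + ", ".join(sorted(roles & PRIVILEGED_ROLES)))
    if any(e["op"] == CRED_OP for e in events):
        reasons.append("credentials added to the application")
    times = [e["time"] for e in events]
    if len(events) >= 3 and max(times) - min(times) <= window:
        reasons.append(f"{len(events)} deployment steps within {window}")
    return len(reasons), reasons


def analyze(records, tenant_name, window=timedelta(hours=1), threshold=3):
    """Group records by application and report those scoring at or above threshold."""
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app"]].append(r)
    findings = {}
    for app, events in by_app.items():
        score, reasons = score_app(app, events, tenant_name, window)
        if score >= threshold:
            findings[app] = {"score": score, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for app, f in analyze(AUDIT_LOG, "contoso").items():
        print(app, f["score"], *f["reasons"], sep="\n  ")
```

Each indicator on its own is weak (developers do register apps and grant consent), which is why the score combines them; the signals that matter most are a service principal landing in a privileged directory role and fresh credentials being added to it, since those are what let the actor keep access after the compromised admin's password changes.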

To read the full article at Microsoft, click here.

CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense

CISA and the National Security Agency (NSA) have published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). Control System Defense: Know the Opponent is intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTPs) used by malicious cyber actors. This advisory builds on NSA and CISA 2021 guidance provided to stop malicious ICS activity against connected OT, and 2020 guidance to reduce OT exposure.

CISA and NSA encourage critical infrastructure owners and operators to review the advisory, Control System Defense: Know the Opponent, and apply the recommended mitigations and actions. For more information on CISA’s resources and efforts to improve ICS cybersecurity, visit CISA’s role in industrial control systems webpage.

NIST IoT Cybersecurity Program Releases Two New Documents

NIST’s Cybersecurity for the Internet of Things (IoT) program has released two new documents:

The new consumer profile reflects the next steps discussed in the summary report on the IoT cybersecurity labeling criteria work done in response to Executive Order 14028. This profile builds on prior releases and the stakeholder feedback they generated.

NIST Proposes the Conversion of FIPS 198-1 (HMAC) to a NIST Special Publication

As a part of the periodic review of NIST’s cryptographic standards and guidelines, NIST's Crypto Publication Review Board announced the review of FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC), in August 2021. In response, NIST received public comments.

NIST proposes to convert FIPS 198-1 to a NIST Special Publication (SP), and apply the following changes:

  • Update the HMAC specification to include block sizes for the SHA-3 family of hash functions
  • Include a discussion on truncation
  • Improve the editorial quality and update references
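
Added example (not NIST's code): HMAC built directly from the FIPS 198-1 construction, with the hash's input block size B read from hashlib so the same code covers SHA-2 and SHA-3 (for SHA-3 the block size is the sponge rate in bytes, e.g. 136 for SHA3-256 and 72 for SHA3-512), plus the leftmost-bytes truncation the proposal mentions. It checks itself against Python's hmac module; the function names are this example's own.

```python
"""HMAC from the FIPS 198-1 definition, parameterized by block size B.

Added example, not NIST's code. Block sizes come from hashlib's .block_size,
which for the SHA-3 family equals the sponge rate in bytes.
"""
import hashlib
import hmac
from typing import Optional


def hmac_fips198(key: bytes, message: bytes, hash_name: str,
                 truncate_to: Optional[int] = None) -> bytes:
    """HMAC(K, text) = H((K0 xor opad) || H((K0 xor ipad) || text))."""
    h = hashlib.new(hash_name)
    B = h.block_size    # input block size in bytes (64 for SHA-256, 136 for SHA3-256)
    L = h.digest_size   # output length in bytes
    # Keys longer than B are hashed first; the result (or a shorter key) is
    # then zero-padded on the right to exactly B bytes to form K0.
    k0 = hashlib.new(hash_name, key).digest() if len(key) > B else key
    k0 = k0.ljust(B, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in k0)
    opad_key = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    mac = hashlib.new(hash_name, opad_key + inner).digest()
    if truncate_to is not None:
        # Truncation keeps the leftmost t bytes of the full-length MAC.
        if not 0 < truncate_to <= L:
            raise ValueError("truncation length must be between 1 and the digest length")
        mac = mac[:truncate_to]
    return mac


def block_sizes(names=("sha256", "sha512", "sha3_224", "sha3_256",
                       "sha3_384", "sha3_512")):
    """Input block sizes (B, in bytes) that the HMAC construction depends on."""
    return {n: hashlib.new(n).block_size for n in names}


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the from-definition HMAC against Python's hmac module."""
    ours = hmac_fips198(key, message, hash_name)
    ref = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(ours, ref)


if __name__ == "__main__":
    print(block_sizes())
    print(hmac_fips198(b"key", b"The quick brown fox", "sha3_256").hex())
```

The reason the proposal has to spell out SHA-3 block sizes is visible in the code: B decides how the key is padded (and whether a long key is pre-hashed), so an implementation that hard-codes 64 bytes would produce wrong MACs for every SHA-3 variant.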

Conversion to an SP: NIST typically specifies fundamental cryptographic primitives—block ciphers, digital signatures algorithms, and hash functions—as FIPS publications, whereas other cryptographic schemes—modes of operation, message authentication codes, etc.—are published as a part of the NIST SP 800 series. (For more information, see Section 3 of NISTIR 7977.) To be consistent with that approach, NIST proposes to convert FIPS 198-1 to an SP.

In particular, NIST proposes to develop a draft SP for the HMAC specification, updated as described above, which would be released for public comment. When the SP is finalized and published, FIPS 198-1 would be withdrawn simultaneously.

Send comments on the decision proposal by October 20, 2022 to cryptopubreviewboard@nist.gov with “Comments on FIPS 198-1 decision proposal” in the subject line.

Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.

Friday, September 9, 2022

Initial Public Draft of NIST IR 8427 Available for Comment

The National Institute of Standards and Technology (NIST) has released the initial public draft of NIST Interagency Report (IR) 8427, Discussion on the Full Entropy Assumption of the SP 800-90 Series. This document is being released at the same time as the third public draft of NIST Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions, in support of the SP 800-90 series of publications.

The NIST SP 800-90 series supports the generation of high-quality random bits for cryptographic and non-cryptographic use. The security of a random number generator depends on the unpredictability of its outputs, which can be measured in terms of entropy. The NIST SP 800-90 series uses min-entropy to measure entropy. A full-entropy bitstring has an amount of entropy equal to its length. Full-entropy bitstrings are important for cryptographic applications, as these bitstrings have ideal randomness properties and may be used for any cryptographic purpose. Due to the difficulty of generating and testing full-entropy bitstrings, the SP 800-90 series assumes that a bitstring has full entropy if the amount of entropy per bit is at least 1 - ε, where ε is at most 2^-32. NIST IR 8427 provides a justification for the selection of ε.
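
As an added illustration (this is not the report's own argument, just what the threshold implies): for an n-bit output X, min-entropy is the negative log of the most likely value, so the "at least 1 − ε per bit" condition bounds how far the most probable output can stray from uniform:

$$H_\infty(X) = -\log_2 \max_x \Pr[X = x] \;\ge\; (1-\varepsilon)\,n
\quad\Longrightarrow\quad
\max_x \Pr[X = x] \;\le\; 2^{-(1-\varepsilon)n} = 2^{-n}\cdot 2^{\varepsilon n}.$$

With $\varepsilon = 2^{-32}$ and $n = 256$:

$$2^{\varepsilon n} = 2^{2^{-24}} = e^{2^{-24}\ln 2} \approx 1 + 2^{-24}\cdot 0.693 \approx 1 + 4.1\times 10^{-8},$$

so no 256-bit output is more than about $4\times 10^{-8}$ (relative) more likely than it would be under a perfectly uniform distribution.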

The public comment period for NIST IR 8427 is open through October 31, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

Tuesday, September 6, 2022

Request for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process

The Post-Quantum Cryptography (PQC) standardization process is continuing into a fourth round with the following key-encapsulation mechanisms (KEMs) still under consideration: BIKE, Classic McEliece, HQC, and SIKE. However, there are no remaining digital signature candidates under consideration. As such, NIST is requesting additional digital signature proposals to be considered in the PQC standardization process.

NIST is primarily interested in additional general-purpose signature schemes that are not based on structured lattices. For certain applications, such as certificate transparency, NIST may also be interested in signature schemes that have short signatures and fast verification. NIST is open to receiving additional submissions based on structured lattices but is intent on diversifying the post-quantum signature standards. As such, any structured lattice-based signature proposal needs to significantly outperform CRYSTALS-Dilithium and FALCON in relevant applications and ensure substantial security properties in order to be considered for standardization.

Complete instructions on how to submit a candidate package, including the minimal acceptability requirements, are posted on the PQC: Digital Signature Schemes project page. The finalized evaluation criteria that will be used to assess the submissions are also posted at the same website. Submission packages must be received by NIST by June 1, 2023.

Friday, August 19, 2022

Submit Comments on FIPS 180-4

NIST is in the process of a periodic review and maintenance of its cryptography standards and guidelines.

This announcement initiates the review of Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS), 2015.

NIST requests public comments on all aspects of FIPS 180-4. Additionally, NIST would appreciate feedback on the following two areas of particular concern:

  1. SHA-1. In recent years, the cryptanalytic attacks on the SHA-1 hash function have become increasingly severe and practical (see, e.g., the 2020 paper "SHA-1 is a Shambles" by Leurent and Peyrin). NIST, therefore, plans to remove SHA-1 from a revision of FIPS 180-4 and to deprecate and eventually disallow all uses of SHA-1. The Cryptographic Module Validation Program will establish a validation transition schedule.

     • How will this plan impact fielded and planned SHA-1 implementations?
     • What should NIST consider in establishing the timeline for disallowing SHA-1?

  2. Interface. The "Init, Update, Final" interface was part of the SHA-3 Competition submission requirements. Should a revision of FIPS 180-4 discuss the “Init, Update, Final” hash function interface?

The public comment period is open through September 9, 2022. Comments may address the concerns raised in this announcement or other issues around security, implementation, clarity, risk, or relevance to current applications.

Send comments to cryptopubreviewboard@nist.gov with “Comments on FIPS 180-4” in the subject line.

For more information about the review process, visit the Crypto Publication Review Project page.

Thursday, August 18, 2022

Microsoft's Chief Information Security Officer (CISO) Workshop Training

The Chief Information Security Officer (CISO) workshop helps accelerate security program modernization with reference strategies built using Zero Trust principles.

The workshop covers all aspects of a comprehensive security program including strategic initiatives, roles and responsibilities, success metrics, maturity models, and more. Videos and slides can be found here.

This is free training.

To learn more, go here.

A website I found that is great for free and affordable training

Free and affordable training with a focus on DFIR/Blue Team. Search only the free resources or search everything at once.

A great site by DFIR Diva: Overview | LinkedIn

Microsoft Exam Readiness Zone

This is a great resource for those pursuing Microsoft certification.

Join our experts as they provide tips, tricks, and strategies for preparing for a Microsoft Certification exam. Our exam prep videos will help you identify the key knowledge and skills measured on the exam and how to allocate your study time. Each video segment corresponds to a major topic area on the exam. Our trainer will point out objectives that many test takers find difficult. In these videos, we include example questions and answers with explanations. We recommend that you watch these videos after you have completed training or had some practice. However, you can watch them at any point in your certification journey. We also provide additional exam preparation resources.

Exam Readiness Zone | Microsoft Docs

Inside a data center

Ever wonder what a Microsoft data center looks like? I found this on the internet; it is a great view of, and insight into, data centers.

We Live in the Cloud | Microsoft Story Labs

NCCoE Releases Draft Project Description for Mitigating AI Bias

Comment Now: NCCoE Draft Project Description for Mitigating AI Bias

The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description, Mitigating AI/ML Bias in Context: Establishing Practices for Testing, Evaluation, Verification, and Validation of AI Systems. Publication of this project description begins a process to solicit public comments for the project requirements, scope, and hardware and software components for use in a laboratory environment.

We want your feedback on this draft to help refine the project. The comment period is now open and will close on September 16, 2022.

To tackle the complex problem of mitigating AI bias, this project will adopt a comprehensive socio-technical approach to testing, evaluation, verification, and validation (TEVV) of AI systems in context. This approach will connect the technology to societal values in order to develop guidance for recommended practices in deploying automated decision-making supported by AI/ML systems. A small but novel part of this project will be to look at the interplay between bias and cybersecurity and how they interact with each other.

The initial phase of the project will focus on a proof-of-concept implementation for credit underwriting decisions in the financial services sector. We intend to consider other application use cases, such as hiring and school admissions, in the future. This project will result in a freely available NIST SP 1800 Series Practice Guide.

Upcoming Workshop Update

Earlier this month, we announced a hybrid workshop on Mitigating AI Bias in Context on Wednesday, August 31, 2022. The workshop will now be virtual only via WebEx and will provide an opportunity to discuss this topic and work towards finalizing this project description. You can register by clicking on the above workshop link. We hope to see you there!

We Want to Hear from You!

The public comment period for this draft is open through September 16, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

We value and welcome your input and look forward to your comments.

Comment Now!