Keyes Security Blog
Cybersecurity researcher Mordechai Guri from Israel's Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices.

Dubbed 'POWER-SUPPLaY,' the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers.

"Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities," Dr. Guri outlined in a paper published today and shared with The Hacker News.

"The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers."

"We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware. Binary data can be modulated and transmitted out via the acoustic signals."

Using Power Supply as an Out-of-Band Speaker

Air-gapped systems are considered a necessity in environments where sensitive data is involved in an attempt to reduce the risk of data leakage. The devices typically have their audio hardware disabled so as to prevent adversaries from leveraging the built-in speakers and microphones to pilfer information via sonic and ultrasonic waves.

Attacks of this kind also require that both the transmitting and receiving machines be located in close physical proximity to one another and that both are infected with the appropriate malware to establish the communication link, for example through social engineering campaigns that exploit the target device's vulnerabilities.

POWER-SUPPLaY functions in the same way in that the malware running on a PC can take advantage of its PSU and use it as an out-of-band speaker, thus obviating the need for specialized audio hardware.

"This technique enables playing audio streams from a computer even when audio hardware is disabled, and speakers are not present," the researcher said. "Binary data can be modulated and transmitted out via the acoustic signals. The acoustic signals can then be intercepted by a nearby receiver (e.g., a smartphone), which demodulates and decodes the data and sends it to the attacker via the Internet."

Put differently, the air-gap malware regulates the workload of modern CPUs to control its power consumption and the switching frequency of the PSU to emit an acoustic signal in the range of 0-24kHz and modulate binary data over it.

Air-Gap Bypass and Cross-Device Tracking

The malware in the compromised computer, then, not only amasses sensitive data (files, URLs, keystrokes, encryption keys, etc.), it also transmits data in WAV format using the acoustic sound waves emitted from the computer's power supply, which is decoded by the receiver — in this case, an app running on an Android smartphone.

According to the researcher, an attacker can exfiltrate data from audio-gapped systems to the nearby phone located 2.5 meters away with a maximal bit rate of 50 bit/sec.

One privacy-breaking consequence of this attack is cross-device tracking, as this technique enables the malware to capture browsing history on the compromised system and broadcast the information to the receiver.

As a countermeasure, the researcher suggests zoning sensitive systems in restricted areas where mobile phones and other electronic equipment are banned. Having an intrusion detection system to monitor suspicious CPU behavior, and setting up hardware-based signal detectors and jammers, could also help defend against the proposed covert channel.
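As an added illustration of the CPU-monitoring countermeasure (this is not code from the paper or the article), the detector below scans a constructed per-core utilisation trace for a single dominant audio-range tone, which is what a workload toggled on and off to drive the PSU switching frequency looks like in the utilisation spectrum. The sample rate, frequency band and threshold are assumptions for the demo.

```python
import math
import random

# Assumed telemetry: per-core utilisation sampled at SAMPLE_RATE Hz.
# Real monitoring rates vary; this value is an assumption for the demo.
SAMPLE_RATE = 8000

def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of the signal at one frequency (Goertzel algorithm).

    The sample mean is removed first so that the DC level of an
    ordinarily busy core does not leak into the audio bins.
    """
    mean = sum(samples) / len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * target_hz / sample_rate)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = (x - mean) + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2

def tone_dominance(samples, lo_hz=200, hi_hz=3000, step_hz=50):
    """Strongest bin power divided by the mean bin power over the band.

    Normal workloads spread energy across the band (ratio stays small);
    a workload toggled at a fixed audio frequency concentrates it in one
    bin (ratio becomes large).
    """
    powers = [goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz)]
    mean_power = sum(powers) / len(powers)
    return max(powers) / mean_power if mean_power > 0 else 0.0

def looks_like_covert_modulation(samples, ratio_threshold=20.0):
    """Flag a trace whose spectrum is dominated by one audio-range tone.

    The threshold is an assumption; tune it against recorded baselines.
    """
    return tone_dominance(samples) > ratio_threshold

# --- constructed traces for the demo (not real measurements) ----------

def make_benign_trace(seconds=1.0, seed=1):
    """Noisy utilisation around 30% with a slow 1 Hz drift."""
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * seconds)
    return [0.3 + 0.1 * math.sin(2 * math.pi * t / SAMPLE_RATE)
            + rng.uniform(-0.1, 0.1) for t in range(n)]

def make_suspicious_trace(tone_hz=1000, seconds=1.0, seed=2):
    """Core driven fully busy/idle at tone_hz, i.e. a square wave."""
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * seconds)
    half_period = SAMPLE_RATE // (2 * tone_hz)
    return [(1.0 if (t // half_period) % 2 == 0 else 0.0)
            + rng.uniform(-0.05, 0.05) for t in range(n)]

if __name__ == "__main__":
    for name, trace in (("benign", make_benign_trace()),
                        ("suspicious", make_suspicious_trace())):
        print(f"{name}: dominance={tone_dominance(trace):.1f} "
              f"flagged={looks_like_covert_modulation(trace)}")
```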

With air-gapped nuclear facilities in Iran and India the target of security breaches, the new research is yet another reminder that complex supply chain attacks can be directed against isolated systems.

"The POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need hardware access or root-privileges," the researcher concluded. "This proposed method doesn't invoke special system calls or access hardware resources, and hence is highly evasive."


As organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services. Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

This Alert is an update to the Cybersecurity and Infrastructure Security Agency's May 2019 Analysis Report, AR19-133A: Microsoft Office 365 Security Observations, and reiterates the recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would-be attackers of O365.

Technical Details

Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have migrated to cloud-based collaboration solutions like O365. In recent weeks, organizations have been forced to change their collaboration methods to support a full “work from home” workforce.

O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.


The following list contains recommended configurations when deploying O365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,”[1] assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit the assignment of overly permissive privileges to legitimate administrators.[2] Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised.[3] Always assign administrators only the minimum permissions they need to conduct their tasks.

Enable Unified Audit Log (UAL): O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[4] An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL allows administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

Enable multi-factor authentication for all users: Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

Disable legacy protocol authentication when appropriate: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface.[5]

Enable alerts for suspicious activity: Enabling logging of activity within an Azure/O365 environment can greatly increase the owner’s effectiveness at identifying malicious activity occurring within their environment, and enabling alerts will serve to enhance that. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity.[6] At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.

Incorporate Microsoft Secure Score: Microsoft provides a built-in tool to measure an organization’s security posture with respect to its O365 services and offer enhancement recommendations.[7] These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change. Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

Integrate Logs with your existing SIEM tool: Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.[8]
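The two minimum alerts CISA names above (logins from suspicious locations and accounts exceeding a sent-email threshold) can also be evaluated downstream once UAL records reach a SIEM or a script. The added example below (not CISA's or Microsoft's code) runs that logic over constructed Unified Audit Log entries in JSON-lines form; the field names follow the Office 365 Management Activity common schema, while the users, IP addresses, allow-listed network and send threshold are made-up assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed Unified Audit Log entries (one AuditData object per line).
# Field names follow the O365 Management Activity common schema; the
# users, addresses and timestamps are invented for this illustration.
SAMPLE_UAL_LINES = """
{"CreationTime":"2020-04-20T08:01:12","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success"}
{"CreationTime":"2020-04-20T08:03:40","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.77","ResultStatus":"Success"}
{"CreationTime":"2020-04-20T08:04:02","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"198.51.100.77","ResultStatus":"Failed"}
{"CreationTime":"2020-04-20T08:10:00","Operation":"Send","Workload":"Exchange","UserId":"bob@example.com","ClientIP":"203.0.113.22","ResultStatus":"Succeeded"}
{"CreationTime":"2020-04-20T08:10:05","Operation":"Send","Workload":"Exchange","UserId":"bob@example.com","ClientIP":"203.0.113.22","ResultStatus":"Succeeded"}
{"CreationTime":"2020-04-20T08:10:09","Operation":"Send","Workload":"Exchange","UserId":"bob@example.com","ClientIP":"203.0.113.22","ResultStatus":"Succeeded"}
{"CreationTime":"2020-04-20T08:10:14","Operation":"Send","Workload":"Exchange","UserId":"bob@example.com","ClientIP":"203.0.113.22","ResultStatus":"Succeeded"}
{"CreationTime":"2020-04-20T08:12:30","Operation":"Send","Workload":"Exchange","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"}
"""

# Constructed allow-list of the organization's known egress networks.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_ual_lines(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def suspicious_logins(records, known_networks=KNOWN_NETWORKS):
    """Successful sign-ins from outside the known networks, as (user, ip).

    Failed attempts are deliberately ignored here; they belong to a
    separate brute-force rule rather than a 'suspicious location' alert.
    """
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("ResultStatus") != "Success":
            continue
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in net for net in known_networks):
            hits.append((r["UserId"], r["ClientIP"]))
    return hits

def senders_over_threshold(records, max_sends):
    """Users whose Exchange 'Send' count in this batch exceeds max_sends.

    The batch is assumed to cover one alerting window (e.g. one hour).
    """
    counts = Counter(r["UserId"] for r in records if r.get("Operation") == "Send")
    return {user: n for user, n in counts.items() if n > max_sends}

def build_alerts(records, max_sends=3):
    """Combine both rules into human-readable alert strings.

    max_sends=3 is an artificially low demo threshold.
    """
    alerts = [f"login from unknown network: {u} from {ip}"
              for u, ip in suspicious_logins(records)]
    alerts += [f"send threshold exceeded: {u} sent {n} messages"
               for u, n in senders_over_threshold(records, max_sends).items()]
    return alerts

if __name__ == "__main__":
    for alert in build_alerts(parse_ual_lines(SAMPLE_UAL_LINES)):
        print(alert)
```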

Solution Summary

CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services.[9] Specifically, CISA recommends that administrators implement the following mitigations and best practices:

  • Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
  • Protect Global Admins from compromise and use the principle of “Least Privilege.”
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable Alerting capabilities.
  • Integrate with organizational SIEM solutions.
  • Disable legacy email protocols, if not required, or limit their use to specific users.

Protecting against cyber threats during COVID-19 and beyond | Google Cloud Blog

Identity & Security

Protecting businesses against cyber threats during COVID-19 and beyond


No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19. At the same time, some things remain constant: Security is at the top of the priority list, and phishing is still one of the most effective methods that attackers use to compromise accounts and gain access to company data and resources. In fact, bad actors are creating new attacks and scams every day that attempt to take advantage of the fear and uncertainty surrounding the pandemic. 

It’s our job to constantly stay ahead of these threats to help you protect your organization. In February, we talked about a new generation of document malware scanners that rely on deep learning to improve our detection capabilities across over 300 billion attachments we scan for malware every week. These capabilities help us maintain a high rate of detection even though 63% of the malicious docs blocked by Gmail are different from day to day. 

To further help you defend against these attacks, today we’re highlighting some examples of COVID-19-related phishing and malware threats we’re blocking in Gmail, sharing steps for admins to effectively deal with them, and detailing best practices for users to avoid threats.

The attacks we’re seeing (and blocking)

Every day, Gmail blocks more than 100 million phishing emails. During the last week, we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models have evolved to understand and filter these threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users. 

The phishing attacks and scams we’re seeing use both fear and financial incentives to create urgency to try to prompt users to respond. Here are some examples:

  • Impersonating authoritative government organizations like the World Health Organization (WHO) to solicit fraudulent donations or distribute malware. This includes mechanisms to distribute downloadable files that can install backdoors. In addition to blocking these emails, we worked with the WHO to clarify the importance of an accelerated implementation of DMARC (Domain-based Message Authentication, Reporting, and Conformance) and highlighted the necessity of email authentication to improve security. DMARC makes it harder for bad actors to impersonate the domain, thereby preventing malicious emails from reaching the recipient’s inbox, while making sure legitimate communication gets through.

[Image 1: example of an email impersonating an authoritative government organization]

  • This example shows increased phishing attempts of employees operating in a work-from-home setting.

[Image 2: example of a phishing attempt aimed at employees working from home]

  • This example attempts to capitalize on government stimulus packages and imitates government institutions to phish small businesses.

[Image 3: example of an email capitalizing on government stimulus packages]

  • This attempt targets organizations impacted by stay-at-home orders.

[Image 4: example of an email targeting organizations impacted by stay-at-home orders]

Improving security with proactive capabilities 

We have put proactive monitoring in place for COVID-19-related malware and phishing across our systems and workflows. In many cases, these threats are not new—rather, they’re existing malware campaigns that have simply been updated to exploit the heightened attention on COVID-19. 

As soon as we identify a threat, we add it to the Safe Browsing API, which protects users in Chrome, Gmail, and all other integrated products. Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to dangerous sites or download dangerous files. 

In G Suite, advanced phishing and malware controls are turned on by default, ensuring that all G Suite users automatically have these proactive protections in place.


These controls can: 

  • Route emails that match phishing and malware controls to a new or existing quarantine

  • Identify emails with unusual attachment types and choose to automatically display a warning banner, send them to spam, or quarantine the messages 

  • Identify unauthenticated emails trying to spoof your domain and automatically display a warning banner, send them to spam, or quarantine the messages 

  • Protect against documents that contain malicious scripts that can harm your devices 

  • Protect against attachment file types that are uncommon for your domain

  • Scan linked images and identify links behind shortened URLs

  • Protect against messages where the sender's name is a name in your G Suite directory, but the email isn't from your company domain or domain aliases

Best practices for organizations and users

Admins can look at Google-recommended defenses on our advanced phishing and malware protection page, and may choose to enable the security sandbox.

Users should: 

  • Complete a Security Checkup to improve your account security

  • Avoid downloading files that you don’t recognize; instead, use Gmail’s built-in document preview

  • Check the integrity of URLs before providing login credentials or clicking a link—fake URLs generally imitate real URLs and include additional words or domains

  • Avoid and report phishing emails 

  • Consider enrolling in Google’s Advanced Protection Program (APP)—we’ve yet to see anyone that participates in the program be successfully phished, even if they’re repeatedly targeted 

At Google Cloud, we’re committed to protecting our customers from security threats of all types. We’ll keep innovating to make our security tools more helpful for users and admins and more difficult for malicious actors to circumvent.

Zooming Safe

Apr 17
Here are some things that you can do to protect yourself when using Zoom.

Before the meeting:
  • Disable autosaving chats
  • Disable private chats / upload of animated GIFs
  • Disable file transfer
  • Disable screen sharing for non-hosts
  • Disable remote control
  • Disable annotations
  • Use per-meeting ID, not personal ID
  • Disable "Join Before Host"
  • Enable "Waiting Room"
  • Use unique ID for large or public Zoom calls
  • Enable password feature (keep password or create your own)

During the meeting:
  • Assign at least two co-hosts
  • Mute all participants
  • Lock the meeting, if all attendees are present
  • Share screen with host-only or not at all

If you get Zoombombed:
  • Remove problematic users and disable their ability to rejoin
  • Lock the meeting to prevent additional Zoombombing

Here are helpful links if you want to know more: releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
With COVID-19 stimulus deposits being sent this week, cybercriminals are using the COVID-19 pandemic to target consumers. Threats observed include:
  • Phishing, using the subject of coronavirus or COVID-19 as a lure.
  • Malware distribution, using coronavirus or COVID-19 themed lures.
  • Registration of new domain names containing wording related to coronavirus or COVID-19.
  • Attacks against newly and often rapidly deployed remote access and teleworking infrastructure.

Below are some links to COVID-19 related security advisories:

The New York Department of Financial Services sent out several guidance letters to industries in response to COVID-19.

The "Guidance to Department of Financial Services (“DFS”) Regulated Institutions Engaged in Virtual Currency Business Activity and Request for Assurance Relating to Operational and Financial Risk Arising from the Outbreak of the Novel Coronavirus (COVID-19)" addresses operational and financial risks that the state of NY seeks to assess from industries operating in the state.

NY is asking businesses to devise a plan and submit a letter of assurance containing the following at a minimum:

  1. Preventative measures tailored to the institution’s specific profile and operations to mitigate the risk of operational disruption, which should include identifying the impact on customers, and counterparts;
  2. A documented strategy addressing the impact of the outbreak in stages, so that the entity’s efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak;
  3. Assessment of all facilities, systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access;
  4. An assessment of potential increased risk of cyber-attacks and fraud due to an outbreak;
  5. Employee protection strategies, critical to sustaining an adequate workforce during the outbreak, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19;
  6. Assessment of the preparedness of critical third-party service providers and suppliers;
  7. Development of a communication plan to effectively communicate with customers, counterparties and the public, and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
  8. Testing the plan to ensure its policies, processes and procedures are effective; and
  9. Governance and oversight of the plan, including identifying the critical members of a response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.

In addition to operational risks, business risk management plans in response to coronavirus should incorporate the following financial concerns:

  1. Assessment of the valuation of assets and investments that may be, or have been, impacted by COVID-19;
  2. Assessment of the overall impact of COVID-19 on the earnings, profits, capital, and liquidity of your institutions; and
  3. Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19. See DFS Guidance to New York State Regulated Banks, Credit Unions and Licensed Lenders Regarding Support for Businesses Impacted by the Novel Coronavirus.

The guidance specifically addresses the risk to virtual currency businesses during this time.

Businesses face a very real threat of bad actors attempting to take advantage of the disruption to operations and dispersion of personnel working remotely. If you or your business needs assistance keeping your cybersecurity posture during this crisis, the Keyes Security team is ready to provide you with professional consulting and vulnerability management.



Hello World!

Jan 27

As I write the first Keyes Security blog post entry, it is only fitting (as a developer and security professional) to kick things off by saying “Hello World” and discussing the origins of “Hello World” programs.

Brian Kernighan is the person who first used the “hello world” program, as part of the BCPL programming language, which was developed by Martin Richards. Brian Kernighan wrote the code for part of the I/O section of the BCPL manual. This is confirmed by Martin Richards himself, who can still be contacted at Cambridge. This code was used for early testing of the C compiler and made its way into Kernighan and Ritchie’s book. Later, it was one of the first programs used to test Bjarne Stroustrup’s C++ compiler, and it went on to become a standard first program for new programmers.

All the Best,