Saturday, December 31, 2016

US government subcontractor leaks confidential military personnel data

The leak exposed personal data including Social Security numbers to the assigned posts of critical members of the US military, some of whom hold the highest levels of security clearance.

from US government subcontractor leaks confidential military personnel data


AWS re:Invent 2016 – WS Shield, A Managed DDoS Protection Service


from AWS re:Invent 2016 – WS Shield, A Managed DDoS Protection Service


Information Security Events For January

Here are information security events in North America this month:

  1. FloCon 2017: January 9 to 12 in San Diego, CA, USA
  2. ICS Security Conference (S4x17) 2017: January 10 to 12 in Miami Beach, FL, USA
  3. Suits and Spooks DC 2017: January 11 to 12 in Arlington, VA, USA
  4. […]

The post Information Security Events For January appeared first on Infosec Events.



from Information Security Events For January

New Year’s resolutions from the Avast dogs

Avast is full of dog lovers, and as such, we aspire to “…to be the person my dog thinks I am.” This inspirational quote, attributed to Victorian author Mary Ann Evans, who went by the pen name George Eliot (Silas Marner and Middlemarch), speaks to our best friend’s unconditional love and non-judgmental acceptance.



from New Year’s resolutions from the Avast dogs

Friday Squid Blogging: Will Fish and Chips Become Squid and Chips?

BBC.com reports that squid are proliferating around the North Sea, and speculates that they will become an increasingly common British dinner. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

from Friday Squid Blogging: Will Fish and Chips Become Squid and Chips?

Grizz’d

With the publishing of an exacting and erudite critique of the recent Joint Analysis Report on Grizzly Steppe...

from Grizz’d

AWS re:Invent 2016 – Cyber Resiliency, Surviving the Breach


from AWS re:Invent 2016 – Cyber Resiliency, Surviving the Breach

Friday, December 30, 2016

Fox News: Obama response to Russian hacking does not go far enough, say experts



from Fox News: Obama response to Russian hacking does not go far enough, say experts



Cryptosmith Video Series

The Cryptosmith video series uses animation to explain well-known crypto techniques. This should help more people understand crypto technology, which is particularly important as people rely more and more on mobile and Internet security mechanisms. Aside from protecting online commerce and financial activities, many professionals are realizing that their daily activities require strong protection. After …

from Cryptosmith Video Series

News in brief: US raps Russian hacking; internet clampdowns ‘cost $2.4bn’; AR move to track lost items

Your daily round-up of some of the other stories in the news

from News in brief: US raps Russian hacking; internet clampdowns ‘cost $2.4bn’; AR move to track lost items

Building an Internet of Things Risk Model in the Wake of Mirai

For many of us, Internet of Things (IoT) security has been nothing more than a cocktail party conversation. It sounds interesting but doesn’t necessarily affect our work or personal lives even if our job includes cybersecurity. While it is clearly a concern for operators of medical devices or industrial control systems, it seems less relevant for the typical enterprise or consumer. After all, even if we had a networked TV, refrigerator, or fitness tracker, the potential damage that could be done seems minimal. However, some of the recent distributed denial of service (DDoS) attacks coordinated…

from Building an Internet of Things Risk Model in the Wake of Mirai



Uber, Apple Maps and location tracking: what’s really going on?

Uber sparked privacy fears with its always-on tracking of iPhone users' location - but it's got an explanation

from Uber, Apple Maps and location tracking: what’s really going on?

Will SUSE Bring SBCs to Datacenters?

SUSE's November release of SLES for the Raspberry Pi might eventually bring a new breed of server to server rooms and datacenters.

from Will SUSE Bring SBCs to Datacenters?

Windows Defender Advanced Threat Protection (ATP) White Paper From Microsoft

Windows Defender ATP provides the power of the cloud, machine learning, and big data in conjunction with the Windows Defender client that is part of Windows 10 to help your organization protect your critical customer data.

from Windows Defender Advanced Threat Protection (ATP) White Paper From Microsoft

KillDisk: from disk-wiping to ransomware

CyberX reports that KillDisk, already associated with cybersabotage, is now also being used as a basis for ransomware, demanding a hefty 222 bitcoin in ransom. NEW KILLDISK MALWARE BRINGS RANSOMWARE INTO INDUSTRIAL DOMAIN Commentary by Catalin Cimpanu for Bleeping Computer: KillDisk Disk-Wiping Malware Adds Ransomware Component. Commentary by David Bisson for Tripwire: KillDisk Wiper Malware Evolves into Ransomware. […]

from KillDisk: from disk-wiping to ransomware

Happy new year! Here’s our look back at the year on Naked Security

Our experts have covered a huge range of subjects in the past 12 months: here's our look at the top topics of 2016

from Happy new year! Here’s our look back at the year on Naked Security

Anup Ghosh appears on ABC World News to discuss alleged Russian hacking


from Anup Ghosh appears on ABC World News to discuss alleged Russian hacking

Malware distributed as fake security software

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software including Goldeneye/Petya and Stampado. David Harley

from Malware distributed as fake security software

ABC News: President Obama Forcefully Responds to Alleged Russian Hacking


from ABC News: President Obama Forcefully Responds to Alleged Russian Hacking

Hedge fund turns to AI to navigate through the maze

Trading by algorithms is nothing new, but one fund is looking to extend its use of AI into managing the business

from Hedge fund turns to AI to navigate through the maze

The shocking failure of the FBI to warn the DNC that it had been hacked

Seems to me that I go to more effort when I fix relatives' computers than the FBI goes to protect a front runner in the US presidential election.

from The shocking failure of the FBI to warn the DNC that it had been hacked

Some notes on IoCs

Obama "sanctioned" Russia today for those DNC/election hacks, kicking out 35 diplomats, closing diplomatic compounds, seizing assets of named individuals/groups. They also published "IoCs" of those attacks, fingerprints/signatures that point back to th...

from Some notes on IoCs

Who helped Russia “hack” the US election? It might have been you…

As the United States kicks out 35 Russian intelligence officers after alleged election-related hacks, there are clear lessons that businesses and internet users can learn to make life harder for the attackers next time.

from Who helped Russia “hack” the US election? It might have been you…

IoT: The Internet of Threats

12-29
We talked about our continuing failure to identify the exploitation of legitimacy or even the source or nature of our attackers in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. Our confusion about the identity and purpose of the enemy, combined with […]

from IoT: The Internet of Threats

What to Expect at CES 2017

Why wait for news on the next big thing in technology, when you can get a sneak peek at the hottest, up-and-coming consumer tech and innovations at CES 2017? For the last 50...read more

The post What to Expect at CES 2017 appeared first on Webroot Threat Blog.



from What to Expect at CES 2017

Stop calling everything a “hack”

Nevada state government's website was leaking thousands of social security numbers, and highly sensitive personal data. They said it was a hack. Spoiler alert: It wasn't.

from Stop calling everything a “hack”

The Evolution of the Financial Services CIO Since Y2K

The role of the chief information officer (CIO) has undergone substantial changes in less than two decades, progressing from a rare position within an organization to the heart of the executive boardroom. The pace at which technology has evolved has driven much of this growth, and today’s financial organizations now lean on their CIO to keep data safe while also keeping pace with industry advances. Let’s take a look back at the evolution of security within the financial services CIO’s role and some of the changes that have brought...

from The Evolution of the Financial Services CIO Since Y2K

Thursday, December 29, 2016

An Open Letter to Android or “Android, You Are Shit!”

Dear Android:

I know you are an operating system and probably cannot (yet?) read on your own. However, recent events compelled me to write this letter to you; an idea for it literally came to me in a dream.

You see, I have carried an Android phone in my pocket since 2010, for almost six years. First a Sony Xperia X10 (eventually running a venerable Android 2.3.7), then another phone, then finally a Google Nexus 4 and now a Google Nexus 5X (sporting Android 7.1.1). At some point, I traded an iPad for a Google Nexus 9. A [sort of] Android Amazon Fire is my living room Android. I have convinced my wife to start using Android as well and she became a fan too. This represents a multi-year love affair with you, dear Android.

In fact, dear Android, I often had to defend you from packs of rabid Apple fanboys, generally with good results – I either won or we had a draw. Over the years, I had to defend my mobile technology choices from many people: “No, it is NOT an iPhone, it is a Nexus”, “Yes, I chose Android because I like it more than the iPhone, not because it is cheaper”, “Yes, I think Google Now is way more useful than Siri”, etc, etc. I’ve counter-attacked with arguments about the “closed Apple ecosystem”, “one stupid button” and “overpriced devices.” As a person who follows information technology, I am aware of Android’s many strengths such as better background processes and multi-tasking, security improvements, a flexible user interface, Google Now integration, etc.

However, as I am writing this, my beloved Nexus 5X is no longer with me. In fact, recent events have triggered some soul-searching and ultimately this letter. While doing my soul-searching, I realized that my love affair with you, Android, has some strong dysfunctional notes. You see, I think I always suspected that you are shit.

Over the years, I’ve been using my Android devices carefully and thoughtfully – I never rooted them, never sideloaded apps [well, not to my main personal phone], and I even tried to minimize my use of non-Google applications, etc.  However, as I recall my experiences with Android over the last six years, I am saddened to report that you, Android, never really worked quite right.

In fact, I distilled my reasons to calling you “shit” to one key point: I have never really trusted you, because you have never worked reliably enough to earn such trust.

Indeed, my Sony phone would sometimes crash and reboot, or freeze (“battery out” was the only cure). I of course explained it by “growing pains of Android, the new mobile OS”… after all, you were just in v2, practically a baby. My Nexus 4 used to crash and shut down as well; apps would often drain the battery to zero without any warning. Furthermore, even nowadays, my Google Nexus 9 tablet (running Android 7.1.1) will occasionally just shut down out of the blue – I just had to restart it earlier today. A few days before my Nexus 5X’s untimely death – just 1 year and 9 days after purchase – the phone rebooted when I launched the Camera app. Such random reboots and crashes were not common with my Nexus 5X, but they did happen periodically. And then finally, my Nexus 5X entered an endless reboot loop a few days after the 7.1.1 OTA update and now has to be replaced. No troubleshooting steps helped.

OK, Google, you want to blame the hardware, perhaps? My experiences over the last 6 years sap the energy from this argument. I used the hardware from 3 different makers, all running Android, all having stability problems.

You see, Android, I don’t care about improved malware protection, a faster UI and the fact that you are “really Linux.” I don’t care about your growing market share. An OS that cannot stay up is a shit OS. And you, my dear OS friend, are shit.

In fact, as my employer gave me an iPhone (first a 4S and now a 5S), a peculiar pattern of behavior developed in my life: if I absolutely, positively had to call an Uber on a dark and stormy night, I would stash my work iPhone in my back pocket, just in case. If I had to show a boarding pass to a permanently angry TSA agent, I would print it or use the iPhone. In fact, I was not even aware of this “if it has to happen – use iPhone” pattern until my wife asked me why I was printing another boarding pass and I said “OK, I guess I can use the iPhone for that” – and so I realized that I just won’t trust my Android device with this.

Dear Android, you may be a full-featured OS now, but you are just not mission critical. In fact, you are the opposite of that – you are iffy. And the only reason why version SEVEN (not version TWO with growing pains, mind you) will not achieve this reliability is obvious to me – you are shit.

Android, I’ve never really trusted you and I don’t trust you now. I’ve lived with you since your version 2.1 to a current 7.1.1. The only way you can still have "growing pains" after so many years is that you are a shit OS.

Despite all that, dear Android, I will take one more chance with you. When my Google Nexus 5X is repaired and then hopefully continues working for a while, I will stick to using you. But, sorry, no promises beyond that point!

Respectfully ... but distrustfully,

Dr. Anton Chuvakin
(as a consumer, NOT as a technology analyst!)

About me: http://www.chuvakin.org


from An Open Letter to Android or “Android, You Are Shit!”


Dynamic Security Assessment: The Process and Functions

As we wind down the year, let’s get back into some forward looking research and get back into a concept we know will be more important in 2017. As described in the first post of the Dynamic Security Assessment series, there are clear limitations to the current means of security testing. But before we start talking about solutions, we should lay out the requirements for our vision of dynamic security assessment.

  1. Ongoing: Infrastructure is dynamic, and therefore point-in-time testing isn’t going to be sufficient. That’s one of the key issues with traditional vulnerability testing: a point-in-time assessment can be obsolete before the report hits your inbox.
  2. Current: Every organization also faces fast-moving and innovative adversaries leveraging ever-changing attack tactics and techniques. Thus, to provide relevant and actionable findings, the testing environment must be up to date and factor in these new tactics.
  3. Non-disruptive: The old security testing adage of “do no harm” still holds. Any kind of assessment function cannot take down systems or impact operations in any way.
  4. Automated: No security organization (that we know of, anyway) has enough people to begin with, so expecting them to constantly assess the environment isn’t realistic. So in order to make assessment feasible as a sustainable capability, it needs to be mostly automated.
  5. Evaluate alternatives: When a potential attack is identified, you’ll need to validate and then fix/remediate it. You shouldn’t be shooting in the dark, so it’s important to be able to see the impact of potential changes/workarounds, first to figure out whether the fix would stop the attack, and then to figure out the best option if there are several.

Dynamic Security Assessment Process

Per usual, we start our research by focusing on process, as opposed to shiny technology widgets. The process here is pretty straightforward.

  1. Deployment: The first step is to deploy the assessment devices. You could refer to them as agents or sensors or anything really. The fact is you’ll need some kind of presence both inside and outside the network to launch attacks and track the results.
  2. Define Mission: Once deployed, you’ll need to figure out what a typical attacker would want to access in your environment. This could be a formal threat modeling process, or you could start with asking the simple question of “What could be compromised that would cost the CEO/CFO/CIO/CISO his/her job?” Everything is important when you ask someone responsible for it, but to truly define the adversary’s most likely target, look at what will most drastically impact your business negatively.
  3. Baseline/Triage: Next you need to get an initial sense about the vulnerability and exploitability of the environment by using a library of attacks to achieve the mission. Usually there are critical issues identified that require all hands on deck immediately. Once you get through that initial triage/remediation of the potential attacks, then you’ll have your initial baseline of activity.
  4. Ongoing Assessment: Then you start assessing the environment on an ongoing basis. The automated feed of new attack tactics and targets is used to ensure you are looking for the latest attacks being seen in the wild. When the assessment engine finds something, administrators are alerted to successful attack paths/patterns for validation and then a determination of the criticality of the potential attack. This process needs to go on continuously, since things change in your environment from minute to minute.
  5. Fix: This tends to be a step performed by the operations team and is somewhat opaque to the assessment process. But here the critical issues are fixed/remediated.
  6. Verify Fixes: The final step in the process is to validate the issues were actually fixed. The job is not completed until you can verify that the fix is operational and effective.

Yes, it seems a lot like every other security assessment methodology you’ve seen. What needs to happen hasn’t really changed, since you need to figure out your exposures, understand the criticality, fix them, and then make sure they are fixed. What’s different is the technology that will be used for the assessment. This is where the industry has made significant strides to improve the accuracy and usefulness of the assessment.

Assessment Engine

The centerpiece of DSA is what we’ll call the assessment engine. It’s really about understanding what is possible in the environment, to determine the universe of possible attacks and then figure out which would be most damaging. This effectively reduces the detection window, since you don’t know whether an attack has even been used against you, and helps you prioritize remediation efforts by focusing on what could really work against your defenses.

You feed the assessment engine with the topology of the network, since the attackers need to gain presence in the network and then move laterally to achieve their mission. Once equipped with a map of the network, existing security controls are factored in, so the engine knows whether the devices are vulnerable to specific attacks. For instance, you’ll want to define the access control points (firewalls) and threat detection (intrusion prevention) points in the network and what kinds of controls run on the endpoints. This is a critical point, because attacks almost always involve both network and endpoint components. So your assessment engine must be able to simulate both types of attacks.

Then the assessment engine can start figuring out what can be attacked and how. The best practices of attackers are distilled into algorithms to simulate how an attack could happen across multiple networks and devices. To illuminate the concept a bit, think of the attack lifecycle/kill chain. The simulation does reconnaissance from both inside and outside the network to see what is visible and where to move next in search of its target.

It’s important to have presence and gather data from both inside and outside the network, since attackers will use both. Sometimes they get lucky and are invited in by unsuspecting employees, but other times they look for weaknesses in the perimeter defenses and applications. Everything is fair game and should be subject to DSA.

Then the simulation should deliver the attack to see what would compromise the specific device. With an idea of the controls on the device, you know what attacks will work. Using what is learned from recon activities, an attack path can be inferred from the entry point to the target. These paths represent lateral movement within the environment and the magic of the dynamic assessment is to figure out how the attacker would move within the environment, without hurting anything.

Finally, you’ll want to assess the ability of the attacker to exfiltrate the data, so the assessment environment will try to get past the egress filters with the payload.

To be clear, it’s not possible to really mimic what a human attacker can and would do when presented with specific and changing defenses. Your red team/pen testing activities play that role. Obviously you can’t pen test everything at all times, so the dynamic security assessment capability allows you to identify areas of concern and then use a human to validate and determine the most appropriate workaround.

But this isn’t an either/or proposition. The answer is really both. The DSA algorithms provide a probabilistic view of your attack surface and help understand the most likely paths an attacker would use to access the target information and exfiltrate the data. To use a software testing analogy, this function is akin to increasing the code coverage of the application test. Humans can’t factor and try every path and attack every device, but the machine can and does.

Threat Intelligence

If we refer back to the requirements, the simulation/analytics engine takes care of most of what needs to be done. It provides ongoing, non-disruptive, automated assessment of your entire environment. The only thing missing is keeping the tool current, and that’s where threat intelligence (TI) comes into play.

Integration of new attacks into the assessment engine allows these new tactics and targets to factor into the assessment. If you are facing a sophisticated adversary, you know what they’ll be throwing at you, based on what other organizations are seeing. Basically you feed the assessment engine with new methods and let it crank the numbers. If a new attack would be successful, you’ll know about it – optimally before it is successful in your environment.

Keep in mind that automation is critical to a sustainable and useful assessment function. You don’t have time to keep the tool updated and manually run the new tests. And you’ve got more leeway with assessment, since you wouldn’t disrupt the environment with a faulty update. You may get some false positives (which would be annoying), but you wouldn’t lose half your network as when an endpoint or network security control update goes awry.

Visualization

Finally, once you have an attack that could potentially be successful, you’ll want to be able to dig into the specifics. The modern way of doing that is through visualization. You’ll want to be able to see the path of the attacker and which devices could be compromised. Drilling down into the specific devices and what the assessment engine showed were possible attacks can be instructive to identify both faulty controls or weak configurations.

The visualization is key to weighing alternative fixes to figure out which would be most efficient. By assessing how different controls would impact the simulated attack, you can identify quickly which remediation path is best.

If it seems that a dynamic security assessment capability sounds like what vulnerability management tools should have evolved into, you’d be right. As opposed to looking at devices individually and providing summary data/dashboards about how quickly you are fixing vulnerabilities, the DSA engine puts those vulnerabilities into context. It’s not just about what can be attacked, but how the attack would be part of a campaign to access the target and steal the information.

We’ll wrap up the series by applying these techniques to a realistic attack scenario. Defining requirements and discussing tech is fun and all, but the concepts resonate much better when used within a specific situation that you may see. Or, more likely, have already seen.

- Mike Rothman
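A toy version of the assessment engine and of the “evaluate alternatives” step described above, added here as an example and not Securosis code: it models the network topology, the controls on each host and a small attack library, enumerates attack paths from the entry points to the mission target without touching anything, and ranks candidate fixes by how many paths survive each one. All host, technique and control names are constructed placeholders.

```python
import copy
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Technique:
    """An entry in the attack library and the controls that defeat it."""
    name: str
    blocked_by: frozenset

@dataclass
class Host:
    name: str
    weaknesses: set = field(default_factory=set)  # techniques that work against this host
    controls: set = field(default_factory=set)    # endpoint controls present on it

@dataclass
class Environment:
    hosts: dict        # name -> Host
    links: dict        # src -> set of hosts reachable through the access control points
    entry_points: set  # where the simulated attacker first gains presence
    target: str        # the mission: the asset whose loss hurts the business most

# Constructed technique library; technique and control names are placeholders.
LIBRARY = {
    "phish_macro": Technique("phish_macro", frozenset({"macro_block", "edr"})),
    "web_rce": Technique("web_rce", frozenset({"waf", "patched"})),
    "pass_the_hash": Technique("pass_the_hash", frozenset({"credential_guard"})),
    "db_default_creds": Technique("db_default_creds", frozenset({"rotated_creds"})),
}

def build_env():
    """A constructed five-node environment with no controls deployed yet."""
    hosts = {
        "internet": Host("internet"),
        "web01": Host("web01", {"web_rce"}),
        "wks01": Host("wks01", {"phish_macro"}),
        "fs01": Host("fs01", {"pass_the_hash"}),
        "db01": Host("db01", {"db_default_creds", "pass_the_hash"}),
    }
    links = {"internet": {"web01", "wks01"}, "web01": {"db01"},
             "wks01": {"fs01", "db01"}, "fs01": {"db01"}, "db01": set()}
    return Environment(hosts, links, {"internet"}, "db01")

def usable_techniques(env, library, host):
    """Techniques that would succeed against `host` given its current controls."""
    h = env.hosts[host]
    return sorted(t for t in h.weaknesses if library[t].blocked_by.isdisjoint(h.controls))

def attack_paths(env, library):
    """Every simple path from an entry point to the target, as (host, technique)
    hops; the entry hop carries no technique. Nothing is touched: this is a model."""
    paths = []

    def walk(cur, path, seen):
        if cur == env.target:
            paths.append(list(path))
            return
        for nxt in sorted(env.links.get(cur, ())):
            if nxt in seen:
                continue
            for tech in usable_techniques(env, library, nxt):
                path.append((nxt, tech)); seen.add(nxt)
                walk(nxt, path, seen)
                path.pop(); seen.discard(nxt)

    for entry in sorted(env.entry_points):
        walk(entry, [(entry, None)], {entry})
    return paths

def render_path(path):
    """Text form of one path, the kind of thing a visualization would draw."""
    return " -> ".join(h if t is None else f"{h}[{t}]" for h, t in path)

def apply_fix(env, fix):
    """Copy env and apply a candidate fix, a tuple of actions:
    ("control", host, control_name) or ("segment", src, dst)."""
    e = copy.deepcopy(env)
    for kind, a, b in fix:
        if kind == "control":
            e.hosts[a].controls.add(b)
        elif kind == "segment":
            e.links[a].discard(b)
        else:
            raise ValueError(f"unknown fix kind {kind!r}")
    return e

def evaluate_fixes(env, library, fixes):
    """Rank candidate fixes by how many attack paths survive each one (fewer is better)."""
    base = len(attack_paths(env, library))
    scored = [(len(attack_paths(apply_fix(env, f), library)), f) for f in fixes]
    return base, sorted(scored, key=lambda r: r[0])

# Constructed alternatives an operations team might weigh against each other.
HARDEN_DB = (("control", "db01", "credential_guard"), ("control", "db01", "rotated_creds"))
CANDIDATE_FIXES = [(("control", "web01", "waf"),), (("control", "wks01", "macro_block"),),
                   (("segment", "wks01", "db01"),), (("control", "db01", "rotated_creds"),),
                   HARDEN_DB]
```

Running `evaluate_fixes(build_env(), LIBRARY, CANDIDATE_FIXES)` shows six paths before any fix, with the combined database hardening closing all of them and the single-control options leaving two to four open, which is the comparison the visualization step is meant to support.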

from Dynamic Security Assessment: The Process and Functions

Session Stealer Script Used In OpenCart

With so many open-source ecommerce platforms available in the market, selling online is an appealing and easy option for any store owner. In a few clicks you can set up an online storefront and sell your products. While the process to get the site up m...

from Session Stealer Script Used In OpenCart

Most Exploited Vulnerabilities: by Whom, When, and How

Top Ten Vulnerabilities included in Exploit Kits Which are the most exploited vulnerabilities by hackers in 2016? Who used them and how? Let’s start from a study conducted by the threat...


from Most Exploited Vulnerabilities: by Whom, When, and How

The State of Web Applications’ Vulnerabilities in 2016

Part of our job on the Imperva web application security team is supplying inclusive mitigation to new security vulnerabilities in web applications as soon as they become public. Imperva continually gathers information regarding new vulnerabilities...

from The State of Web Applications’ Vulnerabilities in 2016

AWS re:Invent 2016 – Deep Dive, Security and Governance Across a Multi-Account Strategy


from AWS re:Invent 2016 – Deep Dive, Security and Governance Across a Multi-Account Strategy

News in brief: marijuana breach; Amazon moots airships; Firefox winds down for XP, Vista

Your round-up of some of the other stories in the news today

from News in brief: marijuana breach; Amazon moots airships; Firefox winds down for XP, Vista

Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies

Advanced persistent threats (APT) have gotten significant amounts of press over the last few years. When I first scanned the title of this book, I assumed it was on that topic. While Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies (Syngress 978-0128093160) does detail APT, that’s not the main focus. The book’s notion of advanced persistent security means ensuring that security is built into every aspect of a system. This goes from endpoint to server, and covers everything in between. In the book, authors…

from Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies

Updated Office.com Portal Begins Rolling out for all Users

The process of updating the Office 365 web portal began back in April of this year and now they are rolling those updates out to all subscribers.

from Updated Office.com Portal Begins Rolling out for all Users

Effects of the 2011 DigiNotar Attack

Nice article on the 2011 DigiNotar attack and how it changed security practices in the CA industry.



from Effects of the 2011 DigiNotar Attack

Guest post: Whose genes are they anyway?

The case of identical twins with different views about having their genome sequenced raises a series of privacy issues

from Guest post: Whose genes are they anyway?

Events for the week of Jan 1-7, 2017

Jan 5-8, 2017: International CES - Las Vegas, NV (@intlces) If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com). Full listing of upcoming events can be found at ...

from Events for the week of Jan 1-7, 2017

What is the difference between Fixed, Ignored and False Positive?

When checking vulnerabilities, you have the option of marking a vulnerability as either Fixed, Ignored or False Positive. Fixed should be used when the vulnerability has been fixed by the developers. If the vulnerability is detected again, it will be re-opened and marked as Rediscovered. Ignored should be used for vulnerabilities when you know about […]


The post What is the difference between Fixed, Ignored and False Positive? appeared first on Acunetix.



from What is the difference between Fixed, Ignored and False Positive?

SSD Advisory – ZendMail Remote Code Execution Vulnerability

Vulnerability Summary: The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker to inject additional parameters into the sendmail binary via the From address. Credit: An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vulnerability Details: “Zend\Mail provides generalized functionality …

from SSD Advisory – ZendMail Remote Code Execution Vulnerability

Ransomware demands more victims for freedom


Popcorn Time is taking ransomware to a new level of devilish trickery by asking victims to give up two of their friends for a chance to rid their own computers of the virus. In cyber security this level of diabolical blackmail represents a new and scary trend for hackers.

The post Ransomware demands more victims for freedom appeared first on Health Security Solutions.



from Ransomware demands more victims for freedom

Wednesday, December 28, 2016

The Top 17 Security Predictions for 2017



from The Top 17 Security Predictions for 2017

ABC News: Retaliation for Russian Election Hack Could Be Announced Thursday



from ABC News: Retaliation for Russian Election Hack Could Be Announced Thursday

IoT saves lives but infosec wants to change that

The cybersecurity industry mocks/criticizes IoT. That's because they are evil and wrong. IoT saves lives. This was demonstrated a couple weeks ago when a terrorist attempted to drive a truck through a Christmas market in Germany. The truck has an Intern...

from IoT saves lives but infosec wants to change that

Docker data security – going from zero to hero

If you are already developing on Docker, you already know why interest is so high.  The combination of faster application delivery and evolution that it makes possible, easily scalable microservices, reusable standard images, and the possibility of reducing system licensing and management costs is nearly irresistible if you’ve adopted a DevOps strategy.  And a compelling reason to adopt one if you are not. For a look at just how hot Docker is, take a look at the Google trends search […]

The post Docker data security – going from zero to hero appeared first on Data Security Blog | Vormetric.



from Docker data security – going from zero to hero

Start in Infosec

Instead of making yet another post about how to start in information security I have put together a collection of all the ones that people have done before. Right now this is a raw list, but I will go through and read each one. Once that is done, I’...

from Start in Infosec

Surreptitious Offspring

News, via CNET writer Alfred Ng, of a nefarious child, a sleeping mother, and a budding addiction to electron...

from Surreptitious Offspring

AWS re:Invent 2016 – Architecting Security and Governance Across a Multi-Account Strategy

Permalink

from AWS re:Invent 2016 – Architecting Security and Governance Across a Multi-Account Strategy

News in brief: Amazon asked for Echo data; Facebook in new fake news row; airline systems ‘insecure’

Catch up with some of the other security stories in the news

from News in brief: Amazon asked for Echo data; Facebook in new fake news row; airline systems ‘insecure’

Hollywood Cyber vs. Vegas Cyber

You can go one of two ways with depicting cybersecurity in movies and TV shows: you can depict it so seriously that every technical mistake generates an outraged howl from the infosec pros, or you can romanticize it so that it becomes a cult classic. On the one side, you have the complaints about CSI:Cyber; on the other, you have every picture of Angelina Jolie on rollerblades. You have neuroalternative people with colored hair saying, “If I can just get into the mainframe … there!” and then you have people lining up at RSAC to have their picture taken with Rami Malek. There’s Hollywood…

from Hollywood Cyber vs. Vegas Cyber

Closing the gender gap in tech with RGSoC

The last couple of years saw a growth in diversity- and women-focused tech events and programs; suddenly, everyone seems to be worried about diversity in our industry. But why is diversity in technology something we should care about?

from Closing the gender gap in tech with RGSoC

Smart TV Hit by Android Ransomware

Software engineer Darren Cauthon tweeted about how: ‘Family member’s tv is bricked by Android malware. #lg wont disclose factory reset. Avoid these “smart tvs” like the plague.’ To put this into some perspective, this isn’t a recent model: he explains that ‘It was one of the first google tvs.’ (Google TV is no longer supported, and […]

from Smart TV Hit by Android Ransomware

How secure is your law firm? New charges highlight vulnerabilities

"A wake-up call for law firms around the world" Do you know how secure your law firm is? According to the Manhattan U.S. Attorney, many are not secure enough: Ye...

from How secure is your law firm? New charges highlight vulnerabilities

Mixing biology with technology: what could possibly go wrong?

Biology and technology are moving closer and experts are wondering if this poses a new security threat

from Mixing biology with technology: what could possibly go wrong?

Nevada accidentally leaks thousands of medical marijuana dispensary applications

The data includes their dates of birth, home addresses, citizenship, and driving license and social security numbers of the applicants.

from Nevada accidentally leaks thousands of medical marijuana dispensary applications

‘Meltdown’ over international cybersecurity agreement

Updating Wassenaar Agreement rules could harm cybersecurity thanks to new definition of tools as 'weapons'

from ‘Meltdown’ over international cybersecurity agreement

How Signal Is Evading Censorship

Signal, the encrypted messaging app I prefer, is being blocked in both Egypt and the UAE. Recently, the Signal team developed a workaround: domain fronting.

Signal's new anti-censorship feature uses a trick called "domain fronting," Marlinspike explains. A country like Egypt, with only a few small internet service providers tightly controlled by the government, can block any direct request to a service on its blacklist. But clever services can circumvent that censorship by hiding their traffic inside of encrypted connections to a major internet service, like the content delivery networks (CDNs) that host content closer to users to speed up their online experience -- or in Signal's case, Google's App Engine platform, designed to host apps on Google's servers.

"Now when people in Egypt or the United Arab Emirates send a Signal message, it'll look identical to something like a Google search," Marlinspike says. "The idea is that using Signal will look like using Google; if you want to block Signal you'll have to block Google."

The trick works because Google's App Engine allows developers to redirect traffic from Google.com to their own domain. Google's use of TLS encryption means that contents of the traffic, including that redirect request, are hidden, and the internet service provider can see only that someone has connected to Google.com. That essentially turns Google into a proxy for Signal, bouncing its traffic and fooling the censors.

This isn't a new trick (Tor uses it too, for example), but it does work.
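The mechanism in the quoted passage comes down to two hostnames that travel differently: the TLS Server Name Indication (SNI) in the ClientHello is sent in cleartext and is all a network censor can see, while the HTTP Host header that actually selects the backend is sent only after the session is encrypted. The following is an added example written for this page, not Signal's or Google's code. It builds a minimal TLS 1.2 ClientHello carrying an SNI, parses the SNI back out the way a DPI box would, and builds the fronted HTTP request whose Host header names a different backend. `www.google.com` and `hidden-service.appspot.com` are placeholder hostnames for the front and backend; Signal's real endpoints are not assumed.

```python
"""Added example (not Signal's code): domain fronting in two halves.
Censor's view: the only hostname on the wire in cleartext is the TLS SNI.
Client's view: the HTTP Host header, inside the encrypted session, names
the real backend the fronting provider should route to."""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
TLS_VERSION = b"\x03\x03"      # TLS 1.2 for both record and handshake version
EXT_SERVER_NAME = 0x0000       # RFC 6066 server_name extension

# Placeholders: the front is any hostname served by the same provider as the
# backend; the backend is the hidden service's own hostname (assumed here).
FRONT_DOMAIN = "www.google.com"
BACKEND_HOST = "hidden-service.appspot.com"


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with a single SNI entry (host_name type 0)."""
    name = sni.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    cipher_suites = b"\x13\x01\xc0\x2f"  # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = (
        TLS_VERSION
        + os.urandom(32)                                   # client random
        + b"\x00"                                          # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return bytes([TLS_HANDSHAKE]) + TLS_VERSION + struct.pack("!H", len(handshake)) + handshake


def censor_sees(record: bytes) -> Optional[str]:
    """Extract the SNI from a ClientHello the way a DPI box would.
    Returns None for anything that is not a ClientHello or carries no SNI.
    Nothing after this handshake message is readable on the wire."""
    if len(record) < 6 or record[0] != TLS_HANDSHAKE or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                      # record hdr + handshake hdr + version + random
    p += 1 + record[p]                      # session id
    (cs_len,) = struct.unpack("!H", record[p:p + 2]); p += 2 + cs_len
    p += 1 + record[p]                      # compression methods
    (ext_len,) = struct.unpack("!H", record[p:p + 2]); p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", record[p:p + 4]); p += 4
        if ext_type == EXT_SERVER_NAME:
            # skip list length (2) and name_type (1), then read the name length
            (name_len,) = struct.unpack("!H", record[p + 3:p + 5])
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_size
    return None


def build_fronted_request(path: str = "/") -> bytes:
    """HTTP request sent inside the TLS session. Host names the backend, not
    the SNI domain; the fronting provider routes on Host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {BACKEND_HOST}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def host_header(request: bytes) -> str:
    """What the provider's front end (and nobody on the path) sees."""
    for line in request.decode("ascii").split("\r\n"):
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    hello = build_client_hello(FRONT_DOMAIN)
    print("censor sees SNI    :", censor_sees(hello))
    print("backend gets Host  :", host_header(build_fronted_request()))
```

In a live client the same split is produced by `ssl.create_default_context().wrap_socket(sock, server_hostname=FRONT_DOMAIN)` followed by sending `build_fronted_request()` over the wrapped socket; the certificate check passes because the front domain's certificate is the one presented. The technique only works while the provider is willing to route on a Host that differs from the SNI; the major providers mentioned in the post (Google App Engine and, later, Amazon CloudFront) stopped honouring that mismatch in 2018, so treat this as an illustration of the mechanism rather than a current recipe.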



from How Signal Is Evading Censorship

Tuesday, December 27, 2016

A Cyber Look at the 2017 National Defense Authorization Act

On December 23, 2016, President Obama signed into law the National Defense Authorization Act for Fiscal Year 2017, authorizing roughly $611 billion (reported figures range up to $619 billion), primarily for the Department of Defense. While the left leaners are focusing on the inclusion of the anti-propaganda provision (we'll talk about this in its proper place; if you are in a hurry, you can jump there by clicking Section 1287, the Global Engagement Center), we're going to take a holistic view of the cyber stuff found in the 969-page authorization bill. As an academic who runs a research center focused on cyber security and cyber crime, please forgive me if I also include some of the R&D and education stuff that may be more workforce-development focused rather than "pure cyber."

The Act is divided into five Divisions. We'll focus on a few sub-titles within those divisions, which I'll place for you here. I'll certainly get lazy and abbreviate, so feel free to refer to the full text of National Defense Authorization Act as signed for "official wording":

  • Division A - Department of Defense Authorizations
    • Title V - Military Personnel Policy
      • Subtitle A - Officer Personnel Policy
        • Sec. 509 - Pilot programs on direct commissions to cyber positions
      • Subtitle F - National Commission on Military, National, and Public Service
        • Sections 551-557
    • Title IX - DOD Organization and Management
      • Subtitle C - Joint Chiefs of Staff and Combatant Command Matters
        • Sec. 923 - Establishment of unified combatant command for cyber operations
    • Title XI - Civilian Personnel Matters
      • Subtitle A - DOD Matters Generally
        • Sec. 1103 - Training for employment personnel of DoD on matters relating to authorities for recruitment and retention at U.S. Cyber Command
        • Sec. 1104 - Public-private talent exchange
    • Title XVI - Strategic Programs, Cyber, and Intelligence Matters
      • Subtitle C - Cyberspace-related Matters
        • Sec. 1641 - Special emergency procurement authority to facilitate defense against or recovery from cyber attack
        • Sec. 1643 - Cyber mission forces matters
        • Sec. 1644 - Requirement to enter into agreements relating to use of cyber opposition forces
        • Sec. 1645 - Cyber protection support for DoD personnel in positions highly vulnerable to cyber attack
        • Sec. 1647 - Advisory committee on industrial security and industrial base policy
        • Sec. 1649 - Evaluation of cyber vulnerabilities of F-35 aircraft and support systems
        • Sec. 1650 - Evaluation of cyber vulnerabilities of DoD critical infrastructure
        • Sec. 1651 - Strategy to incorporate Army reserve component cyber protection teams into DoD cyber mission force
        • Sec. 1652 - Strategic plan for DISA
        • Sec. 1653 - Plan for infosec continuous monitoring capability and comply-to-connect policy
        • Sec. 1654 - Reports on deterrence of adversaries in cyberspace
        • Sec. 1655 - Sense of Congress on cyber resiliency of the networks and communication systems of the National Guard
    • Title XVIII
      • Subtitle E - Improving Cyber Preparedness for Small Business
        • Sec. 1841 - Small Business Development Center cyber strategy and outreach
        • Sec. 1842 - Role of small business development centers in cybersecurity and preparedness
        • Sec. 1843 - Additional cybersecurity assistance for small business development centers
    • Title XIX - Department of Homeland Security Coordination
      • Sec. 1912 - Cybersecurity strategy for DHS
      • Sec. 1913 - EMP and GMD planning, R&D, and protection and preparedness
  • Division B - Military Construction Authorizations
  • Division C - Department of Energy National Security Authorizations
  • Division D - Funding Tables
  • Division E - Uniform Code of Military Justice Reform

    Digging in more deeply, we'll give you page numbers to allow you to jump right to the meat of what interests you most . . .

    p.70, Sec 240 - Strategy for Improving Electronic and Electromagnetic Spectrum Warfare Capabilities

    By April 1, 2017, the Under Secretary for Acquisition, Technology, and Logistics needs to define a strategy in this area, which includes determining how to protect "programs that support or enable cyber operations" from electronic warfare, and describes how to conduct field testing in large-scale simulated exercises, with a budget submitted for 2018 on how to do that.  There already exists an Electronic Warfare Executive Committee that will oversee this activity.

     p.110, Sec 509 - Pilot Programs on Direct Commissions to Cyber Positions

    Each secretary of a military department may carry out a pilot program to recruit cyber professionals who have appropriate educational levels and physical qualifications to serve in the military directly into the ranks at an officer level in a cyber specialty area.  Pilots are authorized to run from Jan 1, 2017 through Dec 31, 2022, with status reports submitted in 2020.

    p.131, Subtitle F - National Commission on Military, National, and Public Service

    A full review of the military selective service process ("the draft") should be considered, with part of the scope (see 551(b)(3)) being "the feasibility and advisability of modifying the military selective service process in order to obtain for  military, national, and public service individuals with skills for which the Nation has a critical need, without regard to age or sex" -- the skills listed here are "medical, dental, and nursing skills, language skills, and science, technology, engineering, and mathematics (STEM) skills." 

    Could this mean in the future that we could be drafting hackers?  And not just for traditional military service!   551(a)(2) says "consider methods to increase participation in military, national, and public service in order to address national security and other public service needs of the Nation."

    Those terms are defined in 551(c) as:
    "military service" - active service in one of the uniformed services
    "national service" - civilian employment in Federal or State government in a field in which the Nation and the public have critical needs.
    "public service" - "civilian employment in any non-governmental capacity, including with private for-profit organizations and non-profit organizations (including with appropriate faith-based organizations), that pursues and enhances the common good and meets the needs of communities, the States, or the Nation in sectors related to security, health, care for the elderly, and other areas considered appropriate by the Commission for purposes of this subtitle."

    Does that mean I could be drafted to go help a State government secure their network?  or perhaps even helping a small business Defense Industrial Base supplier to get secure?  It's too soon to know, but it is very interesting that such a review is being ordered. Given the budget realities in both categories of employers (states and small DIBs) many companies have "unsecurable" networks unless some outside resource is somehow provided!

    The Commission is ordered to produce a report to the President, within 7 months of its commencement, that includes such elements as:
    (C)(2)
    (A) do we need a draft registration system at this time?
    (B) what is the best way of getting our critical skills and abilities personnel needs met for all three target areas -- Military, National, and Private
    (C) How do we "foster among [our] youth an increased sense of service and civic responsibility in order to enhance the acquisition by the Nation of critically needed skills through education and training?"
    (D) How do we increase willingness of our youth to consider military, national, or public service
    (E)  How do we increase interest, education, and employment in our critical fields (including STEM, national security, cyber, linguistics and foreign language, health care and medical professions)
    (F) What incentives could be offered to help hire them?


    p.272 -  Sec 813 Use of Lowest Price Technically Acceptable Source Selection Process

    (C)(1) calls attention to the fact that we are idiots if we send our needs for cyber security to the lowest bidder every time.  (It actually says "information technology services, cybersecurity services, systems engineering and technical assistance services, advanced electronic testing, audit or audit readiness services, or other knowledge-based professional services.")

    p. 344 - Sec 902 Responsibilities of the Chief Information Officer of the DoD

    (I) makes it clear that the CIO "has the responsibilities for policy, oversight, and guidance for the architecture and programs related to the networking and cyber defense architecture of the Department."  THANK YOU!

    p.358 - Sec 923 Establishment of  Unified Combatant Command for Cyber Operations

    You are probably thinking "Wait!  We already have a Cyber Command!"  See Sec. 1642 below, but basically our current Cyber Command is at a lower level than a "Unified Combatant Command" and that is quite significant.  This establishes a general/admiral level Unified Command version of Cyber Command and states that "The principal function of the command is to prepare cyber operations forces to carry out assigned missions."

    Under "(b) Assignment of Forces" it says "Unless otherwise directed by the Secretary of Defense, all active and reserve cyber operation forces of the armed forces stationed in the United States shall be assigned to the cyber command."  BUT . . . any cyber operation carried out in any geography will be conducted "under the command of the commander of the unified combatant command in whose geographic area the activity or mission is to be conducted" (unless otherwise directed by the President or the Secretary of Defense).

    Which sounds like, if we are going the cyber equivalent of "guns hot" anywhere in the world, see your standard org chart.  Am I right?  Need the help of mil-speak experts to get this part sorted.

    (2)(A) makes the commander of this unit "subject to the authority, direction, and control of the Principal Cyber Advisor" and specifies their scope of operation as:
    (i) developing strategy, doctrine, and tactics
    (ii) preparing and submitting the budget for cyber ops and cyber command
    (iii) exercising authority, direction, and control of funds for --
        (I) cyber command
        (II) cyber ops assigned to other unified combatant commands
    (iv) training and certification
    (v) conducting specialized courses of instruction for commissioned and noncommissioned officers
    (vi) validating requirements
    (vii) establishing priorities
    (viii) ensuring interoperability of equipment and forces
    (ix) formulating and submitting requirements for intelligence support
    (x) monitoring promotion of cyber operations forces ...

    The "Principal Cyber Advisor" (PCA) is not defined in this bill, but comes from the National Defense Authorization Act of 2014, which established that we should have a Principal Cyber Advisor and that they work in the Office of the Under Secretary of Defense for Policy.  Currently the PCA is Eric Rosenbach, who is also Chief of Staff for the Office of the Secretary of Defense.  His Deputy PCA is Major General Burke E. "Ed" Wilson.  (You may know Mr. Rosenbach as the author of "Find, Fix, Finish: Inside the Counterterrorism Campaigns that Killed bin Laden and Devastated Al Qaeda").

    p. 445 -  Sec 1103 - Training for employment personnel of DoD on matters related to authorities for recruitment and retention at U.S. Cyber Command

    This section says:
    "If you're an HR person or a supervisor in the Cyber Command, you really ought to know enough about what cyber people do so that you don't mess up the new Command by hiring bumbling idiots who happen to be able to check all the right cyber-sounding boxes."  (That is not an exact quote.)  Have to say, I'm a big fan of this section!

    p. 446 - Sec. 1104 - Public-Private Talent Exchange

    "The Secretary of Defense may, with the agreement of a private-sector organization and the consent of the employee, arrange for the temporary assignment of an employee to such private-sector organization, or from such private-sector organization to a DoD organization."

    I can see HUGE benefits both ways here ... I can imagine that Cyber Command may want to put someone in a Silicon Valley or well-run Financial Services company to learn how they deal with risk at scale.  At the same time, there may be a private-sector company who faces a risk they can't possibly understand without being brought "in house" and shown some things from a DoD perspective that could really cause a near-miraculous advance in the sponsoring company's ability to defend their company or sector from nation-state actors.

    It looks like they have the right hooks in ... including that after a DoD person does a stint in a private sector company, they have to serve at least twice that length of time back in DoD.  The DoD person also counts the time served as government service for purposes of benefits and promotion. The personnel swap can be for periods of three months to two years, renewable for a total of up to four years.

    p.448 - Sec. 1105 - Temporary and Term Appointments in the Competitive Service in the DoD & Sec 1106 - Direct-Hire Authority for the DoD for Post-Secondary Students and Recent Graduates

    Section 1105 establishes that if the only way to fill a critical skill is to offer someone non-standard government pay, the SecDef has the ability to do that.

    Section 1106 says the SecDef can direct hire up to 15% of their total hires for professional and administrative occupations at GS-11 or below, including people who are currently enrolled as full-time students who have completed at least one year towards a degree.

    p. 457 - Sec 1124 - Pilot program on Enhanced Pay Authority for Certain Research and Technology positions in the Science and Technology Reinvention Laboratories of the DoD

    This section authorizes up to 150% of base salary to be offered to recruit and retain talented researchers to the DoD labs.

    p. 488 - Sec 1225 - Modification of Annual report on Military Power of Iran 

    Future reports on Iran's Cyber capabilities, should specifically address their propensity and ability to use proxies and other actors to mask their cyber operations, as well as including their ability to attack non-government entities within the US, and how they cooperate and use assistance from other state and non-state actors.

    p. 560 - Sec 1292 - Enhancing Defense and Security Cooperation with India

    (E) we agree to "collaborate with the Government of India to develop mutually agreeable mechanisms to verify security of defense articles, defense services, and related technology, such as appropriate cyber security and end use monitoring arrangements."

    Title XVI - Strategic Programs, Cyber, and Intelligence Matters

    p.601 - Sec 1641 - Special Emergency Procurement Authority to Facilitate the Defense Against or Recovery from a Cyber Attack

     The same government code (Title 41 US Code § 1903) that allows us to help companies and citizens in case of a nuclear, biological, chemical, or radiological attack can also be used for cyber attacks.  (See: https://www.law.cornell.edu/uscode/text/41/1903 ).

    p.602 - Sec 1642 - Limitation on Termination of Dual-Hat Arrangement for Commander of the United States Cyber Command

    Interested parties should go read the original, but this addresses the question of whether the head of U.S. Cyber Command should also be the Director of the NSA, and basically says that the two missions should be linked until such time as U.S. Cyber Command is sufficiently established to be able to fly solo without a sudden and dramatic loss of capability as they try to stand up a non-NSA linked version of Cyber Command.

    p.603 - Sec 1643 - Cyber Mission Forces Matters; Sec 1644 - Requirement to Enter into Agreements Relating to Use of Cyber Opposition Forces;

    1643 says that, to help get the new mission stood up, several waivers of the normal hiring rules are implemented, including Direct Hire Authority for positions up to the GG or GS-15 level.  They also are going to implement an accelerated training program to get the necessary skills implemented for military, civilian, and contractor personnel, as soon as they all agree on what those necessary skills should be.

    1644 gives the new unit until September 2017 to establish rules of engagement with each of the other Unified Combatant Commands including how to train and make ready for service any personnel who will be conducting cyber opposition operations.

    p.605 - Sec 1645 and Following

    1645 says that "At Risk" personnel should be identified and trained in how to use and operate personal electronic devices and accounts in a secure manner.   This could also be known as the "Hey!  Don't use your AOL Account for Government Business!" training.

    p.605 - Sec 1646 - Limitation on Full Deployment of Joint Regional Security Stacks

    This section refers to a technology being developed by DISA, the Defense Information Systems Agency, that deploys a suite of equipment that handles Firewall, Intrusion Detection and Prevention, Enterprise Management, and Virtual Routing and Forwarding, as well as many network security capabilities.  Each stack also provides the ability to do big data analytics.  There are currently eleven CONUS and five OCONUS sites being developed.  For more details on the program, see the DISA website on the JRSS initiative.  What this section says is that we won't go live with JRSS until all of the proper tests and acceptance checks have been conducted and properly trained personnel are ready to operate the stacks.

    p.606 - Sec 1647 - Advisory Committee on Industrial Security and Industrial Base Policy

    This committee will meet "at least annually" until 2022 to review the security standards for cleared facilities, especially with regards to information and networking security, including physical security and equipment installation and infosec and cyber defense policies, practices and reporting of incidents.  The committee will have five non-government and five government members.

    p.607 - Sec 1649 - Evaluation of Cyber vulnerabilities of F-35 Aircraft and Support Systems

    Perhaps the most important part of this section is the call to "Establish Department-wide information repositories to share findings relating to the evaluation and mitigation of cyber vulnerabilities" not just on the F-35 and related support systems, but on all major weapons systems of the DoD.  This section also authorizes the creation of specialty tools and systems to assist in the identification of such vulnerabilities.

    p.608 - Sec 1650 - Evaluation of Cyber Vulnerabilities of DoD Critical Infrastructure

    This section calls for every base and every military installation to have a thorough review of the identification and mitigation of all cyber vulnerabilities of major weapon systems and critical infrastructure.  The program will work through one of the covered research laboratories to establish a pilot aimed at improving the defense of control systems, increasing the resilience of military installations, and preventing or mitigating high-consequence cyber attacks.  The pilot will also help to inform future requirements for the development of new control systems.   As with Sec 1649, the development of any new required tools is authorized, as is the establishment of information repositories to share DoD-wide findings from these assessments.

    p.610 - Sec 1651 - Strategy to Incorporate Army Reserve Component Cyber Protection Teams into DoD Cyber Mission Force

    This plan calls for a report to Congress within 180 days on how Army National Guard units can be used to support State and civil operations in National Guard status under USC Title 32.  In many cases the Army National Guard employs people who have cyber security responsibilities, skills and talents as a result of their civilian-time jobs.  This plan received a great deal of attention in the past couple years with headlines such as "Pentagon to Recruit Thousands for Cybersecurity Reserve Force" but this call for a report points to the fact that it is still very unclear what the actual mission would be and how these forces would or could be deployed.  That same article points out that as of late 2015, Cyber Command was still more than 3,000 positions short of their full requested staff.  For more on the 133 "Cyber Teams" that the DoD hopes to fill, see the DoD Special Report on the Three Primary Cyber Missions from defense.gov.  In the DoD Special Report, 68 of the Teams are referred to as Cyber Protection Teams, which, according to the 2015 DoD Cyber Strategy, "will augment traditional defensive measures and defend priority DoD networks and systems against priority threats."


    (Skipping here the development of a DISA Strategic Plan)

    p.611 - Sec 1653 - Plan for Information Security Continuous Monitoring Capability and Comply-to-Connect Policy: Limitation on Software Licensing

    The Comply to Connect policy is a new DoD wide statement that if you are connecting a device to a DoD network, that device and its operator are aware of and agree to comply with all DoD security and licensing policies.  Teeth are added to make sure that .mil stays in compliance with all software licenses through monitoring of the number of stations where software is installed.

    p.613 - Sec 1654 - Reports on Deterrence of Adversaries in Cyberspace

    Both the President and the Joint Chiefs will have to report to Congress any and all cyber threats by our adversaries and a description of the various military and non-military ways to address those threats, along with the relevant authorities and legal standards that allow such actions.

    p. 663 - Sec 1841 - Improving Cyber Preparedness for Small Businesses; Sec 1842 - Role of Small Business Development Centers in Cybersecurity and Preparedness; Sec 1843 - Additional Cybersecurity Assistance for Small Business Development Centers

    In a rather unusual directive in the DoD authorization, Congress calls for the Small Business Administration and the Department of Homeland Security to work collaboratively to develop a cyber strategy for small business development centers "to be known as the Small Business Development Center Cyber Strategy."   In case you are wondering what a Small Business Development Center is, they are defined in 15 USC § 648 - the Small Business Development Center Program.
    The program calls for SBDCs to partner with ISACs and similar organizations and unlocks certain DHS funds to help develop training programs to ensure that small businesses are aware of cyber threat indicators and cyber training programs.  (For my Alabama readers, the Alabama Small Business Development Center network has offices at Innovation Depot in Birmingham and many universities across the state.)    In 2016, SBA estimated that $115M in funds would be available for all fifty states.  While the current bill doesn't add more funding directly, it does request that a strategy be created that includes how existing cyber programs at DHS and other Federal agencies could channel existing funds through the SBDCs to maximize impact.  The SBA and DHS have one year to submit their strategy to Congress.  Let's make sure they include the InfraGard program as a resource in that plan!

    p.684 - Sec 1912 - Cybersecurity Strategy for the Department of Homeland Security

    Congress requires DHS to provide a Cybersecurity strategy that includes consideration of their 2011 cybersecurity strategy, their 2014-2018 DHS Strategic Plan, and the most recent Quadrennial Homeland Security Review (currently that would be the 2014 Quadrennial Homeland Security Review).  The strategy should include how they fulfill section 227 requirements of the Homeland Security Act, their cybersecurity investigations capabilities, their plans for cybersecurity R&D, and their plans for engaging with international cybersecurity partners.  90 days after the strategy, they are to produce for Congress an implementation plan with strategic objectives, projected timelines, and metrics.

    p.684 - Sec 1913 - EMP and GMD Planning Research and Development and Protection and Preparedness

    There are several natural and man-made risks to our electrical infrastructure.  The new trend is to designate electromagnetic pulses from man-made sources, such as nuclear devices, as EMPs, but to refer to solar storms or other naturally occurring equivalent risks as geomagnetic disturbances (GMD).  The Department of Energy has worked with several electrical groups on plans in these areas, such as the Joint EMP Resilience Strategy published in July 2016 or the September 2016 FERC Reliability Standard for Transmission Systems during GMDs.  In 2010, FERC released a major 197 page study on the cybersecurity impacts a GMD could have called Geomagnetic Storms and their Impacts on the U.S. Power Grid.  The current bill calls for continued R&D in these areas, with regular reporting to Congress as well as the inclusion of such threats in future training and outreach as well as resiliency planning tests and events.

    p. 547 - Sec 1287 - Global Engagement Center (Under Title XII - Matters Relating to Foreign Nations, Subtitle H -- Other Matters)

    This section orders the Department of State to stand up a "Global Engagement Center" the purpose of which is "to lead, synchronize, and coordinate efforts of the Federal Government to recognize, understand, expose, and counter foreign state and non-state propaganda and disinformation efforts aimed at undermining United States national security interests."

    The Center shall carry out the following functions (which I list here in full, due to the high interest):

    (1) Integrate interagency and international efforts to track and evaluate counterfactual narratives abroad that threaten the national security interests of the United States and United States allies and partner nations.

    (2) Analyze relevant information, data, analysis, and analytics from United States Government agencies, United States allies and partner nations, think tanks, academic institutions, civil society groups, and other nongovernmental organizations.

    (3) As needed, support the development and dissemination of fact-based narratives and analysis to counter propaganda and disinformation directed at the United States and United States allies and partner nations.

    (4) Identify current and emerging trends in foreign propaganda and disinformation in order to coordinate and shape the development of tactics, techniques, and procedures to expose and refute foreign misinformation and disinformation and proactively promote fact-based narratives and policies to audiences outside the United States.

    (5) Facilitate the use of a wide range of technologies and techniques by sharing expertise among Federal departments and agencies, seeking expertise from external sources, and implementing best practices.

    (6) Identify gaps in United States capabilities in areas relevant to the purpose of the Center and recommend necessary enhancements or changes.

    (7) Identify the countries and populations most susceptible to propaganda and disinformation based on information provided by appropriate interagency entities.

    (8) Administer the information access fund established pursuant to subsection (f).

    (9) Coordinate with United States allies and partner nations in order to amplify the Center's efforts and avoid duplication.

    (10) Maintain, collect, use, and disseminate records (as such term is defined in section 552a(a)(4) of title 5, United States Code) for research and data analysis of foreign state and non-state propaganda and disinformation efforts and communications related to public diplomacy efforts intended for foreign audiences. Such research and data analysis shall be reasonably tailored to meet the purposes of this paragraph and shall be carried out with due regard for privacy and civil liberties guidance and oversight.

    The bill then goes on to authorize $60,000,000 to be transferred from DoD to State to fund such a Center.




from A Cyber Look at the 2017 National Defense Authorization Act

Long Beach Looks for Next Stage in CISO Evolution

Long Beach, Calif., isn’t following in the footsteps of so many other cities when it comes to its cybersecurity strategies. Where many government organizations are hiring a chief information security officer (C...

from Long Beach Looks for Next Stage in CISO Evolution

Who Are These Masked Attackers?

12-25
We talked about our lack of visibility into the attack horizon and the fact that we can’t predict future attacks in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. This post addresses our continuing failure to identify the exploitation of legitimacy or […]

from Who Are These Masked Attackers?

One Chip to Protect Them All…


Fascinating screed, detailing a so-called Chip to Protect the Internet of Things... Indeed.

'The AWS-ECC508 is an add-on chip designed to make devices more secure—at least for developers using Amazon’s IoT cloud. Cloud services are an integral part of the Internet of Things, which is built around the concept of connected objects becoming ubiquitous in our environment, and which must therefore rely on large-scale computing infrastructure.' - via IEEE's Spectrum Magazine contributor Stephen Cass



from One Chip to Protect Them All…

Inability To See The Attack Horizon = High Risk

12-21
We talked about economic asymmetry in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. This post addresses the problem found in our incredible lack of visibility into the attack horizon and the fact that we can’t predict future attacks … or even […]

from Inability To See The Attack Horizon = High Risk

Attacker-Defender Dynamics – Asymmetrical Economics

12-17
We talked about information asymmetry in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war. This post addresses the problem found in the ridiculous economies of cyberattacks, where we spend billions of dollars avoiding attacks by one guy in his bedroom with a […]

from Attacker-Defender Dynamics – Asymmetrical Economics

Removing Images from Google Local Business Listings

Removing Images from Google Local Business Listings

As a business owner, the last thing you want is for a potential customer to search Google for your business and find a lewd image.

The way your website appears to searchers is incredibly important to your brand reputation and trustworthiness. Search engine optimization (SEO) professionals constantly experiment with ways to satisfy Google’s secret and mysterious algorithm.

While some professionals study SEO to improve their content and play nice with Google, SEO can be used maliciously.

Continue reading Removing Images from Google Local Business Listings at Sucuri Blog.



from Removing Images from Google Local Business Listings

AWS re:Invent 2016 – Life Without SSH, Immutable Infrastructure in Production


from AWS re:Invent 2016 – Life Without SSH, Immutable Infrastructure in Production

MarketWatch: A retaliatory hack is a risky way to respond to the Russian hack of the DNC


from MarketWatch: A retaliatory hack is a risky way to respond to the Russian hack of the DNC

2016 Books

I read 28 Books in 2016.
2016 favorite: "Dead Wake: The Last Crossing of the Lusitania," by Erik Larson
2016 Most Educational: "The Right To Vote: The Contested History Of Democracy In The United States," by Alexander Keyssar
2016 Best Horror: "A Head Full of...

from 2016 Books

Security Risks of TSA PreCheck

Former TSA Administrator Kip Hawley wrote an op-ed pointing out the security vulnerabilities in the TSA's PreCheck program:

The first vulnerability in the system is its enrollment process, which seeks to verify an applicant's identity. We know verification is a challenge: A 2011 Government Accountability Office report on TSA's system for checking airport workers' identities concluded that it was "not designed to provide reasonable assurance that only qualified applicants" got approved. It's not a stretch to believe a reasonably competent terrorist could construct an identity that would pass PreCheck's front end.

The other step in PreCheck's "intelligence-driven, risk-based security strategy" is absurd on its face: The absence of negative information about a person doesn't mean he or she is trustworthy. News reports are filled with stories of people who seemed to be perfectly normal right up to the moment they committed a heinous act. There is no screening algorithm and no database check that can accurately predict human behavior -- especially on the scale of millions. It is axiomatic that terrorist organizations recruit operatives who have clean backgrounds and interview well.

None of this is news.

Back in 2004, I wrote:

Imagine you're a terrorist plotter with half a dozen potential terrorists at your disposal. They all apply for a card, and three get one. Guess which are going on the mission? And they'll buy round-trip tickets with credit cards and have a "normal" amount of luggage with them.

What the Trusted Traveler program does is create two different access paths into the airport: high security and low security. The intent is that only good guys will take the low-security path, and the bad guys will be forced to take the high-security path, but it rarely works out that way. You have to assume that the bad guys will find a way to take the low-security path.

The Trusted Traveler program is based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That's simply not true. Most of the 9/11 terrorists were unknown and not on any watch list. Timothy McVeigh was an upstanding US citizen before he blew up the Oklahoma City Federal Building. Palestinian suicide bombers in Israel are normal, nondescript people. Intelligence reports indicate that Al Qaeda is recruiting non-Arab terrorists for US operations.

I wrote much the same thing in 2007:

Background checks are based on the dangerous myth that we can somehow pick terrorists out of a crowd if we could identify everyone. Unfortunately, there isn't any terrorist profile that prescreening can uncover. Timothy McVeigh could probably have gotten one of these cards. So could have Eric Rudolph, the pipe bomber at the 1996 Olympic Games in Atlanta. There isn't even a good list of known terrorists to check people against; the government list used by the airlines has been the butt of jokes for years.

And have we forgotten how prevalent identity theft is these days? If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.

The truth is that whenever you create two paths through security -- a high-security path and a low-security path -- you have to assume that the bad guys will find a way to exploit the low-security path. It may be counterintuitive, but we are all safer if the people chosen for more thorough screening are truly random and not based on an error-filled database or a cursory background check.

In a companion blog post, Hawley has more details about why the program doesn't work:

In the sense that PreCheck bars people who were identified by intelligence or law enforcement agencies as possible terrorists, then it was intelligence-driven. But using that standard for PreCheck is ridiculous since those people already get extra screening or are on the No-Fly list. The movie Patriots Day, out now, reminds us of the tragic and preventable Boston Marathon bombing. The FBI sent agents to talk to the Tsarnaev brothers and investigate them as possible terror suspects. And cleared them. Even they did not meet the "intelligence-driven" definition used in PreCheck.

The other problem with "intelligence-driven" in the PreCheck context is that intelligence actually tells us the opposite; specifically that terrorists pick clean operatives. If TSA uses current intelligence to evaluate risk, it would not be out enrolling everybody they can into pre-9/11 security for everybody not flagged by the security services.

Hawley and I may agree on the problem, but we have completely opposite solutions. The op-ed was too short to include details, but they're in a companion blog post. Basically, he wants to screen PreCheck passengers more:

In the interests of space, I left out details of what I would suggest as short-and medium-term solutions. Here are a few ideas:

  • Immediately scrub the PreCheck enrollees for false identities. That can probably be accomplished best and most quickly by getting permission from members, and then using, commercial data. If the results show that PreCheck has already been penetrated, the program should be suspended.
  • Deploy K-9 teams at PreCheck lanes.
  • Use Behaviorally trained officers to interact with and check the credentials of PreCheck passengers.
  • Use Explosives Trace Detection cotton swabs on PreCheck passengers at a much higher rate. Same with removing shoes.
  • Turn on the body scanners and keep them fully utilized.
  • Allow liquids to stay in the carry-on since TSA scanners can detect threat liquids.
  • Work with the airlines to keep the PreCheck experience positive.
  • Work with airports to place PreCheck lanes away from regular checkpoints so as not to diminish lane capacity for non-PreCheck passengers. Rental Car check-in areas could be one alternative. Also, downtown check-in and screening (with secure transport to the airport) is a possibility.

These solutions completely ignore the data from the real-world experiment PreCheck has been. Hawley writes that PreCheck tells us that "terrorists pick clean operatives." That's exactly wrong. PreCheck tells us that, basically, there are no terrorists. If 1) it's an easier way through airport security that terrorists will invariably use, and 2) there have been no instances of terrorists using it in the 10+ years it and its predecessors have been in operation, then the inescapable conclusion is that the threat is minimal. Instead of screening PreCheck passengers more, we should screen everybody else less. This is me in 2012: "I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security."

I agree with Hawley that we need to overhaul airport security. Me in 2010: "Airport security is the last line of defense, and it's not a very good one." We need to recognize that the actual risk is much lower than we fear, and ratchet airport security down accordingly. And then we need to continue to invest in investigation and intelligence: security measures that work regardless of the tactic or target.



from Security Risks of TSA PreCheck


Let’s talk about CFI: Microsoft Edition

We’re back with our promised second installment discussing control flow integrity. This time, we will talk about Microsoft’s implementation of control flow integrity. As a reminder, control flow integrity, or CFI, is an exploit mitigation technique that prevents bugs from turning into exploits. For a more detailed explanation, please read the first post in this […]

from Let’s talk about CFI: Microsoft Edition

Week 52 In Review – 2016

Resources
VMware Security Advisories – vmware.com
vSphere Data Protection (VDP) updates address SSH key-based authentication issue

Techniques
In Flight Hacking System – blog.ioactive.com
What helped a lot to reduce that fear was to understand how things work in planes, and getting used to noises, bumps, and turbulence. This blog post is about understanding a bit more about how things work aboard an aircraft. More specifically, the In-Flight Entertainment Systems (IFE) developed by Panasonic Avionics.

Other News
Learning From A Year of Security Breaches – medium.com
This year (2016) I accepted as much incident response work as I could. I spent about 300 hours responding to security incidents and data breaches this year as a consultant or volunteer.

The post Week 52 In Review – 2016 appeared first on Infosec Events.



from Week 52 In Review – 2016

Ransomware Chronicle

This is a comprehensive report on ransomware-related events covering a time frame of May – December 2016. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news. Security researchers and users interested in the ransomware subject can now use this all-in-one knowledgebase instead […]

from Ransomware Chronicle

AWS re:Invent 2016 – Security Automation, Spend Less Time Securing Your Applications


from AWS re:Invent 2016 – Security Automation, Spend Less Time Securing Your Applications

Remove OSIRIS ransomware and decrypt .osiris extension files

A brand-new iteration of the deleterious Locky ransomware is out. Expert reports about the update started to appear on December 5, which is almost a fortnight after the ZZZZZ precursor surfaced. The latest tweak means that the files affected by Locky will now have the .osiris extension appended to them, hence the generic name of […]

from Remove OSIRIS ransomware and decrypt .osiris extension files

Monday, December 26, 2016

Doing More with More

These days an organization cannot afford “hidden” assets. Who would want to be unaware of, and thus under-utilize, an asset? Yet many organizations fail to leverage assets that essentially hide in plain sight. In these days of austerity, particularly for small-and-medium sized businesses, an organization’s best efforts take on a whole new meaning: It is no longer acceptable to take a position that, “Given the circumstances, we’re doing the best we can.”




from Doing More with More

Method or Madness?

“The dreams I have today become my blueprints for tomorrow.” Michael Peters Copyright © 2016 MichaelPeters.org. This Feed originated at MichaelPeters.org and YourPersonalCXO.com, the personal blog of Michael D. Peters and corporate site for Your Personal CXO, Inc. Please contact me at MichaelPeters.org or YourPersonalCXO.com if you would like to aggregate this content, quote, comment, […]

The post Method or Madness? appeared first on MichaelPeters.org.



from Method or Madness?


Auditors, Do Data Analytics or Die

If you’re an auditor, you need data analytic skills or you will die. Or put another way, if you don’t acquire them in the next 1-5 years, you will no longer be an auditor. Pretty bold statement, isn’t it? What … Continue reading

from Auditors, Do Data Analytics or Die

Google’s Keys to Security, Pragmatism At It’s Finest

Read it (PDF) and be pleased that all-well-might-indeed-be-right-with-the-Universe, at least in user-land uni...

from Google’s Keys to Security, Pragmatism At It’s Finest

Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

Yahoo remained as the top trending cybercrime target due to a data breach affecting more than a billion accounts. The breach is so large that regulators such as the FTC and SEC are facing uncharted territory when it comes to potential fines or other consequences related to the incident, Vice News reported.   Looking beyond… Read More

from Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

SSD Advisory – ZyXEL Multiple Vulnerabilities

Vulnerability Summary: The following advisory describes four (4) vulnerabilities and default accounts / passwords in ZyXEL customized routers. TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge. The routers are manufactured by ZyXEL, and they run a special Linux distribution called "tclinux". Several … Continue reading SSD Advisory – ZyXEL Multiple Vulnerabilities

from SSD Advisory – ZyXEL Multiple Vulnerabilities

Sunday, December 25, 2016

Historical OSINT – Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, newly, added, socially, engineered, users, potentially,...

from Historical OSINT – Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware

Historical OSINT – Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, cybercriminals, continue, actively, populating, a, botnet's, infected, population, further, spreading, malicious, software, potentially, compromising, the, confid...

from Historical OSINT – Hundreds of Malicious Web Sites Serve Client-Side Exploits, Lead to Rogue YouTube Video Players

Historical OSINT – Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, populating, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, expos...

from Historical OSINT – Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

SSD Advisory – EasyIO Multiple Vulnerabilities

Vulnerability Summary: The following advisory describes three (3) vulnerabilities that allow an attacker to gain unauthenticated remote code execution. EasyIO provides products for Building Energy Management Systems. Low costs, high energy savings. The three vulnerabilities found in EasyIO include: unauthenticated remote code execution, unauthenticated database file download, and an authenticated directory traversal vulnerability. The vulnerability affected … Continue reading SSD Advisory – EasyIO Multiple Vulnerabilities

from SSD Advisory – EasyIO Multiple Vulnerabilities

A Merry Little Christmas


from A Merry Little Christmas