Wednesday, May 31, 2017

News in brief: NASA sends probe to the Sun; subway gets phone coverage; Facebook pushes back

Your daily round-up of some of the other stories in the news

from News in brief: NASA sends probe to the Sun; subway gets phone coverage; Facebook pushes back

China’s new cybersecurity law rattles tech giants

But look no further than Russia for some idea of how US companies will be affected.

from China’s new cybersecurity law rattles tech giants

Wolf in sheep’s clothing: a SophosLabs investigation into delivering malware via VBA

SophosLabs gets under the skin of the bad guys' latest attempt to drop ransomware on to your PCs

from Wolf in sheep’s clothing: a SophosLabs investigation into delivering malware via VBA

It Ain’t Woodstock Anymore

What was originally thought to be the result of a phishing attack, WannaCry turned out to emanate from something else entirely. It was a flaw in the implementation of a common network protocol instead. The good news is that while a shock to the 200,000 plus users whose day was rudely interrupted, the SMB protocol […]

The post It Ain’t Woodstock Anymore appeared first on Netswitch Technology Management.



from It Ain’t Woodstock Anymore

Microsoft Operations Management Suite Integration with Veeam Management Pack v8 Update

Veeam Management Pack (MP) for System Center v8 Update 4 is now generally available (GA).

from Microsoft Operations Management Suite Integration with Veeam Management Pack v8 Update

2017 International Cryptographic Module Conference and FDE cPPs

From May 17th to 19th, I had the pleasure of attending the Fifth International Cryptographic Module Conference (ICMC 2017, http://icmconference.org/ ) with my colleague, Alexander Mazuruc. Alex usually attends this conference (https://www.winmagic.com/blog/2013/10/29/almost-famous/), which focuses on cryptographic modules and FIPS 140 (https://en.wikipedia.org/wiki/FIPS_140-2) type issues, but this year there were 8 tracks on related subjects such as … Continue reading "2017 International Cryptographic Module Conference and FDE cPPs"

The post 2017 International Cryptographic Module Conference and FDE cPPs appeared first on Trusted Computing Group.



from 2017 International Cryptographic Module Conference and FDE cPPs

Ben’s Book of the Month: Review of “CISO Desk Reference Guide: A Practical Guide for CISOs”

While the classic "prepare 3 envelopes" joke revolves around a CEO, it's quite appropriate for a CISO. For many CISOs, their career path is a slow and steady one where they deliberately progress into that role. Others obtain the role quickly, due to a major security breach that requires envelope #3 to be opened. In the CISO Desk Reference Guide: A Practical Guide for CISOs (CISO DRG 978-0997744118), authors Bill Bonney, Gary Hayslip and Matt Stamper have written a tactical guide that can help the soon-to-be or new CISO get up and running. Each of the three has been in the…

from Ben’s Book of the Month: Review of “CISO Desk Reference Guide: A Practical Guide for CISOs”

Stockpiled

via the eponymous Iain Thomson, whilst plying his trade at El Reg, comes this astonishing tale of the profoundly stupefying incompetence at Microsoft Corporation (NasdaqGS: MSFT) in regards to the Redmond, Washington software leviathan's askew morality... This time, focused on the company's complaints targeting the National Security Agency's stockpiling of exploitation bits, yet also, dancing the stockpile two-step... Simply astounding.

"Most crucially, it's more than a little grating for Microsoft, its executives, and its PR machine, to be so shrill about the NSA stockpiling zero-day exploits when the software giant is itself nesting on a pile of fixes – critical fixes it's keeping secret unless you pay it top dollar. Suddenly, it's looking more like the robber baron we all know, and less like the white knight in cyber armor" - via Iain Thomson writing at El Reg

from Stockpiled

Information Security Events For June

Here are information security events in North America this month: Cyber Security Summit Seattle 2017: June 1 in Seattle, WA, USA; Techno Security & Forensics Investigations Conference 2017: June 4 to 7 in Myrtle Beach, SC, USA; MetricStream GRC Summit 2017: June 4 to 7 in Oxon Hill, MD, [...]

The post Information Security Events For June appeared first on Infosec Events.



from Information Security Events For June

Drilling Into CSVs — Teaser Trailer

I used reading a directory of CSVs as the foundational example in my recent post on idioms. During my exchange with Matt, Hadley and a few others — in the crazy Twitter thread that spawned said post — I mentioned that I’d personally “just use Drill”. I’ll use this post as a bit of a... Continue reading

from Drilling Into CSVs — Teaser Trailer

Post-Quantum RSA

Interesting research on a version of RSA that is secure against a quantum computer:

Post-quantum RSA

Daniel J. Bernstein, Nadia Heninger, Paul Lou, and Luke Valenta

Abstract: This paper proposes RSA parameters for which (1) key generation, encryption, decryption, signing, and verification are feasible on today's computers while (2) all known attacks are infeasible, even assuming highly scalable quantum computers. As part of the performance analysis, this paper introduces a new algorithm to generate a batch of primes. As part of the attack analysis, this paper introduces a new quantum factorization algorithm that is often much faster than Shor's algorithm and much faster than pre-quantum factorization algorithms. Initial pqRSA implementation results are provided.



from Post-Quantum RSA

8 Tripwire Talks to Not Miss at Infosecurity Europe 2017

Tripwire is so excited for everything it has planned for Infosecurity Europe 2017. In particular, it's really looking forward to all the speakers it has lined up for the conference. Here are eight talks in particular that attendees to this year's event won't want to miss! Assessing Your AWS Cloud with Tripwire Speaker: Ben Layer, […]

The post 8 Tripwire Talks to Not Miss at Infosecurity Europe 2017 appeared first on The State of Security.



from 8 Tripwire Talks to Not Miss at Infosecurity Europe 2017

Invisible Threat 1969-12-31 18:00:00

Comments and Opinions I’m happy to defend, or debate, any opinions that I express here. Trolling will be met with counter-trolling if I’m feeling spry, but it is more likely to be ignored. I’m not married to my ideas, so I’m...

from Invisible Threat 1969-12-31 18:00:00


DLP in the Cloud

Posted under: Research and Analysis

It’s been quite a while since we’ve updated our data loss prevention (DLP) research. It’s not that DLP doesn’t continue to be an area of focus (it does), rather there have been a lot of other shiny things that have kept our attention of late. Yeah, like cloud. Well it turns out a lot of organizations are using this cloud thing now, and that means they inevitably have questions about if and how their existing controls (like DLP) map into this new world.

So as we update our Understanding and Selecting DLP paper, we’d be remiss if we didn’t include a discussion about how potential leakage in cloud-based environments should be handled. Yet, let’s not get the cart ahead of the horse. First we need to define what we mean by cloud and applicable use cases for DLP.

Now we could bust out the Cloud Security Alliance guidance and hit you over the head with a bunch of cloud definitions. But suffice it to say, from a data access standpoint you are most likely dealing with:

  • SaaS: Software as a Service (SaaS) is the new back office. That means you have critical data in a SaaS environment, whether you know about it or not, and it should be protected.
  • Cloud File Storage: These offerings allow you to extend a device’s file system to the cloud, replicating and syncing between devices and facilitating the sharing of data. Yes, these services are a form of SaaS (and Platform as a Service), but given the amount of critical data in these networks and the fact they work differently than your typical SaaS application, we’ll treat these differently.
  • IaaS: Infrastructure as a Service (IaaS) is the new data center. That means many of your critical applications (and data) will be moving to a cloud service provider, most likely Amazon Web Services, Microsoft Azure, or Google Cloud Platform. And inspection of data traversing a cloud-based application is well… different, and that means protecting said data is also… different.

Because DLP is predicated upon scanning data at rest and inspecting and enforcing policies on data in motion, there isn't a lot of applicability to IaaS. Why? Because there really aren't endpoints per se in an IaaS environment. Data will be within either structured (like a database) or unstructured (a filesystem) datastores. Data protection for structured datastores defaults to application-centric methods, and unstructured cloud file systems are really just cloud file storage (covered later). So trying to insert DLP agents within an application stack isn't really the most efficient or effective means of protecting that application.

Additionally, traditional network DLP approaches don't work very well in IaaS either. You have limited visibility into the cloud network, and to inspect traffic you need to route it through an inspection point, which can negatively impact the architecture of the cloud, specifically elasticity and anywhere access. Moreover, a greater percentage of cloud network traffic is encrypted, so even with access to the network traffic, inspecting it at scale presents many implementation challenges.

Thus we’ll scope this Cloud DLP discussion around SaaS and cloud file storage.

Cloud versus Traditional Data Protection

Clearly cloud is different, but what exactly does that mean? If we boil it down to its fundamental core, you still have to perform the same functions whether the data resides in a 20 year old mainframe or within the ether of multi-cloud and SaaS environments. In order to protect the data, you have to know where it is (discover), know how it's being used (monitor), and enforce policies governing what is allowed and by whom, along with additional security controls (protect).

When looking at Cloud DLP, a lot of users equate protection with encryption, but that's a massive topic with a lot of complexities in SaaS. The best idea is to check out our recent research on Multi-Cloud Key Management. There is a lot of detail in that paper, but suffice it to say that managing keys across various cloud and on-prem environments is significantly more complicated, and you'll need to rely more on your provider and architect data protection and encryption directly into the cloud technology stack.

Now thinking about discovery, do you remember in the olden days – like 7 years ago – when your critical data was either in your data centers or on devices that you controlled? To be clear, it wasn’t easy to find all of your critical data, but at least you knew where to look. You could search all of your file servers and databases for critical data, profile/fingerprint that data and then look for it on your devices and egress points on the network.

But as critical data started moving to SaaS applications and cloud file storage (sometimes embedded within SaaS apps), controlling data loss became more challenging because the data didn't always traverse an egress point. Ergo the emergence of Cloud Access Security Brokers (CASB) to figure out which cloud services were in use, so you'd understand (kind of) where your critical data may be. At least you had a place to look, right?

Enforcement of the data usage policies is also a bit different in that you don’t control the SaaS apps, nor do you have an inspection/enforcement point on the network where you can look for sensitive data and block it from leaving your network. You’ve consistently heard about the lack of visibility in the cloud and this is another example where the cloud really messes with how you used to do security.

So what’s the answer? It’s found in 3 letters that you should be pretty familiar with. A. P. I.

APIs are your friend

That’s right, many SaaS apps and cloud file storage services provide APIs which allow you to interact with their environments and provide visibility and some measure of enforcement for your data protection policies. Basically, many DLP offerings have integrated with the leading SaaS and cloud file storage offerings and provide you with the ability to:

  1. Know when files are uploaded to the cloud and analyze them.
  2. Know who is doing what with the files.
  3. Encrypt or otherwise protect the files.

As you can see, you don’t need to see the data pass by, as long as the API reliably tells you new data has been moved into their environment. So the key in using DLP solutions in the cloud is to ensure integration with APIs available for those services.
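The API-driven model described above, as an added example that is not code from the original post or from any DLP product: a toy monitor consumes constructed upload events (a hypothetical cloud file storage API feed), classifies the content with a fingerprint of a known on-prem document and a Luhn-validated card-number pattern, records who uploaded what, and applies a protective action based on whether the file is shared outside the tenant.

```python
"""Toy API-driven DLP monitor for cloud file storage (constructed example).

It mirrors the three API capabilities the post lists: learn about new
uploads, know who did what, and protect the file. The event feed, file
contents, fingerprints and policy below are all made up for this example.
"""
import hashlib
import re
from dataclasses import dataclass

# Hypothetical "file.uploaded" events as a cloud file storage API might
# deliver them; in practice the content would be fetched by a second API call.
SAMPLE_EVENTS = [
    {"event": "file.uploaded", "file_id": "f-1", "name": "q2-forecast.xlsx",
     "user": "alice@example.com", "shared_externally": False,
     "content": b"region,revenue\nEMEA,1200\nAPAC,980\n"},
    {"event": "file.uploaded", "file_id": "f-2", "name": "payroll-export.csv",
     "user": "bob@example.com", "shared_externally": False,
     "content": b"name,card\nJ Doe,4111 1111 1111 1111\nA Roe,5500 0000 0000 0004\n"},
    {"event": "file.uploaded", "file_id": "f-3", "name": "board-deck.pdf",
     "user": "carol@example.com", "shared_externally": True,
     "content": b"CONFIDENTIAL BOARD DECK v3"},
    {"event": "file.deleted", "file_id": "f-0", "name": "old.txt",
     "user": "alice@example.com", "shared_externally": False, "content": b""},
]

# Exact-match fingerprints (SHA-256) of documents discovered on-prem.
KNOWN_SENSITIVE = {
    hashlib.sha256(b"CONFIDENTIAL BOARD DECK v3").hexdigest(): "board-deck-2017",
}

# 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    file_id: str
    name: str
    user: str          # who did it (from the event)
    rule: str          # which detector fired
    detail: str        # masked evidence for the analyst
    action: str        # what the policy decided


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the digit regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: bytes) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs: fingerprint hits and validated card numbers."""
    hits = []
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_SENSITIVE:
        hits.append(("fingerprint", KNOWN_SENSITIVE[digest]))
    text = content.decode("utf-8", errors="replace")
    pans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Keep only BIN and last four so the alert itself is not a leak.
            pans.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    if pans:
        hits.append(("pan", f"{len(pans)} card numbers: {', '.join(pans)}"))
    return hits


def decide_action(rule: str, shared_externally: bool) -> str:
    """Constructed policy: fingerprinted documents are always quarantined;
    card data is quarantined only when shared outside the tenant, else alerted."""
    if rule == "fingerprint" or shared_externally:
        return "quarantine"
    return "alert"


def process_events(events) -> list[Finding]:
    """Walk the API event feed and produce findings; no network egress point needed."""
    findings = []
    for ev in events:
        if ev["event"] != "file.uploaded":
            continue  # only new content is analyzed
        for rule, detail in classify(ev["content"]):
            action = decide_action(rule, ev["shared_externally"])
            findings.append(Finding(ev["file_id"], ev["name"], ev["user"],
                                    rule, detail, action))
    return findings


if __name__ == "__main__":
    for f in process_events(SAMPLE_EVENTS):
        print(f"{f.action:10} {f.user:18} {f.name:20} {f.rule}: {f.detail}")
```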

So what happens when you don’t (or can’t) have APIs to provide integration with the cloud environments? You need to see the data somehow, and that’s where a Cloud Access Security Broker (CASB) comes into play.

Co-existence with CASB

CASBs have lots of functions, including providing visibility of cloud service usage within your environment. The CASB can also inspect traffic directed to these cloud services by running the traffic through a proxy. Of course, this can add some inefficiencies by routing traffic unnaturally through the proxy, but the impact will depend on the latency and response time requirements of the application. Many CASB tools can also connect to cloud providers directly over API to evaluate activity without requiring a proxy. This is more dependent on the cloud provider having an API with the needed capabilities than on limitations of the CASB products, which is why proxy mode is often needed.

Given that CASB vendors are inspecting traffic, they can claim to provide DLP-like functions for traffic they see heading for cloud environments. Obviously DLP on your CASB is not going to provide any visibility or enforcement for on-prem data. Thus your decision point involves determining whether you want a consistent policy across both on-prem and cloud environments, or whether separate solutions for monitoring content are sufficient.

There isn't a right or a wrong answer for this decision; it really depends on whether the policies you implement on your internal networks map to the data moving to SaaS and cloud file storage.

Consistency in Workflows

Once an alert triggers, where the data resides doesn't change the processes your internal folks use to verify the potential leak and then to assess the damage. Thus any workflow you have in place to handle data leakage should be extensible to wherever the data resides. Of course, the tools to perform these processes will be different, and your access to the potentially compromised systems is radically different: you have no direct access to SaaS systems that may have been compromised. Either way, once you have a verified leak it's time for your incident response process to kick in.

So yes, trying to prevent data leaks in SaaS and cloud file storage can be very challenging. That being said, like with most things cloud, the first place to start is to revisit your processes and the technologies in place to see whether your existing environment can handle the cloud.

Yet the one thing we know is that there will be more cloud in use tomorrow than there is today, so the sooner you get your arms around protecting your content – regardless of where it resides – the better it is for your organization.

- Mike Rothman

from DLP in the Cloud

Skype for Business 2015 – Skype for Business 2015 Mediation server SIP Trunk Ports

Let us talk about the Skype for Business 2015 Mediation server; keep in mind this can apply to Lync 2013 as well.  One of the areas when talking about enterprise voice that will surely come up is “SIP Trunks”.   So let’s j...

from Skype for Business 2015 – Skype for Business 2015 Mediation server SIP Trunk Ports

To Upgrade or Not To Upgrade – Windows Server 2016

Considering an upgrade to Windows Server 2016? Here is a resource from Microsoft to help you with information to evaluate that possible decision.

from To Upgrade or Not To Upgrade – Windows Server 2016

NolaCon 2017, FuzzyNop’s ‘Embrace the Bogeyman: Tactical Fear Mongering for Those Who Penetrate’

from NolaCon 2017, FuzzyNop’s ‘Embrace the Bogeyman: Tactical Fear Mongering for Those Who Penetrate’

Personal Security Guide – WiFi Network

This is the third part in our series on personal security that offers methods to strengthen your overall security posture. By taking a holistic approach to security, you are protecting your website against attack vectors due to poor security practices in various aspects of your digital life. This post shares some insight on how to secure your network.

When we talk about a network, we mean the way you connect to the internet.

Continue reading Personal Security Guide – WiFi Network at Sucuri Blog.



from Personal Security Guide – WiFi Network

News in brief: no laptop ban from EU for now; China warns on new laws; bug bounty scheme for DHS

Your daily round-up of some of the other stories in the news

from News in brief: no laptop ban from EU for now; China warns on new laws; bug bounty scheme for DHS

Tuesday, May 30, 2017

Inmates Secretly Build and Network Computers while in Prison

This is kind of amazing:

Inmates at a medium-security Ohio prison secretly assembled two functioning computers, hid them in the ceiling, and connected them to the Marion Correctional Institution's network. The hard drives were loaded with pornography, a Windows proxy server, VPN, VOIP and anti-virus software, the Tor browser, password hacking and e-mail spamming tools, and the open source packet analyzer Wireshark.

Another article.

Clearly there's a lot about prison security, or the lack thereof, that I don't know. This article reveals some of it.



from Inmates Secretly Build and Network Computers while in Prison

Shadow Brokers double down on zero-day subscription service

Should you dive in and help with the crowdfunding move to access the data they claim they have? It's not what we'd advise - but what do you think?

from Shadow Brokers double down on zero-day subscription service

SAP JAVA Secure Storage

As we have already discussed ABAP Secure Storage in our blog, now it’s time to talk about Java Secure Storage. In general, the realization of Secure Storage in the Java stack resembles the ABAP’s one. It comes in two different types: Java Secure Storage in the file system and Java Secure Storage. Why can it […]

The post SAP JAVA Secure Storage appeared first on ERPScan.



from SAP JAVA Secure Storage

AI, L’obscurité

via the Massachusetts Institute of Technology's MIT Technology Review, comes this superlative piece of AI re...

from AI, L’obscurité

RSAC 2017 APJ: Trends in DevOps, Ransomware, IoT, and More

RSA Conference Asia Pacific & Japan 2017 takes place July 26-28 in Singapore, with additional pre-Conference offerings earlier in the week. As with the US, this year the Call for Speakers submission process netted a 30% increase in the number of submissions, creating a very challenging judging environment for our expert Program Committee. Several interesting trends emerged as the Program Committee looked at the submissions holistically as well as individually in curating the content programming, resulting in an agenda that promises to be the strongest yet for our delegates. Leading off the…

from RSAC 2017 APJ: Trends in DevOps, Ransomware, IoT, and More

Surprise! Extortionists have no qualms about claiming they ‘hacked’ your business

No one likes to have their company hacked. But imagine how much more galling it would be to give in to the hackers' blackmail threats and pay a ransom for the movie not to be leaked online, only to discover later that the extortionists never had a copy...

from Surprise! Extortionists have no qualms about claiming they ‘hacked’ your business

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when…

from Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Security of medical devices ‘is a life or death issue’, warns researcher

Concern rises as one study finds more than 8,000 vulnerabilities in seven pacemakers while another highlights wider issues in medical devices

from Security of medical devices ‘is a life or death issue’, warns researcher

As cloud competitors keep cutting prices, questions about how much total savings stack up

Nicole Henderson: Deciding between cloud services is not an apple to apple comparison, but thinking of cloud pricing in terms of a basket of groceries can actually be helpf...

from As cloud competitors keep cutting prices, questions about how much total savings stack up

Judy malware campaign victimized as many as 36.5 million Android users

A malware campaign on Google Play has victimized as many as 36.5 million Android users with adware known as "Judy." David Bisson reports.

from Judy malware campaign victimized as many as 36.5 million Android users

Who Are the Shadow Brokers?

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of NSA secrets. Since last summer, they've been dumping these secrets on the Internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time putting sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month.

After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

Who are these guys? And how did they steal this information? The short answer is: we don't know. But we can make some educated guesses based on the material they've published.

The Shadow Brokers suddenly appeared last August, when they published a series of hacking tools and computer exploits -- vulnerabilities in common software -- from the NSA. The material was from autumn 2013, and seems to have been collected from an external NSA staging server, a machine that is owned, leased, or otherwise controlled by the US, but with no connection to the agency. NSA hackers find obscure corners of the Internet to hide the tools they need as they go about their work, and it seems the Shadow Brokers successfully hacked one of those caches.

In total, the group has published four sets of NSA material: a set of exploits and hacking tools against routers, the devices that direct data throughout computer networks; a similar collection against mail servers; another collection against Microsoft Windows; and a working directory of an NSA analyst breaking into the SWIFT banking network. Looking at the time stamps on the files and other material, they all come from around 2013. The Windows attack tools, published last month, might be a year or so older, based on which versions of Windows the tools support.

The releases are so different that they're almost certainly from multiple sources at the NSA. The SWIFT files seem to come from an internal NSA computer, albeit one connected to the Internet. The Microsoft files seem different, too; they don't have the same identifying information that the router and mail server files do. The Shadow Brokers have released all the material unredacted, without the care journalists took with the Snowden documents or even the care WikiLeaks has taken with the CIA secrets it's publishing. They also posted anonymous messages in bad English but with American cultural references.

Given all of this, I don't think the agent responsible is a whistleblower. While possible, it seems like a whistleblower wouldn't sit on attack tools for three years before publishing. They would act more like Edward Snowden or Chelsea Manning, collecting for a time and then publishing immediately -- and publishing documents that discuss what the US is doing to whom. That's not what we're seeing here; it's simply a bunch of exploit code, which doesn't have the political or ethical implications that a whistleblower would want to highlight. The SWIFT documents are records of an NSA operation, and the other posted files demonstrate that the NSA is hoarding vulnerabilities for attack rather than helping fix them and improve all of our security.

I also don't think that it's random hackers who stumbled on these tools and are just trying to harm the NSA or the US. Again, the three-year wait makes no sense. These documents and tools are cyber-Kryptonite; anyone who is secretly hoarding them is in danger from half the intelligence agencies in the world. Additionally, the publication schedule doesn't make sense for the leakers to be cybercriminals. Criminals would use the hacking tools for themselves, incorporating the exploits into worms and viruses, and generally profiting from the theft.

That leaves a nation state. Whoever got this information years before and is leaking it now has to be both capable of hacking the NSA and willing to publish it all. Countries like Israel and France are capable, but would never publish, because they wouldn't want to incur the wrath of the US. Countries like North Korea or Iran probably aren't capable. (Additionally, North Korea is suspected of being behind WannaCry, which was written after the Shadow Brokers released that vulnerability to the public.) As I've written previously, the obvious list of countries who fit my two criteria is small: Russia, China, and -- I'm out of ideas. And China is currently trying to make nice with the US.

It was generally believed last August, when the first documents were released and before it became politically controversial to say so, that the Russians were behind the leak, and that it was a warning message to President Barack Obama not to retaliate for the Democratic National Committee hacks. Edward Snowden guessed Russia, too. But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signaling that they don't care if the US knows the tools were stolen.

Sure, there's a chance the attackers knew that the US knew that the attackers knew -- ­and round and round we go. But the "we don't give a damn" nature of the releases points to an attacker who isn't thinking strategically: a lone hacker or hacking group, which clashes with the nation-state theory.

This is all speculation on my part, based on discussion with others who don't have access to the classified forensic and intelligence analysis. Inside the NSA, they have a lot more information. Many of the files published include operational notes and identifying information. NSA researchers know exactly which servers were compromised, and through that know what other information the attackers would have access to. As with the Snowden documents, though, they only know what the attackers could have taken and not what they did take. But they did alert Microsoft about the Windows vulnerability the Shadow Brokers released months in advance. Did they have eavesdropping capability inside whoever stole the files, as they claimed to when the Russians attacked the State Department? We have no idea.

So, how did the Shadow Brokers do it? Did someone inside the NSA accidentally mount the wrong server on some external network? That's possible, but seems very unlikely for the organization to make that kind of rookie mistake. Did someone hack the NSA itself? Could there be a mole inside the NSA?

If it is a mole, my guess is that the person was arrested before the Shadow Brokers released anything. No country would burn a mole working for it by publishing what that person delivered while he or she was still in danger. Intelligence agencies know that if they betray a source this severely, they'll never get another one.

That points to two possibilities. The first is that the files came from Hal Martin. He's the NSA contractor who was arrested in August for hoarding agency secrets in his house for two years. He can't be the publisher, because the Shadow Brokers are in business even though he is in prison. But maybe the leaker got the documents from his stash, either because Martin gave the documents to them or because he himself was hacked. The dates line up, so it's theoretically possible. There's nothing in the public indictment against Martin that speaks to his selling secrets to a foreign power, but that's just the sort of thing that would be left out. It's not needed for a conviction.

If the source of the documents is Hal Martin, then we can speculate that a random hacker did in fact stumble on it -- no need for nation-state cyberattack skills.

The other option is a mysterious second NSA leaker of cyberattack tools. Could this be the person who stole the NSA documents and passed them on to someone else? The only time I have ever heard about this was from a Washington Post story about Martin:

There was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee [a worker in the Office of Tailored Access Operations], one official said. That individual also has been arrested, but his case has not been made public. The individual is not thought to have shared the material with another country, the official said.

Of course, "not thought to have" is not the same as not having done so.

It is interesting that there have been no public arrests of anyone in connection with these hacks. If the NSA knows where the files came from, it knows who had access to them -- and it's long since questioned everyone involved and should know if someone deliberately or accidentally lost control of them. I know that many people, both inside the government and out, think there is some sort of domestic involvement; things may be more complicated than I realize.

It's also not over. Last week, the Shadow Brokers were back, with a rambling and taunting message announcing a "Data Dump of the Month" service. They're offering to sell unreleased NSA attack tools­ -- something they also tried last August­ -- with the threat to publish them if no one pays. The group has made good on their previous boasts: In the coming months, we might see new exploits against web browsers, networking equipment, smartphones, and operating systems -- Windows in particular. Even scarier, they're threatening to release raw NSA intercepts: data from the SWIFT network and banks, and "compromised data from Russian, Chinese, Iranian, or North Korean nukes and missile programs."

Whoever the Shadow Brokers are, however they stole these disks full of NSA secrets, and for whatever reason they're releasing them, it's going to be a long summer inside of Fort Meade -- as it will be for the rest of us.

This essay previously appeared in the Atlantic, and is an update of this essay from Lawfare.



from Who Are the Shadow Brokers?

Monday, May 29, 2017

Tainted Leaks

Last year, I wrote about the potential for doxers to alter documents before they leaked them. It was a theoretical threat when I wrote it, but now Citizen Lab has documented this technique in the wild:

This report describes an extensive Russia-linked phishing and disinformation campaign. It provides evidence of how documents stolen from a prominent journalist and critic of Russia were tampered with and then "leaked" to achieve specific propaganda aims. We name this technique "tainted leaks." The report illustrates how the twin strategies of phishing and tainted leaks are sometimes used in combination to infiltrate civil society targets, and to seed mistrust and disinformation. It also illustrates how domestic considerations, specifically concerns about regime security, can motivate espionage operations, particularly those targeting civil society.



from Tainted Leaks

Historical OSINT – Massive Black Hat SEO Campaign Spotted in the Wild

Cybercriminals continue to launch fraudulent and malicious black hat SEO campaigns, acquiring legitimate traffic in order to convert it into malware-infected hosts, further spreading malicious software and potentially compromising t...

from Historical OSINT – Massive Black Hat SEO Campaign Spotted in the Wild

The Continued Evolution of Ransomware in APJ

As discussed in my previous article, ransomware was arguably the most notorious cyber threat for businesses in 2016. Ransomware caused severe disruptions to victims in different industries and countries, forcing them to shut down business and, in some cases, pay the ransom in the hope of a speedy recovery. Although the malware spam messages that distribute ransomware look rather rudimentary, the actual payload is well-targeted and destructive, especially for businesses. When ransomware was only targeting consumers, it would only encrypt data stored on the local hard disk of the compromised computer. In…

from The Continued Evolution of Ransomware in APJ

A stolen version of DMA-locker is making the rounds

Pirated versions of DMA-locker are doing the rounds, but there is some good news. All the encrypted data can be decrypted with the same key and we can give it to you.

The post A stolen version of DMA-locker is making the rounds appeared first on Malwarebytes Labs.



from A stolen version of DMA-locker is making the rounds

Historical OSINT – A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild

Cybercriminals continue to spread fraudulent and malicious campaigns, exposing the confidentiality, availability and integrity of the targeted host to a multitude of malicious software and earning fraudulent revenue in the proce...

from Historical OSINT – A Diversified Portfolio of Pharmaceutical Scams Spotted in the Wild

Historical OSINT – Google Sponsored Scareware Spotted in the Wild

Cybercriminals continue to spread malicious software while looking for alternative ways to acquire and monetize legitimate traffic, earning fraudulent revenue in the process. We've recently come acr...

from Historical OSINT – Google Sponsored Scareware Spotted in the Wild

Avast releases decryptor tool for AES_NI ransomware

Special thanks to Ladislav Zezula for working on this blog post and the decryptor tool!

from Avast releases decryptor tool for AES_NI ransomware

What You Need To Know: Security Vulnerabilities Found in Major Media Players

Major security vulnerabilities have been found in several popular media players, including Kodi, PopcornTime, Streamio, and VLC […]

The post What You Need To Know: Security Vulnerabilities Found in Major Media Players appeared first on Checkmarx.



from What You Need To Know: Security Vulnerabilities Found in Major Media Players

Historical OSINT – A Diversified Portfolio of Fake Security Software

Cybercriminals continue to launch malicious and fraudulent campaigns, further spreading malicious software and potentially exposing the confidentiality, availability and integrity of the targeted host to a multitude of ma...

from Historical OSINT – A Diversified Portfolio of Fake Security Software

Historical OSINT – Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Remember the Russian Business Network and the New Media Malware Gang? It's been several years since I last posted an update regarding the group's activities, including the direct establishing of a direct connection betwe...

from Historical OSINT – Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Women in Information Security: Sarah Aoun

Women are doing very important work in the cybersecurity field, and I’ve really been enjoying talking to some of the brightest and most interesting minds in my field. In my last interview, I spoke to Kelly Shortridge. She went from a career in high finance to a security-related product manager role for BAE. This time, […]

The post Women in Information Security: Sarah Aoun appeared first on The State of Security.



from Women in Information Security: Sarah Aoun

Sunday, May 28, 2017

After Manchester Bombing: The Good, the Bad, and the Ugly Online



from After Manchester Bombing: The Good, the Bad, and the Ugly Online

Android ‘design shortcomings’ allow for Cloak and Dagger series of attacks

A series of "vulnerabilities and design shortcomings" in the Android user interface sets the stage for a new class of attacks called "Cloak and Dagger." David Bisson reports.

from Android ‘design shortcomings’ allow for Cloak and Dagger series of attacks

L.A. Unconf-idential : a.k.a. an rOpenSci #runconf17 Retrospective

Last year, I was able to sit back and lazily “RT” Julia Silge’s excellent retrospective on her 2016 @rOpenSci “unconference” experience. Since Julia was not there this year, and the unconference experience is still in primary storage (LMD v2.0 was a success!) I thought this would be the perfect time for a mindful look-back. And...

from L.A. Unconf-idential : a.k.a. an rOpenSci #runconf17 Retrospective

Find naming rules for Azure resources

Understand rules for naming resources in Azure.

from Find naming rules for Azure resources

What is an App Service Environment

Find out what an app service environment is and why you would use it.

from What is an App Service Environment

Scaling an App Service Plan

Find out how scaling an app service plan in Azure works.

from Scaling an App Service Plan

How will Windows run Linux containers

How can you run a Linux container on Windows? Find out.

from How will Windows run Linux containers

How long is a semi-annual channel supported for Windows 10

Learn how long a semi-annual channel is supported for.

from How long is a semi-annual channel supported for Windows 10

Saturday, May 27, 2017

Memorial Day 2017



from Memorial Day 2017

NolaCon2017, Matt Bromiley’s & Brian Marks’ ‘Skynet Will Use PsExec: When SysInternals Go Bad’

from NolaCon2017, Matt Bromiley’s & Brian Marks’ ‘Skynet Will Use PsExec: When SysInternals Go Bad’

Marcher and Other Mobile Threats: What You Need to Know

When most people think about cyber risk, they think primarily of their organization’s servers, PCs, and laptops, and how they might be vulnerable to attack.

But in recent years, the way in which users interact with the outside world has changed. In March this year, for the first time ever, Android overtook Windows to claim the largest share of Internet traffic.

And naturally, where users go, threat actors will surely follow.



from Marcher and Other Mobile Threats: What You Need to Know

New Non-HTTPS Websites Blacklisted for Phishy Password Practices

We submit hundreds of blacklist review requests every day after cleaning our clients’ websites. Google’s Deceptive Content warning applies when Google detects dangerous code that attempts to trick users into revealing sensitive information.

For the past couple of months we have noticed that the number of websites blacklisted with Deceptive Content warnings has increased for no apparent reason. The sites were clean, and there were no external resources loading on the website.

Continue reading New Non-HTTPS Websites Blacklisted for Phishy Password Practices at Sucuri Blog.



from New Non-HTTPS Websites Blacklisted for Phishy Password Practices

News in brief: tech firms ‘must do more’ on terror; romance scammers jailed; Disney film heist ‘a hoax’

Your daily round-up of some of the other stories in the news

from News in brief: tech firms ‘must do more’ on terror; romance scammers jailed; Disney film heist ‘a hoax’

Crysis ransomware master keys posted to Pastebin

Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, 'Enjoy!'

from Crysis ransomware master keys posted to Pastebin

Friday, May 26, 2017

Friday Squid Blogging: Squid and Chips

The excellent Montreal chef Marc-Olivier Frappier, of Joe Beef fame, has created a squid and chips dish for Brit & Chips restaurant.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.



from Friday Squid Blogging: Squid and Chips

Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves"

It's a good list.



from Forbes Names Beyond Fear as One of the "13 Books Technology Executives Should Have On Their Shelves"

Hacking the Galaxy S8's Iris Biometric

It was easy:

The hackers took a medium range photo of their subject with a digital camera's night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture.



from Hacking the Galaxy S8's Iris Biometric

Survey: Over Half of Medical Device Makers Expect an Attack on Their Devices In the Next Year

A new survey found that 67 percent of medical device manufacturers and 56 percent of healthcare delivery organizations (HDOs) believe an attack on their devices is likely to happen within the next 12 months. Despite the risks, however, a mere 17 percent of device makers and only 15 percent of HDOs say they are taking significant […]

The post Survey: Over Half of Medical Device Makers Expect an Attack on Their Devices In the Next Year appeared first on The State of Security.



from Survey: Over Half of Medical Device Makers Expect an Attack on Their Devices In the Next Year

DevSecOps is Alive and Thriving in APJ

In founding DevOps.com, I have been travelling the world observing, reporting and speaking out about DevOps, infosec and DevSecOps over the last 3-4 years. A constant theme I heard for much of that time was that the APJ region was probably slightly behind the wave around DevOps and DevSecOps. I never questioned the assumption. I should have. Another lesson in why you should never assume. After three years of running DevOps Connect: DevSecOps/Rugged DevOps at the RSA Conference San Francisco, I was invited to bring a day of DevSecOps learning and networking to RSA Conference APJ! Our day of…

from DevSecOps is Alive and Thriving in APJ

Joy of Tech™, Amazon Goes Bananas

via the gently sarcastic cranii of Nitrozac and Snaggy at The Joy of Tech™!



from Joy of Tech™, Amazon Goes Bananas

SMB Exploited: WannaCry Use of “EternalBlue”

Server Message Block (SMB) is the application-layer protocol Windows machines use for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB runs directly over TCP port 445, or over NetBIOS on TCP port 139. In April 2017, the Shadow Brokers released an SMB exploit named “EternalBlue,” which targets an SMBv1 vulnerability Microsoft had already patched the previous month in security bulletin MS17-010.

The recent WannaCry ransomware takes advantage of this vulnerability to compromise Windows machines, load malware, and propagate to other machines in a network. The attack uses SMB version 1 and TCP port 445 to propagate.

Context

SMB supports what are known as SMB Transactions (Trans, Trans2 and NT Trans), which let a client and server exchange a single logical request and response that is larger than one SMB message. If a transaction exceeds the negotiated MaxBufferSize, the client sends a primary request first and the remaining parameter and data bytes in Secondary requests (Trans2 Secondary for a Trans2 transaction, NT Trans Secondary for an NT Trans transaction), which the server reassembles into one buffer. The vulnerability lives in the SMBv1 kernel driver, srv.sys, and is triggered by malformed Secondary Trans2 requests.

Working

After the initial SMB handshake, which consists of a Negotiate Protocol request/response and a Session Setup request/response, the ransomware issues a Tree Connect to the IPC$ share on the remote machine. A related quirk of this attack is that the share path in that request contains a hard-coded local IP address rather than the address of the actual target, as shown in Figure 1; the mismatch is itself a usable network indicator.

Figure 1: Connecting to the IPC$ share

Next it sends an initial NT Trans request with a very large declared data size, whose payload consists of a sequence of NOPs, as shown in Figure 2. This request does not trigger the bug by itself: it moves the SMB server's transaction state machine to the point where the vulnerability can be reached, so that the attacker can then exploit it with specially crafted follow-up packets.

Figure 2: Preparing server for exploit via NT Trans

In SMB terms, the large NT Trans request is followed by multiple Secondary Trans2 requests that carry the remainder of the declared size. These Secondary Trans2 requests are malformed, as seen in Figure 3: they continue a transaction that was opened as an NT Trans, which a well-formed client never does, and this sequence is the trigger point for the vulnerability. The data portion of the requests carries the kernel shellcode and an encrypted payload, which is the launcher for the malware on the remote machine.

Figure 3: Overflow via Malformed Trans2

Post Exploitation & Full Cycle

On successfully triggering the vulnerability, the encrypted payload containing the stager for the malware is loaded and run on the remote machine. The payload launches a service, “mssecsvc”, from within the lsass process. This service scans the local network and the internet for machines that are reachable and have SMB exposed, then uses the same vulnerability to gain access to each of them and deliver the malware payload, completing the cycle. All of this happens very quickly, and the attack reaches every vulnerable machine on a typical LAN within minutes.

The ransomware has two parts. The main executable contains the code for scanning the network and triggering the SMB vulnerability on accessible machines. Embedded in its resource section, in a resource named “R”, is a second executable that contains the ransomware code. That executable in turn carries an encrypted ZIP file in a resource named “XIA”, which contains encryption keys, image files, a Tor client and two other executables, taskdl.exe and taskse.exe. The ZIP contents can be extracted with the password WNcry@2ol7, which is embedded in the malware code.

Mitigation

There are anomalies and patterns in the NT Trans and Trans2 request and response packets that analysts and researchers can use to build useful network-level detection. A couple of example signatures that can be deployed are found here and here.
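The NT Trans followed by Trans2 Secondary sequence described under Working, and the network-level detection the Mitigation paragraph points at, as an added example (this is not FireEye's code, not WannaCry's, and not one of the linked signatures): a minimal SMB1 request parser plus a detector that flags a Trans2 Secondary continuing an NT Trans whose declared TotalDataCount exceeds 0xFFFF. The reasoning is that a Trans2 Secondary carries 16-bit counts and so can never legitimately complete a transaction that large. The sample frames are constructed inline; the 0x11000 declared size, the TID/UID/MID values and the NOP padding are assumptions, not values taken from a capture.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SMB1 command codes and header layout per MS-CIFS
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NT_TRANSACT = 0xA0
SMB_COM_NT_TRANSACT_SECONDARY = 0xA1
SMB_FLAGS_REPLY = 0x80            # set in the Flags byte of server responses
SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32


@dataclass
class Smb1Msg:
    command: int
    flags: int
    tid: int
    uid: int
    mid: int
    words: bytes   # parameter words (WordCount * 2 bytes)
    data: bytes    # ByteCount bytes that follow the words


def parse_smb1(frame: bytes) -> Optional[Smb1Msg]:
    """Parse one SMB1 message framed by a 4-byte NetBIOS session header."""
    if len(frame) < 4 + SMB1_HEADER_LEN + 3:
        return None
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if body[:4] != SMB1_MAGIC or len(body) < SMB1_HEADER_LEN + 3:
        return None
    command, flags = body[4], body[9]
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", body, 24)
    wct = body[32]
    words_end = 33 + 2 * wct
    if len(body) < words_end + 2:
        return None
    words = body[33:words_end]
    bcc = struct.unpack_from("<H", body, words_end)[0]
    data = body[words_end + 2:words_end + 2 + bcc]
    return Smb1Msg(command, flags, tid, uid, mid, words, data)


def nt_trans_total_data(msg: Smb1Msg) -> Optional[int]:
    """TotalDataCount (32-bit, byte offset 7 of the words) of an NT Trans primary."""
    if msg.command != SMB_COM_NT_TRANSACT or len(msg.words) < 38:
        return None
    return struct.unpack_from("<I", msg.words, 7)[0]


def detect_eternalblue_pattern(frames: List[bytes]) -> List[str]:
    """Flag Trans2 Secondary requests that continue an oversized NT Trans (Figures 2 and 3)."""
    findings: List[str] = []
    pending: Dict[Tuple[int, int], int] = {}   # (tid, uid) -> open oversized NT Trans
    for idx, frame in enumerate(frames):
        msg = parse_smb1(frame)
        if msg is None or msg.flags & SMB_FLAGS_REPLY:
            continue                            # not SMB1, or a server reply
        key = (msg.tid, msg.uid)
        total = nt_trans_total_data(msg)
        if total is not None:
            if total > 0xFFFF:                  # more than a Trans2 Secondary could ever carry
                pending[key] = total
        elif msg.command == SMB_COM_NT_TRANSACT_SECONDARY:
            pending.pop(key, None)              # the correct way to continue an NT Trans
        elif msg.command == SMB_COM_TRANSACTION2_SECONDARY and key in pending:
            findings.append(f"frame {idx}: Trans2 Secondary continues NT Trans with "
                            f"TotalDataCount={pending[key]} on TID={key[0]:#06x} UID={key[1]:#06x}")
    return findings


# ---- constructed sample traffic (assumed values, not a real capture) ---------
def build_smb1(command: int, words: bytes, data: bytes,
               tid: int = 0x0800, uid: int = 0x0800, mid: int = 0x0040) -> bytes:
    """Wrap words/data in an SMB1 request header and a NetBIOS session header."""
    header = (SMB1_MAGIC + bytes([command]) + b"\x00" * 4      # magic, Command, NT Status
              + b"\x18" + b"\xc0\x07"                          # Flags (request), Flags2
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2        # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", tid, 0xFEFF, uid, mid))   # TID, PIDLow, UID, MID
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_nt_trans(total_data: int, data: bytes) -> bytes:
    # 19 words: MaxSetupCount, Reserved, TotalParameterCount, TotalDataCount, Max*Count,
    # ParameterCount/Offset, DataCount/Offset, SetupCount, Function
    words = struct.pack("<BHIIIIIIIIBH", 0, 0, 0, total_data, 0, 0, 0, 0, len(data), 0, 0, 0)
    return build_smb1(SMB_COM_NT_TRANSACT, words, data)


def build_trans2_secondary(data: bytes, displacement: int) -> bytes:
    # 9 words: TotalParameterCount, TotalDataCount, ParameterCount/Offset/Displacement,
    # DataCount/Offset/Displacement, FID
    words = struct.pack("<9H", 0, len(data), 0, 0, 0, len(data), 0, displacement, 0)
    return build_smb1(SMB_COM_TRANSACTION2_SECONDARY, words, data)


def sample_exploit_session() -> List[bytes]:
    """Oversized NT Trans primary padded with NOPs, then Trans2 Secondaries."""
    return [build_nt_trans(total_data=0x11000, data=b"\x90" * 64),
            build_trans2_secondary(b"\x41" * 64, displacement=64),
            build_trans2_secondary(b"\x42" * 64, displacement=128)]


def sample_benign_session() -> List[bytes]:
    """Ordinary Trans2 primary continued by a Trans2 Secondary: no finding."""
    return [build_smb1(SMB_COM_TRANSACTION2, b"\x00" * 28, b"\x00" * 16),
            build_trans2_secondary(b"\x00" * 16, displacement=16)]


if __name__ == "__main__":
    for line in detect_eternalblue_pattern(sample_exploit_session()):
        print(line)
    print("benign findings:", detect_eternalblue_pattern(sample_benign_session()))
```

The detector keys on the transaction-type mismatch rather than on payload bytes, so it is not defeated by re-encoding the shellcode; pairing it with the hard-coded IPC$ path from Figure 1 gives a second, independent indicator on the same session.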



from SMB Exploited: WannaCry Use of “EternalBlue”

Amazon’s app store puts millions of Android devices at risk

It's dangerous to go alone outside Google's protective walled garden, but it's the price you pay for free software.

from Amazon’s app store puts millions of Android devices at risk

Check if your Critical Software Programs are Compatible with Microsoft’s Windows 10 Before Migrating

The last thing any organization wants to do when upgrading to Windows 10 is discover one of their critical pieces of software is not compatible with the latest version of Windows.

from Check if your Critical Software Programs are Compatible with Microsoft’s Windows 10 Before Migrating

Lessons from the NHS: A bitter pill to swallow

The WannaCry cyber-attack, which took place earlier this month, has made headlines all over the world in recent weeks. Already documented as the biggest ransomware attack in history, it shut down IT systems worldwide, with a staggering 75,000 attacks in 99 countries. However, of those impacted, the organisation which has been given the … Continued

The post Lessons from the NHS: A bitter pill to swallow appeared first on Enterprise Network Security Blog from ISDecisions.



from Lessons from the NHS: A bitter pill to swallow

Resources: Handling SMB v1 in Managed Environments with Group Policy

Learn the background behind SMB vulnerabilities in Windows and how you can deal with them in your organization.

from Resources: Handling SMB v1 in Managed Environments with Group Policy

Top 10 Mobile Security Tips for Your Summer Vacation

With the summer holiday and festival season getting into full swing, you’ll want to stay connected to convenient travel and social media apps more than ever. But it’s important to be hyper-aware that cyberthieves are on the prowl for your personal, financial, and location information. When traveling, like many of us will be doing this […]

The post Top 10 Mobile Security Tips for Your Summer Vacation appeared first on The State of Security.



from Top 10 Mobile Security Tips for Your Summer Vacation

Five Ways to Empower Your Staff While Keeping Your Network Secure

News of the Google Docs phishing scam is not the first time that shared cloud-based resources have hit the headlines for all the wrong reasons. Many popular collaboration and IT management tools, such as Teamviewer and Slack, have had their time in the spotlight for compromises and breaches. The truth is these systems unwittingly provide […]

The post Five Ways to Empower Your Staff While Keeping Your Network Secure appeared first on The State of Security.



from Five Ways to Empower Your Staff While Keeping Your Network Secure

Security Assessments and Critical Security Controls: The Keys to Proactive ICS Security

It’s imperative that organizations protect their industrial control systems (ICS) against intentional and accidental security threats. As I discussed in a previous article, that effort begins with understanding the potential threats confronting their network. Organizations can then leverage that information to create a digital security strategy, or a plan that hopefully protects assets that are […]

The post Security Assessments and Critical Security Controls: The Keys to Proactive ICS Security appeared first on The State of Security.



from Security Assessments and Critical Security Controls: The Keys to Proactive ICS Security

WannaCry: the rush to blame XP masked bigger problems

Many pointed the finger at Windows XP, but the worst hit computers were unpatched Windows 7 machines

from WannaCry: the rush to blame XP masked bigger problems

Samba users urged to patch 7-year-old remote code execution flaw ASAP

Samba network filesystem administrators are being urged to patch a seven-year-old remote execution vulnerability as soon as possible. David Bisson reports.

from Samba users urged to patch 7-year-old remote code execution flaw ASAP

NolaCon 2017, Joshua Galloway’s ‘The Devil’s Bargain: Targeted Ransomware and Its Costs’

from NolaCon 2017, Joshua Galloway’s ‘The Devil’s Bargain: Targeted Ransomware and Its Costs’

Join HPE Security at the Gartner Security & Risk Management Summit

June is right around the corner, which means it is time for the Gartner Security & Risk Management Summit in National Harbor, MD. This annual gathering of security and risk management leaders helps organizations prepare for and head off increasingly dangerous cyber threats. The Summit takes place from June 12-15 and this year’s theme is: […]

The post Join HPE Security at the Gartner Security & Risk Management Summit appeared first on HPE Security - Data Security.



from Join HPE Security at the Gartner Security & Risk Management Summit

As more EU GDPR fines hit news headlines, what does the regulation really mean for your company?

By Shane Lewis, Information Security Manager. With the EU General Data Protection Regulation (EU GDPR) creeping ever-closer, recent figures released by the should set alarm bells ringing for big businesses. The organisation reported that, had the new legislation already been in place in 2016, data breach fines doled out by the Information Commissioner’s Office (ICO) […]

The post As more EU GDPR fines hit news headlines, what does the regulation really mean for your company? appeared first on Semafone.



from As more EU GDPR fines hit news headlines, what does the regulation really mean for your company?

Thursday, May 25, 2017

Security and Human Behavior (SHB 2017)

I'm at Cambridge University, at the tenth Workshop on Security and Human Behavior.

SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Ross Anderson, Alessandro Acquisti, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is maximum interaction and discussion. We do that by putting everyone on panels. There are eight six-person panels over the course of the two days. Everyone gets to talk for ten minutes about their work, and then there's half an hour of questions and discussion. We also have lunches, dinners, and receptions -- all designed so people from different disciplines talk to each other.

It's the most intellectually stimulating conference of my year, and influences my thinking about security in many different ways.

This year's schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, and ninth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.

Next year will be our tenth anniversary. I don't think any of us imagined that this conference would be around this long.



from Security and Human Behavior (SHB 2017)

Ransomware and the Internet of Things

As devastating as the latest widespread ransomware attacks have been, it's a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. It's only older unpatched systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant Internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn't a perfect system, but it's the best we have.

But it is a system that's going to fail in the "Internet of things": everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don't have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don't even have the ability to be patched.

Fast forward five to 10 years, and the world is going to be filled with literally tens of billions of devices that hackers can attack. We're going to see ransomware against our cars. Our digital video recorders and web cameras will be taken over by botnets. The data that these devices collect about us will be stolen and used to commit fraud. And we're not going to be able to secure these devices.

Like every other instance of product safety, this problem will never be solved without considerable government involvement.

For years, I have been calling for more regulation to improve security in the face of this market failure. In the short term, the government can mandate that these devices have more secure default configurations and the ability to be patched. It can issue best-practice regulations for critical software and make software manufacturers liable for vulnerabilities. It'll be expensive, but it will go a long way toward improved security.

But it won't be enough to focus only on the devices, because these things are going to be around and on the Internet much longer than the two to three years we use our phones and computers before we upgrade them. I expect to keep my car for 15 years, and my refrigerator for at least 20 years. Cities will expect the networks they're putting in place to last at least that long. I don't want to replace my digital thermostat ever again. Nor, if I ever need one, do I want a surgeon to ever have to go back in to replace my computerized heart defibrillator in order to fix a software bug.

No amount of regulation can force companies to maintain old products, and it certainly can't prevent companies from going out of business. The future will contain billions of orphaned devices connected to the web that simply have no engineers able to patch them.

Imagine this: The company that made your Internet-enabled door lock is long out of business. You have no way to secure yourself against the ransomware attack on that lock. Your only option, other than paying, and paying again when it's reinfected, is to throw it away and buy a new one.

Ultimately, we will also need the network to block these attacks before they get to the devices, but there again the market will not fix the problem on its own. We need additional government intervention to mandate these sorts of solutions.

None of this is welcome news to a government that prides itself on minimal intervention and maximal market forces, but national security is often an exception to this rule. Last week's cyberattacks have laid bare some fundamental vulnerabilities in our computer infrastructure and serve as a harbinger. There's a lot of good research into robust solutions, but the economic incentives are all misaligned. As politically untenable as it is, we need government to step in to create the market forces that will get us out of this mess.

This essay previously appeared in the New York Times. Yes, I know I'm repeating myself.

EDITED TO ADD: A good cartoon.



from Ransomware and the Internet of Things

YouTube, Twitter and Facebook face curbs on hate speech videos

Europe moves a step closer to limiting the spread of extremism and toxic content via social platforms

from YouTube, Twitter and Facebook face curbs on hate speech videos

Five Australian Hospitals Suffer IT Outages after Patching for Ransomware

Five hospitals in the Australian state of Queensland have suffered IT outages after a botched attempt to patch their systems against ransomware. On 25 May, Queensland Health Minister Cameron Dick provided some details to The Courier-Mail about the failures: “Over the course of that weekend as part of protecting our systems from cyber-attack, a series […]… Read More

The post Five Australian Hospitals Suffer IT Outages after Patching for Ransomware appeared first on The State of Security.



from Five Australian Hospitals Suffer IT Outages after Patching for Ransomware

Events for the week of May 28-June 3, 2017

May 2017
  • 26-28: LayerOne - Los Angeles, CA (@layer_one)
  • 29-31: 32nd International Conference on ICT Systems Security and Privacy Protection - IFIP SEC 2017 - Rome, Italy
  • 29-31: ISACA EuroCACS - Munich, Germany (@ISACANews)
  • 30-31: SyScan - Seattle, WA (@sy...

from Events for the week of May 28-June 3, 2017

Apple iCloud, Android Nvidia driver N-day exploit details revealed

Kernels can be exploited and iCloud account user information leaked due to the security flaws.

from Apple iCloud, Android Nvidia driver N-day exploit details revealed

2017: These aren’t the droids you’re looking for

40 years after the premiere of Star Wars, we're much closer to HAL and The Terminator than we are Artoo and Threepio.

from 2017: These aren’t the droids you’re looking for

Yup, the Android app store is full of useless, unwanted anti-WannaCry apps

Apps claiming to protect Android users against WannaCry ransomware are popping up on Google Play, but all of them are a bunch of hogwash. David Bisson reports.

from Yup, the Android app store is full of useless, unwanted anti-WannaCry apps

SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform, LMOS, which lets it run on almost any platform: as a KEMP LoadMaster appliance, as a Virtual LoadMaster (VLM) deployed on Hyper-V, VMware or bare metal, or in the public cloud. KEMP is available in Azure, where it … Continue reading SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

from SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

Wednesday, May 24, 2017

Multi-cloud Key Management Research Paper

Posted under: Research and Analysis

Cloud computing is the single biggest change to computing we have seen, fundamentally changing how we use computing resources. We have reached a point where multi-cloud support is a reality for most firms; SaaS and private clouds are complemented by public PaaS and IaaS. With these changes we have received an increasing number of questions on how to protect data in the cloud, so in this research paper we discuss several approaches to both keeping data secure and maintaining control over access.

From the paper:

Controlling encryption keys – and thus also your data – while adopting cloud services is one of the more difficult puzzles in moving to the cloud. For example, you need to decide who creates keys (you or your provider), where they are managed (on-premises or in-cloud), how they are stored (hardware or software), how keys will be maintained, how to scale up in a dynamic environment, and how to integrate with each different cloud model you use (SaaS, PaaS, IaaS, and hybrid). And you still need to either select your own encryption library or invoke your cloud service to encrypt on your behalf. Combine this with regulatory and contractual requirements for data security that – if anything – are becoming more stringent than ever before, and piecing together a solution that addresses these concerns is a challenge.

We are grateful that security companies like Thales eSecurity and many others appreciate the need to educate customers and prospects with objective material built in a Totally Transparent manner. This allows us to perform impactful research and protect our integrity.

You can get a copy of the paper, or go to our research library to download it there.

- Adrian Lane

from Multi-cloud Key Management Research Paper

Our Bring Your Own Malware Challenge is Back!

We are hosting the Bring Your Own Malware Challenge at a series of upcoming events. Bring it to InfoSec in London, Gartner Security Summit in Maryland and of course, Black Hat in July. The rules are simple, you have to plan ahead, but we have a cash prize. That’s right. We’ll be hosting our BYOM […]

The post Our Bring Your Own Malware Challenge is Back! appeared first on Bromium.



from Our Bring Your Own Malware Challenge is Back!

Semafone announces availability of secure telephone payment solution for call centers on Genesys AppFoundry

Semafone leverages industry-leading Genesys Customer Experience Platform to deliver a world-class  customer experience solution that simplifies PCI DSS compliance and reduces risk Guildford, U.K., – 24 May, 2017 – Semafone has launched its secure payment solution for contact centers, Cardprotect, on the Genesys AppFoundry,  an online marketplace dedicated to providing customer experience solutions. The AppFoundry allows […]

The post Semafone announces availability of secure telephone payment solution for call centers on Genesys AppFoundry appeared first on Semafone.



from Semafone announces availability of secure telephone payment solution for call centers on Genesys AppFoundry

Target Agrees to $18.5 Million Settlement with States

Target Corp. has reached an agreement with 47 states and the District of Columbia, resolving investigations into the infamous 2013 breach that exposed 41 million customer payment card accounts. According to an announcement by Attorney General Eric T. Schneiderman’s office on Tuesday, the agreement is the largest multi-state data breach settlement to date. Target […]… Read More

The post Target Agrees to $18.5 Million Settlement with States appeared first on The State of Security.



from Target Agrees to $18.5 Million Settlement with States

NolaCon 2017, 22 Charlie Vedaa’s ‘Short Films About Security’




from NolaCon 2017, 22 Charlie Vedaa’s ‘Short Films About Security’

What are “national security letters,” and why should you care?

Here's everything you need to know about the secretive FBI's investigative powers.

from What are “national security letters,” and why should you care?

What are “national security letters?” Here’s everything you need to know

Here's everything you need to know about the secretive FBI's investigative powers.

from What are “national security letters?” Here’s everything you need to know

Post-Quantum Safe Crypto Algorithm and PAKE Protocol, The Interview

Outstanding interview of Jintai Ding, Ph.D. (Author of Post-Quantum Safe Crypto Algorithm and PAKE Protocol) ...

from Post-Quantum Safe Crypto Algorithm and PAKE Protocol, The Interview

Europol busts 27 burglars for Black box-based ATM logic attacks

Europol has arrested 27 members of an international conspiracy that sought to commit ATM "Black box" attacks across Europe and parts of Scandinavia. David Bisson reports.

from Europol busts 27 burglars for Black box-based ATM logic attacks

How to get your workforce to take cybersecurity seriously

How to make sure your workforce takes cyber security threats seriously

Common sense only goes so far. To make sure the message lands, you will have to go beyond the basics and make sure that cybersecurity best practices are actually being followed by your workforce.

When it comes to cyber security, big IT security companies tend to make sure that at least 20 of their employees are well prepared to fight back against security attacks. They tell them that it is a matter of life and death, where winning means the company stays in business and continues to flourish.

Cyber criminals especially target employees at companies that don’t take cyber security seriously. Don’t forget that most malware attacks succeed because of a workforce that never stops to consider whether it is being scammed: employees simply open links and let whatever is behind them fool them.

Cyber criminals are now also using social media to carry out these scams, and employees rarely realize that such messages are dangerous. The result is that a malware infection spreads across your network.

So how do you prepare them to fight back? How do you make sure that the thousands you are spending on their training actually mean something to them, and that they are taking the threat seriously?

Here are a couple of strategies you can use to make sure your cyber security message sticks with your employees.

  • Don’t use scare tactics; your goal should be to build a culture inside your company that promotes cyber security in every department. Treat this like an internal campaign built on persuasion.
  • Start with short, informative graphics and videos that your employees will actually enjoy watching while learning a thing or two about the threats. A message delivered in a casual tone is often remembered for a long time.
  • Don’t send out long letters that are uninspiring and boring for the staff to read. Chances are that no one on your team will actually read them.

Your aim should be to change employee behavior, not to force things upon them. If you successfully create a cybersecurity culture, your employees will be more vigilant than ever.

The post How to get your workforce to take cybersecurity seriously appeared first on Cyber Security Portal.



from Lavina Bentley – Cyber Security Portal https://cybersecurityportal.com/get-workforce-take-cybersecurity-seriously/

Hacking Fingerprint Readers with Master Prints

There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints.

Definitely something to keep watching.

Research paper (behind a paywall).



from Hacking Fingerprint Readers with Master Prints

Twitter flaw allowed you to tweet from any account

All this time, a rather simple Twitter bug could have caused chaos on the platform.

from Twitter flaw allowed you to tweet from any account

How Hackers Attack Web Applications: Bots and Simple Flaws – Part 1

Public web applications are an attractive target for hackers. Attacks on web applications open up wide opportunities, including access to internal resources of the company, sensitive information, disruption of the application, and circumvention of business logic. Virtually any attack can bring financial benefits to the attacker and losses, both financial and reputational, to the owner […]… Read More

The post How Hackers Attack Web Applications: Bots and Simple Flaws – Part 1 appeared first on The State of Security.



from How Hackers Attack Web Applications: Bots and Simple Flaws – Part 1

Today’s Cybersecurity Challenges Started in 1648

Understandably, a few eyebrows go up when I suggest today’s cybersecurity challenges started nearly 370 years ago, some 300 years before the invention of ENIAC (the world’s first digital computer). But I stand by this observation because of the unintended clash of two systems: the nation-state and the Internet. Many of the institutions, social constructs […]… Read More

The post Today’s Cybersecurity Challenges Started in 1648 appeared first on The State of Security.



from Today’s Cybersecurity Challenges Started in 1648