Wednesday, November 30, 2016
Quantum Computing and Cybersecurity
from Quantum Computing and Cybersecurity
Paul Vixie, Compromised Security in IoT Caused by Market Pressure
from Paul Vixie, Compromised Security in IoT Caused by Market Pressure
Musings About Advanced Ransomware
from Musings About Advanced Ransomware
10 Attributes of a NextGen Security Program
from 10 Attributes of a NextGen Security Program
Secure Data Deletion
from Secure Data Deletion
Hackers reuse passwords to access 26,500 National Lottery accounts
from Hackers reuse passwords to access 26,500 National Lottery accounts
Real threats for business: Mischief, extortion and million-dollar frauds
from Real threats for business: Mischief, extortion and million-dollar frauds
Ten things you didn’t know about the Umbrella roaming client
Ten things you didn’t know about the Umbrella roaming client. You may already know that the Umbrella roaming client is a small endpoint agent that provides on and off-network protection for Windows and Mac laptops. Here are ten other things you probably didn’t know! 1. It handles most internal domains automatically. The roaming client automatically sends […]
The post Ten things you didn’t know about the Umbrella roaming client appeared first on OpenDNS Umbrella Blog.
from Ten things you didn’t know about the Umbrella roaming client
Fake WhatsApp email comes as a billing alert
Recently, we have received a report from one of our readers on Facebook regarding another criminal-driven campaign targeting WhatsApp users. It comes in the form of a phishing email, which our reader has forwarded for us to look into.
Tags: fake whatsapp billing alert, fraud, phishing, phishing scam, scam, whatsapp
from Fake WhatsApp email comes as a billing alert
You need to embrace Straight Talk as more than communication to unlock the value
What is Straight Talk? Look it up (and move past the wireless plan in the US) to confirm Straight Talk is a direct, plain, and honest manner of speaking. We love it when someone talks straight. It’s refreshing. But it’s just a different way to communicate, right? Not everyone is ready for Straight Talk, are they? […]
The post You need to embrace Straight Talk as more than communication to unlock the value appeared first on Security Catalyst.
from You need to embrace Straight Talk as more than communication to unlock the value
Tuesday, November 29, 2016
You, Too, Can Rent the Mirai Botnet
San Francisco Transit System Target of Ransomware
Monday, November 28, 2016
Tech support scams evolve, borrow tricks from ransomware creators
from Tech support scams evolve, borrow tricks from ransomware creators
Threat Intelligence – An Adaptive Approach to Information Security – Free Consultation Available
from Threat Intelligence – An Adaptive Approach to Information Security – Free Consultation Available
BSides Lisbon 2016, Diogo Mónica’s ‘MTLS in a Microservices World’
from BSides Lisbon 2016, Diogo Mónica’s ‘MTLS in a Microservices World’
Cerber Spam: Tor All the Things!
from Cerber Spam: Tor All the Things!
San Francisco Transit System Target of Ransomware
from San Francisco Transit System Target of Ransomware
A week in security (Nov 20 – Nov 26)
A compilation of notable security news and blog posts from the 20th of November to the 26th. This week, we talked about PrincessLocker, ransomware decryptors, malvertising on the Mac, and the Windows Firewall.
Tags: decryptor, firewall, malvertising, PrincessLocker, ransomware, recap, teslacrypt, weekly blog roundup
from A week in security (Nov 20 – Nov 26)
test post for links
from test post for links
From my Gartner Blog – Comparing UEBA Solutions
As Anton anticipated, we’ve started working on our next research cycle, now with the intent of producing a comparison of UEBA (User and Entity Behavior Analytics) solutions. We produced a paper comparing EDR solutions a few months ago, but so far the discussion on how to compare UEBA solutions has been far more complex (and interesting!).
First, while on EDR we focused on comparing how the tools would fare related to five key use cases, for UEBA the use cases are basically all the same: detecting threats. The difference is not only on which threats should be detected, but also on how to detect the same threats. Many of these tools have some focus on internal threats (if you consider “pseudo-internal” too, ALL of them focus on internal threats), and there are many ways you could detect those. A common example across these tools: detecting an abnormal pattern of resource access by a user. That could indicate that the user is accessing data he/she is not supposed to access, or even that credentials were compromised and are being used by an attacker to access data.
But things are even more complicated.
Have you noticed that “abnormal pattern of resource access” there?
What does it mean? That’s where tools can do things in very different ways, arriving at the same (or at vastly different) results. You can build a dynamic profile of things the user usually accesses and alert when something out of that list is touched. You can also do that considering additional variables for context, like time, source (e.g. from desktop or from mobile), application and others. And why should we stop at profiling only the individual user? Would it be considered anomalous if the user’s peers usually access that resource? Ok, but who are the user’s peers? How do you build a peer list? Point to an OU on AD? Or learn it dynamically by putting together people with similar behaviors?
(while dreaming about how we can achieve our goal with this cool “Machine Learning” stuff, let’s not forget you could do some of this with SIEM rules only…)
So, we can see how one single use case can be implemented by the different solutions. How do we define what is “better”? This is pretty hard, especially because there’s not something like AV-TEST available to test these different methods (models, algorithms, rules…taxonomy alone is crazy enough).
So what can we do about it? We need to talk to users of all these solutions and get data from the field about how they are performing in real environments. That’s OK. But after that we need to figure out, for good and bad feedback, how those things map to each solution feature set. If clients of solution X are happy about how it’s great on detecting meaningful anomalies (oh, by the way, this is another thing we’ll discuss in another blog post – which anomalies are just that, and which ones are meaningful from a threat detection perspective), we need to figure out what in X makes it good for that use case, so we can find which features and capabilities matter (and which are just noise and unnecessary fluff). Do I need to say we’ll be extremely busy in the next couple of months?
Of course, we could also use some help here; if you’ve been through a bake-off or a comparison between UEBA tools, let us know how you’ve done it; we’d love to hear that!
The post Comparing UEBA Solutions appeared first on Augusto Barros.
from Augusto Barros http://ift.tt/2fFIQDF
via IFTTT
from From my Gartner Blog – Comparing UEBA Solutions
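The detection approach sketched in the post above (a per-user baseline of resources, context such as time and source, and a peer group taken from an AD-style OU) placed next to the rule-only SIEM alternative, as an added illustration that is not code from the Gartner post or from any UEBA product. The access events, OU map, static rule and thresholds are all constructed for the example.

```python
"""
Toy UEBA-style detector for the "abnormal pattern of resource access" use case.
Added illustration only; every event, OU and threshold below is constructed.
"""
from collections import defaultdict

# Constructed peer groups: the "point to an OU on AD" option for building peers.
OU_OF = {"alice": "finance", "bob": "finance", "carol": "engineering"}

# Constructed baseline window. hour = local hour of day, source = device class.
BASELINE = [
    {"user": "alice", "resource": "payroll-db", "hour": 9, "source": "desktop"},
    {"user": "alice", "resource": "hr-share", "hour": 14, "source": "desktop"},
    {"user": "bob", "resource": "payroll-db", "hour": 10, "source": "desktop"},
    {"user": "bob", "resource": "budget-share", "hour": 16, "source": "desktop"},
    {"user": "carol", "resource": "git-server", "hour": 11, "source": "desktop"},
    {"user": "carol", "resource": "ci-server", "hour": 15, "source": "mobile"},
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    # new for alice, but her finance peers already use it
    {"user": "alice", "resource": "budget-share", "hour": 10, "source": "desktop"},
    # new for alice and for all of finance, at 03:00, from a phone
    {"user": "alice", "resource": "git-server", "hour": 3, "source": "mobile"},
    # routine access, nothing new
    {"user": "carol", "resource": "git-server", "hour": 11, "source": "desktop"},
]

# The SIEM-rule-only alternative: a fixed allow list, no learning involved.
STATIC_RULES = {"payroll-db": {"finance"}}


def build_profiles(events):
    """Per-user sets of resources, sources and hours seen in the baseline window."""
    profiles = defaultdict(lambda: {"resources": set(), "sources": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["resources"].add(e["resource"])
        p["sources"].add(e["source"])
        p["hours"].add(e["hour"])
    return profiles


def build_peer_profiles(events, ou_of):
    """Resources seen per peer group, with the group taken from the OU map."""
    peers = defaultdict(set)
    for e in events:
        peers[ou_of[e["user"]]].add(e["resource"])
    return peers


def static_rule_hits(event, ou_of, rules=STATIC_RULES):
    """Rule-only check: is this user's group allowed on this resource at all?"""
    allowed = rules.get(event["resource"])
    if allowed is not None and ou_of[event["user"]] not in allowed:
        return ["static_rule_violation"]
    return []


def score_event(event, profiles, peer_profiles, ou_of):
    """Return (severity, reasons); severity is 'high', 'medium' or 'none'."""
    reasons = static_rule_hits(event, ou_of)
    user = event["user"]
    p = profiles.get(user)
    if p is None:
        reasons.append("unknown_user")
    else:
        if event["resource"] not in p["resources"]:
            reasons.append("new_resource_for_user")
            # peer context: new for the user is less alarming if peers use it
            if event["resource"] not in peer_profiles[ou_of[user]]:
                reasons.append("new_resource_for_peers")
        if event["source"] not in p["sources"]:
            reasons.append("new_source")
        # crude time context: more than 3h away from every hour seen before
        if all(abs(event["hour"] - h) > 3 for h in p["hours"]):
            reasons.append("unusual_hour")
    if ("new_resource_for_peers" in reasons or "static_rule_violation" in reasons
            or len(reasons) >= 3):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def detect(baseline, new_events, ou_of):
    """Score each new event against profiles learned from the baseline window."""
    profiles = build_profiles(baseline)
    peers = build_peer_profiles(baseline, ou_of)
    return [(e["user"], e["resource"], *score_event(e, profiles, peers, ou_of))
            for e in new_events]


if __name__ == "__main__":
    for user, res, sev, why in detect(BASELINE, NEW_EVENTS, OU_OF):
        print(f"{user:6} {res:13} {sev:6} {', '.join(why) or '-'}")
```

The first event shows why the peer list matters: without it, alice touching budget-share looks just as new as alice touching git-server at 3 a.m. from a phone.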
Tech support scammers up their game with ransomware
Ransomware is so popular that even tech support scammers have eventually adopted it. Now the ransom note asks you to call 'Microsoft' to get your encrypted files back.
Tags: microsoft, ransomware, tech support, tech support scams, TSS, Vindows Locker
from Tech support scammers up their game with ransomware
Microsoft Debunks Top Cloud Myths of 2016
from Microsoft Debunks Top Cloud Myths of 2016
Sunday, November 27, 2016
BSides Lisbon 2016, Pedro Vilaça’s ‘Memory Corruption is for Wussies!’
from BSides Lisbon 2016, Pedro Vilaça’s ‘Memory Corruption is for Wussies!’
No, it’s Matt Novak who is a fucking idiot
The author, Matt Novak, is of the new wave of hard-core leftists intolerant of those who disagree with them. His position is that everyone is an idiot who doesn’t agree with his views: Libertarians, Republicans, moderate voters who chose Trump, and even fellow left-wingers that aren’t as hard-core.
If you carefully read his piece, you’ll see that Novak doesn’t actually prove Snowden is wrong. Novak doesn’t show how Snowden disagrees with facts, but only how Snowden disagrees with the left-wing view of the world. It’s only through deduction that we come to the conclusion: those who aren’t left-wing are idiots, Snowden is not left-wing, therefore Snowden is an idiot.
The question under debate in the piece is:
technology is more important than policy as a way to protect our liberties
In other words, if you don’t want the government spying on you, then focus on using encryption (use Signal) rather than trying to change the laws so they can’t spy on you.
On a factual basis (rather than political), Snowden is right. If you live in Germany and don’t want the NSA spying on you there is little policy-wise that you can do about it, short of convincing Germany to go to war against the United States to get the US to stop spying.
Likewise, for all those dissenters in countries with repressive regimes, technology precedes policy. You can’t effect change until you first can protect yourselves from the state police who throw you in jail for dissenting. Use Signal.
In our own country, Snowden is right about “politics”. Snowden’s leak showed how the NSA was collecting everyone’s phone records to stop terrorism. Privacy organizations like the EFF supported the reform bill, the USA FREEDOM ACT. But rather than stopping the practice, the “reform” opened up the phone records to all law enforcement (FBI, DEA, ATF, IRS, etc.) for normal law enforcement purposes.
Imagine the protestors out there opposing the Dakota Access Pipeline. The FBI is shooting down their drones and blasting them with water cannons. Now, because of the efforts of the EFF and other privacy activists, using the USA FREEDOM ACT, the FBI is also grabbing everyone’s phone records in the area. Ask yourself who is the fucking idiot here: the guy telling you to use Signal, or the guy telling you to focus on “politics” to stop this surveillance.
Novak repeats the hard-left version of the creation of the Internet:
The internet has always been monitored by the state. It was created by the fucking US military and has been monitored from day one. Surveillance of the internet wasn’t invented after September 11, 2001, no matter how many people would like to believe that to be the case.
No, the Internet was not created by the US military. Sure, the military contributed to the Internet, but the majority of contributions came from corporations, universities, and researchers. The left-wing claim that the government/military created the Internet involves highlighting their contributions while ignoring everyone else’s.
The Internet was not “monitored from day one”, because until the 1990s, it wasn’t even an important enough network to monitor. As late as 1993, the Internet was dwarfed in size and importance by numerous other computer networks – until the web took off that year, the Internet was considered a temporary research project. Those like Novak writing the history of the Internet are astonishingly ignorant of the competing networks of those years. They miss XNS, AppleTalk, GOSIP, SNA, Novell, DECnet, Bitnet, Uunet, Fidonet, X.25, Telenet, and all the other things that were really important during those years.
And, mass Internet surveillance did indeed come only after 9/11. The NSA’s focus before that was on signals and telephone lines, because that’s where all the information was. When 9/11 happened, they were still trying to catch up to the recent growth of the Internet. Virtually everything Snowden documents came after 9/11. Sure, they had programs like FAIRVIEW that were originally created to get telephone information in the 1970s, but these programs only started delivering mass Internet information after 9/11. Sure, the NSA occasionally got emails before 9/11, but nothing like the enormous increase in collection afterwards.
What I’ve shown here is that Matt Novak is a fucking idiot. He gets basic facts wrong about how the Internet works. He doesn’t prove Snowden’s actually wrong by citing evidence, only that Snowden is wrong because he disagrees with what leftists like Novak believe to be right. All the actual evidence supports Snowden in this case. It doesn't mean we should avoid all politics, only that if you are a DAP protester, use Signal instead of unencrypted messaging or phone.
from No, it’s Matt Novak who is a fucking idiot
Toolsmith – GSE Edition: Scapy vs CozyDuke
from Toolsmith – GSE Edition: Scapy vs CozyDuke
ATM Insert Skimmers: A Closer Look
from ATM Insert Skimmers: A Closer Look
BSides Lisbon 2016 – MTLS in a Microservices World by Diogo Mónica
The post BSides Lisbon 2016 – MTLS in a Microservices World by Diogo Mónica appeared first on BruteForce Lab's Blog.
from BSides Lisbon 2016 – MTLS in a Microservices World by Diogo Mónica
BSides Lisbon 2016, David Sopas’ ‘The Way of the Bounty’
from BSides Lisbon 2016, David Sopas’ ‘The Way of the Bounty’
Saturday, November 26, 2016
Can Configuration Manager manage Windows Defender in Windows 10?
from Can Configuration Manager manage Windows Defender in Windows 10?
Can I use an Azure AD account with Cortana in Windows 10 Anniversary?
from Can I use an Azure AD account with Cortana in Windows 10 Anniversary?
Solve remote PowerShell errors trying to enable cluster aware updating.
from Solve remote PowerShell errors trying to enable cluster aware updating.
The Trouble With Recounts in the Name of Hacking
from The Trouble With Recounts in the Name of Hacking
Encrypted email service Riseup sparks worry after warrant canary ‘expires’
from Encrypted email service Riseup sparks worry after warrant canary ‘expires’
BSides Lisbon 2016, Oliver Kunz’s ‘Semi-Offline Attack on the Android Full-Disk Encryption’
from BSides Lisbon 2016, Oliver Kunz’s ‘Semi-Offline Attack on the Android Full-Disk Encryption’
Friday, November 25, 2016
Friday Squid Blogging: Striped Pyjama Squid
Here's a nice picture of one of the few known poisonous squids.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
from Friday Squid Blogging: Striped Pyjama Squid
Hacking and the 2016 Presidential Election
Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania.
The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community. They have been talking with Hillary Clinton's campaign, but their analysis is not yet public.
According to a report in New York magazine, the share of votes received by Clinton was significantly lower in precincts that used a particular type of voting machine: The magazine story suggested that Clinton had received 7 percent fewer votes in Wisconsin counties that used electronic machines, which could be hacked, than in counties that used paper ballots. That is exactly the sort of result we would expect to see if there had been some sort of voting machine hack. There are many different types of voting machines, and attacks against one type would not work against the others. So a voting anomaly correlated to machine type could be a red flag, although Trump did better across the entire Midwest than pre-election polls expected, and there are also some correlations between voting machine type and the demographics of the various precincts. Even Halderman wrote early Wednesday morning that "the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked."
What the allegations, and the ripples they're causing on social media, really show is how fundamentally untrustworthy our hodgepodge election system is.
Accountability is a major problem for U.S. elections. The candidates are the ones required to petition for recounts, and we throw the matter into the courts when we can't figure it out. This all happens after an election, and because the battle lines have already been drawn, the process is intensely political. Unlike many other countries, we don't have an independent body empowered to investigate these matters. There is no government agency empowered to verify these researchers' claims, even if it would be merely to reassure voters that the election count was accurate.
Instead, we have a patchwork of voting systems: different rules, different machines, different standards. I've seen arguments that there is security in this setup (an attacker can't broadly attack the entire country), but the downsides of this system are much more critical. National standards would significantly improve our voting process.
Further investigation of the claims raised by the researchers would help settle this particular question. Unfortunately, time is of the essence, underscoring another problem with how we conduct elections. For anything to happen, Clinton has to call for a recount and investigation. She has until Friday to do it in Wisconsin, until Monday in Pennsylvania and until next Wednesday in Michigan. I don't expect the research team to have any better data before then. Without changes to the system, we're telling future hackers that they can be successful as long as they're able to hide their attacks for a few weeks until after the recount deadlines pass.
Computer forensics investigations are not easy, and they're not quick. They require access to the machines. They involve analysis of Internet traffic. If we suspect a foreign country like Russia, the National Security Agency will analyze what they've intercepted from that country. This could easily take weeks, perhaps even months. And in the end, we might not even get a definitive answer. And even if we do end up with evidence that the voting machines were hacked, we don't have rules about what to do next.
Although winning those three states would flip the election, I predict Clinton will do nothing (her campaign, after all, has reportedly been aware of the researchers' work for nearly a week). Not because she does not believe the researchers - although she might not - but because she doesn't want to throw the post-election process into turmoil by starting a highly politicized process whose eventual outcome will have little to do with computer forensics and a lot to do with which party has more power in the three states.
But we only have two years until the next national elections, and it's time to start fixing things if we don't want to be wondering the same things about hackers in 2018. The risks are real: Electronic voting machines that don't use a paper ballot are vulnerable to hacking.
Clinton supporters are seizing on this story as their last lifeline of hope. I sympathize with them. When I wrote about vote-hacking the day after the election, I said: "Elections serve two purposes. First, and most obvious, they are how we choose a winner. But second, and equally important, they convince the loser - and all the supporters - that he or she lost." If the election system fails to do the second, we risk undermining the legitimacy of our democratic process. Clinton's supporters deserve to know whether this apparent statistical anomaly is the result of a hack against our election system or a spurious correlation. They deserve an election that is demonstrably fair and accurate. Our patchwork, ad hoc system means they may never feel confident in the outcome. And that will further erode the trust we have in our election systems.
This essay previously appeared in the Washington Post.
Edited to Add: Green-party candidate Jill Stein is calling for a recount in the three states. I have no idea if a recount includes forensic analysis to ensure that the machines were not hacked, but I doubt it. It would be funny if it wasn't all so horrible.
Also, here's an article from 538.com arguing that demographics explains all the discrepancies.
from Hacking and the 2016 Presidential Election
The malicious iPhone video with a silver lining
from The malicious iPhone video with a silver lining
Black Friday Purchases Could Deliver Malware to Your Network
from Black Friday Purchases Could Deliver Malware to Your Network
Tesla cars can be stolen by hacking the app
Our researchers have demonstrated that because of a lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real-time, and unlock and drive the car away unhindered. Such a hack gives criminals total control of the vehicle, providing additional functionality to that exposed by Keen Security Labs in a different hack in late September...
The post Tesla cars can be stolen by hacking the app appeared first on VASCO Data Security - Blog.
from Tesla cars can be stolen by hacking the app
Lock down your Twitter: take care that rogue third-party apps don’t hijack your account
from Lock down your Twitter: take care that rogue third-party apps don’t hijack your account
BSides Lisbon 2016, Dima Bekerman’s ‘Brace YoSelf: DDoS is Coming’
from BSides Lisbon 2016, Dima Bekerman’s ‘Brace YoSelf: DDoS is Coming’
Don’t be a security turkey this Thanksgiving!
from Don’t be a security turkey this Thanksgiving!
Support Scams and Diagnostic Services
from Support Scams and Diagnostic Services
‘Compromised’ laptop implicated in US Navy breach of 130,000 records
from ‘Compromised’ laptop implicated in US Navy breach of 130,000 records
Dr Solly Yanks a Support Scammer’s Chain
from Dr Solly Yanks a Support Scammer’s Chain
Facebook ‘quietly developing censorship tool’ for China
from Facebook ‘quietly developing censorship tool’ for China
Thursday, November 24, 2016
Securing Communications in a Trump Administration
Susan Landau has an excellent essay on why it's more important than ever to have backdoor-free encryption on our computer and communications systems.
Protecting the privacy of speech is crucial for preserving our democracy. We live at a time when tracking an individual -- a journalist, a member of the political opposition, a citizen engaged in peaceful protest -- or listening to their communications is far easier than at any time in human history. Political leaders on both sides now have a responsibility to work for securing communications and devices. This means supporting not only the laws protecting free speech and the accompanying communications, but also the technologies to do so: end-to-end encryption and secured devices; it also means soundly rejecting all proposals for front-door exceptional access. Prior to the election there were strong, sound security arguments for rejecting such proposals. The privacy arguments have now, suddenly, become critically important as well. Threatened authoritarianism means that we need technological protections for our private communications every bit as much as we need the legal ones we presently have.
Unfortunately, the trend is moving in the other direction. The UK just passed the Investigatory Powers Act, giving police and intelligence agencies incredibly broad surveillance powers with very little oversight. And Bits of Freedom just reported that "Croatia, Italy, Latvia, Poland and Hungary all want an EU law to be created to help their law enforcement authorities access encrypted information and share data with investigators in other countries."
from Securing Communications in a Trump Administration
Kiwicon X: Pwning ML for Fun and Profit
from Kiwicon X: Pwning ML for Fun and Profit
SSD Advisory – CakePHP Multiple Vulnerabilities
from SSD Advisory – CakePHP Multiple Vulnerabilities
Showrooming this shopping season? Protect yourself with a VPN.
During Black Friday and the weeks leading up to Christmas, tech savvy shoppers visit brick-and-mortar stores to see the items they want to buy, but they use price comparison apps on their phones to check for the best deal. This is called “showrooming”. Shopping apps do things like scan barcodes for price comparisons between your local retailer and online stores, send alerts when the price drops, find money-saving coupons, and even tell which stores in the mall have a particular item on sale.
from Showrooming this shopping season? Protect yourself with a VPN.
Vicinity of obscurity! Fareit trojan spread via uncommon file type
from Vicinity of obscurity! Fareit trojan spread via uncommon file type
BSides DC 2016 – John Laycock and Monty St John’s YAYA (Yet Another YARA Allocution)
from BSides DC 2016 – John Laycock and Monty St John’s YAYA (Yet Another YARA Allocution)
DoD Opens .Mil to Legal Hacking, Within Limits
from DoD Opens .Mil to Legal Hacking, Within Limits
InfoSec and Actuarial Science – A Risky Alliance
I’ve been doing research lately into mergers & acquisitions, the exciting world of reps & warranties, insurance and cyber insurance in general. Interesting stuff. It has brought me to the conclusion that there is a real alliance between the work … Continue reading →
The post InfoSec and Actuarial Science – A Risky Alliance appeared first on AsTech Consulting.
from InfoSec and Actuarial Science – A Risky Alliance
Why Employees can be a Security Risk for Hospitals
from Why Employees can be a Security Risk for Hospitals
Video found freezing Apple devices
Wednesday, November 23, 2016
Headphones as Microphones
Surprising no one who has been following this sort of thing, headphones can be used as microphones.
from Headphones as Microphones
Government Propaganda on Social Media
Vice Motherboard has an interesting article about governments using social-media platforms for propaganda and surveillance, and the companies that are supporting this.
from Government Propaganda on Social Media
"Security for the High-Risk User"
Interesting paper. John Scott-Railton on securing the high-risk user.
from "Security for the High-Risk User"
Tuesday, November 22, 2016
Deliveroo customers get hacked, go hungry and foot the bill
from Deliveroo customers get hacked, go hungry and foot the bill
TeleCrypt – the ransomware abusing Telegram API – defeated!
A new ransomware, TeleCrypt appeared recently carrying some new ideas. Telecrypt abuses the API of a popular messenger, Telegram.
Tags: malware, ransomware, TeleCrypt, TeleCrypt Decryptor, Telegram API
from TeleCrypt – the ransomware abusing Telegram API – defeated!
Government Propaganda on Social Media
from Government Propaganda on Social Media
Conquering the Rising Threat of Malvertising
The recent shift in enterprise application platforms from desktop to mobile has brought with it many exciting benefits, which organizations have recognized and leveraged to provide a more flexible and convenient workplace. Unfortunately, individuals and groups with less honorable intentions have also taken notice of this shift. In fact, a report from ISACA predicts a…
The post Conquering the Rising Threat of Malvertising appeared first on Speaking of Security - The RSA Blog.
from Conquering the Rising Threat of Malvertising
Fareit Spam: Rocking Out to a New File Type
from Fareit Spam: Rocking Out to a New File Type
Is your SOC Intelligent?
Having a Threat Intelligence function isn’t a "go big or stay home" proposition.
from Is your SOC Intelligent?
Black Friday: What to watch out for when you hit the stores
from Black Friday: What to watch out for when you hit the stores
The Criminal Appeal of Advanced Ransomware: How Can Companies Protect Their Files?
Advanced ransomware—malicious software designed to take control of a computer system and hold it hostage until the victims pay for its release—is one of the fastest-growing areas of cybercrime. Another closely related threat is cyberextortion, where attackers threaten to cause harm to a company by releasing sensitive information to the public or sustaining distributed denial-of-service…
The post The Criminal Appeal of Advanced Ransomware: How Can Companies Protect Their Files? appeared first on Speaking of Security - The RSA Blog.
from The Criminal Appeal of Advanced Ransomware: How Can Companies Protect Their Files?
An overview of malvertising on the Mac
Mac users may face fewer malware attacks than their Windows counterparts, but it doesn't mean they are safe from online crooks. In this post we review the top malvertising attacks that target the OS X platform and how to stay safe.
Tags: Apple, mac, malvertising, malware, os X, PUP, PUPs, scam
from An overview of malvertising on the Mac
Dumb Security Survey Questions
According to a Harris poll, 39% of Americans would give up sex for a year in exchange for perfect computer security:
According to an online survey among over 2,000 U.S. adults conducted by Harris Poll on behalf of Dashlane, the leader in online identity and password management, nearly four in ten Americans (39%) would sacrifice sex for one year if it meant they never had to worry about being hacked, having their identity stolen, or their accounts breached. With a new hack or breach making news almost daily, people are constantly being reminded about the importance of secure passwords, yet some are still not following proper password protocol.
Does anyone think that this hypothetical survey question means anything? What, are they bored at Harris? Oh, I see. This is a paid survey by a computer company looking for some publicity.
Four in 10 people (41%) would rather give up their favorite food for a month than go through the password reset process for all their online accounts.
I guess it's more fun to ask these questions than to poll the election.
from Dumb Security Survey Questions
Monday, November 21, 2016
3 million Android phones vulnerable due to pre-installed rootkit
from 3 million Android phones vulnerable due to pre-installed rootkit
Were your grandparents hacking in 1963?
from Were your grandparents hacking in 1963?
The Amplituhedron
from The Amplituhedron
Campaigners bid to delay Rule 41 ‘legal hacking’ bill
from Campaigners bid to delay Rule 41 ‘legal hacking’ bill
Beware: The business-class redefines “workaround” for inclusion of unsupported devices, apps, and online services
from Beware: The business-class redefines “workaround” for inclusion of unsupported devices, apps, and online services
Vulnerability Prioritization with Nessus Cloud
If you’re a security professional, vulnerability prioritization is likely something you deal with frequently. Few, if any, organizations ever address 100% of discovered vulnerabilities, as new vulnerabilities come out every day and old vulnerabilities can hide out on unknown and shadow assets or simply never make it to the top of the patching priority list.
Vulnerabilities that don’t get addressed cause problems. In last year’s Data Breach Investigations Report (DBIR), Verizon noted that 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
Addressing 100% of vulnerabilities 100% of the time is not an achievable goal for most organizations. But being able to prioritize those that pose the highest risk is something that most organizations should be able to accomplish using a solution like Nessus® Cloud. Here are a few tips for using Nessus Cloud to prioritize your vulnerabilities list.
Scoring vulnerabilities with CVSS
The industry standard for communicating the severity of vulnerabilities is the Common Vulnerability Scoring System, or CVSS. CVSS uses an algorithm based on metrics in three different areas that approximate the ease and impact of exploiting a vulnerability. Our EMEA technical director, Gavin Millard, gives a good explanation of the three CVSS scoring areas (base, temporal, environmental) in this on-demand webcast if you’d like to learn more about CVSS.
Because CVSS is the industry standard, Nessus Cloud uses it in multiple ways. First, when Nessus Cloud classifies a vulnerability as Critical, High, Medium, Low or Informational, it derives that category from the CVSS score.
You can also use the Nessus Cloud Advanced Search capability to identify vulnerabilities with specific CVSS characteristics. For example, many organizations rely on CVSS Base Scores, the metrics that measure how easy it is to access a vulnerability. In Advanced Search, it’s easy to identify vulnerabilities cataloged on your network that have a CVSS Base Score of 7.5 or higher. This search would list all of the High severity vulnerabilities.
Additional search filters
CVSS provides a number you can associate with each vulnerability; but by using Advanced Search, there are a few other search filters that provide additional context from the mountain of vulnerabilities.
Tenable announced several of these advanced search filters for Nessus Cloud last year. One of my favorites is the In the News filter. Your CISO may have just read about a big new vulnerability, such as Heartbleed, Shellshock, or Ghost, that has caught the attention of the media. The In the News filter identifies these high profile vulnerabilities, so your security team can answer the inevitable questions: when asked, you can confidently state that you have taken care of the big vulnerability that’s making headlines.
Identifying vulnerabilities on specific assets - or not
Earlier this year, Asset Lists and Exclusions were introduced in Nessus Cloud. Asset Lists are a way to organize hosts into groups. For example, hosts that fall under the same compliance area could be placed into a list, such as all hosts that fall under PCI DSS. Asset Lists have several benefits. You can scan similar assets using the most appropriate scan policies and frequencies. Asset lists also make it easier to share vulnerability information with the appropriate business group, which can simplify the remediation process.
Asset Lists can also be useful if and when you need to scan specific assets at a specific time. For example, you might want to scan all your PCI assets immediately before an annual PCI audit.
On the other hand, Exclusions enable you to restrict the scanning of specific hosts based on a given schedule. If there is a situation where one or many hosts do not need to be included in a scan, you can omit them and simplify your vulnerability results.
Dashboards
While CVSS, Advanced Search Filters, Asset Lists, and Exclusions are all useful ways to prioritize vulnerabilities, sometimes you just need to see the big picture. To accomplish this, Nessus Cloud offers dashboards that provide a graphical representation of vulnerability trending data over time.
You can use the dashboards to quickly get an overall view of vulnerabilities in your environment as well as to identify if you are meeting goals and policies set forth by your organization. Let’s say your organization has a policy that it will not tolerate more than 25 critical vulnerabilities open at any time. In the example below, even though there are 19 critical vulnerabilities open, you know you’re within policy; so maybe you could mix some vulnerability remediation work with another important project instead of just focusing on remediation efforts.
This same dashboard helps you track how long vulnerabilities have been open. As I noted earlier, last year’s Verizon DBIR highlighted how often old vulnerabilities end up being the path attackers take to gain access to networks. The dashboard could help you identify critical vulnerabilities that could lead to actual breaches.
Starting with the dashboard, you can access an interactive list of all vulnerabilities that are more than 30 days old and easily drill down to details for a specific host exhibiting an old security hole.
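The three prioritization cuts this article describes (the CVSS Base Score ≥ 7.5 search, the "no more than 25 critical open" policy check, and the list of findings older than 30 days drilled down by host) can be reproduced offline over an exported scan. The following is an added example written for this page, not Tenable's code; the CSV column names and the sample rows are constructed and are not Nessus Cloud's actual export schema.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample in the shape of a vulnerability export. Column names are
# assumed for this example only; they are not Nessus Cloud's export format.
SAMPLE_EXPORT = """\
host,plugin,cvss_base,severity,first_seen
10.0.0.5,OpenSSL Heartbleed,5.0,Medium,2016-09-01
10.0.0.5,Bash Shellshock,10.0,Critical,2016-10-30
10.0.0.7,glibc Ghost,10.0,Critical,2016-11-15
10.0.0.7,Outdated TLS ciphers,7.5,High,2016-11-17
10.0.0.9,Weak SSH MAC,2.6,Low,2016-06-01
10.0.0.9,Unsupported Java,9.3,Critical,2016-08-20
"""

POLICY_MAX_CRITICAL = 25   # the article's "no more than 25 critical open" policy
HIGH_BASE_THRESHOLD = 7.5  # the article's Advanced Search cut for High severity
STALE_DAYS = 30            # the dashboard's "more than 30 days old" list


def load_findings(export_text):
    """Parse the export into dicts with a float score and a real date."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["cvss_base"] = float(row["cvss_base"])
        row["first_seen"] = datetime.strptime(row["first_seen"], "%Y-%m-%d").date()
        findings.append(row)
    return findings


def high_by_base_score(findings, threshold=HIGH_BASE_THRESHOLD):
    """Equivalent of the 'CVSS Base Score >= 7.5' Advanced Search."""
    return [f for f in findings if f["cvss_base"] >= threshold]


def critical_policy_check(findings, limit=POLICY_MAX_CRITICAL):
    """Return (open_critical_count, within_policy) for the 25-critical policy."""
    count = sum(1 for f in findings if f["severity"] == "Critical")
    return count, count <= limit


def stale_by_host(findings, today, max_age=STALE_DAYS):
    """Group findings open longer than max_age days by host, oldest first.

    `today` is passed in rather than read from the clock so results are
    reproducible against a fixed export.
    """
    stale = {}
    for f in findings:
        age = (today - f["first_seen"]).days
        if age > max_age:
            stale.setdefault(f["host"], []).append((age, f["plugin"]))
    for host in stale:
        stale[host].sort(reverse=True)
    return stale


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    today = date(2016, 11, 22)  # fixed reference date for the constructed data
    print("High (base >= 7.5):", [f["plugin"] for f in high_by_base_score(findings)])
    print("Critical count, within policy:", critical_policy_check(findings))
    for host, items in stale_by_host(findings, today).items():
        print(host, items)
```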
Try Nessus Cloud
If you aren’t already using Nessus Cloud and would like to try any of these vulnerability prioritization techniques, you can request a free Nessus Cloud evaluation. Try out the ideas from this article and see even more ways that Nessus Cloud provides insight into the vulnerabilities on your network that should be given your immediate attention.
Continue the vulnerability prioritization conversation on Tenable’s Discussion Forums at https://community.tenable.com/welcome, or on Twitter @TenableSecurity.
Thanks to Diane Garey for assisting with this blog.
from Vulnerability Prioritization with Nessus Cloud
5 Things IT Pros Can Be Thankful For
from 5 Things IT Pros Can Be Thankful For
AdultFriendFinder network finally comes clean to members about hack
from AdultFriendFinder network finally comes clean to members about hack
Defeating Integer Overflow Attack
from Defeating Integer Overflow Attack
Midstream Security for Oil
from Midstream Security for Oil
Sunday, November 20, 2016
BSides DC 2016 – Timothy Allmon’s WCTF Magic as Told by a Clumsy Magician
from BSides DC 2016 – Timothy Allmon’s WCTF Magic as Told by a Clumsy Magician
Hassles and concerns upgrading from Windows 10 Home to Pro
from Hassles and concerns upgrading from Windows 10 Home to Pro
More details emerge regarding the Three data breach
from More details emerge regarding the Three data breach
Analysis
from Analysis
An Introduction to Javascript for XSS Payloads
from An Introduction to Javascript for XSS Payloads
Les Carr Meeting 25 October 2016
from Les Carr Meeting 25 October 2016
Timour Meeting (Facebook audio)
from Timour Meeting (Facebook audio)
Saturday, November 19, 2016
Friday Squid Blogging: Peruvian Squid Fishermen Are Trying to Diversify
Squid catch is down, so fishermen are trying to sell more processed product.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
from Friday Squid Blogging: Peruvian Squid Fishermen Are Trying to Diversify
Smartphone Secretly Sends Private Data to China
This is pretty amazing:
International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server.
On one hand, the phone secretly sends private user data to China. On the other hand, it only costs $50.
from Smartphone Secretly Sends Private Data to China
Using Wi-Fi to Detect Hand Motions and Steal Passwords
This is impressive research: "When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals":
Abstract: In this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI). The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user's number input. WindTalker presents a novel approach to collect the target's CSI data by deploying a public WiFi hotspot. Compared with the previous keystroke inference approach, WindTalker neither deploys external devices close to the target device nor compromises the target device. Instead, it utilizes the public WiFi to collect user's CSI data, which is easy-to-deploy and difficult-to-detect. In addition, it jointly analyzes the traffic and the CSI to launch the keystroke inference only for the sensitive period where password entering occurs. WindTalker can be launched without the requirement of visually seeing the smart phone user's input process, backside motion, or installing any malware on the tablet. We implemented Windtalker on several mobile phones and performed a detailed case study to evaluate the practicality of the password inference towards Alipay, the largest mobile payment platform in the world. The evaluation results show that the attacker can recover the key with a high successful rate.
That "high successful rate" is 81.7%.
News article.
from Using Wi-Fi to Detect Hand Motions and Steal Passwords
Friday, November 18, 2016
Save the Data, or Making It Simple to Make Sure Data Is Protected with SEDs
TCG and its members created a non-proprietary way to ensure data on storage devices, such as hard disk drives or solid state (flash) drives. The industry specifications for self-encrypting drives (http://www.trustedcomputinggroup.org/work-groups/storage/). SEDs, available from all major drive makers and many others, now are embedded into almost all new drives and enterprise storage systems. These drives … Continue reading "Save the Data, or Making It Simple to Make Sure Data Is Protected with SEDs"
The post Save the Data, or Making It Simple to Make Sure Data Is Protected with SEDs appeared first on Trusted Computing Group.
from Save the Data, or Making It Simple to Make Sure Data Is Protected with SEDs
Webcast: Save the Data: How to Protect Data Wherever It Lives
Data has exploded across devices and anything with memory. No matter where it lives and whatever it is – sensitive personal, medical, financial, business data, photos and music – all such data is highly vulnerable. In fact, breaches occur daily and the growing number of interconnected “things” means that even more data is open to … Continue reading "Webcast: Save the Data: How to Protect Data Wherever It Lives"
The post Webcast: Save the Data: How to Protect Data Wherever It Lives appeared first on Trusted Computing Group.
from Webcast: Save the Data: How to Protect Data Wherever It Lives
NIST Publishes Cybersecurity Framework Specifically for Small Businesses
NIST recently published NISTIR 7621, a cybersecurity framework specifically for small business. Most small businesses do not have the resources that large corporations have to implement a cybersecurity program. The guide was developed in conjunction with the small business administration … Continue reading →
The post NIST Publishes Cybersecurity Framework Specifically for Small Businesses appeared first on AsTech Consulting.
from NIST Publishes Cybersecurity Framework Specifically for Small Businesses
Cyber News Rundown: Edition 11/18/16
Alarming Number of Sites Still Using SHA-1 Certificates. The January deadline for switching over to SHA-2 is rapidly approaching. Vendors that are still lagging behind will begin to see browser warnings... read more
The post Cyber News Rundown: Edition 11/18/16 appeared first on Webroot Threat Blog.
from Cyber News Rundown: Edition 11/18/16
BSides DC 2016 – Gordon MacKay ‘s Vulnerability Management Systems Flawed – Leaving your Enterprise at High Risk
from BSides DC 2016 – Gordon MacKay ‘s Vulnerability Management Systems Flawed – Leaving your Enterprise at High Risk
Liquidmatrix Security Digest TV – mini0x1E
Samy Kamkar – PoisonTap – https://samy.pl/poisontap/
RCMP want an iPhone unlocker – http://www.cbc.ca/news/investigates/police-power-privacy-encryption-1.3856375
Discussion paper – https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-scrt-grn-ppr-2016-bckgrndr/index-en.aspx
The post Liquidmatrix Security Digest TV – mini0x1E appeared first on Liquidmatrix Security Digest.
from Liquidmatrix Security Digest TV – mini0x1E
OK, so it’s called “BlackNurse”. But *why*? [Chet Chat Podcast 255]
from OK, so it’s called “BlackNurse”. But *why*? [Chet Chat Podcast 255]
From my Gartner Blog – Deception Technologies – The Paper
After some very fun research, we’re finally publishing our paper on deception technologies:
Applying Deception Technologies and Techniques to Improve Threat Detection and Response
18 November 2016 | ID: G00314562
Augusto Barros | Anton Chuvakin
Summary: Deception is a viable option to improve threat detection and response capabilities. Technical professionals focused on security should evaluate deception as a “low-friction” method to detect lateral threat movement, and as an alternative or a complement to other detection technologies.
It was a very fun paper to write. We’ve been using and talking about honeypots and other deception techniques and technologies for ages, but it seems that it’s finally the time to use those in enterprise environments as part of a comprehensive security architecture and strategy. Here are some fun bits from the paper:
- Many organizations report low-friction deployment, management and operation as the primary advantages of deception tools over other threat detection tools (such as SIEM, UEBA and NTA).
- Improved detection capabilities are the main motivation of those who adopt deception technologies. Most have no motivation to actively engage with attackers, and cut access or interaction as soon as detection happens.
- Test the effectiveness of deception tools by running a POC or a pilot on a production environment. Utilize threat simulation tools, or perform a quality penetration test without informing the testers about the deceptions in place.
(Figure: overview of deception technologies – Gartner, 2016)
The corporate world has invested in many different technologies for threat detection. Yet, it is still hard to find organizations actively using deception techniques and technologies as part of their detection and response strategies, or for risk reduction outcomes.
However, with recent advances in technologies such as virtualization and software-defined networking (SDN), it has become easier to deploy, manage and monitor “honeypots,” the basic components of network-based deception, making deception techniques viable alternatives for regular organizations. At the same time, the limitations of existing security technologies have become more obvious, requiring a rebalance of focus from preventative approaches to detection and response.
[…]
Although a direct, fact-based comparison between the effectiveness of deception techniques and the effectiveness of other detection approaches does not exist, enough success reports do exist to justify including deception as part of a threat detection strategy.
The post Deception Technologies – The Paper appeared first on Augusto Barros.
from Augusto Barros http://ift.tt/2g3fjnR
from From my Gartner Blog – Deception Technologies – The Paper
Invincea Labs: FireEye FLARE On 2016 Challenges Write Up (Pt. 1)
from Invincea Labs: FireEye FLARE On 2016 Challenges Write Up (Pt. 1)
Hacking Password-Protected Computers via the USB Port
PoisonTap is an impressive hacking tool that can compromise computers via the USB port, even when they are password-protected. What's interesting is the chain of vulnerabilities the tool exploits. No individual vulnerability is a problem, but together they create a big problem.
Kamkar's trick works by chaining together a long, complex series of seemingly innocuous software security oversights that only together add up to a full-blown threat. When PoisonTap -- a tiny $5 Raspberry Pi microcomputer loaded with Kamkar's code and attached to a USB adapter -- is plugged into a computer's USB drive, it starts impersonating a new ethernet connection. Even if the computer is already connected to Wifi, PoisonTap is programmed to tell the victim's computer that any IP address accessed through that connection is actually on the computer's local network rather than the internet, fooling the machine into prioritizing its network connection to PoisonTap over that of the Wifi network.
With that interception point established, the malicious USB device waits for any request from the user's browser for new web content; if you leave your browser open when you walk away from your machine, chances are there's at least one tab in your browser that's still periodically loading new bits of HTTP data like ads or news updates. When PoisonTap sees that request, it spoofs a response and feeds your browser its own payload: a page that contains a collection of iframes -- a technique for invisibly loading content from one website inside another -- that consist of carefully crafted versions of virtually every popular website address on the internet. (Kamkar pulled his list from web-popularity ranking service Alexa's top one million sites.)
As it loads that long list of site addresses, PoisonTap tricks your browser into sharing any cookies it's stored from visiting them, and writes all of that cookie data to a text file on the USB stick. Sites use cookies to check if a visitor has recently logged into the page, allowing visitors to avoid doing so repeatedly. So that list of cookies allows any hacker who walks away with the PoisonTap and its stored text file to access the user's accounts on those sites.
There's more. Here's another article with more details. Also note that HTTPS is a protection.
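Why HTTPS is a protection here comes down to one cookie attribute: the spoofed responses arrive over plain HTTP, and a browser never sends a cookie marked Secure on an HTTP request, so only cookies set without Secure can be siphoned this way. The following audit of Set-Cookie headers is an added example for this page, not code from the original post or from PoisonTap; the header lines are constructed, not captured from any real site.

```python
# Added example: report cookies that a cleartext HTTP response could collect,
# i.e. those set without the Secure attribute. HttpOnly is deliberately not
# checked here: the cookies ride in the browser's request headers, so HttpOnly
# does nothing against this particular collection technique.

# Constructed sample response headers (not from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: csrftoken=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: prefs=dark; Path=/; Max-Age=31536000",
    "set-cookie: auth=ghi789; Domain=.example.test; Secure",
    "Content-Type: text/html",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie_name, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure map to True.
    """
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def exposed_cookies(headers):
    """Return the names of cookies set without Secure, in header order."""
    exposed = []
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("Cookies sent over plain HTTP:", exposed_cookies(SAMPLE_HEADERS))
```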
Yesterday, I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, Manufacturing, and Trade -- both part of the Committee on Energy and Commerce of the US House of Representatives. Here's the video; my testimony starts around 24:40.
The topic was the Dyn attacks and the Internet of Things. I talked about different market failures that will affect security on the Internet of Things. One of them was this problem of emergent vulnerabilities. I worry that as we continue to connect things to the Internet, we're going to be seeing a lot of these sorts of attacks: chains of tiny vulnerabilities that combine into a massive security risk. It'll be hard to defend against these types of attacks. If no one product or process is to blame, no one has responsibility to fix the problem. So I gave a mostly Republican audience a pro-regulation message. They were surprisingly polite and receptive.
from Hacking Password-Protected Computers via the USB Port
Thursday, November 17, 2016
PoisonTap, The Ransacker
from PoisonTap, The Ransacker
How a $5 Raspberry Pi Zero can hack your locked laptop
from How a $5 Raspberry Pi Zero can hack your locked laptop
RSAC 2017 Speaker Submissions Parallel Industry Predictions and Real-World Events
from RSAC 2017 Speaker Submissions Parallel Industry Predictions and Real-World Events
Securing Your Branch Network
from Securing Your Branch Network