Pentagon Thinks Blockchain Technology Can be Used as Cybersecurity Shield – CoinTelegraph

Original Article Here

Just like any currency, Bitcoin has been involved in cases of money laundering, drug transactions, and terrorism in previous years. However, the Blockchain technology underneath it has also caught the Pentagon's eye as a potential cybersecurity shield.

Why Blockchain technology?

The US military has been open about its interest in Blockchain technology, so it is no surprise that it may soon develop its own applications.

US defence analysts have previously pointed out the growing threats to the country’s national security that target national security decision-makers and critical infrastructure. So in an effort to withstand such threats, the Pentagon started experimenting with Blockchain.

Blockchain technology is potentially useful for protecting military technology, communications, and purchases, and could raise the security of the entire US military across all departments and units. It could also make it harder for hackers and terrorists to attack military networks, including connected vehicles, aircraft and satellites.

The DARPA drive

Engineers at the Defense Advanced Research Projects Agency (DARPA) are currently experimenting with Blockchain to create a messaging service that is secure and resistant to foreign attacks. The service will be tested internally first, but if it holds up, it may find its way onto the battlefield soon. DARPA has asked the public to submit proposals on the best ways to put the service into action.

DARPA serves as the research arm of the U.S. military and aims to decentralize significant portions of back-office infrastructure so that:

“‘Smart documents and contracts’ can be instantly and securely sent and received, thereby reducing exposure to hackers and reducing needless delays in DoD back-office correspondence.”

Additionally, DARPA seeks to create code that cannot be hacked, so that attackers cannot break into secure databases.

Blockchain in government

DARPA is not the only government agency that has taken notice of Blockchain technology and its possible use in public services. In fact, various units of the government, including the US Navy and several federal agencies, have been eyeing the technology as a way to optimize existing processes.

Sonar-based attack could help hackers infer when you're having sex

Original Article Here


Hackers could use a sonar-based attack to infer information about what a target is doing, including when they might be engaging in sexual activity.

The attack, known as CovertBand, is the product of four researchers' work at the University of Washington's Paul G. Allen School of Computer Science & Engineering. They sought to answer an important question in the age of digital security and privacy: what if an attacker could use a smart device to track a target's movements without the target's knowledge?

CovertBand succeeds in this regard by masquerading as a third-party Android app.

Upon installation, the app secretly uses the AudioTrack API to emit acoustic signals at 18-20 kHz. Some adults can faintly hear these signals, so CovertBand plays them under a song with lots of percussive sounds for masking. The attack then uses the AudioRecord API to record the 18-20 kHz signals backscattered from the room. With two microphones picking up the reflections, an attacker can receive the recorded data over Bluetooth and approximate a target's 2D position using a laptop.

And you thought the Amazon Echo was scary.


But tracking a target’s 2D location is only the beginning of it. As the researchers explain in their paper:

“We show how CovertBand can potentially enable an attacker to differentiate between different classes of movements even when subjects are in different body positions and orientations. Specifically, we focus on two classes of motion: (1) linear motion (the subject walks in a straight line) and (2) periodic motion (pelvic tilt where the subject remains in approximately the same position (lying on his or her back on the floor) but performs a periodic exercise). These motions are sufficiently different that we should be able to differentiate them by looking at the spectrograms, but are also realistic enough to potentially enable privacy leakage. For example, (1) models information that might be of interest to intelligence community members, e.g., to track the location of a target within a room and (2) could be used to infer sexual activity, for which the importance of protecting might vary depending on the target’s culture and cultural norms or might vary depending on the target’s public visibility, e.g., celebrity status or political status.”

That’s right. Not even targets’ bedroom romps are safe from CovertBand!

In an experimental setup, the researchers had “Bob” walk around inside of a bathroom and do several activities. Using CovertBand, they were able to determine that Bob likely spent less than 20 seconds sitting on the toilet and brushing his teeth.


Subsequent tests revealed the attack could track, from outside a closed wooden door, an individual walking in a straight line across a bathroom with a mean tracking error of 18 cm. Even with more complex movements, the tracking error was less than 25 cm, and the same held when tracking more than one subject at the same time. Once windows and external doors are introduced, the tracking error rises to about 30 cm.

With these results, an attacker could use lots of different devices like smart TVs to spy on unsuspecting targets.


Those who are concerned about CovertBand can protect themselves with countermeasures ranging from the simple to the extreme. On the saner end of the spectrum, they could use a sensor that listens for transmissions above the range of human hearing. On the more “creative” side, people can play their own 18-20 kHz signals to jam CovertBand, which would crowd the sound space and could cause considerable discomfort for children or pets. Or they could go one step further and soundproof their homes.
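The first of those countermeasures, a sensor that watches for energy above the range of human hearing, is simple enough to sketch. What follows is an added example, not code from the CovertBand paper or its authors: it takes a buffer of PCM samples (the format Android's AudioRecord delivers, converted to floats), probes the 18-20 kHz band and a reference speech band with a Goertzel filter, and flags frames in which the near-ultrasonic share of energy is abnormally high. The 44.1 kHz capture rate, the 100 ms frame, the 1% threshold and the two-tone "song" used as test input are all constructed assumptions; a real detector would calibrate the threshold against the room's normal background.

```python
"""Detector for a near-ultrasonic carrier of the kind CovertBand emits.

Added example, not code from the CovertBand paper. Operates on a buffer of
PCM samples such as Android's AudioRecord delivers, measures how much of the
frame's energy sits in the 18-20 kHz band compared with the speech band, and
flags frames where that share is abnormally high.
"""
import math
import random
import struct
from typing import List, Sequence, Tuple

SAMPLE_RATE = 44_100                 # Hz; assumed capture rate (18-20 kHz is below Nyquist only at >= 40 kHz)
FRAME = 4_410                        # 100 ms frame -> 10 Hz bin spacing
ULTRASONIC_BAND = (18_000, 20_000)   # carrier band described in the article
SPEECH_BAND = (100, 4_000)           # reference band where voices and most music energy live
PROBE_STEP_HZ = 100                  # spacing of probed DFT bins within each band
THRESHOLD = 0.01                     # assumed: flag if > 1% of probed energy is near-ultrasonic


def pcm16_to_float(data: bytes) -> List[float]:
    """Little-endian 16-bit PCM (AudioRecord's ENCODING_PCM_16BIT) to floats in [-1, 1)."""
    count = len(data) // 2
    return [s / 32768.0 for s in struct.unpack(f"<{count}h", data[: count * 2])]


def goertzel_power(x: Sequence[float], target_hz: float, fs: int = SAMPLE_RATE) -> float:
    """|X[k]|^2 for the DFT bin nearest target_hz, computed with the Goertzel recurrence."""
    n = len(x)
    k = int(0.5 + n * target_hz / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for sample in x:
        s0 = sample + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_power(x: Sequence[float], band: Tuple[int, int], fs: int = SAMPLE_RATE) -> float:
    """Sum of bin powers across a band, probed every PROBE_STEP_HZ."""
    lo, hi = band
    return sum(goertzel_power(x, f, fs) for f in range(lo, hi + 1, PROBE_STEP_HZ))


def ultrasonic_fraction(x: Sequence[float]) -> float:
    """Share of probed energy that lies in the 18-20 kHz band."""
    us = band_power(x, ULTRASONIC_BAND)
    ref = band_power(x, SPEECH_BAND)
    return us / (us + ref + 1e-12)


def covert_carrier_present(x: Sequence[float], threshold: float = THRESHOLD) -> bool:
    """True if the frame carries an unusually strong near-ultrasonic component."""
    return ultrasonic_fraction(x) > threshold


def synth_frame(tones: Sequence[Tuple[int, float]], noise_amp: float = 0.01,
                seed: int = 1234, n: int = FRAME, fs: int = SAMPLE_RATE) -> List[float]:
    """Constructed test audio: sinusoids (freq_hz, amplitude) plus a little white noise."""
    rng = random.Random(seed)
    return [sum(a * math.sin(2 * math.pi * f * i / fs) for f, a in tones)
            + rng.uniform(-noise_amp, noise_amp) for i in range(n)]


# Constructed stand-ins for the masking song, with and without a 19 kHz carrier under it.
MUSIC_ONLY = synth_frame([(400, 0.5), (1000, 0.5)])
MUSIC_WITH_CARRIER = synth_frame([(400, 0.5), (1000, 0.5), (19_000, 0.1)])

if __name__ == "__main__":
    for name, frame in (("music only", MUSIC_ONLY), ("music + 19 kHz carrier", MUSIC_WITH_CARRIER)):
        print(f"{name}: ultrasonic share = {ultrasonic_fraction(frame):.4f}, "
              f"flagged = {covert_carrier_present(frame)}")
```

Two practical points follow from the code. The capture rate must be at least 40 kHz, or the 18-20 kHz band aliases into the audible range and the detector is blind to it; phones commonly record at 44.1 or 48 kHz, so this is achievable. And the jamming countermeasure from the same paragraph would trip this detector just as the attack does, so a household running both would need to whitelist its own jammer.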

Then again, these behaviors could be worth it in terms of protecting our privacy, especially if someone can use CovertBand to detect more activities, improve its range, and track more than two individuals.

About the author, David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire’s “The State of Security” blog, and Contributing Author to Carbonite.




Why Notre Dame center wants to join cybersecurity fight – Indianapolis Star

Original Article Here


SOUTH BEND – Sam Mustipher was fascinated by the Russian hacking story and its influence on the U.S. election — like many Americans. He thought it was “crazy” and “interesting,” but perhaps for different reasons.

Notre Dame’s starting senior center is a computer science major, and once his football career is over, he plans to pursue a career in cybersecurity. He originally wanted to go into civil engineering, but then a family friend explained how this profession relates to sports.

“It’s like building a playbook,” Mustipher said. “Like a defense against hacking. It’s ultra-competitive and right up my alley.”


The 6-2, 305-pound Mustipher wasn’t always interested in a career in technology; he just knew it “was going to be something major and something I had to learn eventually.” Mustipher was always good at math, liked science and in his junior year of high school, he took a programming class and learned how to build games. Once he arrived at Notre Dame, he enrolled in classes such as computer security, database concepts and networks, and will take one on algorithms this year. He’s identified consulting as a potential future job, in which he helps companies identify vulnerabilities so they can avoid being victims of a cyber attack.

“That’s why I want to do cybersecurity, because it’s in the news right now,” Mustipher said. “It’s in the now. You see companies every day getting hacked — like Target. And it’s like, I shop at these places so I want to stop this from happening.”


This summer, Mustipher stayed in South Bend and interned at Bowman Creek Educational Ecosystem. He had a tight schedule where he’d lift on campus in the morning, spend several hours working with electrical engineers on software to monitor water levels of rain gardens during the day, then return for team conditioning in the afternoon.

He’ll continue doing more software research in a lab alongside one of his mentors this year.

This aggressive work has helped Mustipher with his football routine. In his second year as a starter, he’s more focused on reading defenses.

“You have to be a student of the game,” he said. “That’s something (offensive line coach Harry Hiestand) preaches to us all the time. When you study, you see things. You see tendencies. You just have to be confident.”


Mustipher struggled some last year. He wasn’t the only one, as the offensive line as a whole failed to protect quarterback DeShone Kizer, allowing 28 sacks (ranked No. 71 nationally), while the running game couldn’t get going and averaged just 163.3 yards per game (No. 80).

The most glaring point for Mustipher was a 10-3 loss to N.C. State during Hurricane Matthew. He had trouble getting a grip on the ball on a water-logged field and botched too many snaps. Coach Brian Kelly called him out in the postgame, saying his inability to snap the ball was “atrocious.”

He didn’t doubt himself after that, nor did he lose his starting job.

“It was just coming back each week ready to go,” he said. “You just have to have mental toughness. You have to have short-term memory. Let it go and move onto the task at hand.”

After protecting first-year starting quarterback Brandon Wimbush and opening up the running lane more this year in Chip Long’s more physical run-play action offense, fending off cyberwar criminals seems like a logical next step.

Follow IndyStar reporter Laken Litman on Twitter and Instagram: @lakenlitman.


 

F-22 Raptor getting weapons, cybersecurity upgrades – The News Herald

Original Article Here

Despite no longer being in production, the jet remains “critical” to the Air Force mission, officials said, and is undergoing upgrades to its cybersecurity, weapons and radar technology.

TYNDALL AIR FORCE BASE — When the last Air Force-ordered F-22 Raptor left Lockheed Martin in early 2012, many assumed it was the beginning of the end for one of the Air Force’s signature fighter jets.

Congress in June firmly cemented the end of production, declining a restart while citing a cost of $206 million to $216 million per jet. However, the aircraft currently is undergoing upgrades to its cybersecurity, weapons and radar technology.

An article that originally appeared on Scout.com before being picked up by Business Insider on Aug. 7 reported that “upgraded radar, weapons and cybersecurity technology are being engineered into the F-22 to enable the stealth fighter to counter attacks from emerging future enemy threats, dogfight successfully against Russian and Chinese 5th-generation stealth fighters, and fly successfully well into the 2060s.”

Representatives of Air Combat Command, which oversees Tyndall Air Force Base, said many of the improvements already were underway on Tyndall aircraft, including Synthetic Aperture Radar (SAR), a radar imaging mode that uses the aircraft's own motion to build high-resolution images of the ground and the targets on it.

“The SAR capability mentioned in the Business Insider article actually began implementation into the Raptor in 2011,” ACC officials at Langley Air Force Base in Virginia wrote in an email. “All combat-coded F-22s at Tyndall AFB already possess this capability.”

Also part of the upgrades are the jet’s weapons systems, including the AIM-120 Advanced Medium Range Air-to-Air Missile (AMRAAM) and AIM-9 Sidewinder, a short-range air-to-air missile.

“The addition of the AIM-9X and AIM-120D weapons are part of what is known as the Increment 3.2B modernization effort,” Langley officials wrote. “Increment 3.2B is currently scheduled to begin delivery to the combat-coded fleet, to include Tyndall, in 2019.”

Tyndall crew members will be among those working on the upgrades, Langley confirmed, though officials did not say in what capacity.

The Air Force fleet houses 187 F-22 Raptors, and though the jet has reached the end of its production line, Langley officials said it remains critical to the mission.

“The F-22 and F-35 mixed force is critical to counter persistent and emerging threats to national security in the 21st century,” Langley officials wrote. “The warfighter always welcomes upgrades that increase lethality and mission effectiveness.”

Solar eclipse: Desperate brands leap on the sunny side – CNET

Original Article Here

Technically Incorrect offers a slightly twisted take on the tech that’s taken over our lives.



You’ve probably been wearing your solar eclipse glasses around the house for days already.

You need to make sure they fit perfectly so that you can enjoy, what, a couple of minutes of oohing, aahing and “I flew to Idaho just to see it-ing.”

The moneymaking corporations of America, though, are desperate for you to think that they contributed to your eclipse-viewing pleasure.

I’ve already written about banana brand Chiquita, which released a slightly absurd effort at suggesting that you should really watch the banana eclipse. (It’s shortly before and after the solar one.)

Naturally, Chiquita wasn’t alone. Many are trying to associate the eclipse with their own products.

Denny’s, for example, insists that it’s serving “mooncakes.” They are, in fact, the same pancakes you can buy any other day of the week. But, says the ad, “Regular pancakes look a lot like the moon.”

Krispy Kreme couldn’t help itself either. 

But what can you do with a doughnut? Can you find some way to eclipse it? In Krispy Kreme's case, the solution was staring it in the face. Welcome, then, to the chocolate-glazed Krispy Kreme, complete with spacey music.

Mitsubishi actually has a car called the Eclipse Cross. Which is odd for a brand that, at least in my mind, has been eclipsed for a while.

Still, its shtick on Monday is to be the exclusive sponsor of ABC’s “Great American Eclipse” special. During this event, Mitsubishi’s photographers — oh, you’ve already guessed, haven’t you — will be trying to capture a picture of the eclipse and the car together in Salem, Oregon.

It’s what you might call a once-in-a-lifetime opportunity. Or, well, an extended ad.

Retailers such as McDonald’s (in Oregon), Best Buy and Kroger have become purveyors of official solar glasses approved by NASA and the American Astronomical Society.

DoorDash is giving away free half-moon cookies between 2 p.m. and 4 p.m. on Monday. Which seems a little late.

Blessed coolster Nike has a web page encouraging you to wear black on the big day.

Talking of blessed, even churches are joining in the branding exercises.

There’s the Sinking Fork Baptist Church in Hopkinsville, Kentucky, for example. Its brand message? “Without God, your darkness will exceed 2 minutes and 40 sec.”


I was getting a little tired of the strained associations to which some brands were stooping when I came across Southern Pressed Juicery, a cheerily organic place in Greenville, South Carolina. 

It’s offering Black Sun Lemonade. This concoction of ginger, cayenne, lemon, lime and maple syrup also includes charcoal. 

When you pick it up, it’s yellow. Shake it and it turns black. 

Doesn’t that have a gloriously simple, scientific appeal? 

I hope they make a lot of money out of it.



Where Next for Microchip Implants?

Original Article Here

The mainstream media is full of stories this week about a Wisconsin vending machine company that plans to embed a rice-size microchip in the hands of employees on a voluntary basis on Aug. 1, 2017.

According to NBC News:

With the wave of their hands, employees will be able to open doors that require identification cards, log into their computers, operate copy machines or pay for snacks out of the company’s vending machines, the company said.

The chips operate on electromagnetic fields and must be no more than 6 inches from a device that can read them, known as radio-frequency identification.

Three Square Market is partnering with Swedish-based BioHax International to install the technology, which was approved by the U.S. Food and Drug Administration in 2004 for the marketing of the VeriChip to medical patients.”

Reactions to this news are all over the map, with headlines ranging from positive stories about the dawning of a great new era to Big Brother privacy concerns to fears that Biblical prophecies are about to come true.

Yesterday’s Predictions Are Today’s Reality: How Did We Get to This Point?

Back in 2010, ABC News ran this report which predicted that we would see implants by 2017, although their example was for medical purposes.

Three years ago, Fox News asked the question: Is there a microchip implant in your future?

“You can inject one under your skin and no one will ever notice. Using short-range radio frequency identification (RFID) signals, it can transmit your identity as you pass through a security checkpoint or walk into a football stadium. It can help you buy groceries at Wal-Mart. In a worst-case scenario — if you are kidnapped in a foreign country, for example — it could save your life.

Microchip implants like the ones pet owners use to track their dogs and cats could become commonplace in humans in the next decade. Experts are divided on whether they’re appropriate for people, but the implants could offer several advantages. For soldiers and journalists in war zones, an implant could be the difference between life and death. A tracker could also help law enforcement quickly locate a kidnapped child.”

And in 2015, ZDNet ran this intriguing piece on biohacking, which is the name that many give to embedding chips into our bodies.

“If you could replace your car keys, website login data, credit cards and bus passes with a chip embedded under your skin, would you?

For those concerned with privacy, the biohacker noted how wearable devices and mobile technology are already collecting and sharing our personal data. Where embedded NFC chips come in, however, is that we can achieve the same results but with “less clutter.”

So what does the future hold for biohacking? According to Sjoblad, biotechnology and embedded NFC chips will eventually become a quick digital identification process used for everyday purposes.”

Back in April, The Washington Post pointed out that some Swedish workers have been using this technology for a while.

“But while it may sound like the dawning of an era of a cyborg workforce, management consultants say they’re hearing little interest in the concept so far, and those leading the experiment in Sweden say it’s an entirely voluntary exercise intended simply as a technological test for convenience.”

But this “test for convenience” is being deployed in a real U.S. business this week.

Ethical, Privacy and Medical Issues?

Many experts are pointing to related ethical and privacy issues, which could become a major concern if the implanted chips do more in the future and organizations embrace the technology.

According to this CBN article, there are plenty of legal implications in embedding chips as well.

Illinois Institute of Technology professor Jeremy Hajek says the legal system needs to catch up with this new technology. 

‘So you’re opening up a much larger privacy issue of, well, who owns where you go? Who owns what you do? And who owns what you buy? Are you entitled to that privacy? Or does that privacy not really exist,’ he questions. 

‘Do you own that data? Or does the company own that data? And I think the legal system needs to catch up a little bit to this because these are new questions that the current laws on hand may not quite accurately cover,’ he added.” 

As Ben Libberton, a microbiologist at Stockholm’s Karolinska Institute, told the Associated Press, “Conceptually, you could get data about your health, you could get data about your whereabouts, how often you’re working, how long you’re working, if you’re taking toilet breaks and things like that.”

My millennial daughter Katherine Lohrmann said she fears three things about chip implants:

  • Is it medically safe? Not just for today, but what about in three to five years? At one time, breast implants were thought to be safe, but later, problems were found.
  • Her privacy could be violated. Could the policy change over time so they did track her actions — such as restroom breaks or time in cafeteria?
  • Where will this go next? Could it move from optional to mandatory or affect the promotions or career paths of those who did not implant the chip?

Katherine also pointed out that she thought the entire episode was a PR stunt by the company. “Look at the attention they are getting. This must be worth millions in sales for them.”

One issue to watch on the medical and privacy front is the new laws that will be proposed at the local, state and federal levels to protect employees who, for whatever reason, do not want chips embedded in their bodies, as well as those who do.

What About Security?

The interviews with Three Square Market executives portrayed the use of encrypted RFID as virtually hack-proof. In my opinion, such bold statements about security are overconfident. The security of the system rests not just on the encrypted chips but on the people, processes and technology surrounding the implementation, and that is a much greater challenge.

An article from last year articulated seven types of security attacks on RFID systems. A more recent article describes how easy it is to clone ID cards, although it should be added that the cards used in the DEF CON examples were not as secure as those used in the Wisconsin implant implementation.

This answer from stackexchange.com describes why it is not easy to clone RFID tags that authenticate with a secret key and a challenge-response protocol:

“The reason these cards are not easily clonable is that nobody but the bank knows the secret key hidden in the chip, so nobody else can produce a card that will react the same way to the challenge that came from the reader, thus the card cannot produce the correct CVV. The bank is responsible for detecting the incorrect CVV and rejecting the cloned card.

Not all the systems in use today are perfect. Researchers (and criminals) have figured out several attacks. Some cards are inherently insecure because they use weak encryption (such as the MiFare cards often used in transit systems). Some cards have had their secret keys read by using side channel attacks, such as power analysis or timing analysis. Some have been examined using ion beam microscopy, revealing the bits containing the secret keys. And some banks did a poor job initially implementing their secret keys such that they didn’t validate the CVVs correctly.”

Also, this RFID Journal blog describes some ways to prevent RFID cloning using encryption.
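The quoted answer's argument ("nobody but the bank knows the secret key hidden in the chip") and the RFID Journal blog's point about encryption can be made concrete. The following added example is not the Three Square Market or BioHax implementation, whose protocol the interviews do not describe. It models a UID-only tag next to a challenge-response tag, a passive attacker who has sniffed the air interface and builds an emulator from what was overheard, and a reader whose nonce generation is either sound or broken. HMAC-SHA256 truncated to 64 bits stands in for the chip's cipher as an assumption (real tags use AES or 3DES in hardware), and the UIDs, key and key database are constructed.

```python
"""Why a UID-only tag clones trivially while a challenge-response tag does not.

Added example; this is not the Three Square Market / BioHax implementation,
whose protocol the article does not describe. It models the quoted argument
that 'nobody but the bank knows the secret key hidden in the chip'. HMAC-SHA256
truncated to 64 bits stands in for the chip's cipher (an assumption; real tags
use AES or 3DES in hardware).
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

RESP_LEN = 8  # bytes of MAC the tag returns (assumed)


def tag_mac(key: bytes, uid: bytes, challenge: bytes) -> bytes:
    """What the chip computes: a MAC over its UID and the reader's nonce."""
    return hmac.new(key, uid + challenge, hashlib.sha256).digest()[:RESP_LEN]


class UidOnlyTag:
    """Legacy-style tag: the air interface carries only a static identifier."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.uid, b""          # the challenge is ignored; there is no secret to prove


class ChallengeResponseTag:
    """Tag with a key that never leaves the chip; only MACs cross the air interface."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.uid, tag_mac(self._key, self.uid, challenge)


class ReplayClone:
    """Attacker's emulator built from a sniffed transcript: it knows the UID and the
    (challenge, response) pairs it overheard, but not the key."""
    def __init__(self, uid: bytes, transcript: Dict[bytes, bytes]):
        self.uid = uid
        self.transcript = transcript

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        return self.uid, self.transcript.get(challenge, b"\x00" * RESP_LEN)


class Reader:
    """Door or PC reader with a key database behind it (the 'bank' in the quoted answer).
    Everything it sends and receives is appended to air_log, i.e. visible to a sniffer."""
    def __init__(self, keys: Dict[bytes, Optional[bytes]],
                 challenge_source: Callable[[], bytes] = lambda: secrets.token_bytes(8)):
        self.keys = keys                       # uid -> key, or None for UID-only enrolment
        self.challenge_source = challenge_source
        self.air_log: List[Tuple[bytes, bytes, bytes]] = []

    def authenticate(self, tag) -> bool:
        challenge = self.challenge_source()
        uid, resp = tag.respond(challenge)
        self.air_log.append((challenge, uid, resp))
        if uid not in self.keys:
            return False
        key = self.keys[uid]
        if key is None:                        # UID-only: the identifier is the credential
            return True
        return hmac.compare_digest(resp, tag_mac(key, uid, challenge))


def sniffed_transcript(reader: Reader, uid: bytes) -> Dict[bytes, bytes]:
    """What a passive attacker in radio range learns about one tag."""
    return {c: r for c, u, r in reader.air_log if u == uid}


def run_demo() -> Dict[str, bool]:
    uid_legacy = bytes.fromhex("0badf00d")     # constructed UIDs
    uid_cr = bytes.fromhex("c0ffee42")
    key = secrets.token_bytes(16)              # lives in the chip and the backend only
    keys = {uid_legacy: None, uid_cr: key}
    legacy, secure = UidOnlyTag(uid_legacy), ChallengeResponseTag(uid_cr, key)
    results: Dict[str, bool] = {}

    reader = Reader(keys)                      # sound reader: fresh random nonce each time
    results["legacy_legit"] = reader.authenticate(legacy)
    results["cr_legit"] = all(reader.authenticate(secure) for _ in range(3))

    # Attacker overheard the exchanges above and builds emulators from them.
    results["legacy_clone"] = reader.authenticate(ReplayClone(uid_legacy, {}))
    results["cr_clone_random_nonce"] = reader.authenticate(
        ReplayClone(uid_cr, sniffed_transcript(reader, uid_cr)))

    # Same unclonable chip, but a reader that always sends the same nonce.
    weak_reader = Reader(keys, challenge_source=lambda: b"\x00" * 8)
    weak_reader.authenticate(secure)
    results["cr_clone_fixed_nonce"] = weak_reader.authenticate(
        ReplayClone(uid_cr, sniffed_transcript(weak_reader, uid_cr)))
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:24s} authenticated = {ok}")
```

The last case is the "people, process and technology" point in miniature: the chip is identical in both runs, but a reader that reuses its nonce turns an unclonable credential into a replayable one, which is exactly the kind of implementation mistake the quoted answer attributes to some banks. Against the sound reader the clone's only hope is that the 64-bit random nonce repeats one it has already seen, a chance of about 2^-64 per attempt.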

Social Media Feedback

When I posted this story on LinkedIn this week, the comments were overwhelmingly negative. Most people were concerned less with this specific “volunteer” deployment and more about where this trend may lead in the future.

Here is a selection of the more than 50 public comments received:

Tony Robinson: “I hope laws are in place so as not to make this an opt-out without termination … no chip, no job is not acceptable.”

Tim Johnsrude: “Optional” tends to be a temporary condition. For example, credit cards are optional, but it is becoming increasingly more inconvenient not to have one. Can’t rent a car without one. Can’t order food on an airliner. eBay is out of reach for cash customers. Let’s not let this monkey out of its cage.”

Baran Erdogan: “Who wants to live and work like an ‘asset’???”

Allison Dolan: “One company that did this got positive feedback from employees when the ‘chip’ was linked to the internal cafeteria payment system – just swipe your wrist to pay for lunch! Just a reminder that if the incentives are there, people will accept almost anything.”

Robert Myles: “The chip signs/logs/is registered into a data base as well, which could be hacked.”

Jeffrey Lunde: “Key question is when, not if, a health insurance company offers it. Optional becomes conditionally then mandatory way too often.”

Andrew L.: “Why isn’t anyone talking about the malicious removal of the chip for ill intent? It’s not like you can hide it once it’s inserted?”

Jan Buitron: “Something so easy to ‘install ‘can probably be easily removed, and then used by a miscreant to ‘hack’ the building, the computers, the lunchroom, you name it…Does anyone remember the ‘eyeball’ scene in Minority Report?”

Maria Thompson: “You have got to be kidding me? The ways in which this could go sideways are mind boggling. I truly support and embrace innovation and technology but the privacy violations that come to mind make this option repulsive. The thought occurred to me years ago that it was only a matter of time this would be introduced to humans once tested on animals. I read an article recently that certain areas in Asia are using microchips to track elderly folks with Alzheimer’s … sorry, not biting.”

Allison Dolan (in response to Maria): “The point I was making is that for many people, myself included, convenience is a big appeal, especially when the risks in this very specific case seem quite low, including the option not to participate. Every new technology has a dark side, and if we rejected new things based on what could happen, we wouldn’t have most of what we have today.”

Allan Bradley: “There is a place for this, but without a clear defined digital citizenship boundary under legal definition, it is an invasion of bodily private space.”

My Perspective

With the exception of medical purposes to embed chips in the human body, I am very concerned about this embedded chip trend — especially for security convenience. I think this is the beginning of a long trip down a “Yellow Brick Road” that will not lead to the Emerald City that people expect.

I agree with the social media comments that “optional” is usually the first step that leads to “standard,” which leads to “expected,” which can lead to mandatory or almost-required situations (such as with credit cards). I am concerned with “hack-proof” statements about 256-bit encryption, which do not take into account the people, process and technology that needs to be implemented with such system security.

No, the sky is not falling. Yes, there is still plenty of time for planning. However, the technology is again out in front of the ethical and legal framework for microchip implants. No doubt, new laws will be coming in this area soon — so legislatures should pay attention.

Finally, watch out for the list of technologies that managers claim are not being deployed with microchip implants yet. For example, “We are not tracking people around the building” or “we are not using GPS.” Others will do these things down the road, but whether they tell their employees so is another matter.

Even if policies state that tracking is not allowed, and privacy is assured, audits often prove otherwise.

‘No More Ransom’ Program Grows: Initiative Helps Global Organizations Deal with Ransomware

Original Article Here

Over the past few years, ransomware cyberattacks have increasingly impacted public and private-sector organizations. The recent NotPetya and WannaCry outbreaks are only two of the many examples of malware wreaking havoc across the globe.

A recent Google study says that ransomware is here to stay, and that cyberthieves have made at least $25 million from ransomware in the last two years.

As the threat has grown and the search for solutions has become more urgent, one of the most prominent counter-developments, the “No More Ransom” project, has drawn increasing attention.

Here’s some background on “No More Ransom” from their website:

“Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies — Kaspersky Lab and McAfee — with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties.”

The list of organizations, including global governments and companies, that have become partners on No More Ransom is growing rapidly. You can see that partner list here.

How Can the Website Help?

The No More Ransom Web portal offers many resources, including a Crypto Sheriff tool to help identify which type of ransomware you may be infected with, plenty of ransomware prevention advice, a Q&A section that includes the history of ransomware, and decryption tools for many ransomware families. There is also a link to report a cybercrime.

A YouTube video from AWS re:Invent 2016 in December describes in detail some of the recent ransomware attacks on health-care organizations and how No More Ransom offers help.

I also like this article from ZDNet, which describes the No More Ransom Project as being one year old. Here’s an excerpt:

“Following the initial success of the initiative, seven more cybersecurity firms have since joined as associate partners — Bitdefender, Check Point, Trend Micro, Emsisoft, ElevenPaths, Avast and Cert.PL — each contributing to the development of decryption keys.

Dozens of law enforcement agencies — including Interpol, ENISA and the NCA — have also become actively involved in the scheme, which also receives additional support from dozens of security firms. There are now 109 partners in total. …

It’s difficult to quantify the exact number of decryptions which have occurred thanks to downloads from No More Ransom — the portal just provides links, it doesn’t monitor what happens next — but it’s thought that over 28,000 decryptions have taken place using the tools, saving millions from being paid to cybercriminals in the process.”

Expert Interview

The number of companies supporting this initiative is growing rapidly, and I actually first heard about the project from Caston Thomas, who is a trusted professional cyberindustry colleague who works for InterWorks, which just joined the initiative.  

I asked Caston some questions that I believe can help readers understand the value and importance of this effort.

Dan Lohrmann (DL):  What do you see as the primary benefit of the No More Ransom Initiative?

Caston Thomas (CT): The biggest benefit is that there is now a free, one-stop shop where anyone affected by ransomware can:

  • Test encrypted files to see if the files can be decrypted without paying the ransom
  • Learn the best practices for preventing ransomware attacks
  • Access the latest information and tools to decrypt files
  • Report a cybercrime in the country where the attack was perpetrated

I’m excited about the creative ways that the private sector and public institutions are coming together in new ways, whether that’s the NoMoreRansom project or, here in the US, InfraGard. NMR is a grassroots organization, and even though many governments are sponsoring the effort, it did not originate from legislation or regulation.

DL: Why did your company join? Can you benefit without joining?

CT: InterWorks’ mission is to make the Internet safer. The No More Ransom initiative was started to help victims of ransomware and to eliminate the incentives for cybercriminals. And after its one-year anniversary, NMR remains truer to its roots than ever. Every sponsor of NMR supports that mission when we sign on to be a sponsor.

Anyone can enjoy the benefits of the information & tools made available on the No More Ransom website. NMR is bringing together the best and brightest of subject matter experts into a single online, collaborative site — ransomware researchers and anti-malware developers, law enforcement and incident responders, awareness trainers and governmental/academic educators. I guess it’s a lot like Wikipedia, open source and freely available to anyone! There’s not one place on the NMR website that requires a login.

DL: What are the goals over the next year?

CT: Because NMR is grassroots, and the interaction of the sponsors is informal, I’m not aware of any “goals.”  If I were able to speak for all the sponsors, I think we would all agree that our goal is to help as many people as possible to avoid being hit by ransomware or having to pay a ransom.

DL: Is there anything else we should know about this topic?

CT: Please, just go check out the NMR website and spread the word.

Final Thoughts

I urge federal, state and local governments to become engaged in this No More Ransom (NMR) project. The reason is that international cooperation can often get bogged down in policy discussions and lack the “hands-on” solutions that most organizations need now.

As my friend Mark Weatherford said in this CSO online post on the same topic: “This is an area that requires the international community to come together and create some norms that everyone could agree to. …”

Personally, I find this No More Ransom project to be refreshing and see it as an excellent resource that we can all use and encourage to grow.  

On Metrics: Responding to Failing Security Grades

Original Article Here

With new data breaches, cyberattacks, nation-state hacking, ransomware outbreaks and related stories making news media headlines daily, the global cybersecurity landscape has become somewhat of a blur for the vast majority of us. As a result, only the biggest hacking stories (I’m talking really bad incidents with broad impact such as HBO’s recent data breach) receive significant attention anymore.

Sadly Americans have grown accustomed to being hacked. Even security and technology professionals cannot keep up with the rapid growth of regional, national and international cyberactivities.

Meanwhile, organizations struggle to measure and report on their own security risks, vulnerabilities and solutions or justify cybersecurity expenditures. Fortunately for some, most local cyberemergencies never make the evening news.

So given this backdrop, how do you measure your cybersecurity progress? What metrics do you use in your public- or private-sector business? Are your measurements yielding improvements in your cyberdefense posture? Are you passing cyber 101 — or are your grades improving?

A new report suggests that the majority of us are failing to make passing cybergrades.

Back in April of this year, I wrote an article for GovTech magazine entitled: Cybersecurity Has a Metrics Problem — Here’s What You Can Do About It. The global response to that piece has vastly exceeded expectations, with thousands of online references and shares and over 400 likes and comments from the Information Security Community on LinkedIn. I have also received many thoughtful messages from thought-leaders all over the world who are working on this metrics problem.

One person that I met along this cybermetrics journey was Joseph Carson, who is a respected cybersecurity professional and ethical hacker with more than 25 years’ experience in enterprise security. Carson speaks at global conferences such as Black Hat, and he serves as chief security scientist at Thycotic. He is also the author of Privileged Account Management For Dummies.

Beyond a fascinating online conversation regarding metrics, Carson pointed me to new research that his company, Thycotic, has performed on this cybermetrics topic. The full report can be downloaded for free by registering at their website here. I received permission to provide readers with some fascinating report excerpts, along with related graphics. At the end of this report summary, I interview Carson to dig deeper into a few cybersecurity measurement areas.

2017 State of Cybersecurity Metrics Annual Report Executive Summary

I found the results of this global survey, which included U.S. federal, state and local governments, to be very eye-opening.

Most Organizations Failing at Cybersecurity Metrics

With over 400 global business and security executives participating in this benchmark survey, more than half of respondents scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices. Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive way to define how well an organization is measuring the effectiveness of its IT security.

  • 58 percent of companies are failing in their efforts to measure the effectiveness of their cybersecurity investments and performance against best practices.

Most survey respondents do not feel confident about how they are measuring the value of their cybersecurity investments, and 80 percent stated that they are not fully satisfied with the metrics available.

  • 4 out of 5 companies worldwide are not fully satisfied with their cybersecurity metrics.

Failures in Planning

With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number — 32 percent — of companies are making business decisions and purchasing cybersecurity technology blindly.

Even more disturbing, more than 80 percent of respondents do not include business users in cybersecurity purchase decisions, and have not established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.

  • 1 in 3 companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
  • 4 out of 5 companies don’t know where their sensitive data is located, or how to secure it.
  • 4 out of 5 fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.

Failures in Performance

With ransomware causing major havoc in the past year, it is alarming that so many organizations are uncertain whether they have backed up information properly and whether they can recover it in a timely manner. Nearly two out of three survey respondents (64 percent) fail to recover in a timely manner, or in a way that aligns with their disaster recovery plan.

Results from this Security Measurement Index benchmark survey clearly indicate that companies need to do a better job of measuring business success and key metrics on how cybersecurity investments are performing.

In addition, 8 out of 10 companies fail to ensure that their IT security policies are understood by employees, and fail to measure this. This puts organizations at risk, since human error and malicious intent are frequent causes of security breaches.

Access controls for privileged accounts are among the most important protections an enterprise has. These include highly sensitive accounts such as system administrator and root accounts, which, if compromised, let an attacker move anywhere within the network undetected. Yet 60 percent of survey respondents fail to adequately protect privileged administrator accounts.

  • 2 out of 3 companies don’t fully measure whether their disaster recovery will work as planned.
  • 4 out of 5 never measure the success of security training investments.
  • While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts — their keys to the kingdom.

Small Businesses Especially Vulnerable

Small and medium-size businesses (SMBs) are targeted more often because their defenses are typically much easier to compromise. The SMB is frequently not the ultimate target but a stepping stone: the real goal of the cybercriminals is to reach the larger organizations the SMB does business with, through the supply-chain relationships and the data it shares with those larger companies.

  • Small businesses are targeted in 2 out of 3 cyberattacks.
  • 60 percent (of small businesses) go out of business six months after a breach.

Exclusive Blog Interview with Joseph Carson

Dan Lohrmann (DL): How many times have you done this metrics report? Are the results getting better or worse?

Joseph Carson (JC): This was the first time we have run such a security research report on cybersecurity metrics. We have run security research previously on password growth, the state of privileged accounts, and hacker reports from Black Hat and RSA. The main reason for conducting the report is that we are researching what critical data and cybersecurity metrics executives and CISOs need to be able to effectively measure their cybersecurity effectiveness, and we wanted to understand what the current state is today. What appears to be the case is that we are not getting any better, as many companies continue to measure cybersecurity as part of IT and not as part of risk and governance, and without this change it will always be measured incorrectly.

DL: Where are security metrics and cyberplanning doing so poorly in your opinion?

JC: The main reason it is doing so poorly is that companies are measuring the technology as part of IT, which has always been about availability, performance and usage; however, cybersecurity is about risk mitigation and is very different from measuring traditional IT systems. It is about the risk to the business and the cost of incidents and lost productivity, and unless companies and governments change the way they measure cybersecurity, they will continue doing this poorly, wasting huge sums of money and not reducing the cybersecurity risks.

DL: What do you think are the best cybersecurity metrics to use? Why?

JC: The best security metrics are about how well the business is performing against the threats mitigated, knowing that systems and data did not get corrupted due to security controls being in place and the value over time this helps companies measure the effectiveness of the solutions. At the end of the day, it is how did these solutions help our employees do their job and reduce the risk of compromise.

DL: Does there seem to be a difference between organization size and their grade?

JC: Not really. We found all sizes of organizations had the same issues and have been approaching the measurement of cybersecurity in a traditional IT sense. 

DL: How did government organizations fail as compared to the private sector?

JC: Government organizations failed just like the private sector; while they had more regulations to deal with, they became overwhelmed with resource constraints, lack of budget and education.

DL: Is there anything else you would like to tell us?

JC: It is important to get cybersecurity metrics correctly prioritized and to measure the risk to the business versus traditional IT. Once the data has been classified and the risks’ impact versus probability assessed, companies can then easily choose the right security controls that will help the business measure the right metrics and reduce the right risk effectively, allowing them to easily meet compliance.

Recommended Solutions to Improving Metrics (From the Thycotic Report)

Here is a subset of what the report recommends. Note: Many more details on each item are available in the report:

Educate All Stakeholders

  • Educate Employees and Measure Cyber Hygiene

The weakest link in the security of most organizations is the human being. As more sophisticated social engineering and phishing attacks have emerged in the past few years, companies must consider expanding their IT security awareness programs beyond simple online tests or acknowledgements of policies. As personal mobile devices are increasingly used for business purposes, educating employees on secure behaviors has become imperative.

  • Mandate that C-level execs experience a Red Team assessment
  • Implement an approach and culture of least privilege

Protect Critical Systems

  • Backup critical data and systems and customize your recovery plan for different types of cyberthreats. Test your restore capabilities.
  • Ensure Multi-Factor Authentication is in place
  • Strengthen Identity Access Management and Protect Privileged Accounts
  • Prepare and Implement a Cyber Incident Plan
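“Test your restore capabilities” is the item on that list most often skipped. The Python script below is an added example, not part of the Thycotic report, showing what a minimal restore test looks like: hash every file before backup, restore the archive into a scratch directory, and compare against the manifest so that a truncated or missing file is reported now rather than discovered during an incident. The data directory and the induced failures are constructed for the demonstration; the restore step extracts entries by hand so an archive member with a `../` path cannot write outside the target directory.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256, taken before backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(root: Path, manifest: dict, archive: Path) -> None:
    """Write exactly the files in the manifest into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)


def restore(archive: Path, dest: Path) -> None:
    """Extract file members by hand so an entry such as '../etc/passwd' cannot escape dest."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:
                raise ValueError(f"refusing unsafe archive path: {member.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                target.write_bytes(src.read())


def verify_restore(manifest: dict, dest: Path) -> dict:
    """Compare the restored tree against the pre-backup manifest."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        path = dest / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Back up a constructed data directory, restore it, verify, then show a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "conf").mkdir(parents=True)
        (src / "db.sql").write_text("CREATE TABLE customers (id INT);\n")
        (src / "conf" / "app.ini").write_text("[db]\nhost=db.internal\n")
        manifest = build_manifest(src)
        archive = tmp / "backup.tgz"
        make_backup(src, manifest, archive)

        dest = tmp / "restore"
        dest.mkdir()
        restore(archive, dest)
        good = verify_restore(manifest, dest)

        # Constructed failure: one restored file truncated, one never came back.
        (dest / "db.sql").write_text("CREATE TABLE cust")
        (dest / "conf" / "app.ini").unlink()
        bad = verify_restore(manifest, dest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good)
    print("broken restore:", bad)
```

The manifest must be stored somewhere the backup job cannot overwrite, otherwise a ransomware run that encrypts the data and then triggers a backup will produce a manifest that agrees with the encrypted files.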

Monitor and Control

  • Control, Monitor, and Report Admin Privileged Access to Systems
  • Correlate, Monitor and Audit Security Logs
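Both items come down to reading the logs you already collect. The Python script below is an added example, not from the report, that parses a constructed Linux auth.log excerpt for the three common routes to root (sudo, su, and a direct root ssh login), counts privileged actions per user, and flags direct root logins and escalation by anyone outside an approved-admin list. The host name, addresses, user names and the approved list are all made up for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption for the example: the only accounts allowed to act as root on this host.
APPROVED_ADMINS = {"alice"}

# Constructed auth.log excerpt in syslog format; no real hosts, users or addresses.
SAMPLE_LOG = """\
Aug 14 09:02:11 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Aug 14 09:02:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Aug 14 09:15:03 web1 sshd[2301]: Accepted password for root from 203.0.113.9 port 40022 ssh2
Aug 14 09:16:27 web1 su[2322]: (to root) bob on pts/1
Aug 14 09:20:00 web1 sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
""".splitlines()

PATTERNS = (
    ("sudo", re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<detail>.*)$")),
    ("ssh", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<detail>\S+)")),
    ("su", re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on")),
)


@dataclass
class Event:
    ts: str
    kind: str
    user: str      # account that initiated the action
    target: str    # account whose privileges were obtained
    detail: str    # command run, or source address of the login


def parse_line(line: str):
    """Return an Event for sudo, su and successful ssh lines; None for anything else."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            d = m.groupdict()
            # An ssh login "targets" the account that was logged into.
            target = d.get("target", d["user"])
            return Event(line[:15], kind, d["user"], target, d.get("detail", ""))
    return None


def audit(lines, approved=APPROVED_ADMINS) -> dict:
    """Count root-level access per user and flag anything outside policy."""
    events = [e for e in map(parse_line, lines) if e]
    privileged = [e for e in events if e.target == "root"]
    findings = []
    for e in privileged:
        if e.kind == "ssh":
            findings.append(f"{e.ts} direct root login over ssh from {e.detail}")
        elif e.user not in approved:
            findings.append(f"{e.ts} {e.user} obtained root via {e.kind} but is not an approved admin")
    return {
        "privileged_events": len(privileged),
        "per_user": dict(Counter(e.user for e in privileged)),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-user counts are the metric (how much root activity, and by whom); the findings list is the control. A direct root login is flagged regardless of who holds the password because it cannot be attributed to a person, which is the reason to disable `PermitRootLogin` in the first place.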

Measure

  • Get your Key Business Metrics Sorted

At the moment, the difficulty of measuring cybersecurity risk and effectiveness leaves many CISOs unable to demonstrate how cybersecurity delivers business value. The metrics are still evolving, and for most cybersecurity professionals the job has been about keeping the existing security controls working, making continuous improvements where possible, and adding security to previously adopted technologies. Cybersecurity has typically been an afterthought, making the CISO’s already-tough job more challenging.

As cybersecurity continues to capture more attention at the boardroom level, measuring the planning and performance of cybersecurity investments will hopefully get more sophisticated and helpful. The stronger our metrics, the better our odds of making smart decisions that keep our businesses growing safely and securely.      

  • Take the Security Measurement Index Benchmark Survey

Final Thoughts

There are many cybersecurity industry viewpoints, including several recent books and whitepapers, on this cybermetrics topic. While I am not endorsing their products or services and have no business relationship with their company, I like the approach that Thycotic has taken on this important security metrics discipline. I want to thank Joe Carson for providing his viewpoints, materials and expertise for this blog.

Other industry experts have focused on other aspects of applying the right security metrics, such as this recent article in CSO magazine on why security ROI is not a good measurement. Whether you agree or not, the article is thought-provoking.

I urge readers to take action on cybersecurity metrics and come up with what the best approach is for your enterprise. Doing nothing is not a sustainable option, and the results of this survey tell an important story on why cybersecurity grades are failing around the globe. 

Business continuity is the ultimate killer application for cloud

Original Article Here

A couple of decades back, I had the opportunity to tour a World War II-era tank factory that had been converted to an IT disaster recovery center. It had all the amenities: sleeping quarters, kitchen, and of course, every system conceivable for the two-day process of bringing an enterprise’s operations back online from tapes.

Photo: clouds and a crane over the Hudson River, June 2013 (Joe McKendrick)

Now, cloud compresses that whole process to seconds. No cots or tapes needed.

While cloud computing delivers advantages at many levels, for IT executives and professionals, there’s one benefit that outshines anything else: cloud offers great insurance against disasters or outages.

That’s the takeaway from two recent industry surveys, which looked at cloud’s value as it now approaches its second decade in the enterprise. A recent survey of 100 IT executives from Commvault finds data protection ranking as the top use case for cloud, cited by 75%. Its value as a data storage platform was the second benefit cited, coming in at 73%.

To be sure, IT managers recognize that business leaders are finding cloud delivers advantages above and beyond operational IT concerns. Customer focus through business agility ranks as a top business-side driver, followed by cost savings, then the ability to deliver greater innovation, and product innovation.

But along with business continuity and backup, cloud is useful as a medium to replace tape storage, as well as a way to move away from legacy apps and infrastructure. IT managers also saw cloud as providing a way to move IT staff themselves from maintenance mode to more innovative roles.

Another survey of 443 IT professionals from Druva puts a fine point on the drive toward cloud as disaster recovery protection. Disaster recovery, workload mobility, and archival automation were all strong adoption drivers, with many organizations looking to save money and maximize IT initiatives focused on simplifying their infrastructure. The Druva survey concentrated on the VMware user base.

Data protection of virtual infrastructure is a key driver for cloud adoption, the Druva survey finds, reporting that 82% of those surveyed cited disaster recovery as a critical reason to move to the cloud.

While both Commvault and Druva have stakes in these results — they are both in the data protection business — it’s notable that IT managers are aggressively entrusting their data and business continuity to cloud providers. A few years back, cloud was seen as more of a risk than a safe haven.

At the same time, the ultimate responsibility for data security, protection and backup still rests with the enterprise, not the cloud provider. The best strategy may be hybrid: cloud backs up on-premises data, and on-premises systems back up cloud data. As the Druva survey report’s authors put it: “while initially the IT community was skeptical about the cloud’s robust security, these perceptions are changing as professionals understand how it reduces the possibility of costly downtime and promotes productivity.” Forty-two percent intend to have virtual infrastructure both on-premises and in the cloud.

As one CTO in the Commvault survey put it: “I think there’s a misunderstanding about data and the cloud in general that falls into two camps. One camp is people who think it’s in the cloud so the data is automatically recoverable. The second camp is the people who think it’s in the cloud, but they need to make a copy. What people need to understand is the restore procedure. What does it mean? Is there a standby server? And if so, is there a hot standby or a warm standby? I think many CIOs need better explanations of that recovery process than they currently have.”

Another CTO panelist put it even more bluntly: “If the SaaS company evaporates with your data, it’s not just their problem, it’s yours.”

Six features the iPhone needs to stay ahead of Android

Original Article Here

While Apple likes to focus on making new iPhones lighter, thinner, and faster, I’d rather the iPhone 8 get these six features.


#1: Fast charging


Forget wireless charging, which is always much better in theory than in reality — what the next iPhone really needs is fast charging. Fast charging does away with having to leave your iPhone tethered to an outlet for hours, and also means that if your battery does get low, a few minutes of charging gives you hours of power.

Having to leave an iPhone plugged in for hours is unacceptable. There are plenty of high-end — and not so high-end — smartphones that can get a decent charge in a quarter of an hour, and it’s time for Apple to add this to its premium smartphone.

#2: Shatterproof screen

There’s no doubt that Gorilla Glass is tough, but it’s still glass. Glass has a habit of shattering. And with rumors suggesting that Apple is putting glass on the back of the iPhone too — to support wireless charging — there will be twice as much glass to break.

A sapphire display would be awesome, but a seriously toughened display such as that found on the Motorola Droid Turbo 2 would do fine.

#3: microSD card slot

Apple uses tiered storage as a way to ask big bucks for what is essentially a few dollars worth of extra storage. Also, the lack of an expansion slot means that if owners hit a storage wall, well, it’s time to buy a new iPhone.

I mean, if the tenth-anniversary iPhone 8 ends up costing more than a MacBook Pro, then Apple should be bold and stop nickel-and-diming buyers for more storage.

Alternatively, you can add your own microSD card slot … sort of.

#4: Higher-resolution camera

Twelve megapixels isn’t really that much when it comes to a camera, and despite the fact that the Plus version of the iPhone has a twin-camera arrangement, it’s time for Apple to push the megapixel envelope with the next release.

I know that image quality isn’t down to just the number of megapixels, but at the end of the day, the more detail captured by the camera, the more detail will be in the photo, and the more processing and refining that can be done.

#5: More system RAM

While 3 GB of RAM as found in the latest iPhones isn’t bad, more RAM would allow for better and smoother multitasking, as well as allowing the operating system to process higher megapixel photos and juggle bigger files with less of a performance hit.

#6: A dock to transform the iPhone into a desktop computer

Samsung has one feature that is pretty exciting that Apple needs to consider — DeX.

For those who don’t know, DeX is a dock that allows users to connect their Galaxy S8/S8 Plus to a monitor, keyboard, and mouse to turn it into a desktop experience — of sorts — powered by the handset.

This “dock that transforms a smartphone into a desktop PC” thing is not a new idea — it’s been tried many times before — and DeX is not perfect by a long shot, but it is certainly the most credible attempt at bridging the smartphone/desktop gap.

And, right now, Apple has nothing to compete with DeX.

OK, some of you are probably already flexing your fingers in preparation to type into the comments something along the lines of “but what about the iPad?” or “who needs a desktop when you have an iPhone?” or “what about the MacBook?”

My response is simple: None of these solutions comes close to what DeX offers.

Now, you might be thinking that DeX is just a flash in the pan. A fad. A sign that Samsung is desperately throwing ideas against a wall in the hope that just a few stick.

Maybe.

But it’s also pretty timely. If the current limited laptop ban ever does expand into a global laptop ban, then platforms such as DeX might get a foothold as business travelers decide that it’s too risky to take a laptop. While some might appreciate the break from the never-ending distraction that modern technology bombards us with, others might feel that their smartphone can be leveraged to do more than we currently ask of such devices.


The greatest cyber security threats of 2017

Original Article Here

The first half of the year has seen an inordinate number of cyber security meltdowns. And they weren’t just your standard corporate breaches. There has been viral, state-sponsored ransomware, leaks of spy tools from US intelligence agencies, and full-on campaign hacking.

According to 2017 Ponemon Cost of Data Breach Study, sponsored by IBM, the average total cost of a data breach is $3.62 million. That is not a loss most companies can afford to take. The study also found that one in four companies will experience a breach.

Let this recap of 2017’s biggest cyber-incidents so far serve as a reminder of just how chaotic things have already gotten.

Voter Records Exposed

On June 19, researcher Chris Vickery announced that he had discovered a publicly accessible database containing personal information on 198 million US voters, possibly every American voter going back more than 10 years. The conservative data firm Deep Root Analytics hosted the data in an Amazon S3 bucket. The bucket had been misconfigured: some of its contents were protected, but more than a terabyte of voter information was readable by anyone on the web. A misconfiguration is not a malicious hack in itself, but it is a critical and all-too-common security risk for institutions and individuals alike.
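The exposure came from the bucket’s own access configuration, not from an exploit. The Python script below is an added example, not code from the article or from Deep Root Analytics, that reads an S3 bucket policy document (the string that `aws s3api get-bucket-policy` returns in its Policy field) and reports Allow statements granting read access to an anonymous principal, separating unconditional grants from conditional ones that still deserve review. The three policies, the bucket name, the VPC endpoint ID and the account/role ARN are constructed for the demonstration; a bucket can also be exposed through its ACL, which this check does not cover.

```python
import json
from fnmatch import fnmatch

# Constructed policies; none of them belongs to a real bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-data",
                     "arn:aws:s3:::example-voter-data/*"],
    }],
})

VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-data/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-data/*",
    }],
})

# Actions that let a caller read data; compared case-insensitively and
# against wildcard patterns such as "s3:*" or "s3:Get*".
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for '*' or {'AWS': '*'}, the two spellings of 'everyone on the internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json: str) -> dict:
    """Classify Allow statements that grant read actions to an anonymous principal."""
    result = {"public": [], "conditional": []}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch(act, pat) for act in READ_ACTIONS for pat in patterns):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # A Condition narrows the grant but still needs a human look: a condition
        # on aws:Referer or aws:UserAgent is trivially spoofed, one on
        # aws:SourceVpce is not.
        result["conditional" if stmt.get("Condition") else "public"].append(sid)
    return result


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY),
                         ("vpc-only", VPC_ONLY_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: {public_read_statements(policy)}")
```

Run across every bucket in an account, the "public" list is the finding and the "conditional" list is the review queue; an empty result for a bucket is necessary but not sufficient, because a bucket ACL granting READ to the AllUsers group exposes the same data without any policy at all.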


WannaCry Ransomware

On May 12, a strain of ransomware called WannaCry spread around the world, hitting hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients. Though powerful, the ransomware also had significant flaws, including a check against an unregistered web domain that security researchers used as a kill switch: once the domain was registered, new infections found it reachable and rendered themselves inert, stemming the spread.

Macron Campaign Hack

Two days before France’s presidential runoff in May, hackers dumped a 9GB trove of leaked emails from the party of centrist front-runner (now French president) Emmanuel Macron. The leak seemed orchestrated to give Macron minimal time and ability to respond, since French presidential candidates are barred from speaking publicly beginning two days before an election. But the Macron campaign did release statements confirming that the En Marche! party had been breached, while cautioning that not everything in the data dump was legitimate.

Shadow Brokers

The mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. The Shadow Brokers offered a sample of alleged stolen NSA data and attempted to auction off a bigger trove, following up with leaks on Halloween and Black Friday 2016. April 2017, though, brought the group’s most impactful release yet: a trove of particularly significant alleged NSA tools, including a Windows SMB exploit known as EternalBlue, which attackers have since used to infect targets in two high-profile ransomware outbreaks.


Petya/ NotPetya/ Nyetya/ Goldeneye

A month or so after WannaCry, another wave of ransomware infections that partly leveraged the Shadow Brokers’ Windows exploits hit targets worldwide. The malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways but still had flaws, such as an ineffective and inefficient payment system. It infected networks in multiple countries, including the US pharmaceutical company Merck, the Danish shipping company Maersk and the Russian oil giant Rosneft.

World-wide Cyber Attacks

On 13 May 2017, display panels at the main railway station in Frankfurt am Main, Germany went dark after the WannaCry outbreak reached the German railway operator’s systems. The same worldwide attack knocked out tens of thousands of computers belonging to companies, institutions and individual users.

Wikileaks CIA Vault 7

On March 7, WikiLeaks published a data trove called “Vault 7” containing 8,761 documents allegedly stolen from the CIA, with extensive documentation of alleged spying operations and hacking tools. Revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices. The documents detailed individual tools for tasks such as using Wi-Fi signals to track a device’s location and persistently surveilling Macs by controlling their firmware, the fundamental layer of code that coordinates hardware and software. WikiLeaks claims that Vault 7 reveals “the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponised ‘zero day’ exploits, malware remote control systems and associated documentation.”

Cloudbleed

In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data. Cloudflare offers performance and security services to about six million customer websites, so though the leaks were infrequent and only involved small snippets of data, they drew from an enormous pool of information. Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and Cloudflare patched the bug within hours.


Fuelling the increase in cybercrime is the growing role that digital devices and data storage play in people’s lives. Criminals follow the money, and for them, data means dollar signs. What can be done to avoid these crimes and make the web more secure?



America's weak cybersecurity puts our nation at risk of a modern 9/11

Original Article Here

As serious as Kim Jong Un’s threats are to attack Guam, Alaska or Hawaii with nuclear ballistic missiles, it’s likely that any future conflict will begin, and possibly end, with non-kinetic but no less crippling cyber warfare. This kind of warfare is an assault on the electronic “connective tissue” of modern society: interference with the critical data and electronic signals that control and influence every facet of modern life.

Americans may understand that cyber threats exist, defining the dangers in terms of loss of credit card information, personal information like addresses, phone numbers, social security numbers, bank account information and even private health information. Fifteen million Americans will have their identities stolen this year. And by some estimates, cybercrime will cost American businesses $8 trillion over the next five years. Appalling? Yes. Life threatening? Maybe not.


More serious but less publicized is the loss of very sensitive proprietary information, like China’s theft of Lockheed Martin’s F-35 stealth fighter jet designs. At least two of China’s modern fighter aircraft, the J-31 and J-20, are built off of stolen F-35 designs. The 2016 presidential campaign saw the hacking of 33,000 of Hillary Clinton’s emails, many containing classified information.

Blatant attempts by Russians and others to manipulate our sacrosanct election process through cyber meddling focused attention at the political level. The notion that Vladimir Putin could impact our election process should be seen as a grave threat. After all, Russia’s cyber manipulation has successfully impacted the elections in France, Germany, Ukraine and others.

Why would we think America would be immune from Russian hacking or cyberattacks by other nations and groups? Information warfare, which is what Russia is waging against the United States, has become a major political distraction, but many in Washington and across the country are missing the bigger point.

Considering the far more serious implications of network intrusion and data manipulation by hostile foreign powers, the stakes are far higher than political theater and sensational journalism will allow. From government information technology networks to the cockpits of our most sophisticated aircraft, cyber threats are real, dangerous and growing daily.

The largest U.S. government network hack recently occurred when cyber thieves stole records affecting 21.5 million current and former government employees. In the government domain (.gov) alone, there are more than 100 departments and agencies across every functional federal and state IT component at significant cyber risk.

Foreign agents are constantly probing, attempting to steal whatever they can from virtually every critical part of our IT networks. Departments whose purpose includes everything from developing war plans, to gathering intelligence, to managing our currency, collecting taxes and managing our electrical power grid are under constant cyberattack.

Bringing down any one of these critical .gov functions through cyberattack seriously threatens our national security, which is why the U.S. Department of Homeland Security (DHS) is responsible for protecting these interconnected networks at all costs. Protecting critical IT infrastructure is the responsibility of the National Cybersecurity Protection System (NCPS), specifically a system of tools known collectively as “Einstein,” which secures and defends .gov networks.

As the cyber threat grows, so must the government’s capabilities. DHS awarded the development, operations and maintenance contract, known as “Domino,” to upgrade the .gov system and integrate ongoing function and cyber protection across the domain.

For more than two years, the Obama administration was wrapped up in a wasteful, revolving-door contract protest that has left .gov no closer to bringing online the much-needed upgrades to the government’s IT protection tools, including state-of-the-art predictive analytics, network protection and much-needed automation.

This upgrade is still not underway, despite the urgent need, even though through multiple review processes the DOMino contract has repeatedly been awarded to the same vendor to get the job done. At stake here is more than procurement integrity. Delaying cyber protection affects all government agencies, not just one or two, because they’re all interconnected in one way or another. Citizens rely on their government to prevent a cyber 9/11, whose effects could cripple and destabilize the country.

It is axiomatic that the Department of Homeland Security is charged with protecting citizens from all external threats, including the devastating effects of cyberattack. The Trump administration and officials at DHS have an opportunity to get this right once and for all. They should not let the arcane government acquisition process blunt the agency’s critical mission, especially now, when the threat is increasing.

Sandy Clark is a retired U.S. Navy captain who served 24 years on tours around the world. He is now a consultant on national defense issues including cybersecurity.


The views expressed by contributors are their own and are not the views of The Hill.

Use a cybersecurity incident response plan with BC/DR

Original Article Here

Outcomes of a cybersecurity event can be just as damaging to an organization as a more traditional business continuity/disaster recovery event. But despite the possibility of each reporting to the same department, the disciplines typically do not interact.

The figure below depicts how a cybersecurity incident response plan and business continuity/disaster recovery (BC/DR) activities may launch from an overall incident response plan as the triggering mechanism, but do not typically interact after that. As you can see, BC and DR activities are typically linked and collaborative.

Typical BC/DR and cybersecurity incident response

By contrast, the next figure proposes a different and potentially more effective approach to the relationship of the three disciplines. Once an event occurs, regardless of which of the disciplines responds — or which has primary responsibility for the incident — all three work together.

Comprehensive BC/DR and cybersecurity approach

The second figure suggests a way to leverage the skills and resources of the three disciplines to achieve maximum value in the aftermath of an incident, especially a cyber incident. But a simple diagram is not enough. You’ll want to find ways to validate the collaboration of the disciplines.

Justifying the collaboration

A cyberattack affects the entire business, not just the servers, networks, data, firewalls or other assets. And a disruption to each of these assets affects the organization and its critical functions.

Based on the nature of the cyber event and its extended effect on company assets, what plan or plans would you launch? Cybersecurity? Disaster recovery? Business continuity?

During the incident response, you’ll assess the event, what it is, what it affects, its severity and ways to mitigate it. At some point in the incident response plan timeline, decisions must be made as to whether or not other plans should be activated.

A key question is: At what point does one plan end and another begin? Let’s assume the cybersecurity incident response plan is in action, and it’s determined that several servers have been compromised. Do you switch over and launch the DR plan? What happens to the cybersecurity plan? If such a transition occurs, how is that transition determined? Who makes that determination? Are those instructions written into each plan?

If each of the disciplines is represented in your organization, it’s likely they have been fully justified to senior management. Move the bar higher by discovering ways to leverage the benefits of each discipline. From an audit perspective, it may be necessary to develop new controls that address linkages and ground rules for how and when each plan is used.

Tips for bridging the gap

Consider the following tips to effectively combine a cybersecurity incident response plan with your BC/DR plans:

  • Establish cooperation across the plans and their teams. Agree that the disciplines should be more closely aligned and determine new ground rules for how the plans interact, how they are triggered and how they manage the incident.
  • Set procedures for how the teams interact from when the incident occurs to when it ends. Each plan includes guidance and contact details for launching a plan or an additional plan, communicating among the teams, as well as a joint post-event meeting to examine how the plans worked and how their teams performed.
  • Examine existing plans in the context of a broader range of potential incident scenarios. Cybersecurity events are often different from those associated with BC/DR. Examine the incident scenarios addressed in the cybersecurity incident response plan and BC/DR plans, and look for areas of commonality and overlap. Recognize that a cybersecurity event could evolve into a BC/DR event. Conversely, a BC/DR event could potentially open the door to a cyber event. For example, a catastrophic failure of network firewalls could enable unauthorized data to pass into the organization’s internal networks.
  • Identify transition points where an incident response plan can launch another plan or more than one plan. When an event occurs, the incident response team moves quickly to determine the nature of the incident. Based on the team’s determination and discussions with internal subject matter experts, a specific plan may be launched. Prior to such an event, develop rules and procedures for situations when the incident escalates to more than the initial plan can handle. These transition points are built into each plan to establish criteria for launching additional plans.
  • Establish joint planning and management activities. Ensure that the various teams meet periodically to discuss planning activities, new technologies, information sharing and strategies for responding to events. This is also a good opportunity to discuss individual plans, document how they can work collaboratively and identify ways of improving them.
  • Schedule joint exercises. When developing exercises associated with a cybersecurity incident response plan and BC/DR plans, consider performing joint exercises. These can help transition planning, information sharing, and increase the likelihood of a successful recovery and resumption of business operations.

If you're really concerned about browser security, Incognito isn't enough

Original Article Here

Quick question: What do you do when you want to browse the internet securely? Do you click on your browser menu, select your browser’s privacy mode and go about your merry way, assuming your data is safe and your history not saved? I’ve got news for you: chances are that private or incognito mode isn’t exactly what it’s cracked up to be.

I’ve tested both Chrome and Firefox and have witnessed both of them retaining browser history. What does this mean for you, the user? It means if you need serious privacy for your web browsing, or if you need to safeguard data while working on company sites, you might have to turn to a speciality browser, such as Tor Browser or Epic Browser. Tor Browser is available for all platforms, and Epic Browser is only available for Mac and Windows. Both browsers not only ensure your history will not be retained, but they also work with the help of a proxy system to keep your browsing encrypted and private.

So, if you’re looking for the highest level of security in a browser, look away from the likes of Edge, Chrome, and Firefox and turn your sights to Tor and Epic. Both of these browsers are surprisingly easy to use and will go a long way toward keeping your data safe. Are they perfect? Are they superior to what you’re using now? Chances are, the answer to that question is a resounding yes.

LENSAlert touches residents where they live (literally)

Original Article Here

In Louisville, Ky., city officials monitor weather conditions for over 400 square miles in Jefferson County. Using Rave Mobile Safety technology to power the Louisville emergency notification system called LENSAlert, they can send targeted notifications to residents’ phones about severe thunderstorms, flash flooding, tornadoes, snowstorms and air quality.

LENSAlert can send out messages through text, email, voice calls, Facebook, Twitter and RSS feeds. It has also been integrated with If This Then That (IFTTT), a digital service that allows users to set conditional triggers to deliver specific actions.

In February the city’s Air Pollution Control District started working with IFTTT to notify residents about air quality conditions. A team at Louisville Emergency Services worked with a developer in its IT department to enable the data feed from the Rave-based LENSAlert to be sent directly to IFTTT. From there, IFTTT Smart Louisville Applets can be set up to send an email, update Slack or activate a number of smart home responses. LENSAlert can now be connected to over 400 software and hardware devices, allowing a new level of accessibility.

There are also applications to help those with disabilities. “There are some devices that you can attach to a bed and if the person is deaf or blind, it will shake the bed to wake them up,” said Mitchell Burmeister, executive administration and public information officer at Louisville Emergency Services. “We can basically connect to any smart home device or internet-connected device that uses internet of things.”

Burmeister even has six Philips LED smart bulbs in his own house that change color depending on the emergency notification status. When emergency notifications are sent the bulbs will flash red; general notifications flash yellow.

“Rave is set up so we can geographically target [alerts for] different areas of the community that could be affected,” Burmeister said. “An isolated storm moving through could have hail or high winds but it might only hit the southern and northeastern part of the county, so we make sure that the alerts are targeted through the Rave system” to notify just those likely to be affected.

IFTTT users are also able to set up which notifications they would like to receive. Besides getting alerts when emergency notifications have been issued, they can get them for changes in air quality. Applets can send alerts on air quality changes or turn on a homeowner’s WeMo Air Purifier.

The LENSAlert notifications are not just for home users, however. Louisville is in the process of installing Wi-Fi-enabled kiosks in the downtown area to give directions and help with tourism and plans to push emergency notifications to the kiosks as well.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.

Oregon DMV overhaul drives Real-ID compliance

Original Article Here

As Oregon works toward complying with the Real ID Act, the state is also modernizing its computer systems at the Department of Motor Vehicles.

The 2005 Real ID Act established new security standards for state-issued driver’s licenses and ID cards related to data, documentation, verification and sharing. It also prohibits federal agencies from accepting licenses and ID cards from states that do not meet these standards. That means ID from non-compliant states will not be accepted for entrance to military bases and federal facilities as well as at airport security checkpoints.

Although Oregon’s DMV could use its existing mainframe computer software, created in the mid-1960s and ’70s, to implement a Real ID-compliant identification card, it would be costly and time consuming, Lauren Mulligan, a spokesperson for the department’s Service Transformation Program, said in an email.

“Because our modernization program has already been launched, issuing Real ID-compliant cards has been scheduled to coincide with our modernization program,” she added.

That revamp became necessary because the legacy software has become so outdated that it hinders the department’s ability to deliver myriad services, not just upgraded ID cards, she said.

“It could also affect the collection of revenues that support Oregon’s transportation system,” Mulligan said. “To meet the requirements of changing laws, address the significant limitations of the existing system and meet customer expectations, it is important for DMV to improve core business processes and support these with better technology.”

The modernization, which is in the second of its projected 10 years, will bring about several benefits for DMV employees and Oregonians alike, including more digital and self-serve options and faster visits to field offices.  “DMV will become a more nimble organization, better equipped to adapt to the changing needs of customers, business partners and the legislature,” Mulligan said.

At the end of June, DMV awarded Fast Enterprises a $69.4 million contract for its FastDS-VS system to replace Oregon’s aged software. FastDS-VS is an integrated software solution designed specifically for use by motor vehicle agencies. Its architecture is based on seven modules:

  • Customer maintains customer information such as demographics and registrations, and also has customer self-service features.
  • Driver services handles the issuance of licenses and ID credentials, while also supporting fraud detection and the reporting of driver restrictions.
  • Vehicle services deals with titling and registration.
  • Financials supports revenue accounting and distribution.
  • Workflow enables managers to assign and prioritize work.
  • Information provides real-time reporting, data exchange, analysis and storage.
  • Management studio allows employees to configure and use the solution.

“Choosing a commercial off-the-shelf product means that instead of building a costly and time-consuming custom system, Oregon DMV will work with the vendor to configure their existing product to meet our needs,” Mulligan said.

The first two years of the modernization effort were dedicated to readiness planning, including purchasing a commercial system. Officials are still determining how they will migrate paper-based and outdated digital records into the new systems, Mulligan said.

“We’ve selected our vehicle programs as the starting point, so we know that forms and records related to vehicle titling, registration and permits will change first,” she said. “We anticipate that most of the legacy software will be replaced with the new software over the next three years.”

The vehicles services module should be in place in early 2019, with the driver services module coming about 18 to 20 months later, she said. Becoming fully compliant with Real ID will be part of that second phase.

A law signed in early July set an implementation target date of July 1, 2020, just three months shy of the Homeland Security Department’s cutoff in October of that year for accepting IDs from non-compliant states.

The state speculates that with a firm implementation goal on record, the Department of Homeland Security will grant additional extensions beyond the current Jan. 22, 2018 deadline, according to an Oregon Transportation Department statement.

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.

NIST tackles smart grid framework update

Original Article Here

The entire energy ecosystem has shifted since the National Institute of Standards and Technology last updated its Framework and Roadmap for Smart Grid Interoperability Standards in September 2014. On Aug. 17 and 18, a meeting of the NIST Smart Grid Advisory Committee discussed updating the framework to meet the needs of today’s producers and consumers.

With attacks on the electric grid seen as increasingly plausible, cybersecurity was top of mind. Nelson Hastings, an electronics engineer and project leader at NIST’s computer security division, led a discussion about the importance of keeping smart grid devices secure without creating latency.

“We are profiling performance of smart grid devices when cybersecurity capabilities are enabled,” Hastings said. NIST is also developing technology to assess the impact of security solutions on grid edge devices, which it defines as smart meters, thermostats and HVAC heating and cooling systems, he said. Work is also being done to assess the effects of enabling encryption on smart meters, inverters, EV charging stations and thermostats.

John McDonald, the business development leader with GE’s SmartGrid Strategy Group North America, expressed some concern about how adding cybersecurity measures into devices could impact their performance. He suggested putting the security technology into the network gateway rather than the device itself.

“You can have the same level of security by putting it at a different device level like in the gateway, but you need to look at architectural tradeoffs,” McDonald said. “I’m not sacrificing the cyber capability, but I’m making the total system less expensive.”

NIST Smart Grid Program Manager Avi Gopstein explained how smart grid systems have changed with the ownership of assets coming now from the service owners.

“The question of asset ownership is very important, and it is a dynamic area of understanding right now,” Gopstein said. “We are struggling with what it means for consumer provider devices, service devices and utility devices on the system.”

Work on the framework will focus on the smart grid technology layers: conceptual, logical, physical and implementation. It will build on version 3.0, which took a conceptual model and made the framework into an architectural discussion.

NIST is looking to get input from the public on operations, economics, cybersecurity, testing and certification with a focus on the changing architecture of the smart grid.

“We want to leverage some of the current research,” Gopstein said. “For each of these topics, we want to partner with an organization to hold a workshop in the field to get input from the community.”

Industry stakeholders were particularly interested in current issues such as storage components and what it means to deal with the data from smart metering.

But Deborah Gracio, director of the National Security Program Development Office at Pacific Northwest National Laboratory, urged committee members to think further ahead — about new markets like bitcoin and the “huge explosion” of edge devices on the smart grid.

“Going back to the cyber risk framework is a great start for what we need to do for the smart grid,” Gracio said. “As you start to think about renewables and storage, you need to think about how these issues will work on the grid, and the hygiene component is going to be one of the big issues.”

To ensure the framework meets the challenges of the next five years, stakeholders recommended study of other considerations:

  • Spatial and temporal granularity.
  • Role of the “prosumer,” a consumer who also produces energy.
  • A highly electrified low-carbon future.
  • Embedded measurement and sensing.
  • Operational interdependence.
  • Plug-and-play integration.
  • Technology renovation cycle and the pace of standard developments.
  • Analytics for better use of data.

Meanwhile, NIST is taking steps to test smart grid technology in house. Committee members got to see the work in progress on the Smart Grid Testbed Facility.

The $2.5 million facility on the NIST site in Gaithersburg, Md., will create a set of interconnected and interacting labs that test measurement systems and validate smart grid standards with a particular focus on microgrids — smaller grids that can be quickly disconnected from, and function independently of, the larger grid.

Measurements will be conducted in eight areas including power conditioning, cybersecurity, precision time synchronization, sensor interfaces and energy storage.

More information about NIST’s work in the smart grid space can be found here.

Serious about online privacy? Try these 2 browsers

Original Article Here

Mastering Article 30 Compliance: Conducting, Maintaining and Reporting on your Data Inventory

Original Article Here

As part of its Summer / Fall Privacy Insight Series, TrustArc hosted a webinar where Charles Nwasor of Ensono, Paul Iagnocco and Margaret Alson of TrustArc spoke about the EU GDPR Article 30 requirements.

Article 30 pertains to Records of Processing Activities. Not only do organizations have to keep records, but also,

The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

While creating data maps is not required, many organizations find them very useful. Data maps, or data flow maps, are visual representations of data flows that help organizations understand data movements across borders and within critical aspects of an organization’s data environments. Data flows are extremely complex in most organizations, so capturing those flows in a linear spreadsheet can be difficult. Visual representations of these complex relationships are easier to understand and can be used as a communication tool across the organization.

The panelists spoke about two different ways of conducting data flow maps, and the benefits and drawbacks of each method. The two methods are the IT/Systems Based Approach and the Process Based Approach. For example, one benefit of the Process Based Approach is that organizations often get more accurate results, because the Systems Based Approach may miss systems that are being used “off the record”.

To find out more about mastering Article 30 requirements, you can listen to the webinar on demand here. Other topics covered include:

  • Methodology and tools;
  • How to get internal buy-in;
  • Where to start, and what’s next.

TrustArc offers tools and solutions through a proven methodology to evaluate readiness, build a plan, and then implement the plan for GDPR compliance. The Build, Implement & Demonstrate approach coupled with our integrated technology solution helps companies manage a sustainable GDPR program. To find out more, contact us to learn more about TrustArc GDPR solutions.

 

Russian-Speaking APT Engaged in G20 Themed Attack

Original Article Here

A newly discovered dropper for the KopiLuwak backdoor suggests that the Turla group is back at it again, Proofpoint says.

Turla, a long operating advanced persistent threat group (APT) with presumed ties to the Russian government, appears to be actively targeting G20 participants and those interested in its activities including policymakers, member nations and journalists.

That analysis is based on the discovery of a new JavaScript dropper for a backdoor called KopiLuwak that Turla has been known to use.

Security vendor Proofpoint, which recently discovered the dropper on a public malware repository, described it as being delivered with a benign decoy document inviting people to a G20 Digital Economy Taskforce meeting in Hamburg this October. The dropper first surfaced in mid-July suggesting that the campaign is a new and potentially ongoing one, Proofpoint said in a blog.

Kevin Epstein, vice president of Proofpoint’s threat operations center, says the dropper is most likely being delivered to targets via spear phishing emails. Targets receive an email containing a decoy “Save The Date” invitation to the October G20 taskforce meeting.

The invitation appears to be a PDF but is actually an executable Program Information File (PIF) carrying a set of instructions for dropping KopiLuwak on the computer. When a recipient double-clicks on the PDF icon, the PIF causes the decoy document to open normally while in the background it quietly installs the backdoor. In addition to installing KopiLuwak, the JavaScript dropper is also designed to profile the victim system and to establish persistence on it.
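The disguise described above (a PDF-looking name and icon on a file that is really an executable PIF) can be caught by looking at both the full extension chain and the leading bytes of an attachment. The following is an added example, not Proofpoint's code; the file names and byte samples are constructed.

```python
"""Attachment triage for the PIF-disguised-as-PDF trick described above.
Added example, not Proofpoint's code; every file name and byte sample is constructed."""

from dataclasses import dataclass

# Extensions Windows runs as programs.  A .pif is executed whatever its content,
# and Explorer never displays the .pif suffix, so "invite.pdf.pif" shows as "invite.pdf".
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

# Leading bytes that identify the real container, independent of the name.
MAGIC = [
    (b"MZ", "pe-executable"),                              # DOS/PE header: .exe, .scr, executable .pif
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),                      # .docx/.xlsx and plain .zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls
    (b"{\\rtf", "rtf"),
]


@dataclass
class Verdict:
    filename: str
    extensions: list      # every suffix, so a double extension stays visible
    content_type: str     # what the bytes say the file is
    reasons: list         # empty when nothing looks wrong

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes.  PDF readers tolerate leading junk, so the
    %PDF- marker is also accepted anywhere in the first 1024 bytes."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    kind = sniff(data)
    reasons = []
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{final} is executable on Windows")
    if len(exts) > 1 and final not in DOCUMENT_EXTENSIONS \
            and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("document extension hidden in front of a non-document final extension")
    if final in DOCUMENT_EXTENSIONS and kind == "pe-executable":
        reasons.append(f"named .{final} but content starts with a PE/DOS header")
    if final == "pdf" and kind != "pdf":
        reasons.append("named .pdf but no %PDF- header in the first 1024 bytes")
    return Verdict(filename, exts, kind, reasons)


def suspicious_names(attachments: dict) -> list:
    """Names of all attachments in {name: bytes} that raise at least one reason."""
    return [name for name, data in attachments.items()
            if inspect_attachment(name, data).suspicious]


# Constructed samples: a genuine PDF, the decoy style the article describes
# (PDF-looking name, PE content, .pif suffix), and an ordinary Office document.
SAMPLES = {
    "G20_SaveTheDate.pdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "G20_SaveTheDate.pdf.pif": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00",
    "agenda.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = inspect_attachment(name, data)
        print(f"{name:26} {v.content_type:14} {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```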

The decoy document itself appears to be a genuine invitation to the G20 task force meeting and was likely stolen. The invitation is not publicly available so the fact that the Turla group is using it as a decoy suggests that an entity with legitimate access to the invitation has already been compromised. Another possibility is that the invitation was legitimately obtained from a recipient, Proofpoint said.

Once installed on a system, KopiLuwak enables attackers to take complete control of it and carry out a variety of malicious actions, Epstein says. “It can be commanded to download and execute arbitrary files. They can run a keylogger or activate the camera or microphone, read documents or put in a browser extension that copies your passwords. They own you.”

The subject matter of the decoy document and Turla’s background suggests that the latest campaign is designed to gather key information related to G20 from participants and others associated with it, Epstein says.

That, however, does not mean that others shouldn’t be paying attention to such APT campaigns as well, he says. Increasingly, cybercriminals have begun copying and adopting the tactics used by APT groups in carrying out financially motivated attacks.

“Just because you think you are not an APT target is not a reason to underspend on security,” Epstein says. “The tactics used by everyday cybercriminals are absolutely comparable to the more sophisticated actors out there.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Merged VR: Augmented Reality Cubed

Original Article Here

There is considerable development activity at the high end of hardware and content creation for virtual reality and augmented reality, as well as such AR aliases as mixed reality, extended reality and others. Most industry investment is aimed at leading-edge gaming and industrial application development. However, the low-end of the market is also worth looking at, to see how people and institutions without big budgets — consumers and education — might adopt these technologies sooner, rather than waiting for the advancements to trickle down.

50% of Ex-Employees Can Still Access Corporate Apps

Original Article Here

Businesses drive the risk for data breaches when they fail to terminate employees’ access to corporate apps after they leave.

When employees are terminated or move on to new roles, they’re often taking access to corporate data with them. For some companies, this access leads to a data breach.

Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren’t doing enough to protect against the threat of ex-employees.

Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.

Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees’ accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don’t know how long accounts remain active after workers leave.

“The value of the data at risk is higher than ever,” says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.

“The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent,” he adds.

The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops — spreadsheets, processors, general ledgers. Then they began to transition to cloud services.

“Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud.”

Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commissions, ledgers, marketing, purchasing, paying invoices, and doing expenses. As the surface area expands, companies have to deprovision 20 to 30 applications per worker instead of the usual four or five.

“There’s this proliferation of applications,” Hoyos continues. “Because of that, the risk has increased exponentially.”

Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.

Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees’ knowledge.

Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).

The amount of time it takes to deprovision an employee depends on how many applications they used and how long they’ve been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.
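The gap the survey measures is simple to check for: join the HR departure feed against each application's account export and list every departed user whose account is still active past a grace period. The script below is an added example (not OneLogin's tooling); the HR feed, the application names and the account statuses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data, not from the survey: an HR feed of departure dates
# and the per-application account exports an admin would pull for review.
HR_DEPARTURES = {
    "alice": "2017-08-01",
    "bob": "2017-08-10",
    "carol": "2017-08-14",
}

# application -> {username: account status as reported by that application}
APP_ACCOUNTS = {
    "crm": {"alice": "active", "bob": "suspended", "dave": "active"},
    "file-share": {"alice": "active", "carol": "active", "dave": "active"},
    "expenses": {"bob": "active", "carol": "active"},
    "ledger": {"alice": "suspended"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    days_since_departure: int


def find_lingering_access(departures, app_accounts, as_of, grace_days=1):
    """Return active accounts of departed users past the grace period.

    Dates are ISO strings. grace_days=1 mirrors the "longer than a day"
    measure quoted above; pass 0 to list every still-active account.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for user, left_on in departures.items():
        age = (today - date.fromisoformat(left_on)).days
        if age <= grace_days:
            continue
        for app, accounts in app_accounts.items():
            if accounts.get(user) == "active":
                findings.append(Finding(user, app, age))
    # Oldest departures first, so the largest exposures are at the top.
    return sorted(findings, key=lambda f: (-f.days_since_departure, f.app))


def apps_per_departed_user(findings):
    """Count how many applications each departed user can still reach."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_lingering_access(HR_DEPARTURES, APP_ACCOUNTS, "2017-08-15"):
        print(f"{f.user:8} still active in {f.app:12} "
              f"{f.days_since_departure} days after leaving")
```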

“There are several ways to mitigate, prevent, and protect against insider threats,” says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.

With respect to access control, it’s best to use industry standards for authentication, such as LDAP, PKI, Kerberos and two-factor authentication, implemented at the organization level, to ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.

Monitoring data to see how it’s updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.

“This is very difficult and this is one reason why there are so many data breaches today,” Thomassen adds.

Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.

Verizon’s Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it’s unsanctioned snooping (17%) or taking data to a new employer to start a rival company.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Docker strives for profit with new Enterprise Edition

Original Article Here

Docker has released Docker Enterprise Edition (DEE), a Container-as-a-Service (CaaS) platform for managing and securing Windows, Linux, and mainframe containerized applications across multiple platforms both on premises and in the cloud.

DEE provides a container management platform that unites Windows, Linux, and mainframe apps on a single platform on the same cluster. This puts it in competition with container orchestration market leader Kubernetes. Docker’s program provides customizable and flexible access control for Bring Your Own (BYO) environments, support for a broad range of applications and infrastructure types, and new capabilities for creating predefined policies that unify and automate the software supply chain.

DEE is a re-branding and re-positioning of Docker’s commercial platform. It combines what had been known as the Docker Commercially Supported edition and the Docker Datacenter platform. The first version of DEE appeared in March. Since then, Docker has released a monthly Community Edition (CE) version. Features that prove their worth in CE are then released in DEE.

The new release, DEE 17.06, is built on Docker CE 17.06. It also includes several features that had been part of Docker Datacenter, such as a private Docker registry and management interface.

DEE comes in basic, standard, and advanced tiers. Docker also launched a certification program so third parties can integrate with its framework and sell software on the Docker Store.

  • Basic has the Docker platform for certified infrastructure and support from the company. Certified containers and plug-ins are available from the Docker Store.
  • Standard adds multi-tenancy support with advanced image and container management and secure hooks into data centers.
  • Advanced includes the previous items and security scanning and vulnerability monitoring.

DEE is certified for CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, SUSE Linux Enterprise Server (SLES), Oracle Linux, and Windows Server 2016, as well as cloud providers AWS and Azure. With this release, it also runs on Linux running on IBM z Systems, LinuxONE, and Power Systems.

The technical point is to provide a single orchestration system for centralized access controls, security policies, etc., across teams and business units without requiring changes in code, processes or procedures over Linux, Windows, and mainframe architectures.

This also gives organizations the ability to customize role-based access control (RBAC), which defines both physical and logical boundaries for different users and teams sharing the same DEE environment.

On the business side, DEE is Docker’s latest attempt to become profitable. True, Docker kick-started the container revolution, but Docker’s never mastered being able to profit from containers. As Matt Asay, writer and Adobe’s VP of mobile, recently wrote, Docker hasn’t made the shift yet of turning “a hugely successful open-source project into a hard-headed, open-source business.”


Vendor Exposes Backup of Chicago Voter Roll via AWS Bucket

Original Article Here

Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access.

The data was a backup stored in AWS by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Neb.

Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from Amazon.

Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.
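A bucket becomes public through one of two mechanisms: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose Principal is "*". The checker below is an added example (not UpGuard's or ES&S's code) that evaluates both documents offline; the ACLs and the policy are constructed samples in the shape AWS returns them, and the bucket name and owner ID are placeholders.

```python
import json

# Group grantees that make an ACL grant world-accessible.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed samples in the shape of GetBucketAcl / GetBucketPolicy output.
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
]}
PUBLIC_READ_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_permissions(acl):
    """Permissions the ACL grants to everyone (or to any AWS account)."""
    public = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            public.add(grant["Permission"])
    return public


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_actions(policy_json):
    """Split anonymous Allow actions into unconditional and condition-gated sets."""
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        target = conditional if stmt.get("Condition") else unconditional
        target.update(_as_list(stmt.get("Action", [])))
    return unconditional, conditional


def bucket_exposure(acl, policy_json=None):
    """Summarize what an anonymous caller could do with this bucket."""
    acl_perms = acl_public_permissions(acl)
    uncond, cond = policy_public_actions(policy_json) if policy_json else (set(), set())
    wildcard = bool(uncond & {"s3:*", "*"})
    return {
        # Bucket-ACL READ lists the keys; object bodies need GetObject (or object ACLs).
        "listable": "READ" in acl_perms or wildcard or "s3:ListBucket" in uncond,
        "objects_readable": wildcard or "s3:GetObject" in uncond,
        "writable": bool(acl_perms & {"WRITE", "FULL_CONTROL"}) or wildcard
                    or "s3:PutObject" in uncond,
        # Gated grants still deserve review; the condition may be broader than intended.
        "conditional_public_actions": sorted(cond),
    }
```

Run against a real account, the same two functions would take the JSON returned by the GetBucketAcl and GetBucketPolicy API calls for each bucket.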

ES&S confirmed in a statement that the copy of the backup file, a .bak or Microsoft SQL backup file, contained 1.8 million names, addresses, dates of birth, partial Social Security numbers and in some cases, driver’s license and state identification numbers. Jon Hendren, director of strategy at UpGuard and the person who found the exposed data, said that the databases also included fields indicating whether a voter was active. About 1.5 million of the records belonged to active voters.

There were two folders in the AWS bucket, Hendren said, containing about a dozen backup files, about 12GB in all. Also in the folder was some information on ES&S security procedures that included the hashed email passwords of ES&S employees. While the personal information of voters exposes them to fraud via phishing and other scams, the employee data poses a serious threat in another direction.

“There’s no telling how far a nefarious actor could get if they’re willing to use those credentials,” said Chris Vickery, UpGuard director of cyber risk research who has found other similar leaks via Amazon buckets. “There’s no way to tell if they would be able to infiltrate ES&S networks or systems, but the potential is there.”

ES&S sells a number of different electronic voting systems and vote tabulators. The City of Chicago is a customer of theirs, and it’s unknown what type of work was being done with the data or why it was being stored in a publicly accessible bucket.

“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement. “These backup files had no impact on any voters’ registration records and had no impact on the results of any election.”

The City of Chicago Election Board said it was notified of the breach by the FBI last Saturday afternoon at 5:37. By 9:44 p.m., the board said ES&S had taken the server offline. The board said in a statement that no systems, websites or servers managed by the board were affected and that none of its sites or networks reside on AWS.

“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel A. Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”

Vickery said it’s unknown whether anyone else accessed the data, or whether ES&S had logging configured and enabled.

“Given the bucket name was easy to guess (“Chicago DB”) and had been up many months before I noticed it, I would say the chances of me being the first one are slim,” Hendren said.

Vickery added that ES&S websites do not have SSL enabled. A web-scanning and ranking service called CSTAR, run by UpGuard, determined that ES&S also falls short in that it does not have HSTS turned on, nor does it use HttpOnly cookies, secure cookies, DMARC or DNSSEC. It also displays the server information header.
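Most of the shortcomings in that list are visible in a single HTTP response. The function below is an added example (not CSTAR or any UpGuard code) that audits one response for TLS, HSTS, the Server header and cookie flags; both responses it is fed are constructed, not captures from ES&S. DMARC and DNSSEC are DNS properties and are outside what a response can show.

```python
# Constructed sample responses, not captures from any real site.
WEAK_RESPONSE = ("http", [
    ("Server", "Apache/2.4.18 (Ubuntu)"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

# Threshold chosen for this example: six months, a common floor for HSTS max-age.
MIN_HSTS_MAX_AGE = 15552000


def _hsts_max_age(value):
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def audit_response_headers(scheme, headers):
    """Return a sorted list of weaknesses visible in one HTTP response.

    `headers` is a list of (name, value) pairs so repeated Set-Cookie lines
    survive. DMARC and DNSSEC live in DNS, not in the response, so they are
    out of scope here.
    """
    findings = set()
    lowered = [(name.lower(), value) for name, value in headers]
    present = {name for name, _ in lowered}

    if scheme != "https":
        findings.add("no-tls")
    if "strict-transport-security" not in present:
        findings.add("missing-hsts")
    else:
        max_age = _hsts_max_age(dict(lowered)["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.add("hsts-max-age-too-short")
    if "server" in present:
        findings.add("server-header-disclosed")

    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.add(f"cookie-{cookie}-missing-httponly")
        if "secure" not in attrs:
            findings.add(f"cookie-{cookie}-missing-secure")
    return sorted(findings)
```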

News in brief: few girls studying computing; new Galaxy Note battery issue; fine over parking data breach

Original Article Here

Your daily round-up of some of the other stories in the news

Concern at number of girls studying computing

There’s been a lot of focus on how to improve the representation of women in the tech industry in the wake of concerns about the culture at companies such as Uber, and many experts agree that it’s important to focus on the pipeline and to encourage girls and young women to choose relevant subjects at school.

So the news that of those taking the A-level computing studies exam at 18, just 9.8% of them are girls has sparked concern – while there was also concern about the low overall numbers taking the course, the BBC reported.

Bill Mitchell of BCS, the chartered institute for IT, said in response to the figures from the Joint Council for Qualifications: “Today’s announcement that nearly 7,600 students in England took A-level computing means it’s not going to be party time in the IT world for a long time to come,” and added: “At less than 10%, the numbers of girls taking computing A-level are seriously low.”

He went on: “We need to make sure that our young women are leaving education with the digital skills they need to secure a worthwhile job, an apprenticeship or go on to further study.”

Battery fears hit Samsung again

Remember the debacle over the Samsung Galaxy Note 7 and the overheating batteries? Now Samsung has been hit by another battery issue – some refurbished Galaxy Note 4 devices are having their batteries recalled.

However, this time it’s not Samsung’s fault: the 10,000-odd affected devices, according to the US Consumer Product Safety Commission, which issued the recall, are “batteries placed into refurbished AT&T Samsung Galaxy Note 4 cellphones by FedEx Supply chain and distributed as replacement phones through AT&T’s insurance program only”.

The affected batteries are apparently counterfeit, and are at risk of overheating. Although the Note 4 is three years old, the affected phones were sent out to customers fairly recently, between December 2016 and April this year as replacements via AT&T.

If you’ve got one of these devices, power down the phone and don’t use it – you’ll be hearing from FedEx.

Council fined over parking data breach

A local authority in London has been fined £70,000 after it exposed the personal information of 89,000 people via its parking ticket system, which allowed people to see CCTV images of their alleged parking offence.

The Information Commissioner’s Office, the UK’s data regulator, fined the council after a member of the public realised that by manipulating a URL on the council’s Ticket Viewer system they could access the information of other people including bank details, medical evidence and home addresses and phone numbers.

Sally Anne Poole, the ICO enforcement officer, said: “People have a right to expect their personal information is looked after. Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure, it can have distressing consequences for all those involved.”

The ICO said that the council hadn’t tested the system either before it went live nor regularly after that.
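The Ticket Viewer flaw is an authorization check missing at the point where the URL parameter is turned into a record, which is why editing the URL was enough. The code below is an added example (not the council's system) showing that pattern beside a version that checks the authenticated requester against the record's owner and counts refusals, so an enumeration attempt shows up in logs; the ticket store and its contents are constructed.

```python
# Constructed ticket store; sequential numeric IDs like a typical viewer system.
TICKETS = {
    1001: {"owner": "alice", "registration": "AB12 CDE", "address": "1 High St",
           "evidence": "cctv-1001.jpg"},
    1002: {"owner": "bob", "registration": "XY98 ZZZ", "address": "7 Park Rd",
           "evidence": "cctv-1002.jpg"},
}


def view_ticket_vulnerable(ticket_id):
    """The flawed pattern: the ID from the URL is the only thing consulted.

    Whoever changes ?ticket=1001 to ?ticket=1002 receives another person's record.
    """
    return TICKETS.get(ticket_id)


class TicketViewer:
    """Hardened lookup: authorization against the authenticated requester,
    plus a tally of denied lookups so an enumeration attempt is visible."""

    def __init__(self, tickets):
        self._tickets = tickets
        self.denied = {}   # requester -> number of refused lookups

    def can_view(self, requester, ticket_id):
        record = self._tickets.get(ticket_id)
        return record is not None and record["owner"] == requester

    def view(self, requester, ticket_id):
        # Missing and not-yours collapse into one response so the ID space
        # cannot be mapped by telling the two cases apart.
        if not self.can_view(requester, ticket_id):
            self.denied[requester] = self.denied.get(requester, 0) + 1
            raise PermissionError("ticket not found or not yours")
        return self._tickets[ticket_id]

    def suspicious_requesters(self, threshold=3):
        """Requesters with repeated refusals: candidates for alerting or lockout."""
        return sorted(r for r, n in self.denied.items() if n >= threshold)
```

The ownership check is the fix; an unguessable ticket reference would only slow enumeration down and is not a substitute for it.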



Neo-Nazi Site Takedown Raises Tough Questions on Who Should Police Content

Original Article Here


Neo-Nazi website the Daily Stormer hopped from one service provider to another this week as a string of companies, including Google, GoDaddy and Cloudflare, cancelled its accounts in the wake of the Charlottesville attack. The issue has brought up a lot of questions around who should have the final say in policing unsavory content online: private companies or law enforcement, or neither?

Cloudflare CEO Matthew Prince, who has previously said that he doesn’t believe his own political beliefs should color what is and is not allowed on its network, said the last straw was when Daily Stormer readers were claiming Cloudflare supported their beliefs. Prince acknowledged that his decision to terminate the service to Daily Stormer was not a Cloudflare policy and was ultimately his call.

In an interview with The Verge, Prince said the decision was dangerous “in a lot of ways … I think that we as the internet need to have a conversation about where the right place for content restriction is … but there was no way we could have that conversation until we resolved this particular issue.”

In a post on Thursday, the Electronic Frontier Foundation (EFF) agreed that the decision by Prince was dangerous, and “that on the Internet, any tactic used now to silence neo-Nazis will soon be used against others, including people whose opinions we agree with.”

“Protecting free speech is not something we do because we agree with all of the speech that gets protected. We do it because we believe that no one—not the government and not private commercial enterprises—should decide who gets to speak and who doesn’t.”

The EFF said that because internet intermediaries like GoDaddy, Google, and Cloudflare “control so much online speech, the consequences of their decisions have far-reaching impacts on speech around the world.”

In the case of GoDaddy and Google, services to Daily Stormer were terminated because it was in violation of their policies and terms of service. Terms of service are the fine print in contracts that often gets skipped over as users sign up for an online service like web hosting. Companies like GoDaddy will include clauses that allow them to cancel a user’s service in specific instances, such as if the hosting services are used to promote or encourage illegal activity. In these cases, it is up to the service providers’ discretion whether a site violates its TOS.

The EFF recommends that content hosts implement procedural protections to mitigate mistakes, such as providing “user content providers with mechanisms to review decisions to restrict content in violation of the intermediary’s content restriction policies.” By being clear about these content takedown policies, users and governments will have transparency into the process.

The EFF has previously given recommendations to tech companies on how to protect their users, including fighting against unconstitutional gag orders and National Security Letters, and resisting demands for encryption backdoors. Cloudflare has previously worked with the EFF to protect its users from overarching court orders.

“Currently there are no U.S. laws or regulations to prevent web infrastructure providers from taking such actions. Under federal law, private corporations can deny service to groups or individuals, as long as it’s not because of their race, religion or sexuality. Nor does the principle of ‘net neutrality’ really apply since that just calls for broadband providers like Verizon or Comcast to treat all data equally,” according to a report by Bloomberg.

It is also unrealistic to expect hosting providers and internet infrastructure providers to be able to police the content of their users on an individual basis. Hosting providers already adhere to laws around copyright takedown notices and are protected through the Digital Millennium Copyright Act (DMCA). 

As many have noted in the past few days, what has happened with Daily Stormer and its fight to stay online could be a slippery slope where governments and others can pull sites they don’t agree with offline. The conversation is one companies who provide the nuts and bolts of the internet are being forced into having, even if it is uncomfortable and complex.

Carbon Emissions: Oversharing Bug Puts Security Vendor Back in Spotlight

Original Article Here

Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary data from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature. Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in some customers unintentionally sharing sensitive files.

As noted in last week’s story, DirectDefense warned about a problem with Cb Response’s use of Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. DirectDefense labeled the bug “the world’s largest pay-for-play data exfiltration botnet.”

Numerous industry analysts leapt to Carbon Black’s defense — with some even calling “bullshit” on the findings — pointing out that plenty of other vendors submit files through Virustotal and that DirectDefense was merely trying to besmirch a competitor’s product.

But earlier this week, Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to Virustotal for scanning.

“On Thursday, we discovered a bug affecting a small percentage of our Cb Response customers,” said Mike Viscuso, co-founder and chief technology officer at Carbon Black. “Our review is still ongoing, but based on what we learned to date it requires a very specific customer configuration, and we have already taken steps to remediate the bug and protect our customers.”

Viscuso said this bug appears to affect a small number of Cb Response customers who have enabled VirusTotal submissions and use the program on a Mac OS in the presence of specific third-party applications. For example, he said, when a Mac user opens Spotify, the popular music service will read a configuration file in a way that causes Cb Response to classify regular content files (e.g., Microsoft Word, PDF, .TXT) as an unknown binary file. A binary file is computer-readable but not human readable; for example, executable programs (e.g., .exe files on Windows) are stored as binary files.

According to Viscuso, the bug was introduced in the Mac version of Cb Response roughly three months ago. He said part of the problem seems to stem from the file classification tool that ships with the Cb Response — explaining that the tool sometimes misclassifies corrupted binary files. One of the most common sources of corrupted binary files are antivirus products, which often modify suspected malicious binaries after placing the files in quarantine to ensure the programs can’t be accidentally run.
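The failure mode described above is a classifier that lands a content file in the "unknown binary" bucket and a submission rule that treats that bucket as fair game. The code below is an added example (not Carbon Black's classifier) of the conservative gate: identify executables positively by their structure, hold anything that looks like a damaged executable for review, and keep everything else, "unknown" included, inside the organization. The sample files are constructed byte strings.

```python
import struct

# Magic numbers for the executable formats this gate is willing to submit.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, both byte orders
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, both byte orders
# 0xCAFEBABE is shared by fat Mach-O binaries and Java class files, so it is
# deliberately left out and falls through to "unknown".
EXECUTABLE_TYPES = {"pe", "elf", "macho"}


def _looks_like_text(data):
    sample = data[:512]
    if not sample or b"\x00" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def classify(data):
    """Name the format by its magic bytes; never call unknown data a binary."""
    if data[:2] == b"MZ":
        # A real PE has e_lfanew at 0x3C pointing at a "PE\0\0" signature.
        # Quarantined or truncated files often keep "MZ" but lose the rest.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "corrupt-pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip-container"      # docx, xlsx, jar and friends
    if _looks_like_text(data):
        return "text"
    return "unknown"


def submission_decision(data):
    """Decide whether a file may leave the organization for external scanning.

    Returns (format, action). Only positively identified executables are
    submitted; damaged executables are held for a human; everything else,
    including "unknown", stays local, because "unknown" is exactly where
    content files land when classification goes wrong.
    """
    kind = classify(data)
    if kind in EXECUTABLE_TYPES:
        return kind, "submit"
    if kind == "corrupt-pe":
        return kind, "hold"
    return kind, "keep-local"


# Constructed samples (not real files).
VALID_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
CORRUPT_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0xFFFFFF00) + b"\0" * 16
FORECAST_TXT = b"Q3 sales forecast\nregion,amount\nEMEA,1200000\n"
CONTRACT_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
OPAQUE_BLOB = bytes(range(256)) * 2
```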

The Carbon Black discovery comes as more software-as-a-service providers are seeking ways to alert customers who may be inadvertently sharing sensitive data. Amazon recently launched Amazon Macie, a new security service that uses machine learning to discover and classify sensitive data such as personal information in AWS, alerting customers when such data is moved, accessed or otherwise publicly available.

Viscuso said the company was considering whether it, too, could offer any additional service that might help customers prevent the accidental sharing of content files to third-party services like VirusTotal. In the meantime, he said, Carbon Black is providing a full list of uploaded files to affected customers, asking them to report whether the files were binaries or content files.


White House elevates status of US Cyber Command

Original Article Here


The White House announced Friday that President Trump has elevated US Cyber Command to the status of a Unified Combatant Command, putting it on par with the military’s other combat branches, such as the US Pacific Command and US Central Command.

Currently, US Cyber Command is part of the US Strategic Command, and it is directed by the head of the National Security Agency (NSA), Navy Admiral Michael S. Rogers.

The move, the president said in a statement, will consolidate cyberspace operations under a single commander and ensure that “critical” cyberspace operations are adequately funded. In conjunction with this move, Secretary of Defense James Mattis will consider whether to split Cyber Command from the NSA and will deliver his recommendation “at a later date.”

President Obama had also considered elevating Cyber Command and splitting it from the NSA. The Obama administration established Cyber Command under US Strategic Command in 2009 to address the growing threat of cyber attacks. Elevating the agency acknowledges that Cyber Command’s mission to conduct offensive and defensive cyber activities is distinct from the NSA’s electronic intelligence-gathering mission.

The president’s decision was commended by defense hawks in Congress like Republican Sens. Lindsey Graham of South Carolina and John McCain of Arizona.

“While we welcome this elevation, there is much more to be done to prepare our nation and our military to meet our cybersecurity challenges,” McCain, chairman of the Senate Armed Services Committee, said in a statement. “We must develop a clear policy and strategy for deterring and responding to cyber threats. We must also develop an integrated, whole-of-government approach to protect and defend the United States from cyberattacks.”

McCain also said he appreciates the administration’s commitment to “ensuring that a future separation of the so-called ‘dual hat’ relationship between Cyber Command and the National Security Agency will be based on conditions, rather than arbitrary political timelines.”

Offensive cyberweapons from enemies may be reengineered

Original Article Here

The U.S. Defense Intelligence Agency claimed it wanted to reengineer enemy malware to be used as offensive cyberweapons, but experts said this may be less of a practical plan of action and more a signal of intent to shift away from a defensive posture.

Lieutenant General Vincent Stewart, director of the U.S. Defense Intelligence Agency, expressed this interest in offensive cyberweapons while speaking at the U.S. Department of Defense Intelligence Information Systems conference in St. Louis.

“Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use against us,” Stewart said. “We must disrupt to exist.”

Jonathan Sander, chief technology officer at STEALTHbits Technologies, said calling these comments about offensive cyberweapons “a plan is reading too much into the press conference.”

“The premise of the comments were that the U.S. has been in a defense only posture, but the NSA leaks of cyberweapons like EternalBlue show that’s far from the truth,” Sander told SearchSecurity. “It’s clear the U.S. has an active and capable red team that’s finding and weaponizing its own cyber assets. Of course the military will also capture, analyze and learn from any weapons used against it. But that’s less news and more something we should all hope they are doing anyway.”

Mounir Hahad, senior director of Cyphort Labs, agreed that Stewart’s comments were “intended to convey intent to be more active than the passive past.”

“There is no advantage gained by the U.S. government in re-using adversary developed malware, the U.S. is plenty capable of developing its own and inflicting whatever damage it wants,” Hahad told SearchSecurity. “Furthermore, the targets may be completely different technologically speaking, so a weapon that works against U.S. targets may be ineffective against a target at a different level of automation.”

The risks of reengineering malware

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said a plan to reengineer offensive cyberweapons would be ineffective.

“This is the general idea of throwing the grenade back at the person who threw it at you, [but] it’s certainly more effective with grenades than with malware,” Williams told SearchSecurity. “Reverse engineering is a much more specialized skill than programming, so the effort required to do this is much higher than simply developing malware in the first place.”

Georgia Weidman, founder and CTO of Shevirah, a penetration testing firm based in Washington, D.C., said our government should be analyzing the offensive cyberweapons samples obtained “to further protect ourselves from future similar attacks,” but noted there are major risks in attempting to repurpose that malware.


“There are many instances of exploit code freely available on the internet that purports to attack an enemy but instead attacks the machine that attempts to run the attack, making a victim of the attacker,” Weidman told SearchSecurity. “Sophisticated malware often goes to great lengths to make it difficult for malware analysts to fully understand what it is doing, obfuscating its code to mislead analysts. Or it may behave differently in different environments, attempting to detect when it is being analyzed and changing its behavior accordingly. Simply ripping out the target information in a piece of malware and sending it back out could have devastating unintended consequences if the malware is not fully understood.”

Williams also noted that the practice of reengineering offensive cyberweapons wouldn’t be new, because the CIA “mined malware for capabilities as part of their UMBRAGE program.”

“In most cases, this isn’t a question of patching. Most malware doesn’t use any zero day exploits. The real issue is signatures. We would generally assume that the adversary who is deploying malware has signatures in place to detect their own malware,” Williams said. “Any reengineering effort would have to include some programs to obfuscate the signatures of the malware itself. The problem with this is that the adversary you are throwing the malware back at knows more about the malware than you do and you don’t know what specifically in the malware they are alerting on. A much better plan is to write your own malware from scratch.”

Weidman said the government shouldn’t trust it can control offensive cyberweapons that it didn’t create.

“Malware once released from its cage has no moral compass when attacking intended victims,” Weidman said. “While some malware such as the famous Stuxnet went to great lengths to only attack intended targets, spreading far and wide but only running its destructive payload under specific circumstances, there is very likely to be collateral damage in a malware attack.”

Hijacked Chrome extensions infect millions of users

Original Article Here

New research shows millions of Google Chrome users have been hit with malware through eight hijacked Chrome extensions.

According to threat protection vendor Proofpoint, the eight compromised Chrome browser extensions include two that were hijacked earlier this month — Copyfish and Web Developer. According to the Proofpoint researcher known as Kafeine, the other six compromised extensions are Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. From downloads of all eight hijacked Chrome extensions, nearly 4.8 million users received malicious code from the attackers.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme,” Kafeine wrote in a blog post. “This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.”

Targeted users were shown a JavaScript alert that said their PC needed to be repaired and were then directed to pay for the false repairs, enabling the attackers to profit from this scheme.

According to Kafeine, the attackers “are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.”

However, Kafeine also noted that, “in addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.”

There is no proof yet that all of the hijacked Chrome extensions were targeted by the same hacker or hacking group, though the compromises all happened in the same time frame.

Google has dealt with security issues surrounding Chrome browser extensions in the past. In 2015, the company implemented a policy that requires all Windows and Mac users and developers to install extensions only from the Chrome Web Store. This change was spurred by concerns about extensions that enabled the download of malware. The policy update also included a feature called Enhanced Item Validation, which runs additional checks on extensions before they are published in the Chrome Web Store.

In other news

  • DNS provider Cloudflare terminated the account of neo-Nazi website the Daily Stormer. In an official statement, the company’s co-founder and CEO Matthew Prince wrote: “Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.” However, in a candid internal notice to Cloudflare employees, Prince said the decision was personal. “I woke up this morning in a bad mood and decided to kick them off the Internet,” he wrote. While the company has previously maintained content neutrality, Prince said Cloudflare still received requests to terminate its distributed denial-of-service (DDoS) attack protection services of the site. “The initial requests we received to terminate their service came from hackers who literally said: ‘Get out of the way so we can DDoS this site off the Internet,’” wrote Prince. In the official statement, he went on to acknowledge his decision is “dangerous,” but argued it likely won’t set a precedent. The Electronic Frontier Foundation (EFF), however, issued a statement that expressed concern over Cloudflare’s decision, arguing that “because Internet intermediaries, especially those with few competitors, control so much online speech, the consequences of their decisions have far-reaching impacts on speech around the world. And at EFF we see the consequences first hand: every time a company throws a vile neo-Nazi site off the Net, thousands of less visible decisions are made by companies with little oversight or transparency. Precedents being set now can shift the justice of those removals.” While the EFF is clear that it disagrees with the content on the Daily Stormer, the group said it defends “the right of anyone to choose what speech they provide online; platforms have a First Amendment right to decide what speech does and does not appear on their platforms.”
  • A Venafi survey found that 72% of security professionals don’t believe that encryption backdoors would make a nation safer from terrorists. Venafi surveyed over 290 attendees of the Black Hat USA conference in July and found that “the majority of industry professionals believe encryption backdoors are ineffective and potentially dangerous.” In a blog post, Venafi wrote that, “it is widely acknowledged that backdoors into encryption technology create vulnerabilities that can be exploited by a wide range of malicious actors, including hostile or abusive government agencies,” and despite the danger, many government officials advocate for encryption backdoors to “strengthen national security and hinder terrorism.” Respondents of the survey disagree — 91% of them said cybercriminals could take advantage of encryption backdoors that are government mandated. Another notable finding is that 81% of respondents said they believe that governments should not have the ability to force technology companies to give them access to encrypted user data.
  • VMware patched an important denial-of-service vulnerability in its NSX-V Edge products. The vulnerability, according to VMware’s advisory, is that the “VMware NSX-V implementation of the OSPF protocol doesn’t correctly handle the link-state advertisement (LSA). A rogue LSA may exploit this issue resulting in continuous sending of LSAs between two routers eventually going in loop or loss of connectivity.” VMware also noted that the vulnerability, classified as CVE-2017-4920, is tough to exploit because an attacker would need local access to the targeted system in order for an exploit to be possible. Security researchers Adi Sosnovich, Orna Grumberg and Gabi Nakibly first reported the vulnerability to VMware. Patches are now available for all affected products, which could be running on any platform.

Opening Java EE, Tectonic on Azure, Free Tools & More…

Original Article Here

While the open source story everyone was watching this week was probably the release of Docker EE 17.06, there were a couple of stories “bubbling under” (as Billboard used to call an also-ran record sales chart) that deserve some attention.

We’ll start with Oracle, because no company says “open source” like Oracle.

Actually, Ellison & Company has always seemed to have trouble wrapping its head around open source, so much so that whenever the company inherits established open source projects — as happened seven years ago when it acquired Sun Microsystems — die-hard open source advocates find themselves running for the hills, fearing that revolution is nigh.

Evidently the folks at Oracle have realized that the Java Enterprise Edition platform might be better off if it moved out of Redwood Shores and found a home more conducive to the open source development model.

“Although Java EE is developed in open source with the participation of the Java EE community, often the process is not seen as being agile, flexible or open enough, particularly when compared to other open source communities,” Oracle software evangelist David Delabassee wrote in a blog on Thursday. “We’d like to do better.”

The long and short of it: Oracle is “considering” finding a new place for Java EE developers to hang their proverbial hats.

“We believe that moving Java EE technologies including reference implementations and test compatibility kit to an open source foundation may be the right next step,” Delabassee continued, “in order to adopt more agile processes, implement more flexible licensing, and change the governance process. We plan on exploring this possibility with the community, our licensees and several candidate foundations to see if we can move Java EE forward in this direction.”

My guess is that if Oracle does decide to relinquish control of the platform, it’ll end up at either the Linux Foundation or the Apache Foundation. The latter would be the obvious best guess, since it’s where Oracle dumped OpenOffice after it famously lost most of the office suite’s longtime developers in a revolt that turned into the LibreOffice fork. In this case, Apache might be problematic, depending on how long people hold grudges. In 2010, soon after Oracle acquired Java, the Apache Foundation resigned its seat on the Java Community Process board when Oracle refused to license its Technology Compatibility Kit for Apache’s version of Java.

And you thought open source folks were a bunch of kumbaya tree huggers.

CoreOS luvs Microsoft. It appears that the more Microsoft professes its love for Linux and open source, the more open source loves Redmond back. Why? Because Azure, that’s why — which really boils down to money. In most cases, every time somebody spins up an open source enterprise app on Azure (or AWS, GCP or Bluemix), the cash register starts ka-chinging — and usually without even having to pay a salesperson to wear out shoe leather.

No surprise then that CoreOS, a container-centered Linux distribution, is making its Kubernetes-based DevOps platform, Tectonic, available on Microsoft Azure, beginning with Thursday’s release of version 1.7.1. The platform is already available on AWS.

This can be a good option for DevOps. CoreOS is a leading developer of Kubernetes, and its products always contain the orchestration platform’s latest version. It’s also available for a free trial on 10 or fewer nodes.

Red Hat releases new Development Suite. Raleigh-based Red Hat showed a little southern hospitality on Tuesday with the release of some new tools for developers. In a blog, Bob Davis explained:

“This collection of tools has been assembled into an easy-to-use installer to help software developers quickly and easily put together a development environment to create containerized enterprise Java apps by installing OpenShift on their desktop. The Developer Tools Installer will automatically download, install and configure the selected tools on macOS, Windows and Red Hat Enterprise Linux. Development Suite also simplifies the installation and configuration of EAP, Fuse, and Kompose. As always, it’s available at no-cost from developers.redhat.com/downloads.”

Sweet, eh?

Weekend reading: This week, Red Hat’s community site, Opensource.com, published an article on “How to Write Better Error Messages.” Usefulness to the user seems to be the key.

That does it for this week. Have a great weekend. And until next time, may the FOSS be with you…

ShieldFS Hits 'Rewind' on Ransomware

Original Article Here


How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?

Original Article Here

It’s coming on two decades now since the first warnings that US critical infrastructure is vulnerable to a catastrophic cyberattack. According to some experts, it is perhaps more vulnerable now than ever – the threats are worse and the security is no better.

But how likely is such an attack? There is still plenty of debate about that.

Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

There have been similar warnings since from top government officials – former defense secretary Leon Panetta paraphrased Clarke in 2012, warning of a “cyber Pearl Harbor” – a major cyberattack on industrial control systems (ICS) that could disable the nation’s power grid, transportation system, financial industry and government for months or longer.

Of course, nothing even close to that catastrophic level has happened – yet. And there are a number of experts who say such doomsday language is gross hyperbole, peddling nothing but FUD (fear, uncertainty and doubt). Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said at the 2015 RSA conference that squirrels and natural disasters were a more realistic threat of taking down the grid than a cyber attack.

But a couple of experts in ICS – the equipment used to operate the grid and other critical infrastructure – say they are increasingly troubled that security has not really improved since the warnings began.

Galina Antova, co-founder and chief business development officer at Claroty, recently referred in a blog to “The Lost Decade of Information Security”, saying:

“We are no better off today in terms of cybersecurity readiness than we were 10 years ago. The threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.”

She has some company in the person of Joe Weiss, managing partner at Applied Control Solutions, who has said for years that ICS security is dangerously lax. Writing on his “Unfettered” blog last week, Weiss said there is essentially no security in ICS process sensors, the tools to detect anomalies in the operation of ICSs – which means an attacker could get control of them relatively easily and create major physical damage.

Weiss cited a number of sensor “malfunctions” that illustrate the problem. One, he said, resulted in the release of 10m gallons of untreated wastewater. Another, he said, was the rupture of a pipeline in Bellingham, WA, which released 237,000 gallons of gasoline into a nearby creek causing it to catch fire, killed three people, caused an estimated $45m in property damage and led to the bankruptcy of the Olympic Pipeline Company.

“That happened in June, 1999,” Weiss said in an interview. “How can that be relevant today? It turns out every bit of it is, because the same flaws that existed then exist today.”

He said in most cases there is no way to know if what happened was an accident or a malicious attack, because of a lack of visibility into the networks. And he wondered on his blog: “How can this lack of security and authentication of process sensors be acceptable?”

What to do? That is where Weiss and Antova part company – just a bit. Antova said she agrees that the sensor flaws exist and, as she wrote, the threat of major ICS attacks “is real and just over the horizon”. But, in an interview, she also said she is “allergic” to describing the threat at either extreme – in relatively trivial terms (squirrels) or disaster (Pearl Harbor).

She said it is not simple or quick to fix flaws in sensors. “Engineers know it takes years to design,” she said, “and it can take 25 to 35 years to replace the architecture” of ICS equipment. She ought to know – she was formerly global head of industrial security services at Siemens, a leading manufacturer of power generation and transmission systems.

In her blog post, she called for implementing what is practical and feasible – the kind of “security hygiene” steps that would keep ICS from being the “low-hanging fruit” that it is now. Things like patches, really taking network segmentation seriously, and giving IT professionals visibility into the networks.

What has hampered that, she wrote, has been a failure to “bridge the gap” between IT and engineering staff, each of whom “approach the world with different viewpoints, backgrounds and missions.” Engineers, she noted, focus on keeping things physically safe and running. Anything that impedes that, they reject.

She also said government regulatory frameworks and standards are, in many cases, not practical. One example she cited was the push for “air-gapped” networks. It sounded good, she said, but it interfered too much with efficiency and the needs of the business. “As a result, air gaps now have one thing in common with unicorns – they don’t exist,” she wrote.

But just doing security basics would help. “You have to start somewhere,” she said.

Weiss contends it is possible, and necessary, to be both more aggressive and creative. Part of the problem, he said, “is a failure of imagination. When you look at the bad guys, they really are bad guys. We need to think like bad guys.”

But the two agree that there needs to be better communication between operations and IT. “We’ve got to have engineering in the same room when IT comes in and says this is what I want to do,” Weiss said. “Every time there’s an important meeting in DC on cybersecurity, GE and Siemens aren’t there.”

And both agree that the risk of something really serious happening is growing. “We know these (ICS) networks are exposed,” Antova said. “They are resilient and have safety measures, but for a skilled hacker, it’s not that hard to fool safety equipment.”

The real menace, she said, is that ransomware like WannaCry and Petya is not just in the hands of nation states, but “in the hands of every crazy person. I don’t think people realize how poor the cyber hygiene is.”


It’s Not Exactly Open Season on the iOS Secure Enclave

Original Article Here

The black box that is Apple’s iOS Secure Enclave may have been pried open, but that doesn’t necessarily mean it’s open season on iPhones and iPads worldwide.

Yesterday’s public disclosure of the decryption key for the Secure Enclave Processor firmware does indeed allow white and black hats to poke and probe about for vulnerabilities. And while finding a bug is one thing, exploiting it may be quite another.

Very little granular detail has been made public about what’s going on inside Secure Enclave. Probably the best known insight was provided during a 2016 Black Hat talk given by Azimuth Security researchers Tarjei Mandt, David Wang and Mathew Solnik.

They were able to reverse engineer the Secure Enclave Processor (SEP) hardware and software, and determined that while the hardware was state-of-the-art—or better—the software left a bit to be desired. Wang was interviewed on the Risky Business podcast (interview begins at 31:24) nearly a year ago and told host Patrick Gray that there was very little in the way of memory mitigations, though he could see that Apple was constantly tinkering with the security of the Secure Enclave’s software with each successive update.

“We think the hardware is light years ahead of the competition; the software, not so much,” Wang said. “It’s missing a lot of modern exploit mitigation technology; it’s pretty much unprotected.”

This was also disclosed during the Black Hat presentation where it was revealed that things such as ASLR or stack cookie protections were missing at the time.

Mandt, however, yesterday echoed what other researchers have been saying since the key was published: the immediate threat to users is negligible.

“Our research from last year also showed that doing this typically requires additional vulnerabilities in iOS in order to enable an attacker to communicate arbitrary messages (data) to the SEP,” Mandt told Threatpost. “It is also worth noting that Apple by now presumably has addressed the shortcomings that we highlighted last year regarding exploit mitigations, making exploitation harder.”

According to the most recent iOS Security Guide, communication between the Secure Enclave and the iOS application processor—which is entirely separated from the SEP—is done through “an interrupt-driven mailbox and shared memory data buffers.”

As for the lack of ASLR or stack cookies, Wang told Risky Business this could be due to a lack of computing resources in the Secure Enclave microkernel needed to support these mitigations.

The Secure Enclave, as explained in the iOS Security Guide, is a coprocessor unto itself inside the mobile operating system. Its job is to handle cryptographic operations for data protection key management; its separation from the rest of iOS maintains its integrity even if the kernel is compromised, Apple said in the guide. Primarily, the Secure Enclave processes Touch ID fingerprint data, signs off on purchases authorized through the sensor, or unlocks the phone by verifying the user’s fingerprint.

The key was published by a hacker known only as xerub, who refused to identify himself or provide any detail on how he derived the key or whether he found any vulnerabilities in the Secure Enclave. Apple acknowledged the report, but as of yesterday still had not confirmed the legitimacy of the key xerub published. The key unlocks only the SEP firmware; user data is not at risk, xerub told Threatpost.

The disclosure also harkened back to Apple’s decision last June to release an unencrypted version of the iOS 10 kernel to beta testers. “The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” Apple said at the time.

The decision sparked concerns similar to those over yesterday’s leak: that attackers as well as legitimate researchers would be able to find and potentially exploit vulnerabilities in the kernel. Apple’s contention is that the move ultimately improves security, with more researchers examining the code for bugs and privately disclosing them to the company or through its bug bounty program. Such a move also potentially weakens gray-market sales for iOS bugs, or government hoarding of bugs.

Yesterday’s news set off another flurry of angst as to the ongoing security of iOS and what would happen now that the firmware had been unlocked.

“I wouldn’t say there is any immediate threat to users at this point,” Azimuth Security’s Mandt said. “Although the key disclosure allows anyone to analyze the software that is running on the SEP processor, it still requires an attacker to find and exploit a vulnerability in order to compromise SEP.”

Infosys CEO Vishal Sikka resigns

Original Article Here

Vishal Sikka

Infosys chief executive Vishal Sikka issued a shock announcement Friday that he has resigned his position amid executive tensions and an “untenable atmosphere” surrounding the company.

“I cannot carry out my job as CEO and continue to create value, while also constantly defending against unrelenting, baseless/malicious and increasingly personal attacks,” Sikka said in a blog post.

Sikka was the first chief technology officer at SAP before joining Infosys in June 2014. At the time, his arrival was considered a turning point for the beleaguered IT outsourcer and a chance for the company to embark on a much needed transformational journey.

Sikka’s turnaround efforts included a shakeup of Infosys’ growth strategy — shifting the focus from contracts over to software and platforms — and a revitalization of its sagging employee morale. In large part, Sikka was successful. He restored credibility, retained and boosted employment, and helped rebound revenue in his first two years on the job.

More recently, however, Infosys has struggled with revenue growth, and Sikka found himself dragged into a public feud with co-founder Narayana Murthy, who questioned the firm’s decision on compensation doled out to senior executives.

“Life is too short to engage in battles of opinions in the public, these add no value, take critical time and focus away from the business, and indeed add more to the noise, to the eardrum buzz, as I wrote to you a few months ago,” Sikka said in his resignation post.

“I now need to move forward, and return to an environment of respect, trust and empowerment, where I can take on new lofty challenges, as can each of you.”

Infosys appointed longtime employee and COO Pravin Rao as the interim CEO and managing director.

New Faketoken Android malware records calls, intercepts texts, and steals credit card info

Original Article Here

A year-old piece of Android malware has begun to evolve, taking it from low-level nuisance to serious security threat.

Called Faketoken, the malware is able to record phone calls, intercept and redirect text messages, and put screen overlays on an estimated 2,000 apps to fake payment information windows.

Kaspersky Lab reports that Faketoken has been mainly spotted in Russia but also notes that its evolution has kept pace with its spread around the globe.

If you use Android this is definitely one to be worried about.

How the Faketoken malware spreads

Kaspersky, which identified the malware, hasn’t fully reconstructed the infection process yet, but evidence points to Faketoken spreading through bulk SMS messages that prompt users to download images.

Once on the system the malware obfuscates its existence, installs itself, hides its icon, and gets to work monitoring which apps are being used and which messages are being received, and it records every phone call, which it then sends to its command and control (C&C) server.

Recording phone calls is insidious enough, but that’s not Faketoken’s main objective: Its goals are to steal credit card numbers and intercept two-factor authentication text messages.

No one expects a sinister overlay

How many apps on your Android device store credit or debit card information? If you’re like the average mobile user, the answer is probably at least a few. Those apps sometimes forget info, update and need it reentered, or otherwise ask for verification on occasion, which is exactly what Faketoken aims to exploit.

The roughly 2,000 apps mentioned earlier are all spoofable by Faketoken, which goes a step further in making its spoof pages look realistic: It uses app overlays to trick you into thinking they’re legitimate.

Two examples of overlays in one image: The purchase window for buying an item on Google Play, and the overlay demonstrating how to edit a screenshot.

Image: TechRepublic/Brandon Vigliarolo

The apps that Faketoken monitors all support linking bank cards for in-app purchases, Kaspersky researchers said. When Faketoken detects one of those apps running, it substitutes its fake UI and overlay on top of the real app, and it happens pretty much instantly.

That doesn’t leave much time for users to realize what’s going on.

In order to complete the process of stealing credentials, Faketoken monitors incoming text messages so it can catch one-time passwords before they arrive in the phone’s SMS inbox. It redirects them to its C&C server, and with that the hack is complete: Hackers now have your credit card info, expiration dates, CVV, and the one-time password needed to verify enrollment.

Faketoken is still new

Kaspersky is pretty sure that the version of Faketoken it examined was an early test, but it warns of more advanced versions to come, and it’s entirely possible those versions are already in the wild.

There’s nothing new to be said regarding protecting yourself: Don’t install third-party apps, don’t download attachments from unknown sources, and keep an anti-malware app installed on your device.

As the amount of mobile malware continues to rise, sophisticated threats like Faketoken are likely to become more and more common. It can be anxiety-inducing to think of all the ways someone can steal your personal information, and ultimately a balance between convenience and security has to be struck.

Security best practices may add a few steps to everyday tasks, but they’re essential when hackers are getting better and better at disguising their malware.

Top three takeaways for TechRepublic readers:

  1. Kaspersky Lab has identified a new evolution of a previously known Android malware called Faketoken. This new version can record phone calls, intercept text messages, and spoof app overlays to steal credit card information.
  2. While the Faketoken analyzed by Kaspersky may be an early version, there’s no way of knowing if a more advanced version already exists.
  3. Protecting your personal information on an Android device is possible, and it’s nothing unique or new. Install anti-malware software, disable third-party app installation, and don’t download attachments from unknown senders.

Google to unveil Android O on Aug. 21 via livestream

Original Article Here

While most of the US will be staring into the sky watching the first total solar eclipse in years, Google will be gearing up to livestream the final unveiling of Android O.

The announcement came via a dedicated Android eclipse site, which features a countdown timer for the Monday, August 21, 2:40 p.m. ET livestream of Android O, a link to the official NASA stream of the eclipse, as well as a handy tool to help you visualize just how much of the eclipse you will see, and at what times.

According to the site, those who tune into the livestream will “meet the next release of Android and all of its super (sweet) new powers” shortly after the eclipse ends.

We already know quite a bit about Android O, thanks to the public beta that was first released in March. The update brings performance improvements, a streamlined OS update method, a picture-in-picture mode, and notification channels. What we don’t know, however, is the final name and when it will be available. Luckily, the wait is almost over.

To watch a livestream of the announcement, be sure to visit Android.com/eclipse.

Friday Five: 8/18 Edition

Original Article Here

It’s Friday! Catch up on the latest infosec news with this week’s roundup.

1. HBO social media hacked in latest cyber security breach by BBC News

In the latest cyberattack on HBO, OurMine, the group that breached Mark Zuckerberg’s social media accounts last year, hacked HBO’s main corporate Facebook and Twitter accounts. This is following leaks of scripts, company documents, and full episodes of various HBO shows. In addition, four suspects related to the Game of Thrones episode leak have been arrested in India. Three of these suspects are current employees of Prime Focus, which stores and processes the Game of Thrones series for an Indian streaming site.

2. Petya ransomware: Cyberattack costs could hit $300m for shipping giant Maersk by Danny Palmer

The world’s largest container ship and supply vessel operator, Maersk, was one of the first high-profile organizations that had fallen victim to the most recent Petya ransomware attack. The attack impacted Maersk Line, APM Terminals and Damco, and they had to temporarily shut down services to prevent the ransomware’s spread. Though they claim no data breach or data loss occurred, they expect a total loss in revenue of $200-300 million according to their press release because of operational interruptions during the shutdown.

3. Hacker claims to have decrypted Apple’s Secure Enclave, destroying key piece of iOS mobile security by Brandon Vigliarolo

This week, a hacker going by xerub released a full decryption key for Apple’s Secure Enclave Processor (SEP). The SEP operates separately from the rest of the device and generates the device’s Unique ID. It also handles Apple’s Touch ID transactions. With the decryption key, the SEP firmware’s code will be exposed, as well as its vulnerabilities. This could be a hit to Apple’s mobile security, though xerub claims his intention for releasing the key was to add to the security of SEP. It’s too early to tell what the effects will be, but there is still a ton of work that would need to go into exploiting this decryption and being able to compromise customer data.

4. Och. Scottish Parliament under siege from brute-force cyber attack by John Leyden

This week, the Scottish Parliament experienced brute-force attacks on its systems similar to previous attacks on Westminster earlier in June, which were blamed on Russia. The attacks appear to be targeting IT accounts, resulting in account lockouts or failed logins. MSPs and staff have been informed to update their passwords with stronger strings of letters, numbers and special characters.

5. North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats by Catalin Cimpanu

The Lazarus Group, a North Korean cyber-espionage group believed to be a division of the government’s state intelligence, recently switched its target from South Korean organizations to U.S. defense contractors. The Group has been sending spear-phishing emails containing Word documents disguised with job descriptions and internal policies. There were several similarities in this series of attacks to past Lazarus Group campaigns, and with Trump’s recent nuclear threats against North Korea, it’s not a far leap.

Ellen Zhang

Tally of GoldenEye’s damage to corporate earnings reaches half a billion dollars

Original Article Here

June’s GoldenEye (Petya/NotPetya) ransomware contagion crippled power distributors, pharmaceutical companies, banks, advertisers and even law firms, sparing no organization running a vulnerable infrastructure. Earning reports from several affected companies now reveal just how much the attack damaged some industries.

Despite the widely accepted theory that GoldenEye was deployed mainly to shake up Ukraine, it now appears the ransomware could have fetched a handsome sum for its authors, had they not been so clumsy with their end of the bargain – decrypting victims’ data.

HelpNetSecurity has compiled a short list of companies that have (so far) confirmed the extent of the financial damage inflicted in June’s cyber-attack.

The losses

Following the attack, Danish shipping giant A.P. Møller-Mærsk was forced to commission a major shutdown of its systems, freezing its container business for long enough to cause hundreds of millions of dollars’ worth of damage.

“We expect that the cyber-attack will impact results negatively by USD 200-300m,” CEO Søren Skou said.

Construction materials manufacturer Saint-Gobain reports similar adversity. In a press release disclosing its first-half results for 2017, the company reveals that GoldenEye caused such massive disruption to its operations that it took two weeks to return to normal.

“The cyber-attack is estimated to have had a negative impact of €220 million on first-half sales and of €65 million on first-half operating income,” the company said. “Over the full year, the negative impact is estimated at less than €250 million on sales and €80 million on operating income, with July including additional losses in some businesses in the first few days of the month, a claw-back of June sales, and costs associated with re-starting operations.”

Mondelez International, a multinational confectionery, food, and beverage company saw its net revenues drop 5% due to a GoldenEye infection. It gave no precise estimate of the damage.

American pharma company Merck was equally unable to quantify the losses, but said it is working hard to “minimize the effects.”

Between the four of them, these organizations alone have reported up to half a billion dollars’ worth of damage to their industries. Considering that this is just a fraction of the companies that reported getting infected with the GoldenEye ransomware, we can only imagine the total damage at a global level.

All it ever needed was one vulnerable computer

Big organizations are compelled to disclose losses to stakeholders, which ultimately causes reputation damage too, further deepening the dent in their business. Companies big and small are increasingly aware that running vulnerable systems can cause irreparable damage. With several major attacks occurring this year alone, CIOs and CTOs everywhere need to radically rethink their investments in cybersecurity.

GoldenEye used the EternalBlue exploit that was leveraged by WannaCry, as well as a second exploit called EternalRomance, to act like a worm and replicate laterally, infecting entire networks of computers in seconds.

And a credential dumping tool let the ransomware infect even non-vulnerable systems by gaining administrator rights – all it ever needed was a single vulnerable system.

Drone firm says it’s stepping up security after US army ban

Original Article Here

Two weeks ago, the US Army told its troops that using drones from DJI – maker of the world’s best-selling drones – was henceforth verboten, given unspecified vulnerabilities discovered by its research lab and the US Navy.

While the army was keeping mum about those vulnerabilities, others haven’t been so circumspect. Rather, they’ve been talking for months about sensitive information having the potential to be scattered in the tailwinds.

In May, Kevin Pomaski, a chief pilot for one of the largest commercial UAS service providers in the US, wrote an article about highly sensitive information that can be revealed in conversations between unmanned aerial system (UAS) pilots and their clients: details that he said can include infrastructure, stadiums, military installations, construction sites, details about security, details about the drone itself, details about the drone operator, and more.

This sensitive data is vulnerable to interception, he said:

Critical infrastructure access and layouts are being captured every day. This information may be accessed by foreign actors that mean to harm the countries that these locations are in. The complete data record can be cataloged by pilot, region or location and a full report of the layout, security response, names of people will be revealed. Corporate espionage agents would love to have visual and audio details of that new system being captured by the drone in any industrial field of pursuit.

More recently, rumors have been flying about operators being told not to show up for work at US government agencies unless they bring American-made drones with them. According to sUAS News, the unspecified government agencies allegedly have security concerns about data being shared unwittingly.

If the allegations are true, it adds up to a ban on the Chinese-made DJI equipment. DJI is, after all, a Chinese company, governed by Chinese law, as Pomaski pointed out.

He dissected the privacy policy of DJI’s Go app and came up with a number of issues around sensitive data. For example, this passage from the privacy policy notes that personal information could be transferred to offshore servers:

The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. If you choose to use the DJI Go App from the European Union or other regions of the world, then please note that you may be transferring your personal information outside of those regions for storage and processing. Also, we may transfer your data from the US, China, and Hong Kong to other countries or regions in connection with storage and processing of data, fulfilling your requests, and providing the services associated with the DJI Go App. By providing any information, including personal information, on or through the DJI Go App, you consent to such transfer, storage, and processing.

Now, two months after the army banned DJI drones, DJI has responded by adding a privacy mode to its equipment to prevent flight data being shared to the internet.

On Monday, DJI announced that it’s adding a local data mode that stops internet traffic to and from its flight control apps “in order to provide enhanced data privacy assurances for sensitive government and enterprise customers”.

The company says the privacy mode had been in the works for months, before the army ban. The new privacy mode, due out in future app versions expected in the coming weeks, entails a tradeoff: blocking all internet data means that DJI apps won’t…

  • update maps or geofencing information, meaning pilots could wind up flying in banned zones
  • notify pilots of newly issued flight restrictions or software updates
  • be able to upload to YouTube

On the plus side:

[Local data mode] will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

The army memo had told troops to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

However, the army has reportedly walked that ban back a bit, sUAS News reported on Monday. A second memo had reportedly gone out at the end of last week, to the effect that the army will grant exceptions to the ban once a DJI plugin has passed OPSEC (Operational Security) scrutiny.

Microsoft acquires cloud-based HPC developer

Original Article Here

Microsoft pulled off a big get with its acquisition of Cycle Computing, the developer of a suite of high-performance computing (HPC) services called CycleCloud for cloud orchestration, provisioning and data management in the cloud.

You may not know its name but Cycle Computing is actually a major player. In 2012, it helped Amazon create the first massive cloud-based supercomputer, spanning 51,000 cores. For just one hour of run time, the bill was $5,000.


In 2013, Cycle Computing hit its biggest cloud run, creating a cluster of 156,314 cores with a theoretical peak speed of 1.21 petaflops that ran for 18 hours and spanned Amazon data centers around the world. The bill for that monstrosity was $33,000. 

Since then, Cycle Computing’s cloud orchestration software has been adopted by Amazon, Microsoft and Google. And now Microsoft has it. According to a blog post by Cycle Computing CEO Jason Stowe, the company will continue to service all of its customers. 

Azure only

However, going forward, Cycle Computing’s software will only be on Azure, and existing Cycle customers will be asked to move to Azure if they want new versions. 

“We will continue to support Cycle Computing clients using [Amazon Web Services] AWS and/or Google Cloud. Future Microsoft versions released will be Azure focused. We are committed to providing customers a seamless migration experience to Azure if and when they choose to migrate,” a Microsoft spokesperson said. 

So, you can see why this is a huge get for Microsoft. They just kneecapped AWS and Google in cloud-based HPC and might even steal away some customers. 

Cycle Computing seems down with this strategy. Stowe wrote in his blog post: 

“Now, we see amazing opportunities in joining forces with Microsoft. Its global cloud footprint and unique hybrid offering is built with enterprises in mind, and its Big Compute/HPC team has already delivered pivotal technologies such as InfiniBand and next-generation GPUs. 

“The Cycle team can’t wait to combine CycleCloud’s technology for managing Linux and Windows compute and data workloads with Microsoft Azure’s Big Compute infrastructure roadmap and global market reach.” 

For its part, Microsoft hopes Cycle Computing will help customers accelerate their movement to the cloud. Microsoft specifically cites Cycle Computing’s “depth and expertise around massively scalable applications” and its technology that can “enhance our support of Linux HPC workloads and make it easier to extend on-premise workloads to the cloud.” 

But here’s the thing: Microsoft recently introduced the Azure Stack, which essentially lets you run an Azure environment in your own data center. So, what’s to say CycleCloud can’t be made available on Azure Stack? 

Of course, the appeal is it spans multiple massive data centers to bring tens of thousands of cores to bear on a project. Unless you have a data center to match Microsoft, you won’t get the real benefit. Still, the potential for on-premises supercomputing has its appeal, and hopefully Microsoft will see its potential.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Lenovo Posts Surprise Loss as PC Sales Crater, Costs Climb

Original Article Here

Yang Yuanqing, Lenovo CEO, unveils the new PHAB2 Pro, the world’s first Tango-powered smartphone at Lenovo Tech World at The Masonic Auditorium on June 9, 2016 in San Francisco, California.

Kelly Sullivan/Getty Images

(Bloomberg) — Lenovo Group Ltd. posted a surprise quarterly loss after losing its grip on the global personal computer market, while its smartphone unit continues to bleed money.

China’s largest PC maker reported a net loss of $72 million in the three months ended June — its first in six quarters and well below projections for income of $32.9 million. That drove its stock down as much as 4.2 percent in Hong Kong to its lowest intraday level in more than a year.

Lenovo lost its position as the world’s top PC maker as HP Inc. and Dell Inc. win back customers with new models. Its smartphone and server businesses, bulked up through multibillion-dollar acquisitions, again struggled to make money amid supply constraints, rising costs and aggressive pricing from competitors. Chief Operating Officer Gianfranco Lanci told reporters he expects costs for essential components such as memory chips to keep rising throughout the rest of the year, albeit at a slower pace.

“Lenovo is facing a great deal of performance pressure in its first two quarters of new fiscal year,” said Antonio Wang, associate vice-president for IDC China. It “is facing a transformation period as the executive team tries to reorganize business in major regions and reconstruct its business model.”

Revenue for the period slipped a tad to $10 billion, a whisker above predictions for $9.9 billion.

Its dismal quarter contrasts with HP, which has reported revenue in excess of projections for four straight quarters and this year overtook Lenovo in market share despite lagging its rival in China. Chairman Yang Yuanqing is exploring ways to rejuvenate Lenovo’s core PC business, including a potential tie-up with Fujitsu Ltd. that he said last month is still under negotiation. The company has reenlisted former mobile-unit head Liu Jun to oversee its Chinese business and has joined with e-commerce site JD.com in a bid to push its annual online revenue to 80 billion yuan ($12 billion) within three years.

While the 2005 acquisition of International Business Machines Corp.’s PC division paid off by lifting Lenovo closer to the top of the market, the 2014 purchases of IBM’s low-end server unit and Motorola Mobility haven’t gone as smoothly. The division reported a 6 percent decline in PC shipments to 12.4 million units. Revenue rose slightly to $7 billion.

“Since PC is the only profitable segment, these headwinds will hurt profitability,” Kai Qian and Liping Zhao, analysts at China International Capital Corp., wrote in a report ahead of the earnings.

Lenovo is betting on the Motorola brand and innovative modular designs to revive its mobile unit, and remains outside the top five in its home market, according to IDC. Sales in the division rose 2.4 percent to $1.75 billion. Its datacenter business, which saw revenue shrink 11 percent in the quarter, is on track to become profitable in about two years, Yang told analysts on a conference call.

It’s also sinking money into an effort to catch the next wave of computing gadgets. On Friday, it said it’ll invest $1.2 billion on research into artificial intelligence, the Internet of Things, virtual reality and other emergent fields over the next four years.

“The material cost increase significantly impacted our business, actually it impacted all three business,” Yang said in an interview, referring to the PC, mobile and data center units. “We definitely have to consume the cost increase if we want to keep the decent profitability. It must be reflected into our selling price.”

63% off Anker SoundCore 2 Bluetooth Speaker with 24-Hour Playtime – Deal Alert

Original Article Here

SoundCore 2 from Anker produces outstanding audio from an astonishingly compact speaker. Upgraded 2x 6W drivers blast out rich, clear sound. An IPX5 water-resistant rating and dustproof engineering mean you can bring your beats anywhere – from the garden to the beach. Upgraded materials provide a smooth touch and better grip. Listen from up to 66ft away with the latest Bluetooth 4.2 technology, while a built-in microphone makes hands-free calling a breeze. If you find yourself without Bluetooth, an aux port lets you plug in and play. And a 24-hour / 500-song playtime means you can listen all day. The SoundCore 2 from Anker’s typical list price has been reduced 63% to just $33.59. See this deal on Amazon.

This story, “63% off Anker SoundCore 2 Bluetooth Speaker with 24-Hour Playtime – Deal Alert” was originally published by TechConnect.


Level up your cybersecurity journey with CLOUDSEC 2017

Original Article Here

Beginning this month, Trend Micro will be hosting CLOUDSEC, one of the largest cybersecurity conferences across Asia-Pacific and Europe. The event features presentations and panel discussions from industry experts and thought leaders who will discuss high-level strategies, forward looking security measures, and security roadmaps affecting the different markets.

Now on its seventh year, CLOUDSEC is supported by industry leaders, government agencies, commercial organizations, professional associations, technology vendors, and cyber security professionals from around the world.

Level up your cybersecurity skills

We all know the enterprise IT environment is becoming increasingly complex and diverse. The introduction of the cloud, not to mention mobile and IoT, to the enterprise IT environment means that IT professionals need to adapt in order to protect the now-diverse infrastructures, systems, and assets.

This complexity is the reason behind this year’s theme—Level up. We view cybersecurity as a game where anything can happen all at once and in all directions. And just like in gaming, security practitioners now need to level up their skills and knowledge in order to overcome any and all obstacles they will encounter.

Speakers for this year’s CLOUDSEC will provide attendees with insights on leveling up strategies and tactics in today’s rapidly changing environment. The sessions span various topics, such as creating holistic cybersecurity strategies, protecting critical infrastructure in an IoT environment, cloud services assurance frameworks, and innovation in DDoS mitigation.

Join us at CLOUDSEC

Last year drew in big numbers for CLOUDSEC. More than 6,500 attendees, 90 sponsors and partners, and 150 speakers came together to participate in ten events spanning the globe. All the CLOUDSEC events resulted in over 1.5 million social media and online engagements.

We are confident that this year’s CLOUDSEC will once again deliver great numbers and even greater discussions and insights about the state of cybersecurity today. We hope you can join us in leveling up and gaining cybersecurity wins.

You may register for the following CLOUDSEC events:

  • CLOUDSEC Australia (15th August)
  • CLOUDSEC Singapore (22nd August)
  • CLOUDSEC London (5th September)
  • CLOUDSEC Taiwan (6th September)
  • CLOUDSEC India (13th September)
  • CLOUDSEC Korea (20th September)

For more information and live coverage from CLOUDSEC, follow @CLOUDSECtweets on Twitter and CLOUDSECofficial on Facebook. You can also join the conversation with the hashtag #CLOUDSEC.

Threatpost News Wrap, August 18, 2017

Original Article Here

Mike Mimoso and Tom Spring discuss this week’s security news, including recent abuse of Google Chrome extensions for fraud, a close look at Adobe’s decision to end of life Flash Player, and a backdoor discovered in NetSarang server management software’s update mechanism.

Download: Threatpost News Wrap Aug. 18, 2017

Music by Chris Gonsalves.


NIST Security Draft Promises New Privacy Standards for US Federal Agencies

Original Article Here

The US National Institute of Standards and Technology (NIST) has drafted a new set of privacy standards that US federal agencies will have to abide by when implementing new interconnected systems related to the internet-of-things (IoT).

The draft, entitled “Security and Privacy Controls for Information Systems and Organizations”, addresses the security and privacy concerns expressed by the US’s Task Force on Cyber Defense, which stated that the risks of interconnecting new devices to critical infrastructure should not be taken lightly. The draft focuses on privacy and new technologies and products, emphasizing the need for stricter integration of controls and regulations not just for federal agencies, but for other organizations as well.

“Individual privacy cannot be achieved solely through securing personally identifiable information,” reads the draft. “Consequently, this publication contains controls designed to meet privacy requirements and to manage the privacy risks associated with an organizations’ creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of personally identifiable information separate from security concerns.”

While the document mainly focuses on federal institutions, recommending how privacy and security controls should be put in place when integrating new technologies, it also touches on personally identifiable information (PII) and how consumers should be warned regarding the data being collected. Somewhat similar to the European Union’s General Data Protection Regulation (GDPR), the NIST draft also states that users should be given clear, concise information about what PII is collected from them.

“To help users understand the risks being accepted when providing consent, organizations write materials in plain language and avoid technical jargon,” reads the NIST draft. “When developing or purchasing consent tools, organizations consider the application of good information design procedures in all user-facing consent materials; use of active voice and conversational style; logical sequencing of main points; consistent use of the same word (rather than synonyms) to avoid confusion; the use of bullets, numbers, and formatting where appropriate to aid readability; and legibility of text, such as font style, size, color, and contrast with surrounding background.”

A final draft of the document is expected in October. If approved, it will significantly impact US infrastructures and the way new technologies are integrated, from both a security and a privacy perspective.

This Week in Security News

Original Article Here

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week! 

Vulnerabilities Are Affecting the CAN Standard of Connected Cars

In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. 

There Are Benefits to Knowing Information Security Breach Attribution

Earlier this week the iSMG Fraud and Breach Prevention Summit in New York City featured a fascinating conversation on the value of attribution, led by Gartner’s Avivah Litan. The panel was called: “Moving from Indicators of Compromise to Indicators of Attack: But Will Attacker Attribution Really Help Us?” 

GhostClicker Adware is a Phantomlike Android Click Fraud

We’ve uncovered a pervasive auto-clicking adware in as many as 340 apps on Google Play, one of which, named “Aladdin’s Adventure’s World”, was downloaded 5 million times. While the majority of the said apps have been taken down, 101 were still downloadable as of August 7, 2017.

ZDI Published Two 0-Day Advisories for Vulnerabilities in Foxit

The beauty of these vulnerabilities is their simplicity by nature, and that they are not memory corruption vulnerabilities. To be exact, they are Command Injection and File Write vulnerabilities that can be triggered through the JavaScript API in Foxit Reader. 

Locky Ransomware Is Back

One of the most successful families of ransomware has returned once again, with a new email spam campaign. Locky was one of the first major forms of ransomware to become globally successful and at one point was one of the most common forms of malware. 

HBO’s Twitter Accounts Were Hacked in Latest Cyberattack

Premium cable channel HBO has fallen victim yet again to a hacker attack. This time its official Twitter account was broken into, along with accounts for several of its most popular shows. A group calling itself OurMine gained control of HBO’s main account Wednesday night, according to reports. 

AWS Launched a New Service Called Amazon Macie

At the AWS Summit in New York City, AWS launched a new service: Amazon Macie. Trend Micro is proud to support this exciting new service at launch. Amazon Macie provides automated insights into the usage of your Amazon S3 data. 

Disdain Exploit Kit Detected in the Wild

On August 9, we detected a new exploit kit in the wild, being distributed through a malvertising campaign. With additional analysis of the code and activity, we can confirm that it is the Disdain exploit kit, which started to advertise their services in underground forums starting August 8. 

Scottish Parliament Says the Ongoing ‘Brute-Force’ Cyberattack Has Not Breached Defenses

Scotland’s devolved parliament is suffering an ongoing brute-force cyberattack but the attack has not breached the assembly’s IT defenses, it said on Wednesday. Hackers are becoming more and more adept at developing or finding malware to wipe data on computers, making them inoperable. 

Not All Hacking Requires a Computer

Why spend days or weeks trying to bust into a network when you could pick up a phone? Exploiting vulnerabilities of a company can simply involve picking up a phone, chatting with a few people or memorizing a few tones. 

Cybersecurity Experts Are Finding Common Ground

Data breaches and cyberattacks can be extremely damaging to businesses and to people’s personal and professional lives. But, IT pros and policymakers focusing on cybersecurity often don’t speak the same language. Discover how these cybersecurity experts are finding common ground. 

Hackers of the Future Could Use Malware Stored in DNA to Infect Computers

Researchers from the University of Washington have figured out a way to take over a computer by encoding malicious software into physical strands of DNA. In its most basic form, the DNA is a way of storing information, and its strands are made from four building blocks — A, C, G, and T. 

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.

Six myths about blockchain and Bitcoin: Debunking the effectiveness of the technology

Original Article Here

Blockchain: so cool, what a breakthrough — soon almost everything will be based on blockchain technology. If you bought all of that, then I might just disappoint you.

This article will discuss the version of blockchain technology that is used for Bitcoin cryptocurrency. There are other implementations, and they may have eliminated some of the disadvantages of the “classic blockchain,” but usually everything is built around the same principles.

About Bitcoin in general

I consider the Bitcoin technology itself revolutionary. Unfortunately, Bitcoin has been used for criminal activities far too often, and as an information security specialist, I strongly dislike that practice. Yet, technologically speaking, Bitcoin is an obvious breakthrough.

The Bitcoin protocol components and built-in ideas aren’t new; generally, they were all known before 2009, but only the authors of Bitcoin managed to piece them together into something that worked. Since then, for almost nine years, only one critical vulnerability has been found in its implementation, when one malefactor snagged 92 billion bitcoins. Fixing that required rolling back the entire financial record by 24 hours. Nevertheless, just one vulnerability in nine years is praiseworthy. Hats off to the creators.

The authors of Bitcoin faced the challenge of making it all work with no central system and no one trusting anyone else. The creators rose to the challenge and made electronic money an operational currency. Nevertheless, some of their decisions were devastating in their ineffectiveness.

I am not here to discredit blockchain, a useful technology that has shown many remarkable uses. Despite its disadvantages, it has unique advantages as well. However, in the pursuit of the sensational and revolutionary, many people concentrate on the upsides of the technology, often forgetting to take a sober view of things, thus disregarding all of its downsides. It is for this reason, for the sake of diversity, that I deem it useful to focus on the disadvantages of the technology.

A book that expresses high hopes for the blockchain. Quotes from this book appear throughout this article

Myth #1: The blockchain is a giant, distributed computer

Quote #1: “The blockchain could be an Occam’s razor, the most efficient, direct, and natural means of coordinating all human and machine activity; it is a natural efficiency process.”

If you haven’t looked into the principles of blockchain operation and you’ve only heard opinions about this technology, then you might be under the impression that blockchain is some sort of distributed computer, performing distributed computations. You might have supposed that nodes across the world gather something bigger bit by bit.

Blockchain, simplified

That is totally incorrect. In fact, all of the nodes that maintain the blockchain do exactly the same thing. Here is what millions of computers do:

  1. They verify the same transactions in accordance with the same rules and perform identical operations.
  2. They record the same thing into a blockchain (if they were fortunate enough to be allowed to do so).
  3. They store the entire history, which is the same for all of them, for all time.

There is no parallelism, no synergy, and no mutual assistance. There is only instant, millionfold duplication. It’s the opposite of efficient — and that’s important, as we’ll see later on.

Myth #2: The blockchain is everlasting. Everything that is recorded into a blockchain will remain there forever

Quote #2: “With Dapps, DAOs, DACs, and DASs, there could be many interesting new kinds of emergent and complex AI-like behavior.”

So: Every high-grade Bitcoin network client stores the entire transaction history, and this record has already become as large as 100GB. That’s the full capacity of a cheap laptop’s or the most advanced smartphone’s storage. The more transactions processed on the Bitcoin network, the faster the size grows. And the greatest bulk of it has appeared over the past couple of years.

The growth of the blockchain.

Bitcoin’s blockchain growth isn’t even the fastest — the competitor Ethereum network has accumulated 200GB of history data in its blockchain within just two years of launch and six months of active use. Hence, under current circumstances, the blockchain’s life span is limited to about a decade. The growth of HDD capacity definitely lags behind.

In addition to the need to store a large chunk of data, the data has to be downloaded as well. Anyone who has ever tried to use a locally stored wallet for cryptocurrency discovered with amazement and dismay that he or she could not make or receive payments until the entire download and verification process was complete — a few days if you were lucky.

You may ask: If it’s all the same thing, perhaps we shouldn’t store it on every network node? Sure, it would be more efficient. But, first of all, then it wouldn’t be a peer-to-peer blockchain but rather a traditional client–server architecture. Second, clients would then have to trust servers. Remember, “not trusting anyone” is one of the foundations of blockchain.

For a long time, Bitcoin users have been divided into enthusiasts, who “suffer,” downloading everything and storing the whole blockchain on their own computer, and common people, who use online wallets, trust the server, and do not care how it all works.

Myth #3: The blockchain is effective and scalable. Conventional money will soon disappear

Quote #3: “The concept is ‘blockchain technology + in vivo personal connectome‘ to encode and make useful in a standardized compressed data format all of a person’s thinking. The data could be captured via intracortical recordings, consumer EEGs, brain/computer interfaces, cognitive nanorobots, and other methodologies. Thus, thinking could be instantiated in a blockchain — and really all of an individual’s subjective experience could eventually be as well, including (possibly) consciousness, especially if it’s more precisely defined. After they’re on the blockchain, the various components could be administered and transacted. For example, this could be done in the case of post-stroke memory restoration.”

If each network node does the same thing, then obviously, the bandwidth of the entire network is the same as the bandwidth of one network node. But do you know exactly what that is? The Bitcoin network is capable of processing a maximum of seven transactions per second — for the millions of users worldwide.

Aside from that, Bitcoin-blockchain transactions are recorded only once every 10 minutes. To increase payment security, it is standard practice to wait 50 minutes more after each new record appears, because the records regularly roll back. Now imagine trying to buy a snack using bitcoins. It’s no big deal to stand in line for an hour at the store, right?

If you consider the entire world, that sounds ludicrous even now, when Bitcoin is used by just one in every thousand people on the planet. And given the transaction-processing speed, significantly increasing the number of active users simply isn’t possible. For comparison, Visa processes thousands of transactions per second and, if required, can easily increase its bandwidth. After all, classic banking technologies are scalable.

If conventional money disappears, it won’t be because of blockchain solutions.

Myth #4: Miners provide network security

Quote #4: “Cloud-based, blockchain-based autonomous business entities running via smart contract could then electronically contract with compliance entities like governments to self-register in any jurisdictions in which they wanted to operate.”

You have certainly heard of miners and giant mining farms built next to power stations. What do they actually do? They burn a lot of electricity for no purpose at all for 10 minutes, “shaking” blocks until they become “beautiful” and thus eligible to be added to a blockchain (you can learn about all of that in this post). Essentially, it’s done for one purpose: to make sure that rewriting transaction history would require the same amount of time it took to write the original history (given the same overall computing power).

The electricity consumed to achieve that is the same as the amount a city with a population of 100,000 people would use. And don’t forget the expensive custom mining equipment, which is almost useless for any purpose other than mining bitcoins.
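To make the “shaking blocks until they become beautiful” description concrete, here is an added Python example that is not part of the original article: a toy proof-of-work chain in which every node re-checks each block’s link, hash and target, and in which altering one past block forces that block and every later one to be re-mined. The difficulty, block contents and names are constructed for the demo.

```python
import hashlib
import json

# Toy target: a block hash must start with this many zero bits to be "beautiful".
# Bitcoin's real target is vastly harder; this value just keeps the demo fast.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, txs, nonce):
    payload = json.dumps([index, prev_hash, txs, nonce], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(h):
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(index, prev_hash, txs):
    """Shake the block (try nonces) until its hash meets the target.
    Returns the block and the number of hashes it cost."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, txs, nonce)
        if meets_target(h):
            block = {"index": index, "prev": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
            return block, nonce + 1
        nonce += 1


def build_chain(histories):
    """Mine one block per list of transactions; returns the chain and total hashes spent."""
    chain, work, prev = [], 0, GENESIS_PREV
    for i, txs in enumerate(histories):
        block, cost = mine(i, prev, txs)
        chain.append(block)
        work += cost
        prev = block["hash"]
    return chain, work


def validate(chain):
    """What every node checks for every block: the link to the previous block, the
    recomputed hash and the target. An edited block without fresh work fails here."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        h = block_hash(b["index"], b["prev"], b["txs"], b["nonce"])
        if b["index"] != i or b["prev"] != prev or h != b["hash"] or not meets_target(h):
            return False
        prev = h
    return True


def rewrite_history(chain, at, new_txs):
    """Replace the transactions of block `at`, then re-mine it and every later block,
    because each later block commits to the hash of the one before it.
    Returns the alternative chain and the hashes the rewrite cost."""
    rewritten, work = list(chain[:at]), 0
    prev = chain[at - 1]["hash"] if at else GENESIS_PREV
    for i in range(at, len(chain)):
        txs = new_txs if i == at else chain[i]["txs"]
        block, cost = mine(i, prev, txs)
        rewritten.append(block)
        work += cost
        prev = block["hash"]
    return rewritten, work


# Constructed sample history (not real transactions).
HISTORY = [["alice->bob 1"], ["bob->carol 1"], ["carol->dave 1"], ["dave->erin 1"]]

if __name__ == "__main__":
    chain, honest_work = build_chain(HISTORY)
    edited = [dict(b) for b in chain]
    edited[1]["txs"] = ["bob->mallory 1"]            # change history without new work
    print("edited chain accepted:", validate(edited))       # False
    alt, rewrite_work = rewrite_history(chain, 1, ["bob->mallory 1"])
    print("re-mined chain accepted:", validate(alt))         # True
    print("hashes to rewrite blocks 1-3:", rewrite_work, "/ hashes spent originally:", honest_work)
```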

Explainer: Bitcoin mining

Blockchain optimists like to say that miners don’t just perform useless operations but maintain the stability and security of the Bitcoin network. This is true, but the problem is that miners are protecting Bitcoin from other miners.

If only one-thousandth of the current number of miners existed, and thus one-thousandth of the electric power was consumed, then Bitcoin would be just as good as it is now. It would still produce one block per 10 minutes, process the same number of transactions, and operate at exactly the same speed.

The risk of a 51% attack applies to blockchain solutions as well. If someone controls more than half of the computing power currently being used for mining, then that person can surreptitiously write an alternative financial history. That version then becomes reality. Thus, it becomes possible to spend the same money more than once. Traditional payment systems are immune to such an attack.

As it turns out, Bitcoin has become a prisoner of its own ideology. “Excessive” miners cannot stop mining; that would dramatically increase the probability of a single person controlling more than half of the remaining computing power. Mining is still lucrative, and the network is still stable. However, if the situation changes (if, for example, the price of electricity increases), the network may face a huge number of “double spending” incidents.

Myth #5: The blockchain is decentralized, therefore it is indestructible

Quote #5: “To become an organization more formally, a Dapp might adopt more complicated functionality such as a constitution…”

It may seem that if a blockchain is stored on each network node, then special services or authorities can’t shut down Bitcoin on a whim, inasmuch as there is no centralized server or something similar — they have no one to go to if they want to shut it all down. That is just an illusion, however.

Actually, all “independent” miners are merged into pools (technically, they’re cartels). They have to merge on the assumption that it’s better to have a small but stable income than a huge payoff maybe every thousand years (and even that isn’t guaranteed if you mine on your own).

Chart: An estimate of computing power distribution among the largest mining pools.

The pie chart above shows approximately 20 of the largest mining pools, but the top 4 control more than 50% of all computing power. Gaining access to just four controlling computers would give someone the ability to double spend bitcoins. This, as you can imagine, would depreciate bitcoins somewhat, and doing it is actually quite feasible.

But the threat is even more serious than the above might imply, because the majority of pools, along with their computing powers, are located inside one country, which makes it much easier to capture them and gain control over Bitcoin.

Chart: Distribution of mining by country.

Myth #6: The anonymous and open character of the blockchain is a good thing

Quote #6: “Traditional government 1.0 is becoming outdated as a governance model in the blockchain era, especially as we begin to see the possibility to move from paternalistic, one-size-fits-all structures to a more granular personalized form of government.”

Blockchain is open, and everyone sees everything. Thus, blockchain has no real anonymity. It offers pseudonymity instead. Putting aside the significant issues that crooked users have with that, here’s why pseudonymity is bad for honest users. A simple example: I am transferring a few bitcoins to my mother. Here’s what she can learn:

  1. How much money I have at any given time.
  2. How much I spent and, more important, what I spent it on. She could also find out what I bought, what I gambled on, and what politician I supported “anonymously.”

Alternatively, if I paid back my friend for some lemonade, I would thus let him know everything about my finances. That’s hardly a trifling matter: Would you reveal the financial history of your credit card to everyone you knew? Keep in mind that this would include not only past but also future transactions.

Some disclosure may be tolerable for individuals, but it is deadly for companies. All of their contracting parties, sales, customers, account amounts, and every other little, petty detail would all become public. Financial transparency is perhaps one of the largest disadvantages of using Bitcoin.
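The mother example above, as added Python code that is not part of the original article: a constructed toy ledger plus the two standard chain-analysis heuristics (inputs of one transaction share an owner; the single never-seen-before address in a two-output transaction is the payer’s change) that let the recipient of one payment attribute addresses, list later spending and compute the payer’s balance. All transaction ids, addresses and amounts are invented.

```python
from collections import Counter

# Constructed toy ledger, not real Bitcoin data. A transaction spends earlier outputs
# (its inputs, given as (txid, output index)) and creates new outputs (address, amount);
# a transaction with no inputs is newly mined coins.
LEDGER = [
    {"id": "tx0", "inputs": [], "outputs": [("me_1", 3.0)]},
    {"id": "tx1", "inputs": [], "outputs": [("me_2", 2.0)]},
    {"id": "tx2", "inputs": [], "outputs": [("stranger_1", 7.0)]},
    {"id": "tx7", "inputs": [], "outputs": [("politician", 1.0)]},
    # I pay my mother 1.0 from two coins of mine; the 4.0 change goes to a fresh address of mine
    {"id": "tx3", "inputs": [("tx0", 0), ("tx1", 0)], "outputs": [("mom", 1.0), ("me_3", 4.0)]},
    # later I support a politician "anonymously"
    {"id": "tx4", "inputs": [("tx3", 1)], "outputs": [("politician", 0.5), ("me_4", 3.5)]},
    # unrelated activity by other people
    {"id": "tx5", "inputs": [("tx2", 0)], "outputs": [("lemonade_stand", 0.3), ("stranger_2", 6.7)]},
    {"id": "tx6", "inputs": [("tx5", 1)], "outputs": [("mom", 0.2), ("stranger_3", 6.5)]},
]
# A later transaction of mine: my mother can keep watching long after the payment to her.
FUTURE_TX = {"id": "tx8", "inputs": [("tx4", 1)], "outputs": [("bookshop", 0.7), ("me_5", 2.8)]}


def _index(ledger):
    outputs = {}            # (txid, vout) -> (address, amount)
    spent = set()           # outputs that some transaction consumed
    receives = Counter()    # how many times each address was paid
    for tx in ledger:
        for vout, (addr, amt) in enumerate(tx["outputs"]):
            outputs[(tx["id"], vout)] = (addr, amt)
            receives[addr] += 1
        spent.update(tx["inputs"])
    return outputs, spent, receives


def cluster_payer(ledger, payment_txid):
    """Addresses the payee can attribute to whoever paid them in `payment_txid`.
    Heuristic 1: all inputs of one transaction belong to one owner.
    Heuristic 2: in a two-output transaction, a lone never-seen-before address is change."""
    outputs, _, receives = _index(ledger)
    by_id = {tx["id"]: tx for tx in ledger}
    cluster = {outputs[i][0] for i in by_id[payment_txid]["inputs"]}
    changed = True
    while changed:                      # keep growing until no heuristic adds anything
        changed = False
        for tx in ledger:
            in_addrs = {outputs[i][0] for i in tx["inputs"]}
            if not in_addrs & cluster:
                continue
            new = in_addrs - cluster    # heuristic 1
            if len(tx["outputs"]) == 2:
                fresh = [a for a, _ in tx["outputs"] if receives[a] == 1]
                if len(fresh) == 1:     # heuristic 2; two fresh addresses stay undecided
                    new.add(fresh[0])
            if new:
                cluster |= new
                changed = True
    return cluster


def what_the_payee_learns(ledger, payment_txid):
    """Attributed addresses, every outgoing payment (txid, recipient, amount) and the
    current balance of the attributed addresses. When heuristic 2 cannot tell which
    output is change, both outputs are listed as payments and the balance is lost."""
    outputs, spent, _ = _index(ledger)
    cluster = cluster_payer(ledger, payment_txid)
    payments = []
    for tx in ledger:
        if any(outputs[i][0] in cluster for i in tx["inputs"]):
            payments += [(tx["id"], a, amt) for a, amt in tx["outputs"] if a not in cluster]
    balance = sum(amt for key, (a, amt) in outputs.items() if a in cluster and key not in spent)
    return {"addresses": cluster, "payments": payments, "balance": balance}


if __name__ == "__main__":
    print(what_the_payee_learns(LEDGER, "tx3"))
    print(what_the_payee_learns(LEDGER + [FUTURE_TX], "tx3"))
```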

Conclusion

Quote #7: “The connected world could usefully include blockchain technology as the economic overlay to what is increasingly becoming a seamlessly connected world of multidevice computing that includes wearable computing, Internet-of-Things (IoT) sensors…”

I have listed six major disadvantages of Bitcoin and the blockchain version it uses. You may ask: “Why did I have to learn it from you and not earlier from someone else? Is it possible that no one sees the problems?”

Some people may be blinded, some may simply not understand how the technology works, and others may see and realize everything but feel the system is working for them. It’s worth considering that many of those who have purchased bitcoins begin advertising and advocating them — as in a pyramid scheme. Why disclose that the technologies have disadvantages if you’re counting on the growth of the exchange rate?

Yes, Bitcoin has competitors that tried to solve some of these problems. Although some of those ideas are quite good, they are still based on the blockchain. And yes, there are other, nonmonetary applications for blockchain technology, but the main disadvantages are found in them as well.

So, if someone tells you that the invention of the blockchain can be compared with the invention of the Internet in terms of importance, be skeptical.

Cybercrime update: Big trouble in dark markets?

Many of the components required to commit cybercrime can be bought and sold online if you know the right part of the internet in which to look. These “dark markets” also enable cybercriminals to monetize the fruits of their larcenous labors, from botnet building to credential theft.

In the first part of our cybercrime update we noted more than a dozen arrests and other law enforcement actions against cybercriminals. In this, the second part of the update, we look at some of the “takedowns” that have hit the cyber-underworld this year, beginning with botnet bashing.

Down with malware spamming

One of the commodities that criminals buy and sell online is the ability to distribute malware using spam. This enables digital nastiness like password-stealers and fake antivirus software to be spread far and wide.

But because no self-respecting internet service providers will allow their systems to be used for spam operations, spammers use your systems instead: they secretly recruit them into “botnets” — networks of compromised computers. These bots can be laptops, workstations, even phones and servers. Botnet activity is coordinated through a form of software known as C2, short for Command and Control.

Botnets can use tens of thousands of machines at once to spew out spam. In recent years one of the most notorious botnets was called Kelihos. ESET researchers have previously described some of the characteristics and campaigns wrought by the Kelihos botnet, and its predecessor – known as Storm – in a technical paper: Same botnet, same guys, new code.

Well, in April, the person responsible for Kelihos, a Russian programmer by the name of Pyotr Levashov, was arrested while on vacation in Spain. Levashov has long been on the radar of US cybercrime investigators, having been charged back in 2009 with operating the Storm botnet.

Shortly after the arrest, the authorities moved to disrupt and dismantle Kelihos, blocking malicious domains associated with the botnet to prohibit further infections.

While there are still shady characters who formerly were clients utilizing the services of the Kelihos botnet, the takedown is likely to reduce global spam volumes at least temporarily. Furthermore, a swift conclusion to the Levashov case and a strong sentence (prison time plus asset forfeiture) could encourage some criminal spammers to switch to more legitimate activities.

Deep dark terminology

For those to whom the dark side of the internet is terra incognita, a dark market is a place to buy and sell goods online that is not readily accessible to the public. The FBI uses the following terms to describe this phenomenon. First, there is the Clear Web, the one we’re most familiar with, searchable through Google and Bing, comprising everything from news sites to social media, streaming media, and traditional ecommerce like online banking and stores such as Amazon.

In addition to the Clear Web, there is a whole bunch of internet enabled activity that is not readily searchable and cannot be reached without special software or appropriate credentials. This is the Deep Web and it includes certain member-only sites and forums that are used solely to discuss and transact illegal activity. Markets in the Deep Web are referred to as dark markets.

A subset of the Deep Web can only be accessed with special networking software (for example, the Tor browser). This part of the Deep Web is known as the DarkNet and is a haven for cybercrime. Until recently, this was where you could find two of the largest dark markets, known as AlphaBay and Hansa. Despite the FBI’s efforts to stick to this terminology, it is quite common for people to refer generically to any illicit internet activity as Dark Web (and let’s face it, these are all terms that are evolving over time, without “official” definitions).

Big trouble in dark markets

In June, a combined law enforcement effort took down AlphaBay and Hansa. So, what were the websites doing that bothered law enforcement? They were enabling people to indulge in cybercrime as they tried to buy and sell goods and services that are illegal. For example, in many countries and US states, it is illegal for citizens to own completely automatic firearms with large capacity magazines, but you can buy them in dark markets (Screenshot A).

SCREENSHOT A

The sale and purchase of malicious code such as ransomware is also illegal in many jurisdictions, but dark markets make it possible (Screenshot B). Clearly, dark markets that traffic in these items, and others, like child pornography, banned substances, and hacking services, are crime-enabling institutions.

The crime enablement aspect of dark markets is enhanced by the fact that they use crypto-currencies like Bitcoin which make parties to the buying and selling activity hard to trace. So, it is not surprising that law enforcement agencies in many countries are keen to take down dark markets and punish their users and operators.

SCREENSHOT B

Dark times for the DarkNet?

You may recall the 2013 takedown of Silk Road, a DarkNet predecessor to AlphaBay and Hansa. Headlines were made when the court imposed a life sentence on its creator and operator, Ross Ulbricht (a sentence that was recently upheld by the US Court of Appeals for the Second Circuit).

You may also know that new iterations of Silk Road soon appeared to replace the one that was taken down. This was due in part to the fact that a dark market typically hosts a collection of sellers; in other words, it is more of a dark bazaar than a dark department store. If a seller loses a stall in one market, that stall can quickly migrate to a different market.

So it is unlikely that the takedown of AlphaBay and Hansa will end the practice of selling illegal goods on the internet. However, it might well deter some aspiring criminals, particularly if the persons responsible for AlphaBay and Hansa meet the same fate at the hands of the criminal justice system as Ross Ulbricht. (In a tragic twist, the alleged creator of AlphaBay, a Canadian citizen living in Thailand, appears to have committed suicide in prison not long after his arrest.)

The AlphaBay/Hansa takedown is also likely to discourage some dark market sellers, given the way it was carried out: a sort of one-two punch. From studying past takedowns it was clear that customers quickly migrate from the closed market to the next best market that is still open.

So, here’s how law enforcement played it: the Dutch police took full control of Hansa on June 20. However, they kept it open and monitored activity until AlphaBay was closed in early July.

According to CNET, when AlphaBay was shuttered, police saw an eight-fold spike in traffic heading to Hansa. Here’s how Rob Wainwright, the Europol director put it: “We could identify and disrupt the regular criminal activity that was happening on Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities.”

In announcing the AlphaBay takedown the US authorities left no doubt as to how serious they are about prosecuting this type of criminal activity: “The seizure and shut-down of the AlphaBay criminal marketplace and the indictment and arrest of its founder should send a clear message. If you choose to become involved in administering a site like AlphaBay on the dark web, or decide to use it to engage in criminal transactions, you will have federal law enforcement and United States Attorney offices from every District and State across the nation pursuing you.”

Dark aftermath?

If you read what people familiar with dark markets are saying online, then it seems that this one-two blow may have shaken what you could call “dark market confidence”. When people talk about taking an extended break from purchasing, you know there is an abundance of fear and suspicion, which was clearly one of the goals of the police action (Screenshot C).

SCREENSHOT C

It will be interesting to see what impact, if any, the takedowns have on malware campaigns. We know that dark markets have enabled crimeware-as-a-service operations, notably ransomware-as-a-service. Will there be a temporary reprieve? Will a significant percentage of would-be criminals decide to do something more legitimate with their time and resources? Will the more committed criminals simply move their operations to other parts of the Deep Web?

I tend to think some folks will continue to chance their hand in dark markets. A hallmark of predatory criminals is the belief that they will never be caught, and sadly only a small percentage of cybercriminals are being caught (although the list of arrests in the first part of this article was encouraging).

SCREENSHOT D

Unfortunately, if you look at how much dark markets have evolved in the last few years, offering “fast, client-facing support”, as well as escrow services and multilingual help (Screenshot D), you get the impression they are backed by some determined people.

The unanswered question is: how many of them are willing to risk a life sentence?

Author Stephen Cobb, ESET

Multiple critical security vulnerabilities in Drupal 8, patches released

Users of the website management platform Drupal are urged to update their systems immediately, after the Drupal Security Team announced on Wednesday that versions 8.0 through 8.3.6 are affected by a number of critical security vulnerabilities.

As a result, the company has released a number of security patches to fix the access bypass vulnerabilities in Drupal 8. The problem affects sites that use the RESTful Web Services module and the comment entity REST resource, allowing attackers to illegally access user accounts and post comments.

“When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments,” the company writes.

“This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.”

A third party can exploit the CVE-2017-6925 flaw to make changes on the platform, including creating and deleting entries.

“There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity,” reads the site.

For more technical details, take a look at the advisory.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of August 14, 2017

One of my favorite movies is the 1999 comedy “Galaxy Quest,” which features the cast of a science-fiction television series similar to Star Trek. In the movie, the crew is visited by real aliens who ask them for help against an intergalactic adversary because they believe that Galaxy Quest is a documentary of historical documents – not a TV show. There’s a scene in the movie where someone pressed the button that destroys the ship. The crew makes it to the center of the ship where they can stop the process but the stop button doesn’t work. The countdown to destruction continues, but when the clock hits one second, it stops. Why? Because on a TV show, the clock always stops at one second before total destruction.

Sometimes, we can’t control the script of our real-life security world and the clock doesn’t stop at one second. Yesterday, the Zero Day Initiative (ZDI) published two zero-day advisories for vulnerabilities in Foxit Reader per the guidelines outlined in the ZDI disclosure policy. The two advisories, ZDI-17-691 and ZDI-17-692, allow remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. For more detailed analysis of the Foxit Reader vulnerabilities, you can read the ZDI blog: Busting Myths in Foxit Reader.

Adobe Security Update

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before August 8, 2017. The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an (*) shipped prior to this week’s DV package, providing zero-day protection for our customers. You can get more detailed information on this month’s security updates from Dustin Childs’ August 2017 Security Update Review from the Zero Day Initiative:

Bulletin #   CVE #             Digital Vaccine Filter #   Status
APSB17-23    CVE-2017-3085                                Local Only
APSB17-23    CVE-2017-3106     29353
APSB17-24    CVE-2017-3113     *26537
APSB17-24    CVE-2017-3115     *27233
APSB17-24    CVE-2017-3116     29354
APSB17-24    CVE-2017-3117                                Vendor Deemed Reproducibility or Exploitation Unlikely
APSB17-24    CVE-2017-3118     29358
APSB17-24    CVE-2017-3119     29359
APSB17-24    CVE-2017-3120     *27751
APSB17-24    CVE-2017-3121     *27948
APSB17-24    CVE-2017-3122     *28005
APSB17-24    CVE-2017-3123     *28032
APSB17-24    CVE-2017-3124     *28034
APSB17-24    CVE-2017-11209    *28035
APSB17-24    CVE-2017-11210    *28092
APSB17-24    CVE-2017-11211    *28218
APSB17-24    CVE-2017-11212    *28100
APSB17-24    CVE-2017-11214    *28216
APSB17-24    CVE-2017-11216    *27821
APSB17-24    CVE-2017-11217    *27812
APSB17-24    CVE-2017-11218    *27753
APSB17-24    CVE-2017-11219    *27820
APSB17-24    CVE-2017-11220    29360
APSB17-24    CVE-2017-11221    29413
APSB17-24    CVE-2017-11222    29352
APSB17-24    CVE-2017-11223    *28202
APSB17-24    CVE-2017-11224    *28202
APSB17-24    CVE-2017-11226    29349
APSB17-24    CVE-2017-11227    *28473
APSB17-24    CVE-2017-11228    *28475
APSB17-24    CVE-2017-11229    29361
APSB17-24    CVE-2017-11230    *28476
APSB17-24    CVE-2017-11231    *28478
APSB17-24    CVE-2017-11232    *28479
APSB17-24    CVE-2017-11233    *28481
APSB17-24    CVE-2017-11234    *28543
APSB17-24    CVE-2017-11235    29362
APSB17-24    CVE-2017-11236    29363
APSB17-24    CVE-2017-11237    29370
APSB17-24    CVE-2017-11238    29371
APSB17-24    CVE-2017-11239    *28544
APSB17-24    CVE-2017-11241    *28547
APSB17-24    CVE-2017-11242    28480, 28548
APSB17-24    CVE-2017-11243    *28663
APSB17-24    CVE-2017-11244    *28664
APSB17-24    CVE-2017-11245    *28666
APSB17-24    CVE-2017-11246    29414
APSB17-24    CVE-2017-11248    *28463
APSB17-24    CVE-2017-11249    *28464
APSB17-24    CVE-2017-11251    29418
APSB17-24    CVE-2017-11252    *28477
APSB17-24    CVE-2017-11254    29350
APSB17-24    CVE-2017-11255    *28741
APSB17-24    CVE-2017-11256    *28735
APSB17-24    CVE-2017-11257    *28734
APSB17-24    CVE-2017-11258    *28732
APSB17-24    CVE-2017-11259    *28733
APSB17-24    CVE-2017-11260    *28731
APSB17-24    CVE-2017-11261    *28730
APSB17-24    CVE-2017-11262    29355
APSB17-24    CVE-2017-11263    29369
APSB17-24    CVE-2017-11265    *28916
APSB17-24    CVE-2017-11267    29364
APSB17-24    CVE-2017-11268    29365
APSB17-24    CVE-2017-11269    29366
APSB17-24    CVE-2017-11270    29367
APSB17-24    CVE-2017-11271    29368

TippingPoint Operating System (TOS) v3.9.2 Release

Earlier this week, we issued a maintenance release, version 3.9.2 build 4784, of the TippingPoint Operating System (TOS) for the N/NX Platform family. For the complete list of enhancements and changes, please refer to the product Release Notes located on the Threat Management Center (TMC) Web site at https://tmc.tippingpoint.com. Customers with questions or needing technical assistance can contact the TippingPoint Technical Assistance Center (TAC).

Zero-Day Filters

There are 14 new zero-day filters covering two vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (11)

  • 29362: HTTP: Adobe Acrobat Pro DC ImageConversion JPEG Use-After-Free Vulnerability (ZDI-17-590)
  • 29363: HTTP: Adobe Acrobat Pro DC Forms Information Disclosure Vulnerability (ZDI-17-591)
  • 29364: HTTP: Adobe Acrobat Pro DC ImageConversion Memory Corruption Vulnerability (ZDI-17-621)
  • 29365: HTTP: Adobe Acrobat Pro DC ImageConversion Information Disclosure Vulnerability (ZDI-17-622)
  • 29366: HTTP: Adobe Acrobat Pro DC ImageConversion Information Disclosure Vulnerability (ZDI-17-623)
  • 29367: HTTP: Adobe Acrobat Pro DC ImageConversion Information Disclosure Vulnerability (ZDI-17-625)
  • 29368: HTTP: Adobe Acrobat Pro DC ImageConversion Memory Corruption Vulnerability (ZDI-17-629)
  • 29370: HTTP: Adobe Acrobat Pro DC Font Parsing Information Disclosure Vulnerability (ZDI-17-592)
  • 29371: HTTP: Adobe Acrobat Pro DC ImageConversion EMF Information Disclosure Vulnerability (ZDI-17-593)
  • 29414: HTTP: Adobe Acrobat Pro ImageConversion JPEG Information Disclosure Vulnerability (ZDI-17-603)
  • 29418: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-609)

Trend Micro (3)

  • 29333: HTTPS: Trend Micro SafeSync for Enterprise replace_local_disk Command Injection (ZDI-17-119)
  • 29337: HTTP: Trend Micro SafeSync for Enterprise dead_local_disk Command Injection (ZDI-17-118)
  • 29338: HTTPS: Trend Micro SafeSync for Enterprise dead_local_disk Command Injection (ZDI-17-118)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

IDG Contributor Network: Can the U.S. Senate secure the Internet of Things?

As a free and open internet continues to come under assault by the FCC’s proposal to effectively end net neutrality, investors, programmers, and internet users of all stripes have vociferously voiced their support of the Internet of Things (IoT) and the open web that enables it. It appears those voices have been heard, as the U.S. Senate may be taking steps to secure the IoT’s future.

So, what exactly is the U.S. Senate up to, and how might its actions impact the health of the IoT? What are the specifics of the bill in question, and how might its text impact Americans’ everyday lives as they make use of the IoT?

A hopeful IoT security bill

A new bipartisan bill published Tuesday by Sen. Mark Warner (D-Va.) and Sen. Cory Gardner (R-Colo.), the Internet of Things Cybersecurity Improvement Act of 2017, hopes to beef up America’s internet security. The bill highlights the enormous complexity of the IoT and the huge benefits it provides to the American economy, but it also notes the fragility and vulnerability of the system to outside attacks.

The crux of the bill is that it will force companies that sell web-connected devices to the U.S. government to do more to ensure the cybersecurity of said devices. Vendors to the government must ensure that whatever gadgets they sell to Uncle Sam are patchable, don’t contain known vulnerabilities, and don’t contain hard-coded passwords, amongst other measures.

The bill also directs the Office of Management and Budget to develop alternative network-level security requirements for devices with limited processing capabilities. Critically, it even mandates that the government inventory all internet-connected devices used by executive agencies, a hurdle which could prove to be insurmountable.

Securing the IoT is a herculean task, and even the U.S. Senate may not be fully cut out for the job. Some analysts expect IoT spending to rocket to over $800 billion by the end of 2017, meaning the government and its private vendors will be dealing with millions if not billions of individual gadgets and devices. As the expansion of the IoT shows no signs of slowing down, the number of devices affected by the legislation and the funds needed to carry it out will only grow with time.

The firm Govini has previously reported that government spending on sensors nearly tripled from FY2011 to FY2015, as well. As the government and its private contractors employ more sensors, keeping track of them and ensuring they’re adequately patched to prevent security breaches could become virtually impossible.

The senators sponsoring the bill appear to be well aware of its potential limitations, and they have included sections in the bill’s text that may make it easier for government officials to comply with it. Agencies could purchase devices that are non-compliant with the bill, for instance, as long as they get permission from the OMB and demonstrate that the devices are still secure.

Preventing future IoT attacks

The legislation is the most concrete response yet to the devastating 2016 cyber attack that crippled portions of the internet. Experts say the attack, which brought down highly trafficked sites such as Reddit, Twitter, and CNN, was largely carried out by a botnet made up of IoT devices.

While many consumers may worry that their home appliances may be hijacked by malevolent hackers, the real threat to the IoT could come from further large-scale attacks such as the one seen in 2016. As more and more devices connect to one another, as Movers Corp. is finding out, malware can gain access to lightly protected IoT devices across the nation and enlist them in its brutal attacks.

The European Commission has already attempted to tackle the problem of IoT security, meaning the U.S. Senate will be able to look elsewhere for guidance as it attempts to craft its own legislation. Both the new EU rules and the bill being pushed in the U.S. Senate could end up costing vendors who create and sell appliances to governments a pretty penny, but the additional regulations are likely the only way to secure the rampantly ungoverned IoT.

Major tech companies such as Apple and Microsoft already regularly deliver updates and patches to their consumers’ gadgets, often on a monthly basis. The new IoT bill could essentially work to force vendors’ hands so that they, too, have to take more steps to ensure IoT security before passing their gadgets off to government workers who may be unfamiliar with IT.

The push for greater IoT security is not new to Sen. Warner, who has lobbied the FCC in the past for more stringent rules on data security. Whether the bill gains enough support to pass in an increasingly gridlocked Congress remains to be seen, but taking action to ensure the IoT’s health and security is a step in the right direction.

The most important security acquisitions of 2017 so far


This year is already shaping up to be an interesting year for acquisitions as some of the biggest names in technology swallow up vendors and startups – with a particular focus on machine learning, AI, and automation.

AWS quietly picked up a small San Diego startup – Harvest.ai – to boost its cloud threat detection capabilities, while Microsoft splashed out a figure believed to be around the $100 million mark for Israeli automated incident response business Hexadite.

Read on for the most important cybersecurity acquisitions of 2017 so far. 

Rogers Cup ‘Tech and Tennis Day’ cybersecurity panel

While you might not think tennis and cybersecurity have much in common, both can be unpredictable and therefore require you to keep your eye on the ball.

But unlike a tennis match, cybersecurity is no game.

In its efforts to help consumers and businesses maintain a home court advantage, ESET – an official sponsor of the 2017 Rogers Cup – gave away one-year protection software to attendees in Toronto, and took part in the cybersecurity panel on the inaugural Salesforce Tech and Tennis Day, presented by ESET on August 10.

The lively discussion centered on current security threats and solutions along with the potential issues we might face in the future.

Alongside yours truly, Security Intelligence Team Lead Alexis Dorais-Joncas graced the stage for the discussion, together with two other cybersecurity experts: Eliot Behar, former Security Counsel for Apple, and Sean Earhard, Head of Advanced Threat Solutions at Cisco Canada.

The emcee and moderator for the morning event was none other than Amber MacArthur, celebrated author, TV and radio personality, and public speaker.

Cyberthreat today

The first question focused on our most concerning cyberthreat today, to which Alexis replied, “human error,” as it’s easy to be duped into giving away private information if the source seems legitimate. Alexis gave an anecdote about a planned phishing attempt at a business, to see what would get through. If the email looked suspicious, including multiple spelling or grammatical errors, none of the employees clicked on the link or clicked on an attachment. But a subsequent email, which looked a lot more legitimate, fooled 99 percent of those same employees.

Yikes! You could hear an audible gasp from the crowd.

I mirrored much of Alexis’s sentiment in my response – that software may help stop a malware (malicious software) attack, but employees could be voluntarily sharing private info if an email looks legitimate, which puts your company’s data at risk. As such, good policies, practices and procedures need to be established – and reviewed often – with all employees, regardless of the size of the company.

In fact, I also acknowledged that nearly 98 percent of businesses in Canada are small businesses and many believe they’re not at risk from a cyberattack. Malicious types are capitalizing on this misconception and are specifically targeting small and midsize businesses (SMBs) with various kinds of phishing and ransomware attempts. Attacks may come in all forms, but many take advantage of lapses in common sense.

Another concern is our growing Bring Your Own Device (BYOD) culture, where we are encouraged to bring our own personal devices into the workplace, which could introduce more cybersecurity risks.

Alexis pointed out the importance of good software to help flag those risks. For example, ESET software scans an email on the gateway before it reaches the receiver. It scans the email again in the receiver’s inbox and again after it’s opened. “This multilayered approach helps to protect and catch threats at each layer,” said Alexis. “ESET’s differentiator is its DNA technology, which utilizes generic signatures against malware attacks.”

Alexis also said ignoring software updates makes your system vulnerable – whether it’s a mobile device, a laptop or a desktop – as these threats target systems that are not up to date.

Motivation of cyberattacks

As the session continued, Amber asked about the motivation of cyberattacks, to which Alexis talked about state-sponsored attacks, which may be more politically motivated, and those driven by organized crime, which are more financially motivated. “They’re both exceptionally difficult to defend against because they have time to plan their attacks and that makes them exceptionally efficient versus the average attacker who will launch an attack, pocket the money, and be done with it,” he said.

Amber asked about cyberspace becoming “militarized.” Panelists Eliot Behar and Sean Earhard believed it had already begun. Alexis said many countries already have units specializing in defensive and offensive measures in cyberspace – including Canada’s Department of National Defence, which announced in May that it would “strengthen” its cyberwarfare arsenal.

When asked about new and upcoming threats, I spoke of the emerging Internet of Things (IoT) revolution, where all our devices are talking to each other. I cited stats that suggest there are 8.5 billion IoT devices today, including machine-to-machine (M2M) connections, but that number is expected to balloon to 50 billion devices by 2020.

While more entry points can translate to increased vulnerability, I suggested during the panel that IoT might actually (or ironically) bolster security, if we can make devices serve as authenticators. For instance, instead of a smartwatch or connected car being an added threat, what if a second or third device was required for authentication, perhaps to enter a business?

Improve your cybersecurity

Finally, Amber challenged the panelists to suggest ways to improve cybersecurity and “perimeter-based” security popped up in the discussion that followed.

Alexis said the key for any organization is to have layers of security. “Border security is basic – it can be compared to a lock on a house – but it’s the added level of security measures beyond the ‘perimeter’ that create a safe network,” he said. “The best strategy is to make the attackers’ job as difficult as possible by having security at every level to protect against breaches.”

As we wrapped up, Amber asked about building a safer cyberworld. In my response, I focused heavily on education in the workplace. I cited a free training module for cybersecurity awareness that any administrator in an organization can download and distribute. There is even certification after completion of the two-hour course.

Finally, I reinforced the necessity to be proactive, and to preemptively back-up important information – in case something happens. Downtime for a business could be damaging, so you need to ensure safeguards are in place to protect the business from these threats, whether it’s cloud back-up with redundant/mirrored servers (in case one goes down), strong cybersecurity software or regularly reviewed good practices with employees.

It was an honour to be part of Rogers Cup’s Tech and Tennis Day – alongside Alexis Dorais-Joncas, whom I’ve had the pleasure of interviewing on my radio shows – and I hope the attendees of this cybersecurity panel walked away with more insights after our discussion. And a clear call to action, too.

Author , ESET

Locky ransomware returns in two new variants

The Locky ransomware has returned in the form of two new strains, security researchers at Malwarebytes have warned.

Locky was one of the three most widely distributed forms of malware in 2016, along with Cryptowall and Cerber. But although ransomware has boomed during 2017, Locky has been largely quiet.

But on 9 August, Locky made a dramatic return, using a new ransom note and file extension, ‘.diablo6’, which it followed up a week later with another variant, with the extension ‘.Lukitus’.

What hasn’t changed, though, is the method of distribution.

Rather than rifling through the trove of leaked US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.

The new Locky variants, adds Malwarebytes, call back to different command-and-control (C2) servers and use the affiliate IDs AffilID3 and AffilID5.
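Both delivery patterns named above (a malicious Office file, or a ZIP archive carrying a script) can be caught at the mail gateway before a user ever opens them. The following is an added example for this page, not Malwarebytes’ or any vendor’s code: it triages constructed in-memory attachments, opens ZIP archives to inspect their contents, and flags script files (including double-extension tricks such as `invoice.pdf.js`) and macro-capable Office formats. The extension lists are this example’s own assumptions, not a published indicator set.

```python
"""Triage e-mail attachments for script-in-archive and Office-document lures.

Added example for this page; the sample attachments below are constructed in
memory, and the extension lists are the author's assumptions.
"""
import io
import zipfile

# Assumed lists: script types Windows will execute on double-click, and
# Office formats that can carry macros (legacy binary and macro-enabled).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}
OFFICE_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
ARCHIVE_EXTS = {".zip"}


def _ext(name):
    """Last extension of a filename, lower-cased ('' if none)."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_double_extension(name):
    """True for names like 'scan.pdf.vbs': the last extension decides what runs."""
    parts = name.lower().split(".")
    return len(parts) > 2 and "." + parts[-1] in SCRIPT_EXTS


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTS:
        findings.append(f"script attachment: {filename}")
    elif ext in OFFICE_EXTS:
        findings.append(f"macro-capable office document: {filename}")
    elif ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename
                    if _ext(inner) in SCRIPT_EXTS or _has_double_extension(inner):
                        findings.append(f"script inside archive: {filename}!{inner}")
                    elif _ext(inner) in OFFICE_EXTS:
                        findings.append(f"macro-capable office document inside archive: {filename}!{inner}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself suspicious; route it to a sandbox.
            findings.append(f"archive extension but not a valid zip: {filename}")
    return findings


def build_zip(entries):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample message: one benign PDF, two script-bearing archives,
# one harmless photo archive and one macro-enabled Word document.
SAMPLE_MAIL = [
    ("report.pdf", b"%PDF-1.4 constructed"),
    ("invoice_8821.zip", build_zip({"invoice_8821.js": b"// constructed script body"})),
    ("scan.zip", build_zip({"scan_0017.pdf.vbs": b"' constructed"})),
    ("photos.zip", build_zip({"a.jpg": b"\xff\xd8", "b.jpg": b"\xff\xd8"})),
    ("Q3_figures.docm", b"PK constructed"),
]


def triage_mail(attachments):
    """Map each flagged attachment name to its findings (clean ones are omitted)."""
    flagged = {}
    for name, data in attachments:
        findings = triage_attachment(name, data)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage_mail(SAMPLE_MAIL).items():
        print(name, "->", "; ".join(findings))
```

Flagging an Office document here means “hold for macro inspection or sandboxing”, not “block”; the script-in-archive hits are the ones a gateway can quarantine outright, since there is no legitimate reason for an invoice to arrive as a zipped `.js` file.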

“Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more. The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time,” the company warned in a briefing note.

In 2016, a US hospital was forced to pay $17,000 in bitcoin in order to recover devices that had fallen victim to the Locky ransomware.

Locky is a variant on the Dridex banking Trojan, which is believed to have been behind the theft of around £20m from bank accounts in the UK alone, refitted for ransomware rather than stealing online banking credentials. Both are associated with the Necurs malware distribution botnet.

Back then, security researchers at Proofpoint pointed out the connection between Dridex and Locky.

“While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the past year,” warned the company in an advisory.

It continued: “The actors behind Locky are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, now we’re seeing even higher volumes with Locky, rivalling the largest Dridex campaigns we have observed to date.” 

LG hit by WannaCry ransomware after IT staff fail to apply security patches

South Korean electronics giant LG is believed to have been infected with the WannaCry ransomware after IT staff failed to apply security patches to all its Windows PCs and servers. 

WannaCry infected several hundred thousand Windows machines within days of its release in May, using a US National Security Agency (NSA) exploit to self-propagate. 

That exploit, called EternalBlue, used security flaws in Microsoft’s perennially insecure SMB networking protocol that the NSA had used for years in its own covert work. 

And, according to security specialists, the outbreak is almost entirely down to negligence or incompetence on the part of LG’s IT staff. 

“Reports suggest that the company had not applied all the security updates available from Microsoft. This highlights something that we already knew – many organisations are not good at applying software security updates,” said Dean Ferrando, EMEA Manager at Tripwire.

Applying available patches, as quickly as possible, is one of the easiest ways to keep an organisation safe from new and emerging threats. 

“Applying available patches is one of the easiest ways to keep an organisation safe from new attacks. However, the unfortunate truth is that, despite the warnings and advisories to patch and secure the systems, there will always be a system that is missed,” said Ferrando.

He continued: “Complacency could be another reason why new outbreaks are being discovered – some companies may feel that because they were not impacted in the immediate period of time afterwards, they won’t be infected as the controls they have in place are working without checking.

“Conficker hit us in 2008 with a similar attack, causing an outbreak globally. Companies patched and secured their systems but months after the outbreak, Conficker was still infecting companies that hadn’t taken the necessary precautions.”

LG has not officially confirmed that it’s been struck by WannaCry yet – the company hasn’t responded to requests for comment. According to reports, the company has had to close down some of its facilities in South Korea in order to contain the infection.

Speaking to the Korea Herald, the company admitted that it had been the target of a ransomware attack, but added that it hadn’t been badly affected.

“The problem was found to be caused by ransomware,” said a spokesperson. “There was no damage such as data encryption or asking for money, as we immediately shut down the service centre network.” 

Weekly update 48 (windy Sydney edition)

I’ve been in Sydney all week for the NDC conference here so it’s been a pretty non-stop time. A 2-day workshop, 2 new Pluralsight courses, 2 talks and all the usual social things that go along with these. But regardless, I got that Ubiquiti UniFi course out and a blog post to go along with it. I’m keeping things brief here now as I prepare for (the always epically fun) Pubcon, more next week from snowy Australia. Yes – snow!

References

  1. Everything you need to know about Ubiquiti UniFi to get started (this is such awesome gear and I love hearing about how happy people are with it)
  2. Terbium is sponsoring my blog (a repeat sponsor I’m very grateful to have onboard)

NBlog August 18 – security culture through awareness

That sums up our approach to using security awareness as a mechanism to foster a ‘culture of security’. In the spirit of yesterday’s blog, rather than wax lyrical, I’ll let the diagram speak for itself. ‘Nuff said.

Blowing the Whistle on Bad Attribution

The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

The story, “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking,” details the plight of a hacker in Kiev better known as “Profexer,” who has reportedly agreed to be a witness for the FBI. From the story:

“Profexer’s posts, already accessible to only a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. American intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.”

The Times’ reasoning for focusing on the travails of Mr. Profexer comes from the “GRIZZLYSTEPPE” report, a collection of technical indicators or attack “signatures” published in December 2016 by the U.S. government that companies can use to determine whether their networks may be compromised by a number of different Russian cybercrime groups.

The only trouble is nothing in the GRIZZLYSTEPPE report said which of those technical indicators were found in the DNC hack. In fact, Profexer’s “P.A.S. Web shell” tool — a program designed to insert a digital backdoor that lets attackers control a hacked Web site remotely — was specifically not among the hacking tools found in the DNC break-in.

The P.A.S. Web shell, as previously offered for free on the now-defunct site profexer[dot]name.

That’s according to Crowdstrike, the company called in to examine the DNC’s servers following the intrusion. In a statement released to KrebsOnSecurity, Crowdstrike said it published the list of malware that it found was used in the DNC hack, and that the Web shell named in the New York Times story was not on that list.

Robert M. Lee is founder of the industrial cybersecurity firm Dragos, Inc. and an expert on the challenges associated with attribution in cybercrime. In a post on his personal blog, Lee challenged The Times on its conclusions.

“The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups,” Lee wrote.

“The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC,” he continued. “The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere [link added]. In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece.”

Perhaps in response to Lee’s blog post, The Times issued a correction to the story, re-writing the above-quoted and indented paragraph to read:

“It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the election hacking and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.”

[Side note: Profexer may well have been doxed by this publication just weeks after the GRIZZLYSTEPPE report was released.]

This would not be the first time the GRIZZLYSTEPPE report provided fodder for some too-hasty hacking conclusions by a major newspaper. On December 31, 2016, The Washington Post published a breathless story reporting that an electric utility in Vermont had been compromised by Russian hackers who had penetrated the U.S. electric grid.

The Post cited unnamed “U.S. officials” saying the Vermont utility had found a threat signature from the GRIZZLYSTEPPE report inside its networks. Not long after the story ran, the utility in question said it detected the malware signature in a single laptop that was not connected to the grid, and the Post was forced to significantly walk back its story.

Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law at UT Austin, said indicators of compromise or IOCs like those listed in the GRIZZLYSTEPPE report have limited value in attributing who may be responsible for an online attack.

“It’s a classic problem that these IOCs indicate you may be compromised, but they’re not very good for attribution,” Tait said. “The Grizzly Steppe report is a massive file of signatures, and loads of people have run those, found various things on their network, and then assumed it’s all related to the DNC hack. But there’s absolutely no tie between the DNC hack that in any way involved this P.A.S. Web shell.”
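Tait’s point is easy to see in code: an indicator feed compiled from several threat groups will tell you that a host touched something on the list, but the same indicator is often shared by more than one group, so a hit on its own says nothing about who is behind it. The following is an added example for this page (not Tait’s, Lee’s or any agency’s code) that matches a constructed indicator list against constructed proxy and file-scan log lines and reports hits per host while keeping the “groups sharing this indicator” list separate from any attribution verdict. All domains, hashes, group names and log lines are invented for illustration and are not taken from the GRIZZLY STEPPE report.

```python
"""Match a constructed IOC list against constructed log lines and report hits
without turning them into attribution claims.

Added example for this page; indicator values, group names and log lines are
invented, not taken from GRIZZLY STEPPE or any real report.
"""
import re
from collections import Counter

# Constructed indicator feed. Each indicator lists the groups the feed
# associates with it, as in a compilation drawn from several threat groups.
IOC_FEED = {
    "domain": {
        "update-check.example.net": ["group-A", "group-B"],
        "cdn-static.example.org": ["group-C"],
    },
    "sha256": {
        # A widely shared web shell: one hash, three groups known to use it.
        "0" * 63 + "1": ["group-A", "group-B", "group-C"],
    },
}

# Constructed proxy and file-scan log lines ("<ts> <source> key=value ...").
SAMPLE_LOGS = [
    "2017-08-14T10:01:02Z proxy host=ws-017 dst=update-check.example.net status=200",
    "2017-08-14T10:05:44Z proxy host=ws-017 dst=www.example.com status=200",
    "2017-08-14T10:07:13Z filescan host=ws-017 path=/var/www/html/img.php sha256="
    + "0" * 63 + "1",
    "2017-08-14T11:20:00Z proxy host=ws-042 dst=cdn-static.example.org status=304",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into (timestamp, source, {key: value})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV_RE.findall(rest))


def match_iocs(lines, feed=IOC_FEED):
    """Return one hit record per matched indicator; no attribution is inferred."""
    hits = []
    for line in lines:
        ts, source, fields = parse_line(line)
        candidates = [("domain", fields.get("dst")), ("sha256", fields.get("sha256"))]
        for kind, value in candidates:
            if value and value in feed.get(kind, {}):
                hits.append({
                    "timestamp": ts,
                    "source": source,
                    "host": fields.get("host"),
                    "kind": kind,
                    "value": value,
                    "associated_groups": list(feed[kind][value]),
                })
    return hits


def summarize(hits):
    """Per-host view: how many indicators fired and which groups share them.

    The group list is deliberately reported as "groups sharing these
    indicators", not as "attributed to": a shared indicator identifies
    none of them, and attribution needs evidence the feed does not carry.
    """
    per_host = {}
    for hit in hits:
        entry = per_host.setdefault(hit["host"], {"indicators": 0, "groups": Counter()})
        entry["indicators"] += 1
        entry["groups"].update(hit["associated_groups"])
    return {
        host: {
            "indicators_hit": data["indicators"],
            "groups_sharing_these_indicators": sorted(data["groups"]),
            "verdict": "possible compromise; investigate host (IOC hit is not attribution)",
        }
        for host, data in per_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize(match_iocs(SAMPLE_LOGS)).items():
        print(host, info)
```

On the constructed data, `ws-017` fires two indicators whose group lists together cover every group in the feed, which is exactly the situation Tait describes: the host very likely needs a forensic look, but nothing in the feed says which group, if any, is responsible.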

If it’s not always clear how seriously to take conclusions from Uncle Sam about the sources of cybercrime, it certainly doesn’t help when intelligence agencies are still relying on discredited sources of information about the sources of cyberattacks. As Mr. Lee observed at the top of his blog post, the Twitter account for the U.S. Defense Intelligence Agency tweeted on Aug. 14, 2017: “Cyber attacks going on right now #DoDIIS17”.

The DIA tweet included a brief video of the global threat map produced by Norse Corp., a company whose lovely but otherwise misguided efforts at cyber attack attribution have been repeatedly denounced by Lee and other cybersecurity experts. For more on how Norse self-destructed from the inside, see my Jan. 2016 story, Sources: Security Firm Norse Corp. Imploding.

One final note: Wired.com has a lengthy but tremendous new story worth reading called A Guide to Russia’s High Tech Tool Box for Subverting US Democracy. It makes a convincing case that the real, long-term goal of Russian state-sponsored hacking activity is to sow public and popular distrust in the democratic process and to weaken democratic institutions inside countries that support the North Atlantic Treaty Organization (NATO).
