CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine, eavesdropping on sensitive conversations by remotely controlling PC microphones to surreptitiously bug its targets.
Because it uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”
The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware.
Operation BugDrop infects its victims using targeted email phishing attacks and malicious macros embedded in Microsoft Office attachments. It also uses clever social engineering to trick users into enabling macros if they aren’t already enabled.
The security firm has confirmed at least 70 victims successfully targeted by the operation in a range of sectors, including critical infrastructure, media and scientific research. These include a company that designs remote monitoring systems for oil and gas pipeline infrastructures; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in the Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines and water supply plants.
Most of the targets are located in the Ukraine, but there are also targets in Russia and a smaller number of targets in Saudi Arabia and Austria. Many targets are located in the self-declared separatist states of Donetsk and Luhansk, which have been classified as terrorist organizations by the Ukrainian government.
“Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources,” said CyberX, in an analysis. “In particular, the operation requires a massive back-end infrastructure to store, decrypt and analyze several GB per day of unstructured data that is being captured from its targets. A large team of human analysts is also required to manually sort through captured data and process it manually and/or with Big Data-like analytics.”
Initially, CyberX saw similarities between Operation BugDrop and a previous cyber-surveillance operation discovered by ESET in May 2016 called Operation Groundbait. However, despite some similarities in the tactics, techniques and procedures (TTPs) used by the hackers in both operations, Operation BugDrop’s TTPs are significantly more sophisticated than those used in the earlier operation. For example, as mentioned, it uses Dropbox for data exfiltration, a clever approach because Dropbox traffic is typically not blocked or monitored by corporate firewalls.
And, it uses reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. Reflective DLL Injection loads malicious code without calling the normal Windows API calls, thereby bypassing security verification of the code before its gets loaded into memory. Encrypted DLLs, thereby avoiding detection by common anti-virus and sandboxing systems because they’re unable to analyze encrypted files.
The perpetrators are likely nation-state backed.
“Skilled hackers with substantial financial resources carried out Operation BugDrop,” CyberX noted. “Given the amount of data analysis that needed to be done on [a] daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience. While we are comfortable assigning nation-state level capabilities to this operation, we have no forensic evidence that links BugDrop to a specific nation-state or group. Attribution is notoriously difficult, with the added difficulty that skilled hackers can easily fake clues or evidence to throw people off their tail.”
CompTIA, the information technology (IT) association, has unveiled a vendor-neutral certification, CompTIA Cybersecurity Analyst (CSA+), designed to bring behavioral analytics to the forefront of assessing cyber-threats.
Cybersecurity’s workforce shortage is well-documented. By 2022, there will be 1.8 million positions open for highly trained candidates with advanced skills capable of moving beyond traditional approaches. The demand for cybersecurity analysts is already strong: The Bureau of Labor Statistics project growth of 18% from 2014 to 2024, making it the fastest growing job roles in the US workforce—not just in technology but across all categories.
The CompTIA CSA+ certification will offer broad-spectrum validation of knowledge and skills required to configure and use cyber-threat detection tools, perform data analysis and interpret the results to identify vulnerabilities, threats and risks to an organization. It certifies knowledge of a data-driven approach to information security.
"The internet of things is not only bringing greatly expanded capability to homes and businesses, it's also opening up potentially billons of new points of vulnerability that need to be secured," said CompTIA president and CEO Todd Thibodeaux. "It's an economic and societal imperative to train and certify hundreds of thousands of IT professionals with the analytical skills they need to address the complexity and diversity of threats as they multiply."
“By placing greater emphasis on data analytics, we get a real-time, holistic view of the behavior of the network, its users and their devices, to identify potential vulnerabilities and strengthen them before an intrusion happens,” added CompTIA’s senior director for products, James Stanger. “Armed with this information, cybersecurity professionals can more precisely identify potential risks and vulnerabilities so that resources can be allocated where they're most needed.”
The new CSA+ certification strengthens CompTIA’s portfolio of security credentials. It bridges the skills gap between CompTIA Security+ and the CompTIA Advanced Security Practitioner (CASP) exam to create a vendor-neutral cybersecurity career pathway. CompTIA Security+ is the benchmark for best practices in IT security, covering essential principles for network security and risk management, while CompTIA Advanced Security Practitioner certifies critical thinking and judgment across a broad spectrum of security disciplines.
CompTIA CSA+ has received a Certificate of Accreditation from the American National Standards Institute (ANSI), signifying that it meets ISO/IEC 17024:2012 general requirements for personnel certifications.
Security experts are warning of a 50%+ increase in Android ransomware over the past year as cyber-criminals import techniques from the desktop world and continue to develop their own tactics.
Eset claimed in its new Trends in Android Ransomware report that the black hats are shifting channels to target the devices which increasingly hold large amounts of valuable data.
The ransomware can be spread by email but is typically disseminated in legitimate looking apps on third party Android stores, Eset claimed.
“To avoid the unwanted attention, attackers have started to encrypt malicious payloads, burying them deeper in the application – often moving them to the assets folder, typically used for pictures or other necessary contents. Infected applications often seem to have no outside functionality, but in reality work as a decryptor able to decrypt and run the hidden ransomware payload. However, using technically more advanced techniques, such as exploit-driven drive-by downloads, is not very common on Android.”
Some variants use click-jacking techniques to trick the user into giving them Device Administrator privileges. These help to protect the malware against uninstallation.
Police “lock-screen” type ransomware is still very popular in the mobile world, although crypt-ransomware like Simplocker has also been spotted by Eset.
The hackers are increasingly looking to shift their focus out from Eastern Europe to US victims, although Asia has also crept onto the radar with the “Jisut” variants becoming popular.
Eset urged users to avoid all third party app stores, to keep their device protected by AV and to have a “functional backup of all important data” to hand.
There are also options for those who’ve fallen victim. Booting the device into Safe Mode will help tackle simple lock-screen ransomware.
Eset also urged users not to pay up if infected.
“As far as ransomware on Android is concerned, we have seen several variants where the code for decrypting files or uninstalling the lock-screen was missing altogether, so paying would not have solved anything,” it claimed.
The volume of global mobile ransomware soared nearly four times between 2015 and 2016, according to stats from Kaspersky Lab.
A Florida man has been sentenced to four years behind bars after being found guilty of crimes linked to a major spam business which netted him over $1 million.
Timothy Livingston, 31, of Boca Raton, ran a company called A Whole Lot of Nothing, which specialized in sending spam emails on behalf of clients.
These ranged from legitimate businesses like insurance companies to those selling illegal narcotics, according to the Department of Justice.
Livingston pleaded guilty to one count each of conspiracy to commit fraud in connection with computers and access devices; conspiracy to commit fraud in connection with electronic mail and aggravated identity theft.
He’s said to have enlisted the help of associate Tomasz Chmielarz, 33, of Rutherford, New Jersey, to write computer programs to spam on behalf of his clients without disclosing the source of the unsolicited messages.
Livingston also used proxy servers and botnets to stay hidden and bypass spam filters. The DoJ claimed he hacked individual email accounts and corporate email servers to send huge volumes of spam anonymously.
The pair are also said to have exploited vulnerabilities in several corporate websites, allowing them access to the email servers they needed to spam on behalf of their clients.
In total, the scheme made Livingston $1.3m in illegal profits until the FBI’s Cyber Division tracked him down. He apparently charged between $5 and $9 for each email resulting in a completed transaction for a client.
Chmielarz and a third man, Devin James McArthur, 28, of Ellicott City, Maryland, pleaded guilty to computer and fraud-related crimes back in June 2016.
McArthur admitted giving Livingston remote access to the corporate network of his then employer, enabling the theft of over 24 million records from a customer database.
The names, addresses, phone numbers and email addresses of potential, current and former customers were obtained for use in follow-up spam campaigns.
A group of US lawmakers has asked the House Oversight Committee to urgently review whether their President is putting national security at risk.
In a letter late last week the members of Congress pointed out four things that could be playing into the hands of foreign powers.
The first was Trump’s alleged use of an insecure Android phone – likely a Samsung S3 – to tweet from.
“Cybersecurity experts universally agree that an ordinary Android smartphone, which the President is reportedly using despite repeated warnings from the Secret Service, can be easily hacked,” argued congressman Ted Lieu.
“This behavior is more than bad operational security – it is an egregious affront to national security.”
Not only could the President’s Twitter account be hacked “with disastrous consequences for global stability,” but the Samsung device could be infiltrated by foreign spies to “present the President with alternative information” which could have “a huge impact on his beliefs and actions,” the letter warned.
It also asks the committee to look into reports that White House staff are using “insecure, political email accounts” to conduct official business. Ironically, this is the kind of thing Trump berated his challenger Hillary Clinton for doing when she used her private email when secretary of state.
Finally, the letter claims Trump left the keys to a briefcase containing classified documents in his briefcase, further exposing poor security practice. Also, it says he openly discussed nuclear strategy with Japanese Primeminister Shinzo Abe in a dining room at his Mar-a-Lago club in Florida – potentially allowing restaurant staff and patrons to overhear.
The letter’s requests are unlikely to be taken up by a committee that has so far refused to investigate assertions by the country’s own security services that Russian cyber spies may have influenced the last election after hacking and publicizing a trove of private Democrat emails.
The German government has told parents to destroy a talking doll called Cayla.
The country’s telecom regulator, known as the Federal Network Agency or Bundesnetzagentur, is warning that hackers can use an insecure Bluetooth device embedded in the toy to listen and talk to the child playing with it.
The Cayla doll has access to the internet and search, so it can answer kids’ questions; i.e., how big is a whale? Is Donald Trump’s tan real? Etc. However, hackers using specialized tools can gain control over the device and make it say anything that they choose.
The vulnerability has been known since 2015, but Vivid Toy group has yet to fix the issue, despite complaints from US and EU consumer groups. It has not yet commented on the destruction call.
The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: "I'm worried about the impact of connected dolls on children's privacy and safety."
Germany’s concern is more esoteric and linked to the country’s 20th Century legacy of state surveillance: In the post-World War II era, it’s illegal to sell or possess a banned surveillance device; in fact, it can land a person in jail for up to two years.
Student Stefan Hessel, from the University of Saarland, found that a Bluetooth-enabled device could connect to Cayla's speaker and microphone system within a radius of about 10 meters. So, an eavesdropper could spy on someone playing with the doll. Presumably, the situation can be replicated in reverse; and indeed, a spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a "concealed transmitting device…It doesn't matter what that object is—it could be an ashtray or fire alarm.” As such, it could be banned.
Cayla isn’t the first connected doll to come under fire. During the Christmas season in 2015, Mattel’s Hello Barbie was shown to be hackable as well, kicking off a conversation around connected toys in general.
(ISC)² is accepting applications for its 2017 Undergraduate Information Security Scholarship program.
The program is administered by the Center for Cyber Safety and Education, and was created to help aspiring information security professionals with the financial burden of their educational expenses. Multiple scholarships of up to $5,000 will be awarded, and international applicants are accepted. The application period runs from now to April 20.
“Our latest research suggests that a shortage of 1.8 million information security professionals will exist by 2022,” said Patrick Craven, director, Center for Cyber Safety and Education. “These scholarships provide essential financial assistance needed for students to continue their studies and enter the field. I look forward to awarding deserving undergraduate students with these scholarships to help bring more entrants into the information security workforce.”
The Center evaluates applicants based on academic excellence, passion for the industry and financial need. Launched in 2003, the (ISC)² Undergraduate Scholarship program has made a lasting impact on these individuals.
“I am honored to have been selected for the (ISC)² Undergraduate Scholarship,” said Rachel Cohen, 2016 undergraduate scholarship recipient, US. “The scholarship will allow me to continue to pursue my undergraduate degree in computer science with a focus in cybersecurity. I look forward to a career in the field where I hope to provide solutions to the issues that exist in the evolving cyber landscape, as well as promoting the Center’s mission of promoting the inclusion of women.”
"Being a recipient of the (ISC)² scholarship is empowering,” added Alejandro Cuevas Villalba, 2016 undergraduate scholarship recipient, Paraguay. “It means that there's a group of people out there that believe in my efforts and seek to give me the tools to succeed. I've never felt more motivated to get back to school and continue with my research. Thank you."
The Russian hackers behind the election-season hacking in the United States have added to their bag of tricks: The APT28 group now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.
According to an analysis by Bitdefender Labs, the group’s unique Xagent payload now has a Mac OSX version. It’s a modular backdoor with advanced cyber-espionage capabilities, and is most likely planted on the system via the Komplex downloader.
“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords,” researchers noted. “But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”
Bitdefender’s past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary.
“There is the presence of similar modules, such as FileSystem, KeyLogger and RemoteShell, as well as a similar network module called HttpChanel,” the researchers noted. “Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan.”
Forensic evidence recovered from the binary also reveals identical binary strings in both Komplex and Xagent clients. Also, the examination revealed that Komplex is a key tool for the group.
“We conclude…that the Komplex component discovered in September has been exclusively used as a downloader and installer for the Xagent binary,” the researchers added, noting that their investigation is ongoing.
The governor of New York State has announced sweeping new cybersecurity regulations for the financial service industry, designed to improve resilience to online attacks and keep customer data safe.
Governor Andrew Cuomo finally announced the regulation on Thursday, concluding a process that began back in 2014. It was also delayed by a further couple of months in December after banks complained they needed more time to comply.
The regulation stipulates minimum security standards that financial services firms are obliged to meet, and encourages them to keep pace with technological change.
These include standards for access controls; data protection, including encryption; pen testing; incident response plans; and preservation of data to help with investigations.
It demands a cybersecurity program that “is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”
It also stipulates accountability in organizations by requiring “identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to the Department of Financial Services (DFS).”
Firms also have to notify the DFS of any “material events” and scrutinize security procedures at third party providers – often a weak link when it comes to protecting data and systems from attack.
A DFS poll of 40 banks back in 2015 revealed that only around a third mandate that their partners notify them of any breaches.
“I know that defeating cybercrime requires not only prosecuting it, but taking necessary actions to prevent it,” claimed Manhattan district attorney, Cyrus Vance.
“DFS’s cybersecurity regulation will be a crucial tool in the ongoing battle against cyber-crime and identity theft by mandating that New York’s financial services industries adopt and put in place robust and appropriate controls to detect, thwart and report cyber incidents.”
The regulation will come into force on 1 March.
Concerns over state-sponsored hacking and the Trump administration appear to be driving concerns over data privacy in the security community, according to new research carried out by Venafi.
The security vendor polled nearly 1000 security professionals at RSA Conference this week and found nearly three-quarters are now more worried about the security of their data.
Two-thirds said their organization is considering increasing its use of encryption as a result.
“The tension between data privacy and national security is going to continue to escalate,” said Jeff Hudson, CEO of Venafi, in a statement. “Encryption is the lynchpin of our entire global digital economy. It controls the privacy and security of everything from our personal photos to the most sensitive national security data. Our collective ability to secure encrypted data has a profound impact on digital privacy and trust around the world.”
However, key figures in the new Trump administration including the president himself are known to favor encryption backdoors.
Newly appointed attorney general, Jeff Sessions, made his position clear in a written response to questions posed by senator Patrick Leahy last month:
“Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.”
It’s no surprise, therefore, that three-quarters (72%) of IT security pros are more concerned today about encryption backdoors than they were a year ago, according to the Venafi poll.
What’s more, nearly a third (32%) said they are “not confident” or have only “50% confidence” in their organizations’ ability to protect and secure encrypted communication.
Venafi argues that the sheer number of digital keys and certificates organizations have to manage today has compromised the integrity of encryption programs.
“The challenges organizations are already facing in managing and securing encryption keys, combined with concerns about the integrity and strength of encryption implementations, is undermining confidence in the privacy and security of data,” argued Venafi’s CTO of server products, Paul Turner.
A prolific Russian-speaking hacker has been systematically locating and exploiting SQLi vulnerabilities in the websites of prominent universities and US government agencies, to sell unauthorized access to the highest bidder, researchers have warned.
Following an attack on the US Election Assistance Commission in the same month, ‘Rasputin’ has subsequently targeted over 60 universities and federal, state, and local US government agencies.
The targets are being chosen because they’re thought to have fewer effective defensive measures in place and high value data, including PII.
Victims include the universities of Oxford and Cambridge as well as the US Postal Regulatory Commission and National Oceanic and Atmospheric Administration.
Rasputin is said to be using a homegrown SQLi tool to scan for vulnerabilities in these sites and then sell unauthorized access.
“SQL injection has been around since databases first appeared on the internet. When a user is allowed to interact directly with a database, through an application in a web browser, without checking or sanitizing the input before the database executes the instruction(s), a SQL injection vulnerability exists,” explained Gundert.
“Financial profits motivate actors like Rasputin, who have technical skills to create their own tools to outperform the competition in both identifying and exploiting vulnerable databases. North American and Western European databases contain information on customers or users that are historically valued at a premium in the underground economy. Buyer demand typically centers on access to American, Canadian, or UK database access.”
SQLi flaws are easy to remediate through better vetting of code before production use, but many organizations are still failing to get the basics right, as evidenced by Rasputin’s success.
Gundert suggested stiff government penalties for inaction could focus minds on the problem.
He urged any named organizations to get in touch if they want further details of the SQLi flaws.
#RSAC: Too Many Unintelligent Investment Dollars Spent in Infosecurity says Cybersecurity Seed Accelerator
MACH37 is an American seed accelerator that launches new cybersecurity companies. Rick Gordon, managing partner at MACH37, says that although it’s “still early days, we’ve demonstrated that we’re good at it.”
The accelerator was funded for the first three years by the Virginia Commonwealth. “There’s a really rich talent base in the mid-Atlantic region that is not being optimally harnessed to solve some of the vexing sec problems experienced by the commercial sector,” says Gordon, explaining why the accelerator was needed.
Now funded entirely by the public sector, the 14-week program trains entrepreneurs in how to build and position commercial companies, how to inspire investors, and how to be successful in the long-term.
Their long-term success is the end goal, explains Gordon, “because then I get ROI”. MACH37 invests really early on, then helping the business with their go-to-market strategy. “We invest before the prototype is even built in some cases,” says Gordon, adding that their considerations are how it will scale and how it will be financed. “Every venture capitalist will tell you they bet on a team, but we invest so early we don’t have that luxury. Instead, we bet on a concept and a founder.”
Annually, MACH37 offer 12 companies a $50,000 flat investment fee in return for 8% of the company, a fee which Gordon says “should let them eat until they get funding.” To date, 70% of the companies they have invested in have later received funding.
Once they receive funding and hire stuff, the new investors allow MACH37 to take a step back. “Our model is to get them in good hands, and then take off on their own.”
Gordon says that MACH37 is so important because seed rounds are notoriously hard on the east coast. “Usually it’s multiple rounds of convertible debt. It’s not like the West Coast; the money is on the east coast and they don’t like to fly.”
Most of the founders that Gordon works with are technical tecchies. “Technical founders are paired with seasoned entrepreneurs. Sometimes, tech founders end up being price takers, not price sellers. Tech founders do all the hard work in order to get to market, but then have to pair with someone who can build a company, thus having to give up a lot of their company.”
The biggest challenge for start-ups in the industry, says Gordon, is that it’s “too noisy. There’s too much investment going in to companies that aren’t unique. Of the 600 companies exhibiting at RSA, 80% will have been over-funded. There’s probably some irony in there,” he adds.
“There is too much money flowing in, but it’s not informed or intelligent money. So that becomes just noise, and the problem with noise is that everything becomes labelled the same,” he explains. “Even if your idea is unique, the branding gets stolen immediately. Everyone says the same thing but their products haven’t changed at all. They just follow the trend.”
Of MACH37 investments, Gordon expects 15% to “target exit and give a great return.”
A pair of newly uncovered Android vulnerabilities allow maliciously crafted personal apps to silently view, steal and even manipulate content that should be safely locked in the Work profile of Android.
Google’s work features in Android were developed to address the massive demand for using personal devices in the business environment. The basic idea is to create a separate profile on the device which has business-level controls, while leaving the original, personal profile open and unmanaged.
The Android mechanism of user separation relies on an additional sandbox or secure container, where apps outside the sandbox cannot access data inside the sandbox,” explained Yair Amit, CTO and co-founder, Skycure, in a blog. “In other words, no application installed within the device’s personal profile should have any kind of access to the activity or content in the work profile.”
However, Skycure found that two ‘app-in-the-middle’ attacks could get around this.
The first issue is that work persona notifications are presented alongside personal notifications in the same, seamless interface. Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on all notifications, including work notifications, by design.
Sensitive information, such as calendar meetings, email messages and other information appears in these notifications, which are also visible to the “personal” malicious app. If the malicious app is designed to transmit the information viewed in notifications to a command and control server, then the information contained in notifications is no longer secure.
Worse, “a clever hacker may be able to use this method to gain even greater access into sensitive work information by initiating a forgot[ten] password process on some enterprise system and hijacking the subsequent on-device notification to grant himself full enterprise access, even outside of the context of the mobile device,” said Amit. “To keep this attack covert, the malicious app can immediately dismiss the notification and ‘archive’ the recovery email using the Android Notifications API so the victim is completely unaware they have been hacked….The attacker may even capture two-factor authentication and administrators will not have any visibility of the theft.”
As for the second vulnerability, it exists in the Accessibility Service, which provides user interface enhancements to help users interact with their device. This includes features like audible narration of on-screen text for visually impaired users. In order to facilitate these features, the Accessibility Service necessarily has access to virtually all content and controls, both reading and writing, on the device. An application in the personal profile that acquires Accessibility permissions can gain access to applications that are executed in the business persona, effectively circumventing the secure separation.
“This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it,” Amit said. “The personal profile cannot be monitored or controlled from the work profile, so even if IT administrators try to enforce security on the work profile (e.g., by restricting the profile settings or allowing only whitelisted apps) it won’t be possible to detect any exposure of sensitive information that uses the Accessibility Service, as they cannot access the personal profile. In order to perform such an attack, a malicious application would register as an Accessibility Service, present it with an innocent label, and manipulate the user to grant the access.”
The Android team says that both of these are “intended behaviors”—which means that no patch will be forthcoming.
“As that behavior poses an unexpected and clear threat to corporate data of organizations that utilize Android for Work, we have mutually agreed to disclose the findings with the public, to raise awareness to the exposure,” Amit said.
Champion of white hat hackers Keren Elazari, analyst, author and senior researcher, Blavatnik Interdisciplinary Cyber, gave a lively presentation describing how the vulnerabilities of a modern wired world reflect circus concepts of yesteryear. Elazari began by emphasizing that in 2017, cybersecurity is about the trust people place in “everyday things” like baby monitors, cars and insulin pumps. But researchers and white hats are eager to demonstrate just how untrustworthy these can be. Elazari noted that “It’s not about secrets anymore. It’s about the trust we place in our way of life. How can people trust technology given so much hacking and so many threats?”
She advocated that amid the media frenzy, stunt hacks, and high-profile disclosures, friendly hackers can help industry build safer products. Citing Barnaby Jack, who showed how to hack an insulin device at RSA several years ago, she explained how that contained, non-harmful demonstration led to big changes in US Food and Drug Administration protocol and warnings to device manufacturers. Jack proclaimed “you have to demonstrate a threat to spark a solution”, now a mantra for Elazari.
The Tightrope Balancing Act
Elazari went on to describe other high profile incidents around medical device vulnerability. In 2016, security firm MedSec was hired by short-selling firm Muddy Waters to claim that pacemaker devices made by St. Jude Medical were vulnerable to hacks. The aim was ostensibly to short St. Jude stock, but it also triggered considerable patient concern. In January, the FDA found that the devices indeed can be hacked. In another case, doctors implanted a defibrillator into Dr. Marie Moe after she suffered cardiac arrest, but without her knowledge or consent. She now has concerns about the “Internet of Things” in her body. Elazari noted that more and more “We’re being expected to accept these things without knowing what they do or what the impacts could be.”
She further described a General Motors firmware update that was required as a result of a white hat hack that found serious flaws in the company’s Jeep automobile. To implement the update, GM sent thumb drives containing the fix to Jeep customers—who had no training in what to do with them. Expecting people to be technologists for their own cars, Elazari suggested, is not a good approach.
Fearless Lion Taming
By contrast, Tesla Motors brought its Model S to DefCon 23, actively engaging hackers to work with them on hack-proofing their signature car. As a result, Tesla have the capability to “push a button” and make SW updates to all cars when they learn of security vulnerabilities. Tesla even awards coveted Challenge Coins to top researchers who contribute findings. Elazari found this ‘lion taming’ approach far superior to GM’s tightrope walk.
Public awareness and opinion about cyber security has increased dramatically and continues to rise. This past October, Google saw a huge spike in security searches in the wake of last October’s Mirai botnet attack. The incident was a wake-up moment for many people outside of the security industry.
Which brought Elazari to the proverbial Elephant: the media. A key player in the security ecosystem, the media pushes stories and influences audience thinking on security issues. She cited the Internet of Things-enabled Barbie doll and stories about hackable baby monitors. But, she contends, fear mongering, a tactic strongly embraced by the security industry, is not helpful. A power blackout last week in Brussels was the result of a technical error in a high-voltage substation, but had many Belgian citizens worried their country was under cyber attack. Ultimately, media and public opinion will affect policy and government decision-making.
Stop the spread of FUD—Fear, Uncertainty and Doubt. Instead of spreading rumors, get the facts about risks and attacks, and tell people about them. She urged the audience not to generalize or talk in fear-inducing statements.
She also encouraged everyone, regardless of occupation, to step up. “You have to start thinking of yourself as the CISO of your home, your car, and what you bring into your house. You have the capacity to have safer products at home—get those by demanding them from the companies who make them, by changing your passwords, and by securing your network.”
Finally, she encouraged her fellow cyber pros to join www.Iamthecavalry.org, a grassroots org focused on the intersection of computer security, public safety and human life.
In an engaging keynote at RSA Conference 2017 Dame Stella Rimington reflected on her fascinating journey from academic librarian to the first female director general of the Security Service (MI5), and shone an illuminating light on her work in the fields of countersubversion, counterespionage and counterterrorism.
Dame Rimington explained that, in the late 1960s and at the height of the Cold War, she was recruited to the small MI5 office in India as a part time clerk typist, gathering information on spies and passing information back to London where it would become part of a great database of information.
“When we went back to London, I decided it would be more fun trying to get a job in MI5, and I was recruited as a junior assistant officer.”
Dame Rimington explained that at that time, the main threat was from the Soviet Union, and she was tasked with stopping their spies from gaining information that would help them if the Cold War ever turned to a fighting war, along with finding out who they were, catching them out and trying to get them out of the country.
“In those days the sources of intelligence were very similar fundamentally to the sources of intelligence now,” she said, “but the way it worked was of course very different. Nobody had heard of the internet, nobody had invented cyber space, so it was all pretty simple stuff.”
The sources of intelligence back then were:
• Intercepting communications (by opening letters and interfering with landline telephones)
• Surveillance (by following people on the street, seeing where they went, who they met)
• Eavesdropping (trying to find out what was going on in houses or embassies)
• Managing human sources (the most important sources of intelligence, even in today’s technological world—they can not only tell you what’s going on, but what might be going to happen next)
“The world was a simpler place, but we did get the intelligence by those means.
“It wasn’t easy—when you are countering espionage it’s slow, difficult work, as certainty is far more important than speed. You’ve got to be certain that you’ve got the right person.”
However, things saw a dramatic change towards the end of the 1970s and the beginning of the 80s with the arrival of terrorism.
“Suddenly we were faced with dealing with an enemy that was very, very different from the enemy that we had dealt with before. With terrorism, you don’t have time, speed is of the essence. You have to take action on inadequate information—and it needs people with nerve.”
From there, continued Remmington, the nature of the service moved on again into the modern world, bringing about new laws and legislations on intelligence and the end of the Cold War.
It was around this time that Dame Rimington was informed that she was to be appointed the next director general of MI5, something that came to her as a great surprise.
“I was also told,” she added, “that the government had decided it was going to announce the appointment and my name. This was the very first time ever that any announcement of this kind had been made about any of our intelligence services.”
Imagine, she quipped, the very first time ever an announcement of this kind has been made, and it’s a woman! Whilst everybody thinks the head of our intelligence services is James Bond!
In the late 1980s, once established in her role, Dame Rimington, along with colleagues, decided the time was right to instigate a belief that it was right for the intelligence services to have a certain amount of openness, formulating what they described as their Openness Strategy.
“We knew we were never going to talk about our operations in detail, not about any of our equipment, but we would talk about what a security service has the right to do in a democracy. The Openness Strategy balanced out the public’s understanding of what our intelligence services are here to do.”
To conclude, Rimington left the audience with the following closing thoughts:
“The world is probably a more insecure place now than it has ever been. It is in a very troubled state. We are relying on all of you to make the world a safer, simpler and kinder place for our grandchildren and great-grandchildren than it has been for us.”
At the RSA Conference in San Francisco, on February 16 2017, Infosecurity spoke to Kelly Bissell, managing director of Accenture Security, about Accenture’s new security index tool, the maturity of artificial intelligence, and the progress that the information security industry is – or isn’t – making.
How mature is the AI market?
With every technology innovation there’s a threat around security. So we’re seeing great advances in blockchain and artificial intelligence. It’s not that mature but it’s emerging fast. We need machine learning to be even better and faster than technology innovations to combat the threats.
A year on from the last RSA, is the industry in a better or worse position that it was 12 months ago?
We’re in a better position but a worse position at the same time. Innovation in the market around the world has been fantastic, but the threat landscape has also evolved at perhaps an even better pace. You see a race for who can innovate and get better faster – our industry or the bad guys. Sometimes it’s easier to make a lot of money if you’re a bad guy. You have to make it difficult for the bad guys to make money, and make it more risky for them. We also need to train our people better at university and even in school.
Accenture has just released the Accenture Security Index. Tell us about that.
While organizations have improved their security over the last few years, progress has not kept pace with the sophistication of highly motivated attackers. A new approach is clearly needed, one that protects the organization from the inside out and across the entire industry value chain. This needs to begin with a new, more comprehensive definition of what constitutes cybersecurity success based on impact to the business.
To gauge the effectiveness of current enterprise security efforts and the adequacy of their existing investments, Accenture surveyed 2,000 top enterprise security practitioners representing companies with annual revenues of $1 billion or more. The results of this survey were analyzed in collaboration with Oxford Economics to develop the Accenture Security Index, which aggregates scores across 15 countries and 12 industries, providing the ability to compare the relative strength of all organizations to protect themselves from cyberattacks.
The Index provides a new benchmark to determine what high performance security looks like and what it takes for organizations to establish cybersecurity success. It’s a free tool that we put out this year, and then next year we’ll refine it and make it better.
What are the main information security challenges facing organizations in 2017?
There are a lot, and there’s no silver bullet. What we need to do is secure the entire industry value chain.
The full video interview with Kelly Bissell will be available shortly.
At the 12th security blogger meet-up at RSA Conference in San Francisco on February 15, 2017, the security blogger award winners were announced. The following blogs were nominated by esteemed influencers: Ericka Chickowski, George Hulme, Kelly Jackson-Higgins and Don MacVittie.
The winning blogs were voted for by industry.
The 2017 Security Blogger Awards Nominees and Winners:
Most Entertaining Security Blog
· WINNER: Graham Cluley https://www.grahamcluley.com/
· Security Reactions https://securityreactions.tumblr.com
· Avast Blog https://blog.avast.com/
· Erratasec http://blog.erratasec.com/
· And You Will Know Us By The Trail Of Bits https://blog.trailofbits.com
· Emergent Chaos http://www.emergentchaos.com/
Most Educational Security Blog
· Errata Security/Rob Graham
· Trend Micro Security Intelligence blog http://blog.trendmicro.com/trendlabs-security-intelligence
· Stack Overflow – Security http://security.blogoverflow.com/
· Tao Security https://taosecurity.blogspot.com/
· WINNER: Naked Security Blog by Sophos https://nakedsecurity.sophos.com/
Best New Security Blog or Podcast
· Anomali https://anomali.com/blog
· E&T Cyber Security Hub https://cybersecurity.theiet.org
· Cymmetria http://blog.cymmetria.com
· Aqua Security Aqua Blog http://blog.aquasec.com/
· WINNER: Flashpoint Intelligence Corner https://www.flashpoint-intel.com/blog/
Best Blog Post of the Year
· Nick Selby: When Security Monitoring Provides Neither Security Nor Monintoring http://nselby.github.io/When-Security-Monitoring-Provides-Neither-Security-Nor-Monitoring/
· Jeremiah Grossman: What Keeps Me in the Security Industry http://blog.jeremiahgrossman.com/2016/10/what-keeps-me-in-security-industry.html
· Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
· Securosis Tidal Forces: The Trends Tearing Apart Security As We Know It https://securosis.com/blog/tidal-forces-the-trends-tearing-apart-security-as-we-know-it
· WINNER: Troy Hunt: Security insanity: how we keep failing at the basics https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/
Best Corporate Security Blog
· WINNER: Bitdefender Business Insights http://businessinsights.bitdefender.com
· Tripwire Blog http://www.tripwire.com/state-of-security/
· Veracode Blog https://www.veracode.com/blog
· SC Magazine Threat Hunter Blog https://www.scmagazine.com/the-threat-hunter-blog/section/6822/
· Sentinel One https://sentinelone.com/blog/
Best Security Podcast
· Liquid Matrix https://www.liquidmatrix.org/blog/category/podcasts/
· Down the Security Rabbithole #DtSR http//podcast.wh1t3rabbit.net/
· The Southern Fried Security Podcast http://www.southernfriedsecurity.com/
· SANS StormCast https://isc.sans.edu/podcast.html
· Risky Business http://risky.biz/netcasts/risky-business
· Winner: Security Weekly http://securityweekly.com/
The majority of consumers currently do not pay for mobile security services.
According to Allot Communications’ MobileTrends H1/2017 Report, 89% don’t have paid tools for securing their mobile device.
That said, the survey also reveals that 68% of mobile internet consumers say they are aware of mobile malware (and one in seven of these consumers have experienced a malware attack in the past 12 months). And in every region, representing 61% overall, they want and are willing to pay for protection services from their service provider.
Rather than independently seek out, evaluate and download security apps for each of their mobile devices, consumers would like a one-stop-shop for online protection for themselves and their families. This presents communication service providers (CSPs) with a huge opportunity to be the provider of personal mobile security services from their network, Allot concluded.
26% of consumers contact the CSP when facing a malware incident. The same percentage of consumers contact the app developer, and most consumers (35%) contact no one.
“CSPs have a huge opportunity to be proactive and deliver relevant protection,” said Yaniv Sulkes, AVP of marketing at Allot. “Our survey has revealed consumers are demanding simplified protection for their various connected devices and are willing to pay for it. CSPs are best placed to address this industry-wide issue and improve the customer experience.”
A startling number of IT professionals at this week’s RSA conference lack confidence in their own organization’s corporate security.
Centrify’s onsite survey of attendees to North America’s largest security confab asked how their companies secure applications and infrastructure in the age of access. Only slightly more than half (55%) stated they believe their company’s current technology investment ensures their company’s cybersecurity.
When pressed about which of the 15 different identity and access management (IAM) best practices they use, many fell short on implementing enough of them to warrant a confidence score.
Among those best practices, organizations are most likely to enforce single sign-on (68%), adaptive multi-factor authentication (43%), least privileged access (44%), no sharing of privileged accounts (36%) and secure remote access without a VPN (35%).
Organizations are least likely to enforce privileged session recording (13%), granular automatic deprovisioning across server and app accounts (12%), and privilege elevation management (8%).
Depending on the IAM best practices employed, respondents received an IAM maturity score—with level one being the least mature and level four being the most mature. Only 20% of respondents received a level four IAM maturity score, meaning they conduct audits with confidence.
IAM maturity translates into real results: A recent Forrester study commissioned by Centrify showed that those with the highest maturity levels are 50% less likely to experience a breach and more likely to spend 40% less on technology. The other 80% received a lower IAM maturity score, meaning they are much more likely to experience two times more breaches and $5 million more in costs.
“The lack of confidence in corporate cybersecurity directly correlates to most organizations having a low maturity score,” said Bill Mann, chief product officer, Centrify. “Our on-the-ground survey at RSA reinforces the study we recently commissioned with Forrester Consulting, and further validates that eighty% of organizations really need to employ better IAM practices to stop the breaches now.”
Additionally, the survey found 26% of respondents still share passwords, despite an increase in breaches, and 78% have been the victim of a phishing email.
Speaking at RSA Conference 2017 Wendy Moore, director of user protection at Trend Micro, presented a session on going beyond next gen to deliver security with maximum impact.
Moore said that there are key things that companies can look for in security solutions that can help them protect not only what they have today but also help them and support them as they change their IT philosophy moving forward.
“The modern enterprise is categorized by always trying to be more competitive in the market, more global in nature and trying to do things more rapidly. There’s been a lot of paradigm shifts when it comes to IT. Right now we are undergoing multiple paradigm shifts, and they are all happening at the same time, and what that’s doing is it’s creating a lot of difficulty for the IT manager/organization to get their arms around their most important information.”
We’re seeing shifts to the cloud, added Moore, and shifts to more virtualized server workloads, and more mobile devices – all of these changes are happening very quickly.
As we move along with that, she said, security needs to think about how it will protect corporate information as we move to all of these new IT models.
“Gone are the days when you could have a secure perimeter around your organization,” Moore argued. “There are three key things that are happening that are making that perimeter go away, become more porous and really making perimeter security defenses not a strong way to do things”, which are:
- Cloud virtualization
- Complex networks
In terms of moving beyond next gen security, we hear a lot about having a silver bullet that will help you solve all of your security needs, said Moore. However, in reality, there are a lot of things you need to look for in order to get a solution that will actually evolve with your organization and your IT delivery models.
First, you need a solution that is smart: a cross-generated blend of threat defense techniques.
Second is a solution that is optimized: designed for and integrated with leading platforms and applications.
Third is a solution that is connected: allowing for centralized visibility and control and automatic sharing of threat intelligence.
“Things have very much changed,” she added, “now the problem of unknown threats is what organizations are really struggling to deal with.”
To conclude, Moore highlighted the following as the next steps that companies need to take to maximize their security beyond next gen:
- Evaluate if you are using everything your existing solutions have to offer
- Identify gaps in each key domain: hybrid cloud, network and endpoint
- Look for solutions that:
- Continue to evolve threat protection techniques to address new threats
- Cover entire threat protection lifecycle: protect, detect and respond
- Share threat intelligence amongst security layers