About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

BSidesTO: Bringing IT Home

In my first year of security cons, and sharing them with the world, it means a lot to pen this tribute to BSidesTO, the one in my hometown. Hitting its stride in its third year, tickets sold out in advance, there was an excellent roster of speakers, and I was thrilled to be selected.

Let me start with kudos and congratulations to the small but powerful organizing team who put together a terrific event and made themselves readily available.  The venue was packed with an appreciative audience of over 160 security folk who engaged each of the speakers in lively question and answer sessions following their talks.  And yes, there was such a thing as a free lunch, which was served up with smiles by the BSidesTO team. They even arranged a movie to end the session, for those not already engaged in the post-con convos. If anything went awry, it wasn’t evident.

Given that our space was full to bursting, and that Toronto is Canada’s largest city, and one of the largest cities in North America, I think it’s time we had a major hacker con, along the lines of ShmooCon, GrrCon, or DerbyCon. Because it isn’t a corporate event, BSides has that potential, and has established itself as a much-loved, homegrown series of security cons that started in the US and have been spreading because of the community they build and the innovation and exploration they encourage.  It’s where the security community shares their hacks to learn, to improve, and to make the world a safer place. I really look forward to participating again next year, and to getting involved.

Unfortunately, that isn’t always how hacking is perceived. This past year brought us the short-sighted Wassenaar agreement, which would penalize those who hack to protect, and several governments working to ban encryption. But someone has to scrutinize the ever-growing number of devices added to the Internet of Things, and to dissect the code that builds the websites we are all accessing. Decision makers need us to give them regular reminders that hackers watch over all the connections we make, and that they serve as our early warning security system.

Which is why having a local BSides really matters – it fosters the free exchange of ideas and supports this community in their varied approaches to security. Because as the impact of breaches continues to increase, and average users discover the extent of their vulnerability online, the world needs to know that hackers are here – for good.

Creating A Culture of Security

| ̄ ̄ ̄ ̄ ̄  |
| Security      |
|   is  a           |
|  mindset      |
| _____ |
(\__/) ||
(•ㅅ•) ||
/   づ

Call it wishful thinking, but this may be one of the most oft-used phrases in Information Security. And the truth is, if we really want to make security happen, meaningful and life-changing security, it ain’t gonna happen without a whole lotta change.

Security isn’t something we can just plug and play. It’s actually a journey, and one that requires our long-term commitment.  We won’t like what we have to do to get there.  There will be costs, setbacks, inconveniences. And it won’t happen fast. But that’s been part of our undoing: immediate gratification, taking the easy way out. That’s not how you do anything well. And that is just not how you do “secure”.

A friend of mine, Jessy Irwin, shares her passion and recommendations for great OPSEC and EDSEC on Twitter, often via her very popular Sign Bunnies. Tonight, she delivered a fabulous impromptu seminar that I’d like to share, along with help from the Sign Bunnies.

And that’s it right there. Security is a mindset.

For many security professionals, awareness is a waste of time because the “analytics suck.” But education isn’t a one-size-fits-all thing.

We keep trying to use code in places where technology can’t fix the real problem. It will take a diverse set of tactics to build a mindset.

| ̄ ̄ ̄ ̄ ̄  |
| Technology |
| can’t fix       |
|   security     |
|  education   |
| _____ |
(\__/) ||
(•ㅅ•) ||
/   づ

Technology can’t fix security education; at best, it’s a content distribution mechanism. And the work ahead of us isn’t work that scales.

If we really want to save/fix/protect/ keep the web, it’s time to get personal. To do the hard work. To teach. And not leave people behind.

| ̄ ̄ ̄ ̄ ̄ |
|  Leave        |
|   no one      |
|  behind       |
| _____|
(\__/) ||
(•ㅅ•) ||
/   づ

What is the point of everything we do if we aren’t finding ways to turn our users into one of the strongest defense tools we have?

What’s the point of all of this, really? What are we even protecting if we’re going to blame people for not knowing things?

Right now, individuals think security is hard and that it takes a huge investment in time to get right. SO not true. Let’s fix this perception.

We should /ALL/ be doing this. Our work is at the core of everything, this would help fix the infosec image problem.

| ̄ ̄ ̄ ̄ ̄ ̄|
| We should    |
| all be doing   |
|  this!!            |
| ______|
(\__/) ||
(•ㅅ•) ||
/   づ

The whole point of security is that we get to solve big problems to support and empower innovation. We get to make awesome things happen.

And that’s what we do in InfoSec. Our work is about making a real difference in what we use every day. My thanks to Jessy, the Sign Bunnies, and to all the incredible people who endeavour not just to secure but to educate. Security isn’t something that should exist beyond the reach of those who aren’t technically proficient. It’s something all of us have a stake in, so each of us, whatever skills we hold, has a contribution to make. Habits can change. Mindsets will develop. And it will be in that accumulation of efforts that the tide will turn, and we can address the problem at a much higher level. That’s where real change will happen.

Thanks for reading and remember – you own your own security.

Digital Literacy: Reading Between the Lines

The great folks at Tech Soup Canada host a monthly series of talks, Tech Tuesday, and they recently invited me to share what I know about “Digital Literacy”.  Little did I realize what I’d actually taken on. Digital Literacy isn’t just one tidy little topic. It’s actually a bunch of concepts, interwoven and far-reaching. Confused? You should be. I was.  Which instantly galvanized me to distill a meaningful definition without diluting the impact of all the contributing factors as shown below:

Because Digital Literacy really means multiple literacies. So what we should fully appreciate is that it goes far beyond simply being able to use the technology, but also entails:

“The ability to locate, organize, understand, evaluate and analyze information using digital technology”. Wikipedia

I also very much liked this definition of what it wasn’t:

“Digital literacy is not simply a means by which we consume ever-increasing amounts of data and information, but a critical and creative means of interacting with the world.” Matt Dean

I’ll break it down to 3 core competencies:

USE: do we know how to use the range of technology available to us? And that’s a whole lot of devices

UNDERSTAND:  can we comprehend the information, put it into context? More importantly, can we critically evaluate it? 2 words kept coming up when I did the research: Critical Thinking.

CREATE: Can we produce content, and then successfully communicate and share that content using the tools available? Content isn’t just words on a page. It’s graphic, visually impactful. It’s audio. It’s sensory.

Another big question raised repeatedly: What can you contribute to the online conversations that is unique? Websites, memes, infographics, blogs, videos and anything beyond that.

It’s all well and good to be familiar with the tech available and know how to use it. But baby, baby it’s a wide world out there and not everyone has the same techno advantages. Yes, I’m talking disparity, aka “The Digital Divide.” One of the caveats I learned when researching Digital Literacy is that freedom of expression comes with digital constraints.

Being digitally literate requires that we understand our responsibility for accurately and safely curating and disseminating information. Think on that for a moment. Then think about our kids, in schools everywhere, and how they are actively engaging in online media as part of their curriculum.  It would be nice to think there is a level playing field out there, especially when it comes to our kids in the classroom, but that’s far from the reality.  According to CBC Tech columnist Jesse Hirsch, it’s “a pressing social issue.”

“The digital divide is a problem that goes beyond schools that needs to be closed not just with social policies but with the technology industry making sure their products are affordable.”

And this matters vis-à-vis Digital Literacy because it’s how we learn; how we engage; and how we work.

“Individual freedom and creativity, and societal and economic development, are becoming dependent on a degree of digital literacy.”

But regardless of what devices we use, the key to digital literacy keeps coming back to this:  Critical Thinking.  Just as we critically evaluate print media, we must also critically evaluate digital media. “Don’t believe everything you read” fully applies, especially when it comes to social media. Advertising has morphed along with marketing to target your preferences, and to trace your digital footsteps. It’s all about what we don’t know so I have put together a checklist of things we need to stay safe in our digital communities.

  1. Look for discrepancies, bad grammar, spelling errors. These are tip-offs that somebody is looking for something you don’t want to give them, like access or personal information.
  2. Don’t follow blindly.  Not everyone is your friend, even on Facebook
  3. Wait! Don’t click that link. You’ve heard a lot about breaches over this past year. Well, phishing is how many victims get lured in. Malicious code is hidden in that cute attachment of kittens. Or in that website link you were sent. Evaluate!
  4. Malvertising. This is another way the bad guys go looking for easy targets. Many of those online ads actually contain malicious code that can redirect you to a website you never wanted to visit. And the worst is, it will follow you home and help itself to your information.
  5. Sponsored Ads.  Technically, if someone is paid to promote something online, that’s sponsored and it needs to be disclosed. But that isn’t happening. You’d be surprised how they get around it and I’ll talk about that in a moment.
  6. Privacy.  You have a right to your privacy. And your information should be kept private. But the internet is Pandora’s box. Once it’s out there, it’s out there for good and you no longer have control over it. Be very selective about what you sign up for and what you choose to reveal. Select All isn’t always the right answer.
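One concrete way to “evaluate” a link before clicking, as an added example that is not part of the original post: compare the host a link visibly claims to point at with the host its href actually goes to. The HTML message and the `.test` host names below are constructed sample data, not taken from any real campaign.

```javascript
// Added example (not from the original post): flag anchors in an HTML message
// whose visible text names one host while the href actually goes to another.
// SAMPLE_MESSAGE is constructed sample data; all hosts use the reserved .test TLD.

const SAMPLE_MESSAGE = `
<p>Your account needs verification. Visit
<a href="https://login.mybank.test/verify">https://login.mybank.test/verify</a>
or <a href="http://mybank-secure.attacker.test/login">www.mybank.test</a>
or <a href="https://help.mybank.test/faq">our help centre</a>.</p>`;

// Extract the hostname from a URL, or from a bare host such as "www.mybank.test".
function hostOf(text) {
  const withScheme = /^[a-z]+:\/\//i.test(text) ? text : `https://${text}`;
  try {
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null; // not something a browser would treat as a URL
  }
}

// Return every link whose displayed host differs from the host it really targets.
function suspiciousLinks(html) {
  const out = [];
  const aRe = /<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = aRe.exec(html)) !== null) {
    const href = m[1];
    const label = m[2].replace(/<[^>]*>/g, '').trim(); // strip nested tags
    // Only labels that themselves look like a host or URL can make a claim
    // about the destination; "our help centre" makes no such claim.
    if (!/^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(label)) continue;
    const shownHost = hostOf(label);
    const actualHost = hostOf(href);
    if (shownHost && actualHost && shownHost !== actualHost) {
      out.push({ label, href, shownHost, actualHost });
    }
  }
  return out;
}

// Stand-alone run: print the mismatched links found in the sample message.
console.log(JSON.stringify(suspiciousLinks(SAMPLE_MESSAGE), null, 2));
```

Only the second link is reported: it shows `www.mybank.test` but sends the reader to `mybank-secure.attacker.test`. The first link is honest about its destination and the third makes no claim about one, so neither is flagged; the check deliberately says nothing about links whose text is ordinary prose.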

This matters for everyone, but in particular it matters to our kids. This generation is growing up with technology in the classroom, at home, at play.  The onus is on us, as their parents, to understand what they can and will be exposed to.  Which is no small feat especially regarding privacy issues.  The collection of personal information online has become commonplace, and is still done without our knowledge or consent.

Read through privacy statements to see how this works. An example comes from Lucid Press, who make a free design and publication app to integrate with Google Classroom.  They encourage educators to sign up for a free educational upgrade and accounts for all their students. According to the privacy statement for Lucid Press:

(Image: excerpt from the Lucid Press privacy statement)

Now, we know these aren’t the cookies that you dunk in milk. But what about web beacons or pixel tracking technology? A web beacon is typically a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a site or in an email. The use of a web beacon allows the site to record the simple action of the user opening the page that contains the beacon. Because web beacons are the same as any other content request included in the recipe for a web page, you cannot opt out or refuse them. However, where they are used in conjunction with cookies they can be rendered ineffective by either opting out of cookies or by changing the cookie settings in your browser. This is from the site “All About Cookies”, a free resource to help marketers and consumers understand the issues surrounding the use of cookies.
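To make the web beacon description above concrete, here is an added example (not code from the original post or from the “All About Cookies” site) that scans a page or email body for image tags with the tell-tale 1x1 size and reports whether each one points to a third-party host and whether its URL carries an identifier in the query string. The HTML and the `example-news.test` first-party host are constructed sample data.

```javascript
// Added example (not from the original post): find likely web beacons, i.e.
// 1x1 <img> tags, in an HTML document and classify them. SAMPLE_HTML and the
// first-party host "example-news.test" are constructed sample data.

const SAMPLE_HTML = `
<html><body>
<h1>Newsletter</h1>
<img src="https://cdn.example-news.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.adnet.test/open?uid=12345&msg=77" width="1" height="1" alt="">
<img src="https://metrics.example-news.test/px.gif" style="width:1px;height:1px;display:none">
<img src="/images/photo.jpg" width="640" height="480">
</body></html>`;

// Parse name="value" / name='value' / name=value pairs out of one tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// A beacon is usually declared 1x1 either via attributes or via inline CSS.
function isOnePixel(attrs) {
  if (attrs.width === '1' && attrs.height === '1') return true;
  const style = (attrs.style || '').replace(/\s+/g, '');
  return /width:1px/.test(style) && /height:1px/.test(style);
}

// Return one record per 1x1 image: where it loads from, whether that host is
// outside the first party, and whether the URL carries a query string
// (the usual place for a per-recipient or per-message identifier).
function findBeacons(html, firstPartyHost) {
  const found = [];
  const imgRe = /<img\b[^>]*>/gi;
  let m;
  while ((m = imgRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src || !isOnePixel(attrs)) continue;
    let host = firstPartyHost;
    let carriesIdentifier = false;
    try {
      // Relative src values resolve against the first-party origin.
      const u = new URL(attrs.src, `https://${firstPartyHost}/`);
      host = u.hostname.toLowerCase();
      carriesIdentifier = u.search.length > 1;
    } catch (e) {
      // Unparsable src: treat as first party with no identifier.
    }
    const thirdParty = host !== firstPartyHost && !host.endsWith('.' + firstPartyHost);
    found.push({ src: attrs.src, host, thirdParty, carriesIdentifier });
  }
  return found;
}

// Stand-alone run: list the beacons in the sample page.
console.log(JSON.stringify(findBeacons(SAMPLE_HTML, 'example-news.test'), null, 2));
```

Two of the four images are reported: the ad-network pixel (third party, with a `uid` in its query string) and the publisher’s own `px.gif` (first party, no identifier). The logo and photo are normal content. As the quoted text notes, the request itself cannot be refused once the page is rendered; what this scan gives a defender is a way to see which hosts would learn that the page was opened, and which ones are handed an identifier to go with it.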

If I’ve made you stop and think, then this blog has served a purpose. Hopefully, I’ve given you answers to some questions, and prompted some questions you will now try to find answers for. To help you in that quest, these are some online resources you can look into:

As always, really glad you stopped by and thanks for reading!

My 10 Commandments of Good Passwords

I just gave a little talk to my team about breaches, passwords and things that go “Boom!” like, oh, nuclear power plants. Because apparently the US DOE (Department of Energy) keeps. Getting. Hacked. An investigation over 4 years showed that there were 1131 attacks, 159 compromises and of those 53 were at root level (meaning you really got pwned). Since glow-in-the-dark isn’t my best look, I’m a little concerned about keeping those plants safe. If the guys looking after critical infrastructure aren’t getting it right, then we all need to be paying more attention to what we do with our passwords.

Bottom Line: Passwords are your first line of defence. Done right, they are an effective deterrent and the attackers move on. Done badly, you’ve just handed over the keys to your digital kingdom. I don’t have to remind you about the password file named “Passwords” from the Sony Hack. Or the sorry excuses for passwords (no – not actual excuses) emerging from the Ashley Madison dump. I highly recommend the helpful and direct guidance freely given by Jessy Irwin, the owner of the sign bunny to the right …

If you want to do this right – and believe me you do – then you’re going to need to put some effort and commitment into it.  Every organization, every business, needs to have a password policy in place, and not one that they just pay lip service to or to serve as a manufacturing site for replacements. There must be guidelines issued to end users, and a policy that is both monitored and enforced.  It’s not like Halloween, where you hand them out freely.

I present to you my 10 Commandments of Good Passwords. And like Pharaoh Yul Brynner said “So let it be written, so let it be done!”

(Image: the 10 Commandments of Good Passwords)

Always Watch for the Dark Horse: Brazil Enters the Cybercrime Ring

We’ve seen it happen in horse races and elections.  Two well-known hot contenders go neck and neck. Everyone is so completely focused on the two leads that no one sees the dark horse come charging up the middle. Until it’s already there.

In the murky waters of deepweb cybercrime, that dark horse is Brazil.  China and Russia may be attribution’s favourite poster twins but we cannot afford to lose sight of other, future contenders. “Nobody saw it coming” are the wrong words to hear when dealing with cybersecurity. And over the past year, breach after massive breach has shown that, despite our best efforts, we can’t seem to stay ahead of the curve. It isn’t just about the threats and attacks, but about who and why. We really need to know our adversaries. Brazil is the new kid on the block, and he’s big.

As early as 2011, InsightCrime was reporting a surge in cybercrime out of Latin America. What country did they identify at the epicenter? Brazil. Both Norton’s Cybercrime Report and Symantec’s Intelligence Reports for 2011 put Brazil in that same top spot. Fast forward to July 2014. Purported as what could be the largest electronic theft ever reported, a cybercrime op was discovered by RSA security. Approximately $3.9 billion was stolen through “Boleto Bancario”. That catapulted Brazil into the headlines, establishing what had been building steadily yet unnoticed and unchecked for three years, since 2011.

The unnerving truth about cybercrime is that a lot can happen in just a very short time.  Which is why Brazil should have registered earlier on threat radar. The country is a perfect storm for cybercrime. The stats speak volumes. Per Kaspersky, Internet users in Brazil are the most targeted by cybercriminals in Latin America. Out of 400 million incidents logged over a period in 2015, 31% affected Brazil versus 21% in Mexico, Peru, Colombia and Venezuela.  There has been a drastic increase in new users corresponding with an increase in malicious activity of 197% between 2014-2015. This relates directly to the fact that users have no idea of what they should be doing to stay safe.  Avast reports that 65% of wireless network routers still used the default ID and password.  Symantec showed that in 2013 61% of adults connected to unsecured and public wireless.  And what about the fact that Brazil has the highest internet penetration for the region?  Or that Brazil is going through some economic turmoil, which means cuts, and that includes cuts to security.

How does that play out in a country where there is no requirement to disclose any information about breaches? Apparently, not well. At least 75% of those who use the internet in Brazil have been victims of online crime. Brazil passed its first cybercrime law in 2012, but that proved to be ineffective and inefficient.  Penalties are little more than a slap on the wrist, with house arrests or fines being levied. The lack of staff and lack of funding further limit any real action.  And here’s the kicker:  there is no law currently in place to protect personal information. That means – wait for it – that this info, this PII we fight so hard to protect, can be sold or given to anyone in Brazil, legitimate or criminal, with no repercussions.

PandaLabs Report Q1 2015 Infection rates

According to Juan Andres Guerrero, senior security researcher with Kaspersky Labs:

“As far as global fraud is concerned Brazil is almost exclusively at the top …They are fantastically creative …Brazil actually takes an inordinate amount of time [to monitor] because of the amount of malware, the amount of schemes. They are constantly creating these phishing campaigns. They are incredibly elaborate.”

Brazil is a nation plugged in, and online banking reigns supreme, at 41% of all transactions, according to Trend Micro’s white paper from 2014 “The Brazilian Underground Market: The Market for Cybercriminal Wannabes.” One of Brazil’s better-known exports is banking trojans, perfected for the “Boleto” payment system there. The malware changes the bar codes on the boletos to redirect payments to attackers. DNS poisoning is also employed to redirect users. Fake browser windows scoop credentials that are keyed in. Malicious browser extensions capture personal data and send it off to attackers. That bestowed upon Brazil the dubious ranking of second worldwide for online banking malware infections, and almost 9% of global malware infected systems.

From Trend Micro white paper “The Brazilian Underground Market” 2014

William Beer, Managing Director of Cybersecurity at Alvarez & Marsal, told ZDNet:

“There is a lack of focus on cybersecurity both in the public and private sector. Senior executives at organizations don’t really see that as a priority.”

High internet penetration rate, high credit card penetration rate, high user base unaware of good security practices, and a unique banking payment system based on “boletos” have set Brazil apart by creating a cybercrime training ground that’s open for business.  For the entry level fee of $579 US, wannabe cybercriminals can learn fraud training, FUD crypter programming, trojan coding. Like its peers, Brazil offers the same range of choices as China and Russia. And in the true spirit of staying competitive, the price of crimeware and service offerings in Brazil has steadily gone down since 2011. But wait – there’s more! They’ve been very good at evading security researchers and law enforcement.

It doesn’t bode well when the criminals openly use social media to flaunt and advertise their business.  Whereas cybercrime tends to opt for obscure channels to remain untraceable, the Brazilians are all over Facebook, YouTube, Twitter and WhatsApp to communicate and organize their lives and their business.  And why shouldn’t they, in a country where the gains far outweigh the risks. All of which makes Brazil very appealing, and very much the dark horse threat we should have been watching for.

Hack All the Things – Including Mainframes ?!

One of the coolest things I got to learn about this past August at Hacker Summer Camp was this: How to Hack a Mainframe.  That’s just crazy, right?  Isn’t everything Windows and Unix and OS X?  Who uses mainframes? Ahh – well that’s where things get interesting.

E.V.E.R.Y.B.O.D.Y.

The talks were served up like a one-two punch. The first was “The Internet of Mainframes”, given by Phil Young, aka Soldier of Fortran, at the Underground track at BSidesLV.  That carried over and was expanded on at DefCon by Phil and Chad Rikansrud, aka Bigendian Smalls, in their joint talk “Security Necromancy – Further Adventures in Mainframe Hacking”.  Both of these guys work with major financial institutions and their job is protecting all that money.  So they really, really, know their stuff when it comes to the mainframe world. They also just happen to be hackers. Having cut my tech teeth in a mainframe shop I can tell you it is a world unto itself, pretty much sequestered from the fun and games on the internet. Or so you would think. But hackers like to ask “what if” and “how do I”.  And that’s where our story begins. Cue Slideshow!

Hacker Summer Camp: My Excellent BSidesLV Adventure

This past week I had my best adventure yet. I went to Hacker Summer Camp. Yes, that’s right!  Imagine – tens of thousands of attendees at the single biggest week for Information Security professionals as three major conferences converge on the city of Las Vegas. Hackers were everywhere in Sin City. That does seem rather apropos. Some attended all three conferences: Black Hat, DefCon and BSidesLV.  Given that this was on my time and my dime, I couldn’t swing the higher rates of Black Hat, however I was able to do BSidesLV and DefCon.  There is always plenty of press about the two larger conferences, Black Hat and DefCon.  But I want to tell you about BSidesLV, the “little” conference that could… change the world.

BSides are a much-loved series of community-driven security events, and run by volunteers.  They are accessible, affordable and are not about selling stuff but rather about generating ideas and relationships. My first experience with BSidesLV has been truly rewarding, both as a speaker in their Proving Grounds track, and as a volunteer.  Proving Grounds is an incredible opportunity for inexperienced or first time speakers to be mentored by someone experienced, and help them get to the conference. That’s a huge deal when you’re just starting out. My mentor was fun to work with, very supportive, and steered me clear of pitfalls as we worked on my presentation. This was a major commitment on his part, as we teleconferenced every two weeks from May thru July, and I reaped all the rewards. When I stepped up to the podium, I was more excited than nervous to give the talk I had always wanted to deliver. Now, I can’t wait to do another talk. And I watched my fellow novice speakers deliver their talks with confidence and skill, setting them on course to go do more.

(Image from Tripwire as they covered talk by @GRC_Ninja)

Volunteering with BSidesLV has turned out to be a gift I gave myself, because it was an opportunity to become part of the community and to give back. What I’ve discovered is that so many members are willing to give freely of their time and talent to make this conference available to all who want to attend. There are no entrance fees. Just opportunities to learn, grow and connect. To say I feel privileged just to be here would be an understatement. Being part of a community like this when you are just starting out encourages new ideas and creative approaches, without which security cannot meet the constant evolution of threats.  BSides is all about learning as a community, supporting members through informal mentoring, and fostering collaboration from the ground level.  You can see it in the collection of hallway huddles. Or by impromptu conversations that invite passersby and last for hours. Passion fuels innovation. Which perfectly reflects the theme at this year’s BSidesLV: The Next Big Thing.

BSidesLV offers more than just innovative and informed perspectives on security matters.  Yes, there are all the “big” talks happening on hot-button issues, like hacking cars and zero days.  But security grows when those within the community probe and question beyond the obvious, pushing us toward the next “big” thing, so that when it happens, we were already looking for it.  Bigger conference venues aren’t always receptive to security unknowns, whether they be ideas or people.  That’s why organizations like BSides have developed and continue to grow in popularity. They invite new ideas, and welcome uninitiated security enthusiasts (like me) into the fold.

In fact, this year saw a marked increase in attendance, and entry badges were gone early. I overheard several conversations citing the quality and diversity of the talks at BSidesLV in comparison to some at Black Hat. It was good to have Tripwire actively covering the talks and sharing them with the community at large, as well as Peerlyst. This kind of collaboration furthers relationships and opportunities within InfoSec, and acknowledges the genuine passion and hard work of so many talented people here.

BSidesLV has so much to offer as a community within the larger security community, and as a forum that welcomes collaboration and innovation to challenge what we know.  This “little” conference is earning some high praise and recognition among its larger counterparts, and if I were a betting person, I’d lay odds this is where the next “big” things will be discovered.

The Internet & Wassenaar: This Changes Everything

Legislation is tricky stuff. Hard to understand, hard to follow. Hard to undo. Which is why we need to be aware of things that have the potential to impact us, so we can get ahead of them in case there is a problem. The reality is, time won’t be on our side.

As is the case with the Wassenaar Arrangement, and the proposal to enforce it by the US Bureau of Industry and Security (BIS). Wassenaar is a voluntary agreement between 41 countries, with the purpose of regulating the knowledge of how to create “intrusion software,” which is defined as “software that is capable of extracting or modifying data or modifying the standard execution path of software in order to allow the execution of externally provided instructions.” Their mandate is for controls to be put in place over intrusive software that could become digital weapons, used by regimes to subjugate their citizens, or spy on their personal lives. While this sounds like a good premise, it’s actually far-reaching and has the potential to create a lot of collateral damage. And the direct recipients of that damage are the very people we need to keep us and our information safe online: those who work with security testing, research and software.

The objectives of Wassenaar and the BIS have only been furthered by the recent publicity over the attack of Hacking Team, a cyber espionage outfit that counted governments as clients and whose dealings were kept secret for the benefit of both sides. As per the recent article by Katie Moussouris in Wired,

“Security experts warn that overzealous laws will stifle this vital security research that aids defense. Many also fear these regulations will put legitimate tech companies out of business due to excessive license application burdens and delays in the ability to sell security products and compete globally.”

Here’s the truth of it. By enforcing the broad mandate of Wassenaar as per BIS, we shut down the very organizations and people who can best act as our first line of defence. There is no question that malware and cybercrime are evolving rapidly, and that we do not have full control over our security.  Those who seek to profit from using and abusing technology will continue to do so, and find ways around any legislation, or risk existing penalties in favour of what they stand to gain, be that money, power or both. Wassenaar will not rewrite human nature any more than it will prevent the inevitable from happening.

We need to have people finding the bugs in our software that could be exploited and making that knowledge available through vulnerability research and disclosure. But the legislation would control information necessary for research, testing & development. Security researchers and companies must be able to watch over existing traffic and monitor it for threats without fear of reprisal.  To fully appreciate just how BIS and Wassenaar will impede security providers I encourage you to read the full article by Katie Moussouris in Wired here.

“One thing is constant: Those who wish to create tools and use or distribute them to cause harm will continue to do so with the impunity that was revealed in the internal communications of the hacked Hacking Team. No regulation will stop them. It is our job to collectively ensure that no regulation stops defenders.”

BIS has invited public feedback about what they propose but the deadline is today, July 20.  If you can, speak up today. Here are some helpful guidelines:

  1. Give examples of what technology is caught by these rules and what the impact will be.

  2. Explain in detail the burden to organizations and individuals who will have to apply for export licenses under the new rule.

  3. Show how the new rule won’t achieve the stated goal of protecting human rights, but instead will hinder defense of the Internet.

Comments on this rule may be submitted to the Federal rulemaking portal (www.regulations.gov). The regulations.gov ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to publiccomments@bis.doc.gov or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments.

https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19

We all have a stake in how Wassenaar plays out. And today, we all have an opportunity to influence that outcome.

WEEKLY SECURITY BRIEF: July 14 2015

UPDATES: Microsoft Patch Tuesday: Critical Updates for RDP and Explorer

There are urgent fixes required for Internet Explorer, as one more zero day is added to the growing pile of fallout from the Hacking Team hack. This flaw is being actively exploited by hackers, so IE users need to get the patch on ASAP. And there are equally urgent fixes to apply for RDP (Remote Desktop Protocol), Office and Windows because of active exploits in play. Other fixes address issues of remote code execution and elevation of privilege.

THE BIG STORY: Get the Flash Outta Here!
Or better yet – how many zero days can you release in a week? Seriously, the time has come and the time is now to get rid of Adobe Flash Player. After Hacking Team got hacked a week ago Sunday, some of the spillage included several zero day vulnerabilities they had been sitting on. And while Flash seems to be a manufacturing plant of flaws, that was no excuse. Hackers have been lying in wait for the good stuff to emerge. When it did, they were ready and jumped all over it. Exploits are booming. If we thought we had problems with folks clicking on stuff they shouldn’t before this, it’s going to be malware-palooza if Flash remains enabled. Mozilla was first to take direct response, and Firefox has blacklisted Flash Player. Who’s next?

Java Zero Day

Adding to all the fun is a zero day for Java, due to a flaw Oracle has not yet patched. Note that this is the first Java exploit to be reported in almost 2 years. Because of the way Oracle does things, users cannot downgrade to earlier versions, which aren’t susceptible. A cybercrime group (out of Russia?), Pawn Storm, has been using this nifty little flaw in its attacks on various nation-states, governments and armed forces. Yes, like in “War Games”. The recommendation from security experts is to disable Java in browsers for now, until it’s patched, especially given the triple-header of Flash zero days on hand.

Oh Windows XP Users …

With all this talk of zero days, folks still using Win XP have not been getting any security patches since April 2014. Just imagine. Today, support for Microsoft’s Malicious Software Removal Tool and updates officially ends. There will be no more. But there are still approximately 180 million users out there, which amounts to 12% of all Windows users. Be warned: an anti-virus product isn’t going to fix Windows vulnerabilities and flaws. If the saying holds true that you get what you pay for, then expect that you will pay for not upgrading to a patchable, safer version of Windows.
And let’s not forget Windows Server 2003. End of Life is also today.

https://grahamcluley.com/2015/07/anti-virus-updates/

The OpenSSL Patch or Much Ado about Nothing

Given all the advance hype leading up to this mysterious flaw and its urgent patch, I am happy to report that this issue is not another Heartbleed or worse. In fact, only newer versions of OpenSSL are affected.
Apparently, any application that verifies certificates, including SSL and TLS, could be compromised by this problem: OpenSSL tries to find an alternative certificate chain if its first attempt to build a chain fails. Because of an error in the implementation of this logic, an attacker could cause certain checks on untrusted certificates to be bypassed. They would then be able to forge a trusted certificate and set up Man in the Middle attacks. BUT this won’t have a widespread impact, as most web browsers currently do not use OpenSSL and are not affected. OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.
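As an added check that is not part of the original post: a small Python script that reads an `openssl version` banner and reports whether the build sits in the affected ranges named above. The affected-to-fixed mapping is taken from the text; the banner format, function names and the "unlisted" status for branches the brief does not mention are my assumptions.

```python
import re
import subprocess

# Affected releases and the fix for each branch, exactly as stated in the brief.
FIXES = {
    "1.0.2": {"affected": ("1.0.2b", "1.0.2c"), "fixed": "1.0.2d"},
    "1.0.1": {"affected": ("1.0.1n", "1.0.1o"), "fixed": "1.0.1p"},
}

# Matches banners such as "OpenSSL 1.0.2c 12 Jun 2015" or "OpenSSL 1.0.1e-fips ...".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split a banner into (branch, letter suffix), e.g. ('1.0.2', 'c')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return m.group(1), m.group(2)


def assess(banner):
    """Return (status, advice) for a banner.

    status is one of: 'affected', 'fixed', 'not-affected', 'unlisted'.
    """
    branch, suffix = parse_version(banner)
    entry = FIXES.get(branch)
    if entry is None:
        # Branch not covered by the brief; make no claim either way.
        return "unlisted", f"branch {branch} is not covered by this advisory"
    full = branch + suffix
    if full in entry["affected"]:
        return "affected", f"upgrade {full} to {entry['fixed']}"
    # OpenSSL letter suffixes sort lexically ('' < 'a' < ... < 'z' < 'za'),
    # so anything at or past the fix letter already carries the patch.
    fixed_suffix = entry["fixed"][len(branch):]
    if suffix >= fixed_suffix:
        return "fixed", f"{full} includes the fix ({entry['fixed']} or later)"
    return "not-affected", f"{full} predates the affected releases"


def assess_local():
    """Run the local `openssl version` and assess it (requires openssl on PATH)."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return assess(banner)


if __name__ == "__main__":
    print(assess_local())
```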

A New Threat in Corporate Espionage takes Wing

A corporate espionage group dubbed “Butterfly” has been raiding a varied selection of civilian firms for valuable intellectual property. Companies run the gamut from tech and legal to pharmaceuticals and commodities. Most are listed in the Fortune 200 and are publicly traded. Those attacked include multi-billion-dollar firms like Microsoft and Facebook.
What sets this group apart from other cybercrime gangs is that they are very well resourced, use customized malware tools and zero days, and are not going after credit card or customer data. They were first identified in 2013, then seemingly went undercover, but were actually operating without detection, hitting 49 companies in 20 countries. They track their prey to favoured online “watering holes” – sites visited frequently by people within the target company. Vigilance, anti-virus and intrusion detection systems are essential, as this group is disciplined and increasing its attacks.

TeslaCrypt/CryptoWall

TeslaCrypt is the newest variant of ransomware, having made its dubious debut in Feb 2015. It likes to target computer game files, like saves and profiles. And it has become a chameleon, taking on new identities, e.g. TeslaCrypt, AlphaCrypt and now pretending to be CryptoWall, with a variety of file extensions to match: .ecc, .ezz, .exx.
The latest version differs in its enhanced encryption. Bad news for victims, because at this time it is impossible to decrypt files hit by TeslaCrypt. And it now uses an HTML page and not a GUI. The methodology: a victim visits an infected website; malicious code uses vulnerabilities in the browser – plugins like Adobe Flash – to install the malware on the system. The best safeguard is backing up data daily, with the backups stored away from systems that could become infected.
https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/?utm_source=dlvr.it&utm_medium=twitter

Thanks for reading! 

My First “Con”: Alice in Security Wonderland

This month I did something that is a rite of passage for anyone in InfoSec:  I attended my first “Con”, Circle City in Indianapolis, a Security Convention that is about the community and largely attended by … hackers.

Let’s clear up a big misconception. The hackers I know are definitely not the stereotype found ad nauseam. Yes, there are hackers who choose to attack our systems, steal data, and threaten our security. But there’s a whole other group out there who are also hackers, in the constructive sense of the term. They “hack” to understand and improve the code and technology we use every day; they test networks and programs, finding weaknesses and vulnerable points we need to defend from the attackers. Highly skilled and naturally curious, they understand our systems better than we understand ourselves. They know what can go wrong because they know how it can be broken, and that prevention is the best fix.

Cons offer a major venue to present new research and discoveries, and to discuss theories about a fascinating range of topics that impact Information Security. There are a variety, in different flavours, with varying appeal. And they happen throughout the year. Every year in August, Las Vegas hosts DEF CON, a massive hacker event, alongside the more corporate Black Hat, and BSidesLV, from the popular local BSides series encouraging novice through expert. We have some in Canada, but the cost of admission and travel are big factors for attendance. When I asked what my first Con should be, Circle City was the resounding choice. Smaller and new (this was its second year, and very successful), it would be well-attended by people I knew, and feature a diverse mix of classes and talks.

To say this was an incredible learning opportunity would be an understatement. There was a constant exchange of information happening on and offline. I felt like I was back in university (in a very good way) as we worked together in small groups to resolve a given problem and then present to the class. And there I was, sitting and working with some of the smartest, most interesting people I have ever met, who made me feel welcome and invited my contributions. It was truly a privilege.

The best connections however, aren’t plugged into the network, but those made within the network of attendees.  This is a community.  There is an open camaraderie as folks who spend most of the year connecting online enjoy this opportunity to connect face to face. Attendees wear t-shirts from the past cons they’ve attended.  Badges on lanyards denote speakers, participants, staff, and trainers.  Tattoos are a walking montage of art and personal expression. Some describe themselves as introverts, but at these Cons they are among friends, accepted and welcomed.  And then there are the parties, when hackers come out to play and the fun lasts all night long.  A series of artful DJs delivered a wicked sound and light show as a wish-list of arcade games beckoned and we talked until we lost our voices. Yes, Alice, welcome to InfoSec!

Closing ceremonies may be worth missing at some conventions, but I’m glad I stayed to take it all in. It was all good fun watching prizes bestowed on heartily enthusiastic winners. Raffle tickets were sold in handfuls to keen attendees, for a range of prizes including an extraordinary quilt made by one of the members, the intricate pattern actually an encrypted message. Recognition and thanks were sincerely given to those who had given so much. And then there was a moment that brought many of us to tears, as a fellow hacker fighting cancer was welcomed on stage, and the story about bringing him to the Con was told. This really is a community.

I’m so glad I fell down this rabbit hole to InfoSec. I started following paths on Twitter, which is an incredible repository of access points for up to the minute security developments, detailed research, knowledgeable blog posts, and of course, people with whom to connect. Now my kids regulate my screen time and tweets. Had you told me a couple years ago that I’d sit in on a talk about digital forensics and devour every word of it, I would have called you crazy.  Instead, you can call me Alice, because InfoSec has become my Wonderland of learning and discovery. Welcome to my excellent InfoSec adventure.  I can’t wait for what comes next – in Vegas!