CNBC shows how not to handle a security screwup

Sometimes the best lessons happen in public and come from our mistakes. Take a look at the series of errors CNBC made while collecting passwords from its online readers. The commentary is a bit heated, but I think the passion shows the level of care readers expect from such a reputable business.

When someone entered a password into the text box and hit the button, a lot more was going on than a test. The password was being sent over the site’s http (unencrypted) connection to CNBC’s third-party partners, such as ScorecardResearch and SecurePubAds (DoubleClick).

After posting the findings on Twitter, a researcher who works on Let’s Encrypt (free, easy https for websites) joined the dogpile. He added that — inexplicably — CNBC was also saving the passwords to a Google Docs spreadsheet when the user hit “submit.”
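The researcher's method is easy to reproduce, and it is the check I would run against any "test your password" widget: type a unique canary value into the box, capture every request the page makes, and look for the canary in the traffic. The Python below is an added example, not code from the Wired/CNBC story; the captured requests, hostnames and paths are constructed for illustration and only mimic the shape of what the article describes (a cleartext hit to an analytics host, an ad-server call, a spreadsheet form submission).

```python
"""
Trace where a password typed into a web form actually goes.

Added example, not from the CNBC write-up. It reproduces the researcher's
method (enter a unique canary, then inspect every request the page makes)
against a constructed list of captured requests. All hostnames, paths and
bodies below are made up for illustration.
"""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed capture: what a page might send after the "test" button is hit.
# Each entry mimics one request as exported from a browser's network panel.
CANARY = "Canary-P4ssw0rd-2016"
PAGE_HOST = "www.example-news.com"
SAMPLE_REQUESTS = [
    {"method": "GET", "url": f"https://{PAGE_HOST}/security-tool/?pw={CANARY}", "body": ""},
    {"method": "GET", "url": f"http://analytics.example-tracker.net/b?c1=2&c2={CANARY}", "body": ""},
    {"method": "POST", "url": "http://ads.example-pubads.net/collect",
     "body": f"site=news&q={CANARY}&ts=1458000000"},
    {"method": "POST", "url": "https://docs.example-sheets.com/forms/d/e/abc/formResponse",
     "body": f"entry.1={CANARY}&entry.2=strong"},
    {"method": "GET", "url": f"https://{PAGE_HOST}/static/app.js", "body": ""},
]


def carries_canary(req, canary):
    """Return where the canary appears in the request: 'query', 'body' or None."""
    parts = urlsplit(req["url"])
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(canary in v for v in values):
            return "query"
    # unquote() so a percent-encoded form body is still caught
    if canary in unquote(req.get("body", "")):
        return "body"
    return None


def find_password_leaks(requests, canary, page_host):
    """Return one finding per request that transmits the canary.

    Each finding carries two flags matching the two distinct failures in the
    CNBC story: 'cleartext' (not sent over https) and 'third_party' (sent to
    a host other than the page's own). 'location' records whether the value
    travelled in the URL query string (and hence into server/proxy logs) or
    in the request body.
    """
    findings = []
    for req in requests:
        where = carries_canary(req, canary)
        if where is None:
            continue
        parts = urlsplit(req["url"])
        findings.append({
            "method": req["method"],
            "host": parts.hostname,
            "scheme": parts.scheme,
            "location": where,
            "cleartext": parts.scheme != "https",
            "third_party": parts.hostname != page_host,
        })
    return findings


if __name__ == "__main__":
    for f in find_password_leaks(SAMPLE_REQUESTS, CANARY, PAGE_HOST):
        flags = [k for k in ("cleartext", "third_party") if f[k]]
        print(f"{f['method']} {f['scheme']}://{f['host']} ({f['location']}) {' '.join(flags)}")
```

Any finding at all is a defect: a strength meter needs zero network requests, so the password should never appear in a URL or a body. The flags separate the two distinct CNBC failures, cleartext transport and disclosure to third parties; a canary in the query string is a third problem on its own, since URLs end up in proxy and server logs. Capturing the requests is left to the browser's DevTools network panel or a local intercepting proxy, exported and mapped onto the same method/url/body fields.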

Source: CNBC shows how not to handle a security screwup

Two more healthcare networks caught up in outbreak of hospital ransomware through very old vulnerability | Ars Technica

I have been developing a cybersecurity exploitation and threat lifecycle model, and this article caught my attention because it highlights an evolution in how ransomware is deployed. Initially spread through phishing, ransomware is now being used as the payload of attacks that enter through a server-side vulnerability. Interesting.

This also establishes an interesting baseline cost for not safeguarding a network environment. Consider that the attacks are becoming automated: automatic identification of a server running a known-vulnerable version, automatic installation of malware, and then automatic spread across the network to hold it for ransom. Such attacks scale easily, and for an unpatched, exposed server compromise approaches near certainty. More thoughts, developed with hard data, to come on this topic.

“This is really one of the first times we’ve seen ransomware spread by a network vulnerability,” Craig Wilson of Talos Research told Ars, …The malware, called “Samsam” by Talos, uses old, very public exploits right out of JexBoss—an open source vulnerability testing tool for JBoss. Once the malware has a foothold on the server, it spreads to Windows machines on the same network. “I wouldn’t be surprised if this [malware approach] was extended toward WordPress and other content management systems,” Wilson said. “This is really just the natural progression of ransomware.”
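One concrete defence that follows from the quote is to watch your own web logs for the JBoss management endpoints that JexBoss-style tooling hits on the way in. The Python below is an added example, not code from the Ars Technica article or from Talos; the endpoint list comes from my own knowledge of what JexBoss probes (jmx-console, web-console, admin-console and the JMX/EJB invoker servlets), not from the article, and the access-log lines are constructed in combined log format for illustration.

```python
"""
Flag requests to exposed JBoss management endpoints in a web access log.

Added example, not from the Ars Technica article or Talos. The endpoint list
is the set of JBoss administrative/invoker paths that JexBoss is known to
probe (my own knowledge, not the article's), and the sample log lines are
constructed in Apache/NCSA combined format for illustration.
"""
import re

# Paths that should never be reachable from the internet on a JBoss host.
JBOSS_MGMT_PATHS = (
    "/jmx-console",
    "/web-console",
    "/admin-console",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Minimal combined-log-format parser: only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one source probing and reaching the invoker, one
# source bouncing off a locked-down admin console, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2016:02:14:11 +0000] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2016:02:14:12 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1408 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2016:02:14:13 +0000] "HEAD /web-console/Invoker HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2016:02:20:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2016:02:21:02 +0000] "GET /admin-console/login.seam HTTP/1.1" 401 0 "-" "curl/7.47"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_mgmt_path(path):
    """True if the request path is, or lies under, a JBoss management path."""
    p = path.split("?", 1)[0].rstrip("/")   # ignore query string and trailing slash
    return any(p == mp or p.startswith(mp + "/") for mp in JBOSS_MGMT_PATHS)


def flag_jboss_probes(lines):
    """Return (ip, method, path, status, severity) for each management-path hit.

    severity is 'exposed' when the server answered anything other than
    401/403/404 (the endpoint is reachable from that source and may have been
    driven), and 'probe' when it was blocked or absent.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_mgmt_path(rec["path"]):
            continue
        status = int(rec["status"])
        severity = "probe" if status in (401, 403, 404) else "exposed"
        hits.append((rec["ip"], rec["method"], rec["path"], status, severity))
    return hits


def exposed_sources(lines):
    """Set of client IPs that reached a management endpoint (severity 'exposed')."""
    return {ip for ip, _, _, _, sev in flag_jboss_probes(lines) if sev == "exposed"}


if __name__ == "__main__":
    for hit in flag_jboss_probes(SAMPLE_LOG.splitlines()):
        print("%-14s %-5s %-32s %s %s" % hit)
    print("sources that reached an endpoint:", sorted(exposed_sources(SAMPLE_LOG.splitlines())))
```

A 2xx or 5xx answer on one of these paths means the endpoint is reachable from that source, which on an internet-facing JBoss is a patch-now finding whether or not the request succeeded as an exploit; a 401/403/404 is a probe worth correlating with other sources but not an exposure. The log only shows the entry point: the Windows-side spread Talos describes has to be hunted on the hosts and in the domain, not here.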

Source: Two more healthcare networks caught up in outbreak of hospital ransomware | Ars Technica

Best,

James

Make Sure You Don’t Miss These Peer2Peer Sessions at RSAC 2016 | RSA Conference: How not to be hacked highlighted

The largest information security conference is upon us, and after a great reception at conferences and chapter meetings including InfraGard, ISACA, the Technology Association of Georgia, and Fulton County, I am ready for RSA. I have been following and building this research for nearly two years, and I can’t wait to hear fresh insights and perspectives at RSA to make everyone better. Curious about the session? Here is some Q&A about it. Please join me at the session or grab me for coffee during the event!

1. How Not to Be Hacked—Take the Advantage (P2P2-R08)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

  • Seeking attendees who are: trendsetters, change agents, visionaries, and passionate people seeking to make a difference one life at a time
  • Titles of those who will contribute to the session: Product Security Leaders, Parents, and Directors of Security

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

  • Important to the industry: today 3.1 billion people are online, most of them neither empowered nor informed, and it is impossible to secure every app and device on their behalf.
  • Important to me: empowering people to protect themselves prevents human trafficking, enhances quality of life, and limits negative digital events.

Challenge: Are YOUR family members, parents, children, and friends safe and secure online today because of your profession?

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion? 

  • What do you do habitually when navigating to a new website? What do you check? Do you type in the URL? Do you Google it?
  • How do you protect your children on social media sites? Do you use manual reviews, monitoring software, account management, or denial?

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

Desired outcome: A fresh look and optimism on how to transfer habits of highly knowledgeable security professionals to regular people.

Takeaways:  Specific simple and highly potent techniques and tips to make the digital world safer and happier for our friends, family, and colleagues.

See the book on Amazon here (best anti-hacking investment you’ll ever make for your parents): How Not To Be Hacked

Source, RSA Conference Official Site: Make Sure You Don’t Miss These Peer2Peer Sessions at RSAC 2016 | RSA Conference

Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS


Preparing for the InfraGard keynote, I have been digging into criminal psychology and specifically the concept of opportunity. If you’ve heard me speak this year you’ve been exposed to the concept as I’ve applied it to online crime.

Rutgers School of Criminal Justice professors Marcus Felson and Ronald V. Clarke developed ten principles of opportunity and crime, which describe how opportunities, or vulnerabilities, are a root cause of crime. I’ve highlighted the last two of their ten principles below. I’d encourage those in the cybersecurity industry, and anyone seeking to safeguard sensitive data (personal or intellectual property), to read these with an open mind. I believe they expose an incorrect assumption and an opportunity to approach cybersecurity differently.

Principle 9: reducing opportunities does not usually displace crime. Crime displacement is the idea that blocking crime at one facility simply forces it onto another, less hardened facility. While some displacement does occur, it is far from total.

Finally, principle 10: focused opportunity reduction can produce wider declines in crime. This is the concept of diffusion of benefits, a process by which increased security measures at one location also benefit neighboring facilities.

Source: Ten Principles of Opportunity and Crime – INDEPENDENT SECURITY CONSULTANTS

Best,

James

P.S. To understand how to keep you and your family safe, buy the definitive guide for regular people, How Not To Be Hacked, today!

Chromium Blog: Introducing the Security Panel in DevTools

I love seeing Google push its large developer base toward more transparency and faster iteration. The greatest advantage I see here (consistent with my analysis of the leading product companies) is that quality testing and activities, security included, are pushed forward to the developer.
This is a key attribute: developers owning security, as they are closest to the product and to the areas that develop into issues.
I look forward to seeing everyone at RSA this year as I speak on How Not To Be Hacked! I am looking for collaborators on my effort to protect children in a connected world.

IoT future: The world’s tiniest temperature sensor is powered by radio waves

All things technology interest me, and my research and professional work (developing products, building efficient technology operation centers, and managing vast cyber-related assets) gives me a good view of where we are and where we need to be. Our dependence on technology now reaches every level of life. I am not speaking just of social connection through Facebook and Snapchat, but of technology embedded in our brains, hearts, homes, and cars, managing the electricity to our homes, balancing the nuclear reactions at power plants, and precisely throttling our water purification systems. Its importance is paramount to survival.

It is our opportunity to ensure that technology continues to benefit life and enjoyment, but that comes at the cost of actively and persistently striving for high-quality performance. Yes, performance does include security. A car can be fully maintained and the best money can buy, but if the lock doesn’t lock it will quickly be stolen.

I have been tracking a technology in development in which tiny sensors are powered by radio waves, allowing them to operate without ever needing a recharge. They are extremely small (grain-of-sand small) and can be used for a vast number of (currently) single purposes. A recent thesis and accomplishment by researchers at TU/e caught my eye; I have highlighted the possibilities below, plus a bit of the article. Enjoy.

  • Sensor’s current range is 2.5 centimeters, but is expected to reach 1 meter within a year
  • Sensor size is 2 square millimeters
  • Can be painted onto walls, added to concrete, or added to latex (insert fantastic spy usage here)
  • Is powered by radio waves in the room / provided by a “router” that directs radio waves and receives data from sensor

The sensor stores that energy and, once there is enough, the sensor switches on, measures the temperature and sends a signal to the router. This signal has a slightly distinctive frequency, depending on the temperature measured. The router can deduce the temperature from this distinctive frequency. The same technology enables other wireless sensors to be made, for example to measure movement, light and humidity. The application areas are enormous, Baltus says, ranging from payment systems and wireless identification to smart buildings and industrial production systems. They won’t be expensive either: mass production will keep the cost of a sensor down to around 20 cents.

The project, called PREMISS, has received funding from the STW technology foundation. The title of Hao Gao’s thesis is ‘Fully Integrated Ultra-Low Power mm-Wave Wireless Sensor Design Methods’.

Source: The world’s tiniest temperature sensor is powered by radio waves

Think outside the box,

James

DHS performing free cyber security assessments, as reported by Krebs

Interesting to read that DHS has been providing free security assessments of private industry upon request. Krebs posted a nice bit of detail on this little-known program. Bottom line: this is not the only third-party assessment available, but it is always worthwhile to engage such evaluations.

Among the findings in that report, which drew information from more than ~100 engagements last year:

  • Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);
  • More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent).
  • RVA phishing emails resulted in a click rate of 25 percent.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

How do the identified vulnerabilities break down on a Critical-to-Low scale? Here we go:

[Chart from the FY14 report: vulnerability findings by severity, Critical to Low]

As always, Krebs’ article is worth the deeper dive.

Do good,

James