
Archive for March 2017

HackerOne Offers Free Bounty Programs for Open Source

Popular bug-bounty platform HackerOne has announced that it is offering its services for free to open source projects.

In the wake of high-profile open-source flaws like Heartbleed and Poodle, there’s an awareness that most of the tools and technology that we use every day run on open-source platforms. With that in mind, the HackerOne Community Edition is being offered for free. It provides vulnerability submission, coordination, dupe detection, analytics and bounty programs; and simplifies how organizations define scope, receive vulnerability reports, manage those reports and incentivize security researchers to help harden their projects.

While open-source projects tend to be more secure by nature, no software is perfect—and with just one flaw, vast swaths of the internet backbone can be compromised.

“Our company, product, and approach is built-on, inspired by and driven by open source and a culture of collaborative software development,” HackerOne said, in a blog post. “As such, we want to give something back. Our primary focus at HackerOne is to help make the Internet safer. As part of this we know that open source underpins many products and services that we use every day, so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.”

As part of the HackerOne Community Edition, the company will provide a full featured instance of HackerOne Professional to any eligible project; dedicated customer support isn’t included, but there’s a “wealth of documentation online,” the company noted.

All open-source projects are welcome to apply if they meet the following requirements:

•    Project scope must only be open-source projects that are covered by an OSI license.
•    The project must be active and at least three months old (age is measured by shipped releases or code contributions).
•    The project must add a SECURITY.md file in the repository root that explains how to submit vulnerabilities.
•    The project must display a link to its HackerOne profile from either the primary or secondary navigation of its website.
•    The project must maintain an initial response time to new reports of less than a week.

“As open-source has become an increasing component in how organizations consume technology, the workflow of how people build these projects is critical,” said Jono Bacon, previous director of community at Canonical, GitHub and XPRIZE. “I am delighted to see HackerOne provide a key component in this workflow in much the same way code hosting/review, continuous integration, containerization and other pieces have become staple pieces.”

Many open source projects such as Ruby, Rails, Discourse, Django, GitLab, Brave and Sentry already are using HackerOne.

"Our HackerOne program has been a definite success for us—a new way to get actionable security reports that improve the security of the open source Discourse project for everyone,” said Jeff Atwood, co-founder of Discourse. “A public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts."

Source: Information Security Magazine

#GartnerIAM: Analytics in IAM Enable Security

Much of the negativity in security can be offset by the positive outlook for IAM and analytics.

Speaking at the Gartner IAM conference in London, Jason Keenaghan, program director of IBM Security Offering Management at IBM, said that a lot of security focus is on external attacks, the security operations center, the endpoint and attacks from within. “This is a focus for privileged access also, and what to do with it,” he explained.

“There are two key things you need to do to protect: step one is to know who the users are, and how to get a level of assurance so you know who they are claiming to be. Step two is once you have identified who the user is and who has a digital identity, you cannot just be satisfied to know what they are going after.”

Pointing at the 2016 Verizon Data Breach Investigations Report, which found that 63% of incidents are ‘still down to username/passwords’, Keenaghan argued that organizations want to lock down security and keep their crown jewels safe, but password-based authentication is at odds with usability, forcing a choice between good security and a good user experience for employees and contractors.

“It is easier said than done, especially with the way we have looked at security,” he said. “We want to select proper authentication methods based on associated risk, such as what device they are coming from, what access rights the person has, what location they are coming from and what behavior they have had in the past. You need to take that all into account with an authentication strategy.”

Keenaghan pointed at a 2015 IBM X-Force Report which revealed that 61% of organizations do not monitor privileged access users. Joining him on stage were Angelika Steinacker, who leads IBM's Identity & Access Management Competency in Europe, and Sridhar Muppidi, chief technology officer for Identity & Access Management Solutions at IBM Security Systems. Steinacker praised comments made in the opening keynote about analytics in IAM, identity management and governance. In particular, she said that identity management has to be a business-driven topic, and that regulatory compliance is where IAM fits in.

Muppidi pointed at the recent launch of IBM Watson, saying that cognitive decision-making means machine learning can be part of IAM, spotting attacks that SOCs and analysts overlook, and that such systems are “able to make risk-based authentication and entitlements, able to influence for multi-factor authentication and be more and more cognitive”.

Source: Information Security Magazine

One Million Stolen Gmail & Yahoo Accounts for Sale on Dark Web

Log-in credentials for over one million Gmail and Yahoo accounts are being sold on a dark web marketplace.

According to reports, a seller by the name SunTzu583 is offering the accounts for sale. Among the compromised accounts being offered are 100,000 Yahoo accounts allegedly harvested from the 2012 hack of Last.fm, according to HackRead. The information includes usernames, email addresses and plain text passwords.

A further 145,000 Yahoo accounts are also on sale, apparently taken from the October 2013 Adobe breach and the MySpace hack, which happened in 2008 but was not made public until 2016. These details include usernames, email addresses and decrypted passwords.

The number of Yahoo accounts on offer is dwarfed by the number of Gmail accounts said to be up for sale.

First up are 500,000 Gmail accounts, including usernames, email addresses and plain text passwords. According to HackRead, these came from 2014’s breach of the Bitcoin Security Forum, the Tumblr breach of 2013 and the same MySpace hack that yielded the Yahoo credentials.

It’s not clear if the Bitcoin Security Forum itself was breached in 2014, or if these Gmail accounts are from the same dump of five million accounts in September of that year.

A further 450,000 Gmail accounts are being offered by the same seller, said to be from a variety of breaches including Last.fm, Adobe, Dropbox, Tumblr and more.

All the accounts, totalling just under 1.2 million, are on sale in exchange for Bitcoin.

Infosecurity Magazine has reached out to Google and Yahoo for comment but has yet to receive a reply.

It has been a bad few months for Yahoo in terms of data breaches. The company has admitted to a number of incidents over the last few years that exposed customer details from over one billion accounts.

Users worried about the security of their Gmail or Yahoo account, particularly if their accounts were compromised in any of the data breaches mentioned here, should change their password immediately.

Users should also enable two-factor authentication where it is offered, as it adds another layer of security to online services by sending a unique, one-time code to a mobile device, which has to be entered alongside the password.

Source: Information Security Magazine

#GartnerIAM: Analytics Can Help IAM

Starting off the 11th Gartner IAM conference in London, Gartner VP Gregg Kreizman highlighted the need for change, and to do a better job of building adaptively.

He said: “The key is to take possible change into account when building solutions. Bad guys find a way in, and sometimes you don’t know that until someone tells you from outside, or your credit card data on the dark net.

“Threat protection brings its own set of processes, controls and efficiency, but IAM security is a set of functions, think privileged access and lateral movement through the organization and think of the role analytics plays in IAM.”

He concluded his part of the opening keynote by saying that if you are going to do IAM, you need to be resourced better, and IAM cannot do the job on its own without sound decisions.

Putting the spotlight on Identity Governance and Administration (IGA), Gartner research VP Lori Robinson said that IGA began with simple use cases such as employee access handled by point solutions: when an employee left, their access to Active Directory was cut off. However, mobility, apps, cloud and partners have changed that, and Robinson argued that there is innovation in the IGA space to meet that need.

Looking at analytics, Robinson suggested a model of peer groups and creating a model based on other users, and using that to determine entitlements and what is necessary for the job. “Analytics has moved to a model that is based on activity and what's happening in the environment,” she said. “Form peer groups on how they are behaving and with peer groups, define policy around that.”

Robinson said that analytics is not just restricted to machine learning, but there is a lot of potential and use cases available.

Rounding off the opening keynote session was research director Jonathan Care, who highlighted the challenge with passwords and that 75% of budget goes on protection and anti-malware. “We are not only doing what we do with analytics to protect, but also predict when an attack has happened,” he said. “The point being, the way we are securing data is not working.”

He called for seamless authentication for business and consumers, and also to look at each transaction to bring it within organizations. “It would be nice if we could provide something which had a low value transaction overhead,” he added. “The interactions need to be slick and seamless and reliable.”

He went on to talk about identity proofing, and proving who a person is through a continuous process, and said that there is too much reliance on static data: with 1.7 billion identities on the dark web, secret information is too easily found.

“It is not just username, passwords, dating history – although that is bad enough – start thinking about healthcare. So I see it moving from an idea about proof to validation because there is no proof, we are saying that for our risk appetite and tolerance, it is likely that Jonathan Care is the one sitting in front of the keyboard, but the question is how do we apply that to the IoT?”

Kreizman concluded by saying that we need good IAM program management that can help ensure “continuous assurance of maturity” and link that to your business outcomes. “Build flexibly and adaptively for the next change,” he said. “Big Data and analytics need to be more than cool.”

Source: Information Security Magazine

Hypocrisy Alert: Veep Pence Used AOL Account for State Business

US Vice-president Mike Pence used a personal webmail account, which was subsequently hacked, to conduct state business while governor of Indiana, including matters of homeland security, according to a new report.

The IndyStar obtained 29 pages of emails from Pence's AOL account, released to it by the office of the current governor of Indiana, Eric Holcomb.

They show him discussing various official matters with advisors, including what the state’s response to terror attacks across the globe should be.

A statement from Pence’s office had the following:

"Similar to previous governors, during his time as governor of Indiana, Mike Pence maintained a state email account and a personal email account. As governor, Mr Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

His actions might have been technically legal according to state law but they also smack of rank hypocrisy as Pence was among the many voices highly critical of Hillary Clinton’s use of a private email server on which to conduct state business while secretary of state.

Also, unlike Clinton, his webmail account was apparently hacked last year by a fraudster who tried to trick his address book contacts into sending money by claiming Pence and his wife were stranded in the Philippines.

After the incident, he is said to have simply set up a new AOL account.

There are also suggestions that Pence may not have followed the advice of Indiana public access counselor Luke Britt – to forward any emails involving state business to his government account – until he was leaving the governor’s office.

This isn’t the first cybersecurity scandal to hit the Trump administration.

Question marks have been raised over the cybersecurity posture of Trump’s businesses in the past, while it was revealed in January that 13 top staffers including new cybersecurity advisor Rudy Giuliani have had log-in credentials compromised in historic data breaches.

Despite all its pre-election bluster and accusations about Clinton being a national security risk, the truth is that the Trump administration is as clueless as, if not more so than, the opposition when it comes to cybersecurity.

It’s widely believed that the state-sponsored hackers that managed to infiltrate Democratic officials’ emails were also able to access GOP communications.

Source: Information Security Magazine

Cybersecurity Leader Howard Schmidt Remembered

News appeared on Thursday 2 March that Howard Schmidt had passed away following a long battle with cancer.

Schmidt, who was 67, was one of the most highly regarded cybersecurity leaders in the industry. An air force veteran who served in the Vietnam War, he held positions in both the private and public sectors, most prominently in the US government.

His move from the military to cybersecurity included 12 years serving as a special agent for the United States Army Reserve, a post as research professor at Idaho State University, and seats on the boards of multiple vendors and security organizations. He was also CISO of eBay and chief security officer of Microsoft, and served as Chief Security Strategist for the US-CERT Partners Program at the Department of Homeland Security.

Eleanor Dallaway, editor and publisher of Infosecurity Magazine, said: “I am deeply saddened to hear of the passing of Howard Schmidt. It was a great honor to have him serve on the Infosecurity Magazine editorial board, and I remember being delighted when he accepted my invite many years ago.

“I've interviewed Howard several times and have always been overcome with how wonderful he was – not just as a cybersecurity professional, but as a person. Our thoughts go out to Howard's friends and family. He is a great loss to both industry and the world.” 

He was recently working with Ridge Global. Chairman Tom Ridge said in a statement: “Our nation has lost a rare gem. Howard Schmidt was a leader on digital security before most people even knew what a cyber-attack was. His expertise was sought by US Presidents on both sides of the aisle as well as presidents and CEOs of some of the most influential brands in the world.”

In government, Schmidt was the former White House Cybersecurity Advisor to Presidents Barack Obama and George W. Bush.

“In my role as (ISC)²’s CEO, I had the opportunity to travel and work closely with Howard. He was always someone I found easy to admire professionally, but the opportunity to get to know him personally is something I will always cherish,” said David Shearer, CEO, (ISC)². “We’ve not only lost an incredible person, we’ve lost a long-standing contributor to the global security community.”

Adrian Davis, managing director of (ISC)², who also worked with Howard at the ISF, told Infosecurity: “He was a real example to us all and a true cybersecurity professional. I remember his sense of humor and his warmth. He'll be missed by both his family and his cybersecurity family.”

Schmidt served as President and CEO of the ISF between 2008 and 2010. Steve Durbin, Managing Director of the ISF, said in a statement: “The ISF is deeply saddened to hear of the passing of Howard Schmidt. During his time with the ISF Howard was able to draw on his depth of experience across senior business, government, academia, law enforcement and information security management roles.

“An internationally renowned visionary in the field of cybersecurity from its earliest days, Howard brought his unparalleled knowledge and passion to his role as president and CEO of our organization.”

Marios Damianides, Past ISACA board chair and partner at Ernst & Young LLP, told Infosecurity: “First, my condolences to Howard’s family for their loss. It is a sad day for all of us, including his friends, colleagues and the security world. I worked with him some years back when we were working on closer alignment between our respective organizations (ISSA and ISACA). It was my honor to present Howard with an honorary CISM certification in 2003, and his contributions as a member of ISACA’s IT Governance Advisory Panel proved invaluable.

“He has always been a terrific leader and visionary in the security world and was not afraid to share perspectives and be provocative. He served his country with dignity and was always proud of that service as well as his contributions to the security industry and thinking. He will be missed.”

Source: Information Security Magazine

Chinese VoIP Kit Contains Backdoor, Warn Researchers

Researchers at Trustwave are warning of a hidden backdoor in VoIP devices produced by Chinese manufacturer DBL Technology which could allow access by the manufacturer or malicious third parties.

The issue is with the authentication process, allowing a remote attacker to gain a shell with root privileges on an affected device, Trustwave researcher Neil Kettle explained in a blog post.

“The Telnet interface of the GoIP is documented as providing information for users of the device through the use of logins ‘ctlcmd’ and ‘limitsh’. Both of these logins provide limited information about the device, and are accessed using the user-configured administrator password. However, an additional undocumented user, namely ‘dbladm’ is present which provides root level shell access on the device. Instead of a traditional password, this account is protected by a proprietary challenge-response authentication scheme,” he explained.

“Investigation has shown this scheme to be fundamentally flawed in that it is not necessary for a remote user to possess knowledge of any secret besides the challenge itself and knowledge of the protocol/computation.”

This is apparently in contrast to more secure challenge-response schemes such as password-based log-ins where the user is asked for a password, which is then obscured to guard against “network interception and replay attacks.”

The issue was first spotted by Trustwave in an 8-port VoIP GSM Gateway from the company. However, it has since been found in the GoIP 1, 4, 8, 16 and 32, and could affect many more DBL Technology devices and OEM kit.

More worryingly, when contacted last October, the firm did not fix the issue.

“Verification of the patched version reveals that the challenge response mechanism is still present in the latest version albeit a little more complex. It seems DBL Technology engineers did not understand that the issue is the presence of a flawed challenge response mechanism and not the difficulty of reverse engineering it,” explained Kettle.

“The main differences between the latest challenge response mechanism and the older variant is the level of complexity it employs: a simplistic MD5 with a linear equation changed to several 'round' functions mixed with a modified version of the MD5 hash algorithm.”
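To make the design point in Kettle's remarks concrete, here is an added toy model (my own illustration, not DBL Technology's actual algorithm or Trustwave's code): a login gate whose expected response is a public function of the challenge, a 'hardened' keyless variant with extra rounds, and a keyed HMAC variant. The function names, the 'linear' and round steps, and the audit check are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed toy schemes. None of this is the real GoIP computation.


def keyless_response(challenge: bytes) -> bytes:
    """Hypothetical older-style scheme: MD5 of the challenge plus a simple
    linear tweak. Every input is public, so anyone who sees the challenge and
    knows the computation can produce the expected response."""
    digest = hashlib.md5(challenge).digest()
    return bytes((3 * b + 7) % 256 for b in digest)  # constructed "linear equation"


def keyless_response_v2(challenge: bytes, rounds: int = 4) -> bytes:
    """Hypothetical 'hardened' variant: several mixing rounds over the MD5
    output. Harder to reverse engineer, but still no secret, so still no
    authentication: the same argument applies as to the older scheme."""
    state = hashlib.md5(challenge).digest()
    for i in range(rounds):
        state = hashlib.md5(state + bytes([i])).digest()
        state = bytes(b ^ 0x5C for b in state)
    return state


def keyed_response(secret: bytes, challenge: bytes) -> bytes:
    """Sound scheme: HMAC over the challenge with a per-device secret that is
    provisioned out of band and never transmitted."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


# Adapters so every scheme takes (secret, challenge); the keyless ones ignore the secret.
ResponseFn = Callable[[Optional[bytes], bytes], bytes]
OLD_KEYLESS: ResponseFn = lambda secret, ch: keyless_response(ch)
NEW_KEYLESS: ResponseFn = lambda secret, ch: keyless_response_v2(ch)
KEYED: ResponseFn = keyed_response


class TelnetGate:
    """Server side of the toy login: issues a random challenge, then compares
    the supplied response against what the configured scheme expects."""

    def __init__(self, response_fn: ResponseFn, secret: Optional[bytes]):
        self.response_fn = response_fn
        self.secret = secret
        self.challenge = b""

    def issue_challenge(self) -> bytes:
        self.challenge = os.urandom(16)
        return self.challenge

    def check(self, response: bytes) -> bool:
        expected = self.response_fn(self.secret, self.challenge)
        return hmac.compare_digest(expected, response)


def outsider_accepted(gate: TelnetGate, public_fn: Callable[[bytes], bytes]) -> bool:
    """A party that sees the challenge and knows the published computation but
    holds no device secret. True means the gate lets them in."""
    ch = gate.issue_challenge()
    return gate.check(public_fn(ch))


def secret_holder_accepted(gate: TelnetGate, secret: bytes) -> bool:
    """The legitimate party, who does hold the provisioned secret."""
    ch = gate.issue_challenge()
    return gate.check(keyed_response(secret, ch))


def scheme_binds_secret(response_fn: ResponseFn, challenge: bytes = b"\x00" * 16) -> bool:
    """Audit check a reviewer can apply to any challenge-response design: run it
    under two different secrets. If the expected responses coincide, the secret
    plays no role and the scheme authenticates nothing, however many rounds it has."""
    return response_fn(b"secret-A", challenge) != response_fn(b"secret-B", challenge)


if __name__ == "__main__":
    print("old keyless scheme binds a secret:", scheme_binds_secret(OLD_KEYLESS))
    print("new keyless scheme binds a secret:", scheme_binds_secret(NEW_KEYLESS))
    print("keyed scheme binds a secret:      ", scheme_binds_secret(KEYED))
    print("outsider accepted by new keyless: ", outsider_accepted(TelnetGate(NEW_KEYLESS, None), keyless_response_v2))
    print("outsider accepted by keyed gate:  ", outsider_accepted(TelnetGate(KEYED, b"device-secret"), keyless_response_v2))
```

The `scheme_binds_secret` check is the one worth keeping: it flags both keyless variants identically, which is the point Kettle makes about added complexity not being a fix.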

Source: Information Security Magazine

Amazon Outage Caused by Simple Input Error

A major outage which struck Amazon’s US-EAST-1 region on Tuesday, rendering large swathes of the internet inaccessible, was caused by a simple input error on the part of an engineering team, AWS has revealed.

The cloud giant explained in a lengthy online post that a Simple Storage Service (S3) team was debugging an issue which had been causing the S3 billing system to slow.

It continued:

“At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.”

The bad news continued when it turned out that the servers inadvertently removed were supporting two other S3 subsystems. The index subsystem manages the metadata and location information of all S3 objects in the region, and the location subsystem “manages allocation of new storage and requires the index subsystem to be functioning properly to correctly operate.”

Amazon was forced to restart these two subsystems, which also rendered a range of other services reliant on S3 for storage unavailable, including the S3 console, Amazon Elastic Compute Cloud (EC2) new instance launches, Amazon Elastic Block Store (EBS) volumes when data was needed from an S3 snapshot, and AWS Lambda.

AWS said it had not had to restart the index or placement subsystem for several years, during which time S3 has experienced massive growth, which made the whole process, including checks on the integrity of metadata, take longer than expected.

The cloud giant said it is changing things to prevent a similar incident happening in the future, but for many it is a reminder of what can go wrong even in organizations with the resources of Amazon Web Services.
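As an added illustration of the kind of guard that stops a mistyped input from removing far more capacity than intended (my own example, not AWS's tooling or playbook): a pre-flight check that refuses a decommission request if it would cut too large a share of any subsystem, leave too little of it standing, or touch a subsystem that others depend on. The fleet layout, thresholds and subsystem names are constructed.

```python
from typing import Dict, FrozenSet, Iterable, List, Set


class RemovalRefused(Exception):
    """Raised when a decommission request fails a safety check; nothing is removed."""


def plan_removal(
    fleet: Dict[str, Set[str]],
    requested: Iterable[str],
    *,
    max_fraction: float = 0.10,
    min_remaining: int = 3,
    protected: FrozenSet[str] = frozenset(),
) -> List[str]:
    """Validate a server-removal command before it touches anything.

    fleet maps each server to the set of subsystems it serves (a server can
    back more than one, which is what widened the blast radius in the incident
    described above). The request is refused, in full, if it names an unknown
    host, would remove more than max_fraction of any subsystem's servers, would
    leave any subsystem with fewer than min_remaining servers, or would touch a
    protected subsystem at all. Otherwise the validated host list is returned.
    """
    requested = sorted(set(requested))
    unknown = [h for h in requested if h not in fleet]
    if unknown:
        raise RemovalRefused(f"unknown hosts in request: {unknown}")

    # Invert the map: subsystem -> the servers currently backing it.
    members: Dict[str, Set[str]] = {}
    for host, subsystems in fleet.items():
        for s in subsystems:
            members.setdefault(s, set()).add(host)

    hit_hosts = set(requested)
    for subsystem, hosts in sorted(members.items()):
        hit = hosts & hit_hosts
        if not hit:
            continue
        if subsystem in protected:
            raise RemovalRefused(f"{subsystem} is protected; request touches {sorted(hit)}")
        if len(hit) > max_fraction * len(hosts):
            raise RemovalRefused(
                f"request removes {len(hit)}/{len(hosts)} of {subsystem}, "
                f"above the {max_fraction:.0%} per-command limit"
            )
        if len(hosts) - len(hit) < min_remaining:
            raise RemovalRefused(f"{subsystem} would be left with fewer than {min_remaining} servers")
    return requested


def build_sample_fleet() -> Dict[str, Set[str]]:
    """Constructed fleet: 20 billing-subsystem servers, 5 of which also carry
    an index subsystem that the rest of the service depends on."""
    fleet = {f"srv-{i:02d}": {"billing"} for i in range(20)}
    for i in range(5):
        fleet[f"srv-{i:02d}"].add("index")
    return fleet


def try_removal(requested: Iterable[str], **kwargs) -> str:
    """Run a request against the sample fleet; return 'ok' or the refusal reason."""
    try:
        plan_removal(build_sample_fleet(), requested, protected=frozenset({"index"}), **kwargs)
        return "ok"
    except RemovalRefused as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print(try_removal(["srv-10", "srv-11"]))            # 2 of 20 billing servers: ok
    print(try_removal(["srv-10", "srv-11", "srv-12"]))  # 3 of 20 = 15%, over the 10% limit: refused
    print(try_removal(["srv-03"]))                      # touches the protected index subsystem: refused
```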

Apart from coinciding with Amazon’s AWSome Day, designed to encourage UK start-ups to migrate to the cloud, reports suggest websites and services including Quora, Imgur, GitHub, Zendesk and Yahoo Mail went down or were patchy for several hours.

Gavin Millard, EMEA technical director of Tenable Network Security, argued that cloud services are usually less prone to downtime than on-premises set-ups, but can cause a domino effect when they do hit trouble.

“When migrating critical infrastructure to a cloud provider, it’s important to remember that whilst they have robust strategies for dealing with outages to core services, single points of failure can still impact availability," he added. "Spreading the workloads across multiple regions and having a plan in place to deal with catastrophic issues like S3 going down would be wise.”

Source: Information Security Magazine

New York Banks Face Cybersecurity Regulations

The New York Department of Financial Services (DFS) has proposed regulations to ensure that institutions better protect themselves.

While praising regulated entities that have ‘proactively increased their cybersecurity programs’, the regulation will require each company to assess its specific risk profile and design a program that addresses its risks in a robust manner.

It read: “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted. While not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.”

It encouraged senior management to ‘take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations’.

It claimed that it is critical for ‘all regulated institutions’ to move swiftly and urgently to adopt a cybersecurity program, and for all regulated entities to be subject to minimum standards with respect to their programs.

The DFS claimed that ‘adoption of the program outlined in these regulations is a priority for New York State’.

Commenting, Ed Adshead-Grant, general manager of payments at Bottomline Technologies, said: “In its current form, the cybersecurity regulation proposed by New York State for banks and insurers is missing the mark, as it fails to address one key consideration: open banking. With the adoption of the PSD2 regulation in Europe, we’re already seeing financial institutions across the pond implementing new technologies like open APIs, and it’s clear that the trend will come to the US as well.

“The introduction of these technologies will give way to new security threats, requiring banks and insurers to implement real-time monitoring systems to identify and flag suspicious activity. While the proposed regulation’s requirement of multi-factor authentication is a solid step toward heightening security, that alone will not solve security problems if auditors are not watching how users – both internally and externally – are behaving in real-time.”

Source: Information Security Magazine

Privacy Issue Discovered in Telegram Messaging App

Researchers from Fidelis Cybersecurity have unearthed an “interesting security issue” involving the popular messaging app Telegram.

One of the appeals of Telegram is that it offers encryption options on Android and iOS. It also uses your contact list to prepopulate contacts inside the app, and when someone in your contact list signs up for Telegram, you receive a notification so you know you can contact them using the app. However, John Bambenek, threat systems manager at Fidelis Cybersecurity, revealed that the combination of these features allowed the firm to uncover a big privacy problem.

“If a scammer signs up for Telegram and already has your phone number in their contact list, it will also notify them that you also have Telegram,” he said.

“So in addition to connecting you to your friends and contacts, the app will also connect scammers directly to you. Likewise, if you have scammers' numbers in your contact list for some reason, you will get push notifications when they join Telegram.”

What’s more, Bambenek explained that this was not a one-off: on multiple occasions Fidelis observed phone numbers associated with telemarketing scammers signing up to use Telegram.

“To complicate matters, we found no obvious way to prevent people from finding out if you are a Telegram user,” he added.

Further, Bambenek warned that it would not be difficult to come up with a way to find out whether a phone number uses Telegram (or many of the other popular mobile messaging and voice applications, for that matter), highlighting the following ways third parties could use that insight:

•    Intelligence agencies consider the use of such services as a "risk factor" when deciding on surveillance targets
•    Border control officials could detect the use of such services during border crossing interviews, and conclude that the user has something to hide
•    Criminals could use the knowledge that a user is on such a service to target them

“Encrypted messaging and voice applications create a new surface area for attacks to unfold and should not be entirely trusted,” Bambenek continued. “While these apps may be a great benefit to privacy, they shouldn’t be trusted any more than unencrypted calls. These systems do protect against spoofing, but if you have unknown callers on such applications, due caution is still required.”

However, Chris Boyd, lead malware analyst at Malwarebytes, was quick to point out that all VoIP and regular chat apps allow strangers to add you to their contact list, depending on security settings. He told Infosecurity:

“Whether people add themselves to your Telegram, Skype or even plain old Instant Messaging services, the same ground rules apply: try to ensure that they are who they say they are before revealing too much information. If in doubt, contact your associate directly using another service – just like you would if sent a ‘stranded with no money in a foreign land’ message on Facebook.

“From a practical perspective, people using Telegram tend to be doing so for the privacy features and so would generally be suspicious of random messages claiming to be tax inspectors, or missives offering up great deals on websites. It's tricky to tie advance knowledge of a potential target to a random number in a scammer's database, especially if they're automating things, so there's often a natural limit to how tailored a scam could be.

“Users of Telegram can also block or delete contacts they don't want, so in theory this isn't any more of an issue than being messaged by porn spambots on a service like Skype.”

Source: Information Security Magazine