
Archive for October 2019

Domini Clark, Blackmere Consulting, Celebrates Milestone with Forbes Human Resources Council

Forbes Human Resources Council Member

Forbes Human Resources Council is an Invitation-Only Community for HR Executives Across All Industries

Domini Clark, CEO and Founder of Blackmere Consulting, is celebrating her one-year anniversary as a member of the Forbes Human Resources Council, an invitation-only organization for senior leaders to publish original content, connect and excel.

“We are so pleased to have Domini Clark entering year two as a member of Forbes Human Resources Council,” said Scott Gerber, founder and CEO of Forbes Councils. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world, and Domini Clark is an important part of that community.”

“I am excited to celebrate our first anniversary as a Forbes Human Resources Council member,” said Domini Clark. “The values of the community are in perfect alignment with Blackmere’s dedication to making a powerful impact through intelligent connections. Our participation has definitely helped us further cement our leadership role in the cybersecurity and technical talent acquisition industry.”

ABOUT FORBES COUNCILS
Forbes Councils is a collective of invitation-only communities created in partnership with Forbes and the expert community builders who founded Young Entrepreneur Council (YEC). In Forbes Councils, exceptional business owners and leaders come together with the people and resources that can help them thrive. More information is available at forbescouncils.com.

ABOUT BLACKMERE CONSULTING

Blackmere Consulting is a Technical and Executive Recruiting firm dedicated to Cybersecurity and Information Technology. From Fortune 100 companies to emerging growth organizations, our focus is to pair talented professionals with companies who value them.

For more information about Blackmere Consulting, visit blackmereconsulting.com.

#BSidesBelfast: Threat Hunting Requires Curiosity and Culture

Building a threat hunting team requires finding people who are prepared to be inquisitive about data, who are keen to be the first to find a threat, and who have the right culture to work in.

Speaking at BSides Belfast 2019, Martin Lee, outreach manager and Technical Lead at Cisco Talos, said that the team at Talos “work on analyzing the intelligence we have got, spot what is different and understand it, and as there is no manual on how to manage and function a threat research and intelligence team, the research team has grown organically.”

He said that there is a common belief that threat hunting involves “putting data in and mixing it with tools using SIEM, and using procedures to find threats,” when threat hunting should be thought of as a “stack of technology” where you do not need a “secret store of data that only you can access.”

Lee added: “We look for the most significant new threat on the internet, and see our role as to protect the entire internet. We want to hunt down and find the bad guys and be the first people to protect customers and inform the community.”

A lot of threat hunting “is classic engineering,” in that if you put processes in at the beginning and follow them, you will come to a predictable end with a clean answer; Lee called that “the holy grail” situation. In most cases, threat hunting involves looking through indicators of compromise and comparable data, and the resolution is complicated by attackers using different domains, different IP addresses and different data.

Lee also said that when there is a successful effort at threat hunting, this can be turned into an automated process.

“We find bad guys, find them first and hunt them down on the internet,” he said. “We have a strong sense of mission and a high degree of success as people want to hunt and encourage each other to keep going, it is not a job, but a lifestyle.”

Lee also said that very little of threat hunting is the common perception of “get a SIEM and go on the dark web” as a SIEM shows the analyst one view, which makes it difficult to ask different and innovative questions of the data.

As for the dark web, he acknowledged that there is malicious activity in the dark web “as you can find bad guys discussing [things] before they happen,” but the set of things that happen versus things discussed on the dark web often means “a lot of it can just be noise and people discussing things that may not happen.”

He said that “more important than tooling is people with skills” who will thrive in the right culture, as you “can kill people with tooling if you have the wrong culture.” Also, you need to have some idea of what you want to find; if you have no idea what you are looking for, you will never find it.

Lee recommended building a strategy around what you are hoping to find and what you would like to find, deciding what you would do with it and how it would advance the goals of the organization. Also, use tools that allow you to ask questions of data easily, and hire people who are curious about things “and get to the root cause of what is going on.”

Source: Information Security Magazine

Major Cyber-Attack on APAC Ports Could Cost $110bn

A major cyber-attack on Asia’s ports could end up costing the global economy as much as $110bn due to business interruption and other knock-on impacts, according to a new report.

Backed by Lloyd’s of London, the University of Cambridge and other organizations, the report was developed by the Singapore-based Cyber Risk Management (CyRiM) project.

It paints a hypothetical picture of a computer virus, dubbed ‘Shen,’ which exploits a vulnerability in port management software from a major shipping management company. It’s not made clear whether the virus is ransomware, but the effect is to infect systems on-board ageing ships, and then to “scramble” key database records at major ports in the region.

“While cyber-attacks have impacted individual ports in the past, an attack on systematic vulnerabilities across ports on this scale has never been seen,” the report claimed. “However, the combination of ageing shipping infrastructure and global complex supply chains, makes the shipping industry vulnerable to extreme losses.”

In this scenario, not only port owners themselves, but a range of supply chain organizations including logistics companies, cargo owners, ship owners, ship management companies and port management system providers would be affected.

Every country which operates bilateral trade with the affected ports would suffer heavy losses, due to delayed delivery and the impact on perishable items waiting to be shipped. For example, port closures in Japan would directly affect the US, China, Taiwan, South Korea and Hong Kong, the report said.

The heaviest losses were predicted to affect the transport and aviation sectors, followed by manufacturing, retail and then real estate.

The cost of an attack affecting 15 Asian ports would range from $41bn to $110bn, the report claimed.

However, CyRiM warned that 92% of the total economic costs are currently uninsured, leaving an insurance gap of $101bn.

“Cyber-risk is one of the most critical and complex challenges facing the Asia Pacific maritime industry today. As this risk grows with the increasing application of technology and automation in the industry, collaboration and future planning by insurers and risk managers is critical,” argued Lloyd’s Singapore country manager, Angela Kelly.

“With nine out of 10 of the world’s busiest container ports based in Asia, and high levels of underinsurance in the region, this exposure must be addressed.”

Source: Information Security Magazine

Facebook Removes Russian Networks Targeting African Users

Facebook has been forced to take action again to remove illegal Russian attempts to influence its users — this time in African countries.

The “coordinated inauthentic behavior” has been linked to notorious Russian financier Yevgeniy Prigozhin, already indicted by the US for funding the Kremlin-linked Internet Research Agency (IRA), which was involved in information warfare efforts ahead of the 2016 US Presidential election.

Facebook removed three separate networks originating in Russia that targeted Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire, Cameroon, Sudan and Libya.

The first involved the take-down of 35 Facebook accounts, 53 Pages, seven Groups and five Instagram accounts focusing on users in Madagascar, the Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire and Cameroon.

At least one of the Pages accrued around 475,000 followers, and around $77,000 in advertising was spent.

The next campaign centered around 17 Facebook accounts, 18 Pages, three Groups and six Instagram accounts, accruing over 457,000 followers. They re-posted Sudanese state news and Russian propaganda from RT and Sputnik.

Finally, Facebook removed a network of 14 Facebook accounts, 12 Pages, one Group and one Instagram account that originated in Russia and focused on Libya.

As with the other campaigns, they often posted a mix of local and global news from local and Russian sources, on multiple sides of political debate, and from authentic and fake accounts. In this case, the accounts and Pages gained over 241,000 followers and around $10,000 was spent on ads.

“Although the people behind these networks attempted to conceal their identities and coordination, our investigation connected these campaigns to entities associated with Russian financier Yevgeniy Prigozhin, who was previously indicted by the US Justice Department,” said Facebook head of cybersecurity policy, Nathaniel Gleicher.

“We’re taking down these Pages, Groups and accounts based on their behavior, not the content they posted. In each of these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”

Source: Information Security Magazine

#BSidesBelfast: Focus More on Common Attacks, Less on Zero-Days

Defenders should spend less energy on advanced attacks and zero-days, because the attacks that succeed remain the same, and cybersecurity needs to focus more on producing and enabling better professionals.

Speaking in the opening keynote at BSides Belfast 2019, BH Consulting CEO Brian Honan said that, as we mark the 50th anniversary of the internet, we have to realize that whilst we were once unconnected, we now have a huge dependency on the internet, and this has led to economies and democracies being under attack. With the Cambridge Analytica case still fresh in mind, and with a UK election likely for December, Honan suspected that we will see more online influence operations.

Looking at cyber-attacks, Honan said that data suggests we are seeing “more of the same”: in the 1980s we were talking about viruses as the main threat, “and that is the same now, but we call it ransomware,” and business email compromise and ransomware have been around for years.

“Criminals use the same techniques as they work, and the biggest risk is the common run of the mill cyber-attack that is known to work,” he argued. “Attackers are not using zero-days and advanced cyber-attacks, they are using email and phones to break into companies.”

This has led to a culture of repeating the same mistakes over and over again without learning from them. Honan called for an end to “victim blaming,” as if we “keep making the same mistakes, then there is an insecure future ahead.” He also called for more transparency in incident response reports, as too often the findings of investigations are not revealed.

Drawing comparisons with the aviation industry, Honan highlighted the frequent checks and tests on planes, and the fact that pilots need to be qualified and trained to fly, and “rigorous procedures” are followed. “However, we don’t do that in IT, as we launch things on the internet and hope they will work and if they don't, we fix the problem in the next release. You cannot do that at 10,000 feet.”

Concluding, Honan called for better collaboration, as “business people demand better security” now and we talk to boards “and not geeks.”

“Don’t stand alone, work outside industry and your community to fix problems, and make sure we embrace the business side and talk to them and continue hacking stuff to improve the systems we rely on,” he said.

Source: Information Security Magazine

North Korean Malware Found at Indian Nuke Plant

A malware infection at one of India’s nuclear power plants has been confirmed by its owner, with researchers speculating that it is North Korean in origin.

News began circulating on social media earlier this week that the Kudankulam Nuclear Power Plant (KNPP) may have been hit by an attack. A third party contacted cyber-intelligence analyst Pukhraj Singh who in turn notified the country’s National Cyber Security Coordinator on September 3, he said.

He added that the malware in question was later identified by Kaspersky as Dtrack.

Although initially KNPP officials said an attack on the plant was “not possible,” they changed their tune in a letter dated Wednesday.

The government-owned Nuclear Power Corporation of India (NPCIL) released a statement saying the original reports had been correct, and that the incident had been handled by CERT-In after the organization was notified on September 4.

“The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes,” it clarified. “This was isolated from the critical internal network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected.”

Dtrack was first revealed in late September by Kaspersky, which linked it to the infamous Lazarus Group. Kaspersky discovered over 180 samples of the malware, which is said to take advantage of weak network security, poor password management and a lack of traffic monitoring to deploy information-stealing and remote access capabilities on victim systems.

It’s unclear what the attacker’s goals were in this raid — whether it was an accidental infection, a deliberately targeted multi-stage IP-stealing mission, or something more sinister still.

However, at the time of discovery, Singh tweeted about a casus belli (act of war) in Indian cyberspace. He later clarified this was a reference to a second, as-yet-unnamed, target.

“Actually, the other target scared the sh*t out of me. Scarier than KKNPP in some ways,” he said.

Source: Information Security Magazine

#ISC2Congress: IoT Devices Pose Off-Network Security Risk

Internet of Things (IoT) devices can still pose a serious security threat even when they are not connected to the corporate network.

Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, 802 Secure CSO Michael Raggo shared research that demonstrated the risks posed by everyday IoT devices. 

In his talk titled "Cyber Physical Security: Addressing IoT Risks," Raggo cited examples of threat actors gaining access to data centers via Wi-Fi thermostats and spying on conferences by hacking into smart TVs mounted on boardroom walls.

"The problem goes far above and beyond the potential breach of data or risks to that data. It also has an impact on safety, privacy, and the whole operation of your entire network, especially if it's an industrial IoT type of network," said Raggo.

"What that means in terms of your policies and how you approach the problem, is that this is more than just protecting data and avoiding data exfiltration. Now we are talking about the safety and the privacy of people and employees."

The impact of IoT security issues is far-reaching. According to Raggo, "roughly 50% of the new buildings being built in the United States have some kind of IoT functionality."

Raggo said that ensuring the reliability and security of the lighting, power, and HVAC systems of your home and your business is a real challenge if those systems aren't connected to your own network.

Although many people are familiar with Wi-Fi and Bluetooth, according to Raggo they often don't have a clear understanding of how IoT devices are configured and who can actually connect to them.

Raggo referenced experiments conducted in his own lab that had produced worrying results, exposing vulnerabilities in smartphones and surveillance cameras. In one test, he used a wireless thumb drive to access data on a hub.

"I simply plugged it into a USB port in the back of the hub and immediately videos started being recorded to my thumb drive. There was no authentication required," said Raggo.

One threat Raggo drew attention to was Bluetooth skimming, where threat actors steal money by capturing credit card details used in transactions. After being asked to investigate a fast-food restaurant that had suffered a breach, Raggo used readily available Bluetooth scanning tools to detect a long-range Bluetooth device placed under the cash register that had been used to skim data.

Source: Information Security Magazine

Facebook Finally Pays £500K Cambridge Analytica Fine

Facebook has finally reached an agreement with the UK’s privacy regulator to pay a £500,000 penalty related to the Cambridge Analytica scandal, a year after the fine was levied.

The social network had lodged an appeal against the Information Commissioner’s Office (ICO), and in June a tribunal agreed that the watchdog’s decision-making process should be scrutinized as part of the case, to investigate allegations of bias. The ICO appealed this judgement in September this year.

However, the two parties have now agreed to withdraw their respective appeals, which means Facebook will pay the £500,000 but accept no liability relating to the penalty notice. Both parties will pay their own legal costs.

“The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy,” argued deputy commissioner, James Dipple-Johnstone.

“We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case."

The original penalty notice alleged that Facebook had processed user information “unfairly” under the old Data Protection Act 1998. It did this by allowing developers to access the data without adequately “clear and informed consent,” and by allowing access to the data of users who had not downloaded an app but were friends of those who had.

The social network was also accused of failing to check how this data was being secured or used by developers. That is said to have led to one developer, Aleksandr Kogan, harvesting info on 87 million users without their knowledge and subsequently sharing some of this with Cambridge Analytica parent SCL Group. It was then purportedly used to target wavering voters ahead of the 2016 US presidential election.

The ICO also claimed at the time that Facebook failed to take swift enough action to ensure this highly sensitive data was deleted when, in December 2015, it discovered what had happened. SCL Group wasn’t suspended until 2018.

The penalty issued was a rare maximum fine under the old data protection regime, although commissioner Elizabeth Denham said it could have been much greater had the incident happened during the GDPR era.

In the US, Facebook was fined $5bn by the FTC earlier this year.

Facebook associate general counsel, Harry Kinmonth, was quick to point out that the ICO had found no evidence that users in the EU had their data transferred by Kogan to Cambridge Analytica.

“As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015,” he added.

“We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information.”

Source: Information Security Magazine

Facebook Takes Spyware Firm NSO Group to Court

Facebook is taking spyware vendor NSO Group to court over allegations that the Israeli firm developed and helped to deploy malware that was used to target over 1000 WhatsApp users.

The threat in question was discovered back in May, targeting video call users without them even needing to pick up. Victims would receive a call while in the background a specially crafted series of SRTCP packets allowed the attacker to install the NSO Group’s Pegasus spyware on either iOS or Android devices.

Facebook rolled out a fix for the buffer overflow vulnerability in the WhatsApp VoIP stack, but did not release any further details at the time.

Now it is claiming the Israeli firm, which says it sells its wares only to legitimate law enforcement and government intelligence agencies, was directly behind the attacks on 1400 WhatsApp users.

It alleged that the “attackers used servers and internet-hosting services that were previously associated with NSO.”

Moreover, the attacks themselves were not used for legitimate policing efforts, but targeted journalists, human rights activists, political dissidents, and senior government officials — with the majority of victims located in Bahrain, the United Arab Emirates and Mexico, Facebook claimed.

“We agree with UN special rapporteur for Freedom of Expression David Kaye’s call for a moratorium on these attacks. There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world,” the firm noted in a lengthy statement.

“Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders. Working with research experts at the Citizen Lab, we believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse.”

WhatsApp alleges that NSO has violated US and California laws and its own Terms of Service, which prohibit such abuses.

Source: Information Security Magazine

FCC Issues Plan to Remove and Replace Huawei Kit

The Federal Communications Commission (FCC) has published a new two-part plan revealing how it will remove Huawei and ZTE kit from US telecoms networks.

The plan focuses on the $8.5bn Universal Service Fund (USF), an FCC subsidy used mainly by smaller carriers. It’s thought that these firms, often located in rural areas, have invested or are more likely to invest in the Chinese-made equipment, as it is cheaper.

Under FCC chairman Ajit Pai’s proposals, the new rules would prevent any carrier using USF money to purchase from providers which pose a national security threat.

It would also require an audit of existing USF recipients to see how many have Huawei/ZTE kit in place and how much it would cost to remove and replace it. They would then be required to remove the equipment.

The FCC said it would “seek comment” on how to assist these firms financially to replace the technology and transition to more trusted suppliers.

“When it comes to 5G and America’s security, we can’t afford to take a risk and hope for the best. We need to make sure our networks won’t harm our national security, threaten our economic security, or undermine our values. The Chinese government has shown repeatedly that it is willing to go to extraordinary lengths to do just that,” said Pai in a penned statement.

“Chinese law requires all companies subject to its jurisdiction to secretly comply with demands from Chinese intelligence services. As the United States upgrades its networks to the next generation of wireless technologies — 5G — we cannot ignore the risk that the Chinese government will seek to exploit network vulnerabilities in order to engage in espionage, insert malware and viruses, and otherwise compromise our critical communications networks.”

However, as China and other countries ramp up roll-outs of 5G technology, there will be fears that the rip-and-replace approach adopted in the US may set the country back significantly, throttling the innovation and growth expected on the back of the coming networks.

Reports over the weekend suggested key US ally the UK is set to allow Huawei to supply "non-contentious" parts of its 5G networks.

Source: Information Security Magazine