Archive for the News Category

#BHUSA: Schneier Advocates For Public Interest Technologists

In his talk at Black Hat 2019 in Las Vegas, Bruce Schneier emphasized the importance of tech experts being involved in setting public policy through the role of public interest technologist.

“No policy makers understand technology,” declared Schneier. “Technologists are in one world, and policy makers are in a different world. It’s no longer acceptable for them to be in separate worlds though as technology and policy are deeply intertwined.”

But technologists and policy makers don’t understand each other, said Schneier. “They speak different languages, they make different assumptions and they approach problem solving differently.

“Policy security has been pushed to the side. [There is] no regard for what has been built and the effect it will have.

“As internet security becomes everything security, the technology we make becomes important to overall policy. We can’t get policy right if policy makers get the technology wrong.”

To fix this, suggested Schneier, policy makers need to understand technology. “It seems impossible but it’s vital.” All policy decisions need to be made with technology in mind, he said, and policy makers need technologists on their staff. “All the major policy debates of this century will have strong cybersecurity influences,” he predicted.

To get more technologists involved in policy, Schneier suggested the answer is to get “more public interest technologists,” though he did admit that it’s still a developing term. “A lot of people doing it came out of the Obama White House,” he said.

“In the last century, the people doing public policies needed to be economists. Today, people doing public policy need to be technologists,” he insisted.

Schneier also called out supply chain security as being in desperate need of technical expertise. “It’s insurmountably hard. You can’t trust anyone but have no choice but to trust everyone.

“Our industry is deeply international and any policy issues can’t just make snap decisions to ban certain technologies.” Elections too, he considered, “could use a lot of public interest technology and technologist input.”

Governments and corporations need to work together to form these jobs, said Schneier, adding that “society needs to understand that what is in the best interest of corporations isn’t necessarily in the best interest of society.” Further, he added, “technology is not politically mutual.”

Reflecting on the world we’ve built, Schneier considered “we’ve built a world where programmers have the inherent power to build technology as they see fit. That privilege needs to end. The next big disruption on the internet will not be about people, but about things. Things talking to each other and getting rid of the need for human interaction.”

As technologists, he said, we have a lot of power. “As consumers however, we don’t. As employees we have an extraordinary amount of power and we need to use that power inside companies to make change happen fast.”

The Government is largely advocating its work in this space, Schneier said, “but when IOT starts killing people, they will have to take notice.”

Source: Information Security Magazine

#dianainitiative2019: Fight Against FUD With Education

A movement needs to be created in the industry to better deal with the issue of fear, uncertainty and doubt (FUD).

Speaking at the Diana Initiative conference in Las Vegas, security engineer Olivia Stella explained that the term “FUD” was coined in the 1970s and used as a tactic for a potentially lost customer, “as it distilled fear into everyone.”

Stella said that FUD “is like calling fire in a crowded building: we just want the truth out and we talk on a daily basis about wanting transparency and truth and not FUD to confuse people.”

Looking at 50 years of technology, Stella said that in the 1970s there was “little to no technology and now it is everywhere and it is all connected to the internet.” Now kids have access to technology and “are born with technology in their hands.” However, there is a danger, she said, of “security fatigue,” where we are told of the constant problems in technology. “Add in the 24/7 news cycle,” she said, and it can be very overwhelming.

“How do we fight? Not with more technology but with education,” she said. “This needs to start for kids as it is the new sexual education.” She praised the partnership between the Girl Scouts of America and Palo Alto Networks to engage people and help their family and friends learn by proxy.

Stella said that there was a need for better communication internally, with hard facts distributed “and to be an advocate to get the true data out there.” Large companies also need to communicate correctly and in a timely manner, and need to train people outside of the security department on when and how to release information, publicly or internally.

She concluded by saying that the fight against FUD will be done when there is security education in place, “an area of passion to start….We need to have advocates, and I like to practice what I preach.”

Asked by Infosecurity if she would like to see more companies join her fight, she agreed, saying, “If they are saying that their product offers a service and it doesn’t, that contributes to FUD.” She also encouraged those with the ability to communicate via social media to do so and to ask the right questions.

Source: Information Security Magazine

#BHUSA: Why Standards and DNS Are Key to Email Security

The Dutch Tax and Customs Administration had a problem: their domain names were being abused in phishing campaigns and they had to figure out a way to fix the issue. As it turns out, the solution is all about implementing standards that already exist, to help minimize risk and improve overall email hygiene.

At a session at Black Hat USA in Las Vegas, titled 'How to detect that your domains are being abused for phishing attacks using DNS', Karl Lovink, technical lead for the Dutch Tax and Customs Administration, and consultant Arnold Holzel outlined the standards and techniques they used to combat phishing.

"Our main objective was trying to find phishing campaigns as quickly as possible," Lovink said.

There is no shortage of technologies that can be used to combat phishing, but the key for Lovink was to take a path that didn't impact business operations and, more importantly, is based on existing standards.

Among the multiple standards that can help to improve overall email security is STARTTLS, a specification used to upgrade an insecure email server connection that isn't using TLS (Transport Layer Security) to one that is. The risk of not using TLS is that connections are not encrypted and data is sent in the clear.

STARTTLS, however, isn't the only way to get a TLS connection for email servers. There is also a specification known as DNS-Based Authentication of Named Entities (DANE), which enables the Domain Name System (DNS) to supply information about a domain's TLS support through a resource record.

Another key standard outlined by Lovink is Mail Transfer Agent Strict Transport Security (MTA-STS). He explained that MTA-STS allows a receiving domain to publish its TLS policy to help ensure secure connections.

Looking beyond standards that can ensure security for email delivery with TLS, there is a series of standards for helping to enforce the integrity and authenticity of incoming and outgoing email. Lovink explained that the Sender Policy Framework (SPF) validates whether an email is sent from a valid IP address or domain, by checking against an SPF record that is stored in the domain's DNS records.

For outgoing email, there is the DomainKeys Identified Mail (DKIM) standard, which digitally signs outgoing mail to prove that it came from the right domain. Lovink said that the public key used to verify DKIM signatures is also published as a DNS record.

Tying SPF and DKIM together with an additional layer of reporting is the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification. Lovink commented that DMARC provides direction and visibility into how to deal with the results of SPF and DKIM checks.

Both Lovink and Holzel commented that each of the standards brings some configuration complexity in certain cases, but it's important for organizations to implement them to improve email security.
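As an added illustration, not code from the talk or from the Dutch Tax and Customs Administration, the following Python evaluates the IP mechanisms of an SPF record against a sending address and flags weak SPF and DMARC settings of the kind Lovink and Holzel warn about. The domain names and TXT records are constructed samples embedded inline so the check runs offline.

```python
import ipaddress
from typing import Dict, List

# Constructed sample TXT records for fictitious domains (not real DNS data).
# A live check would fetch these with a DNS resolver; here they are embedded
# so the example runs offline.
SAMPLE_TXT: Dict[str, str] = {
    "example-tax.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example-tax.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-tax.test",
    "weak.test": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against sender_ip.

    Returns the result of the first matching mechanism ("pass", "fail",
    "softfail" or "neutral"), or "neutral" if nothing matches (the RFC 7208
    default). Mechanisms that need further DNS lookups (include, a, mx, ...)
    are outside this offline example and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # strict=False tolerates host bits set inside a prefix, as SPF does
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"unsupported SPF term: {term}")
    return "neutral"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_domain(domain: str, txt: Dict[str, str] = SAMPLE_TXT) -> List[str]:
    """Return plain-text findings for weak or missing SPF/DMARC on a domain."""
    findings: List[str] = []
    spf = txt.get(domain)
    if spf is None:
        findings.append("no SPF record")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "all", "?all"):
            findings.append("SPF ends in a permissive 'all': any host may send as this domain")
        elif last == "~all":
            findings.append("SPF uses ~all: spoofed mail only softfails")
    dmarc = txt.get("_dmarc." + domain)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none: failures are reported but not acted on")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports will arrive")
    return findings
```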

"You really have to implement standards if you want to prevent phishing attacks," Lovink said. "We are convinced that if everyone implemented these standards, there will be a lot less phishing in the world."

Source: Information Security Magazine

#dianainitiative2019: Save Remote Workers From Burnout

Speaking at the Diana Initiative conference in Las Vegas on “Working Remote Can Be Overwhelming and Lonely, Let's Change That,” Suzanne Pereira acknowledged that working from home can be attractive, as you “don’t get dressed and can do errands all day and go to lunch with friends,” and you will be told “you’re the luckiest person ever.” However, Pereira, whose 12 years in infosec include 10 years of working remotely, said that the reality is you can be pulled in many different directions at once, which can lead to burnout.

She said: “You can feel lonely and isolated and feel stressed.” You wonder “if you’re doing something wrong as everyone tells you you’re lucky….Why do you not feel that way and why are you always stressed out?”

She recommended setting yourself guidelines of creating a working space out of the way and setting time limits for when you are working. Yet she acknowledged that this is an industry “where we like to learn and grow and research and work on something to make you better,” so when you work from 8 am to 11 pm, be clear that this is your own decision.

She recommended taking travel opportunities and joining video conferences to form better relationships. She also recommended saying no when appropriate. It can be a scary word, she said, but use it to be your own advocate to avoid taking on “something you cannot finish.”

“Also have no-calls or -messaging time, as [not having it] leads to burnout,” Pereira said. “Do a 9–5 and take no calls after that….If there is a message you will look at it tomorrow.”

The right balance can lead to “being less overwhelmed,” Pereira concluded, “and it takes a lot of effort to say no, but the balance leads you to being less overwhelmed.”

Asked what a company can do to make life better for remote workers, Pereira said that companies should incorporate remote workers. “Don’t leave them on an island, as you may think you’re doing them a favor but they may hate it.”

Source: Information Security Magazine

#dianainitiative2019: Certifications, Careers and Prohibitors for Women in Cybersecurity

Speaking on a panel at the Diana Initiative conference in Las Vegas, moderator Kathleen Smith, CMO of CyberSecJobs, asked the panelists about their careers, certifications and challenges.

Saying that “no one has a straight path in the career,” Kathleen Smith asked the panelists, two of whom had military experience, how they had started their careers.

Andrea Limbago, who holds a doctorate in political science and worked in academia before moving on to cybersecurity startups, said that “for all of us playing a role in preserving democracy,” one of the “missions of our time was to ensure retention of women in their jobs,” especially as cybersecurity has more impact on society. She noted that the other two panelists had got into cybersecurity via the Department of Defense.

Yolonda Smith, who works as a lead infosecurity analyst with Target, said her first interaction with technology was with a computer as a child, which she smashed when frustrated with a game. This led her to learn how it was put together.

She said: “IT is a capability and there are specialized training and certifications and the opportunity to deploy. There is the opportunity to ask and be curious.”

Susan Peediyakkal, a cyber-threat analyst who said she is currently on a career break and had spent 12 years in the military starting as a radar technician, was asked about education and certificates and whether to focus on experience “or letters on your résumé.” She said she had not finished her bachelor's degree but had done a course in eCornell for women in leadership and was starting with Carnegie Mellon University to do a CISO supervision course.

Said Limbago, “If you don’t keep learning and coming to conferences like this, you will be left behind.” Yolonda Smith responded that there is “an obligation as professionals in this field to seek opportunities to educate yourself,” which could be a certification or a boot camp, but it was “up to you to craft your message.”

Asked by Kathleen Smith how she would evaluate opportunities for a move into management, Yolonda Smith said it is about understanding what “going to work and fighting to be heard and respect” involves, what opportunities there were for her, and whether there were things she could learn and skills she could apply; that would always be of interest.

Kathleen Smith asked about prohibitive factors in job descriptions and how they could be overcome. Peediyakkal said that she looks at job descriptions and, even if she doesn’t have all of the skills, “I don’t let them intimidate me as I go for it anyway” if it is a job she wants.

Concluding by giving their current mottos, Yolonda Smith said hers was “never measure someone else by your yardstick.” Don’t get frustrated by what others are doing and think “how come she got this?” she said. Instead, “make your next step yours.”

Peediyakkal said hers was to “be humble.” One moment can be the ultimate high, while the next you can be “super frustrated.” She added, “Never take any moment for granted.”

Limbago said that hers was to “push yourself and try something new” as what got you into a previous position may not work again. Kathleen Smith said that it was important that we be “comfortable with being uncomfortable.”

Source: Information Security Magazine

Apple's $1 Million Bug Bounty Comes Under Fire

Apple’s decision to offer a $1m bug bounty has been criticized as potentially creating collusion opportunities and perverse incentives.

According to The Verge, Apple announced that it has expanded its existing bug bounty program to include macOS, tvOS, watchOS and iCloud. It will include rewards of up to $1m for a zero-click, full-chain kernel-code-execution attack.

Up from a previous maximum payout of $200,000, the $1m reward will be for iOS vulnerabilities that let attackers control a phone without any user interaction.

Another $500,000 will be given to those who can find a “network attack requiring no user interaction,” reported Forbes.

Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that she was concerned about raising it to this level “as it will probably have some unintended perverse incentive consequences,” because she said that this “does nothing to compete with the offense market.”

Moussouris argued it may also produce collusion with internal employees. Thirdly, she was concerned that this “may eventually cannibalize Apple's own hiring policy and its career retention pipeline” if there are quality assurance engineers, who know enough about the architecture, who feel that this is their only chance to earn big. “It would be a good investment for them; when else would you get a windfall like that?”

She said that “perverse incentives in the offense and defense market have to be examined very carefully because this is a price hike that is unsustainable.” While this may produce new exploits and new talent willing to work for defense, the overall impacts on the bug market are yet to be seen “and I am worried.”

The original bug bounties were $500 from 1995 to 2010, with 2010 seeing the first Google bug bounties, which started at $1,337 and which led to Mozilla raising its bug bounty to $3,000. Prices were then raised across the board.

“People thought the more, the merrier; this is what every company should do – keep raising the prices. But if you think about it, there is a logical limit which defensive prices cannot exceed because if you exceed them you start to see perverse incentives emerge,” Moussouris said. “I think the offense market, also known as the black market, will very quickly adjust.”

Source: Information Security Magazine

Ransomware Soars 365% Year-on-Year in Q2

Ransomware detections soared by 365% year-on-year in the second quarter of 2019, according to the latest report from Malwarebytes.

This figure is even higher than the 235% increase in overall threats aimed at businesses from 2018 to 2019, the security vendor claimed in its latest quarterly threat report, Cybercrime techniques and tactics (CTNT): Ransomware retrospective.

At the same time, consumer ransomware detections continued to decline, by 12% year-on-year, as hackers turn their attention to higher value targets.

Among the most frequently targeted organizations in Q2 were US cities, healthcare organizations (HCOs) and schools and universities. Legacy IT infrastructure and a lack of funding for security initiatives have left these sectors particularly exposed, Malwarebytes claimed.

Among the most prolific ransomware strains targeting organizations in Q2 were Ryuk, with detections increasing 8% from the previous quarter, and Phobos, which witnessed massive growth of 940% from Q1 2019.

GandCrab, Troldesh, Rapid and Locky were also notable in the quarter, although GandCrab detections slowed by 5% as new ransomware-as-a-service strain Sodinokibi took over using similar components.

Unsurprisingly, the US was the biggest victim globally, accounting for 53% of attacks, followed by Canada (10%) and the UK (9%).

Nearly half of all detections in 2018 happened in North America, with EMEA accounting for 35%, Latin America 10% and APAC 7%, according to the report.

“This year we have noticed ransomware making more headlines than ever before as a resurgence in ransomware turned its sights to large, ill-prepared public and private organizations with easy to exploit vulnerabilities such as cities, non-profits and educational institutions,” said Adam Kujawa, director of Malwarebytes Labs.

“Our critical infrastructure needs to adapt and arm against these threats as they continue to be targets of cyber-criminals, causing great distress to all the people who depend on public services and trust these entities to protect their personal information.”

Source: Information Security Magazine

#BHUSA Empathy is Key to Hiring and Retaining Women in Cybersecurity

At Black Hat Las Vegas on August 8, 2019, Rebecca Lynch of Duo Security gave a talk on hiring, and just as importantly retaining, women in the cybersecurity industry.

The statistics for gender diversity in the industry, Lynch pointed out, are worrying. Not only is the industry not seeing positive trends in this space, but actually in many areas we are seeing worsening statistics. For example, there has been a steady decrease in women graduating with computer science degrees over the past 35 years.

Perhaps more worryingly, women exit the cybersecurity industry within a decade at twice the rate of men. Of those leaving the industry, 77% cited extreme pressure and a “hostile ‘macho’ culture” as their reasons for doing so.

Lynch blames implicit bias, amongst other things, for this trend. Examples of this are “the male-orientated language used, crediting an idea to the wrong person, underestimating ability and making incorrect assumptions about someone else’s role,” she said.

There is also the stereotype threat, she explained. “There is a fear that one will fulfill existing and negative stereotypes,” said Lynch. “This is proven to increase anxiety and decrease productivity and performance.”

To counteract this, Lynch suggested an increase in visibility of women at all levels. “It’s important to convey the high value of diversity.” She also suggests mentors and sponsors providing endorsement and advocacy will make a positive difference.

“It’s a complicated problem but the solutions are simple,” concluded Lynch. “It comes down to empathy and showing up for one another.”

Source: Information Security Magazine

#BHUSA: Five Years of Google Project Zero Should Influence Similar Groups

Speaking at Black Hat USA, Google Project Zero manager Ben Hawkes looked back at five years of the vulnerability research team and said that the group's future success depends on more such groups forming.

Looking back at the formation of Project Zero, Hawkes said that there was a sense that the zero-day was a problem “for Google and society as a whole” and there has since been a shift for zero-days to be beneficial for offensive security. “So after five years, the question to ask is, is zero-day hard yet?”

Hawkes said that Project Zero was founded on principles including “good defense [which] requires a detailed knowledge of offense” and looking at the software that we rely on, not just Google Chrome and Android.

“When you think of Project Zero, autonomy comes to mind,” he added. “We are all bound by a mission and principles, and the key innovation is researchers have individual freedom to pursue their own independent research agenda.” 

He explained that the research breaks down as 54% manual review, 37% fuzzing and 8% other types of testing. He also said that part of performing vulnerability research is creating new methodologies that the researchers did not have access to previously, and that by “writing an exploit, you’re walking in the shoes of an attacker.” The development of an exploit requires five steps:

  1. Ensure that the security impact of the bug is well understood
  2. Establish an equivalence class of similarly exploitable vulnerabilities
  3. Generate appropriate amounts of urgency
  4. Surface new and improved exploit techniques
  5. Find areas of “fragility” in the exploit

Hawkes said that Project Zero is in a position “to advocate for change” and a lot of the job is spent working out “how to be an advocate and what the vendor wants to achieve.”

Looking back at some of the research, Hawkes called the work around Spectre and Meltdown “a moment,” as it changed the way we think about hardware security, led to substantial architecture changes and marked a redoubled effort to invest in security and build up processes and testing.

“On a side note, vulnerability research has been well received and led to structural improvements” and he thanked the vendors and open source community for the work done.

Looking at how to measure the “hard” element of zero-day research, Hawkes said that you can gauge it by the number of vulnerabilities, how many exploits are sold on the “grey market,” or the number of vulnerabilities debugged. “We made an attempt to find something better and more aligned,” he said.

“Instead of marketing it about zero-days being hard, we need to step back and decide what does progress towards hard mean?

“Is it hard? The truth is it is harder, but not hard. If I could stand up and say in five years we are leading to an accomplishment that would be great, but we’re not there yet.”

Hawkes also explained that open attack research “provides the best path for making zero-day hard” and there is “something compelling and powerful in doing work that teaches users to do the right things.”

Looking forward, Hawkes said that we will never finish debating on vulnerability disclosure, and this can be done well “and can be profoundly impactful, but if done poorly there can be systemic risk.” He added that he sees this as an urgent problem, and if people can be promoted and empowered and connected with external researchers, this can “create a pipeline of work that leads to collaboration.”

Concluding, Hawkes said that the way forward is for other companies to follow the Project Zero model, and create their own research teams and “expand the amount of open attack research.”

He said: “We need to focus on our mission and principles and find an area where we see eye to eye as vulnerability disclosure is a distraction, and we need to focus on the common mission and principles.”

Source: Information Security Magazine

#BHUSA: Increase Social Media Awareness With Active and Passive Testing

Speaking on “Testing Your Organization's Social Media Awareness” at Black Hat USA, Jacob Wilkin, network penetration tester and application security consultant, Trustwave SpiderLabs, said that social media phishing is on the rise and is now the “preferred vector for attackers” who now spread more malware via social media than on email.

“You’re three times more likely to get click-throughs on social media, and this is important as companies move to BYOD models and people have devices at home and use social media and bring them into work environments,” he said. 

Wilkin highlighted a passive testing tool that he released last year at the Black Hat Arsenal called “Social Mapper,” which allows you to “feed in a LinkedIn company name and it releases names and images of people at the company.” This will then deliver the names of employees who have been found online.

“This is less intrusive as you don’t interact with profiles, you identify them but not testing them and you don’t know if they accept connection requests or clicked on links,” he said. Instead, you get a report detailing people who are recognized as working at a company, and their corresponding social media accounts via facial recognition. 

To follow up, this week he released an active testing tool called “Social Attacker,” which requires creating a fake social media account, logging into a social media site, feeding in Social Mapper results and sending connection or friend requests to those people with a phishing test message. This gives you a report at the end showing which profiles accepted and who clicked on what, with a timestamp.

Wilkin recommended that social media users not use the same name across websites to better protect themselves, not accept connections or messages from people they don’t know and, in a more extreme case, not put a picture on their social media profile.

“As attackers pivot, it is important to raise awareness and encourage social media sites to prevent and detect attacks and review laws to consider permitting security testing,” he concluded.

Source: Information Security Magazine