
Cyber Threat Analysis Report Volume 1, Edition 6

WannaCry ‘Hero’ Marcus Hutchins Pleads Guilty to Creating Malware

British cybersecurity researcher Marcus Hutchins, known for his actions that helped stop the WannaCry ransomware attack, admitted in a U.S. court to aiding in the development and distribution of a banking Trojan. Known online as MalwareTech, Hutchins was called a “hero” after stopping the WannaCry ransomware attack in May 2017 by registering a domain that acted as a kill switch for the malware.

Find me an amazing whitehat of a certain age, and I’ll find a blackhat in their closet. That’s not as common a situation today as it used to be, and it’s certainly not a requirement to be a good practitioner, but a lot of people in this business are muttering under their breath, ‘there but for the grace of God…’. We were all kids. We all did stupid stuff. A life trajectory that plots a course into the light is worth special consideration, because if we banned anyone who had a shaded past from working in this business, there wouldn’t be many left.


Ecuador Says Hit by 40 Million Cyber Attacks Since Assange Arrest

Ecuador said on Monday it has suffered 40 million cyber attacks on the webpages of public institutions since stripping Wikileaks founder Julian Assange of political asylum. Patricio Real, Ecuador’s deputy minister for information and communication technologies, said the attacks, which began on Thursday, had “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” as well as from the South American country itself.

Good old fashioned hacktivism. And like most of such activity, a complete waste of time. No government has ever been moved to action based on a digital sit-in or blockade or defacement (humans and their pets defiling embassy office space however…). There is no arguing with the unsophisticated bleeding hearts about the difference between proper journalists and ex-hackers who just want to watch the world burn, you just need to understand that given half the chance people will throw bytes at you in righteous indignation, so be prepared.


Microsoft Office now the most targeted platform, as browser security improves

Microsoft Office has become cybercriminals’ preferred platform when carrying out attacks, and the number of incidents keeps increasing, Kaspersky Lab researchers said during the company’s annual conference in Singapore. Boris Larin, Vlad Stolyarov and Alexander Liskin showed that the threat landscape has changed in the past two years and urged users to keep their software up-to-date and to avoid opening files that come from untrusted sources to reduce the risk of infection.

Hackers, like bank robbers, go to where the reward is. The widespread installed base of Office is also a strong motivator, as it allows the bad guys to operate at scale. This is also a great time to point out that one of your best defenses against attacks isn’t an ‘advanced’ ‘next-gen’ security solution, but hitting ‘yes’ when prompted to update/patch your software.


Third-Party Cyber-Risk by the Numbers

Make no mistake: Even the most technologically mature organizations are struggling to keep in check the rising force of third-party cyber-risk. Recent high-profile security incidents, such as the Facebook data leak and the ASUS Shadowhammer attack, bring home the fact that third parties can introduce tremendous risk to business operations, data security, and even the technical integrity of products and services.

Cybersecurity 101: Know what you are protecting. 102? Know what you’re using that you can’t protect and watch it like a hawk. If you haven’t already, address related risks in contracts and other pertinent agreements. Put the onus on those who want to do business with you to step up their game just as you are your own. The interconnected nature of our world today means we’re all in this together whether we like it or not. If we don’t build up a herd immunity, the digital anti-vaxxers (and bad guys) win.


Industry puts cybersecurity pros in charge

After years of dire warnings about hackers wreaking havoc on computers that run physical processes in factories and infrastructure, you’d think industrial firms would already have their top cybersecurity officers running cybersecurity at their plants. Today, that’s the case for only 35% of big facilities — but the situation is finally changing.

Life is different in the world of steel-toed boots. In the industrial space the analog to the security guy is the safety guy, and he started out with the firm 40 years ago sweeping the floor. You are not going to bedazzle him with your cyber war stories; his job is to keep the power on or the machines running and no one has foiled him yet. Bring your A-game, talk about business cases and the essentials, not the nice-to-haves, and you might succeed; talk TCP/IP and quarantine-and-rebuild and get thrown out on your fourth point of contact.


Utah bans police from searching digital data without a warrant

Some good news for privacy advocates this week: a big Fourth Amendment loophole has been closed in the state of Utah. Previously, state law enforcement only required a subpoena to access someone’s digital content — including emails, pictures, video and audio — from internet and cloud providers. Now, following the introduction of HB 57, the Electronic Information or Data Privacy Act, police need a warrant based on probable cause.

The legislature starts to get it right. The idea that our digital devices are anything less than an extension of our brains (and hearts) at this point is simply a position detached from reality. There is still the border exception to contend with but more and more courts and legislatures are starting to recognize fishing expeditions when they see them. Law enforcement could take a lesson learned from the NSA telecom vacuum; that you can collect a lot doesn’t mean you should, or that it will prove useful.


OIG Finds Ineffective Data, Network Security at HHS, FDA, CMS, NIH

The HHS watchdog’s annual FISMA audit of HHS, FDA, CMS, and NIH deemed that HHS information security didn’t meet the managed and measurable level of an effective program. The watchdog recently completed its annual Federal Information Security Management Act (FISMA) audit and determined that while HHS, FDA, CMS, and NIH continue to work toward strengthening their security programs, the agencies’ security has weaknesses in risk management, configuration management, identity and access management, data protection and privacy, security training, continuous monitoring, incident response, and contingency planning.

No one ever got fired for buying IBM…or failing a FISMA audit. When there is no sense of urgency, and no accountability, why are we surprised? Letter-graded audit results aren’t terribly useful (comparing HHS versus, say, NSA isn’t fair), but even so, how many “Fs” would your kid need to bring home before you started to light a fire under them? Is there a talent problem? Sure. Limited resources? Of course. Just like everyone in the private sector. At some point you have to accept that even in the government, no one is in the security business, they’re just in (the people’s) business.


Serious Vulnerabilities Found in Fujifilm X-Ray Devices

Researchers have uncovered serious denial-of-service (DoS) and improper access control vulnerabilities in X-ray devices made by Japanese imaging giant Fujifilm. The flaws, described in an advisory published this week by ICS-CERT, affect Fuji Computed Radiography (FCR) XC-2 and Capsula X medical imaging products (CR-IR 357) — Capsula products are marketed as Carbon in the United States. The impacted devices are used in the healthcare sector worldwide.

It’s not quite the Therac-25, and thank God for that. Cheerleaders will point out new legislation at the state level that mandates better IoT security, but none of that applies to the zillions of devices already in place, and that won’t be replaced for 10-20 years. Our relationship with medical technology is becoming, literally, personal. We’re not quite cyborgs, but every device connected to or implanted in us could just as easily kill us as support our well-being. That device manufacturers have never really given these issues serious consideration, learning at the temple of security-by-obscurity, isn’t a shame, it’s a scandal.


France’s ‘Secure’ Telegram Replacement Hacked in an Hour

The French Government last week launched a custom messaging application called Tchap, touting it as being “more secure than Telegram.” One small snag however: the platform has already – quel dommage! – been hacked. French security researcher Robert Baptiste, a.k.a. Elliot Alderson, downloaded the app from Google Play and quickly discovered an email validation error in the account creation process.

Zut alors! We’re rightfully concerned about government officials using commercial communications tools for official business, but at least those tools started from the ground up with a secure design and were made by security-minded experts, not the lowest bidder. The IC had the talent to create its own search engine, but they paid for AltaVista (and later Google) because why reinvent the wheel? There was ‘the cloud’ and now there is the government cloud. Rolling your own solutions, if you’re not in the solution business, is almost always a terrible idea.


1 in 4 Workers Are Aware Of Security Guidelines – but Ignore Them

An alarming percentage of workers are consciously avoiding IT guidelines for security, according to a new report based on a survey of 1,569 respondents from the US and UK who use collaboration tools at work. It found that 24% of those surveyed are aware of IT security guidelines yet are not following them. Another 27% knowingly connect to an unsecured network. And 25% share confidential information through collaboration platforms, including Skype, Slack, and Microsoft Teams.

If your security solutions or procedures aren’t frictionless (or nearly so), it isn’t a solution, it’s a speed bump: something to be overcome or driven around in order to get s*** done. People are rewarded and lauded for going above and beyond, not for meeting the minimum and not getting pwned. Until that attitude changes, and developers engage designers to understand what is most likely to get used, get used to people looking after their own best interests versus complying with that security policy collecting dust on their cubicle bookshelf.


Underserved populations unaware of cybersecurity risks

Members of underserved populations are less likely to know whether they have even been victimized by a cyber attack, and they have lower awareness of cybersecurity risks. Among the key findings outlined in the report: When underserved residents were asked about their knowledge of core cybersecurity concepts, 20 percent did not know about online crime, 21 percent didn’t know about email spam, 26 percent didn’t know about computer or phone “viruses,” and 31 percent did not know about anti-virus software.

Awareness: it’s what’s for dinner. I would argue that the vast majority of people – underserved or not – are in the same boat when it comes to not knowing what could hurt them. Our inability as an industry to get the awareness and training piece right after so many years is a serious detriment. Everyone buckles up when they get in a car. Hardly anyone smokes anymore. We could have a huge impact on the security posture of firms and individuals if we could figure out the information age equivalent of the crying Indian.


7 Types of Experiences Every Security Pro Should Have

As the saying goes, experience is the best teacher. It’ll also make you a better and more well-rounded security pro. What types of skills and experiences do security pros need to develop to succeed?

Being well-rounded is not the end-all. The idea that one needs to experience a breach, participate in a CTF, etc., etc. is one of the major reasons why we have a talent problem. It plays into the mindset that if you can’t do a bit of it all, you’re not that good. No one demands an A/R technician prepare financials for an IPO, but we’re totally OK with requiring a Jr. SOC analyst have a CISSP. Some people like their niche, and they’re not lesser because of it. Treat security hiring like you would any other discipline and you’ll be surprised at how it’s not such a problem anymore.


Slack Lists Cybersecurity Risks Ahead of Going Public

Slack Technologies, the company behind the popular team collaboration platform Slack, faces a wide range of cyber threats, including attacks launched by sophisticated cybercriminals and nation-state actors, according to a document filed on Friday with the U.S. Securities and Exchange Commission (SEC). The company has warned that its financial results in the upcoming period may be harmed by unauthorized access to its systems or data, or the data of its customers. Slack is concerned not only about traditional hackers, malware, phishing, malicious insiders, denial-of-service (DoS) attacks, and password attacks, but also the threat posed by “sophisticated organized crime, nation-state, and nation-state supported actors.”

You rarely see this kind of openness and honesty in a corporate filing. Most are rote, pablum-filled, and meaningless, meant to address issues in a way that minimizes the threat of liability or claims of negligence. Everyone knows these issues to be real and true, but finding the intestinal fortitude to call it out suggests that security is far more ingrained in the culture of Slack than almost any other non-security-oriented company. I don’t know that that makes them a good investment, but it does suggest that if they trip and fall it won’t be over a phishing attack.


2 Million IoT Devices Vulnerable to Complete Takeover

Millions of security cameras, baby monitors and “smart” doorbells are open to hijack – and no solution is currently available. The attack stems from peer-to-peer (P2P) communication technology in all of these Internet of Things (IoT) devices, which allows them to be accessed without any manual configuration. The particular P2P solution that they use, iLnkP2P, is developed by Shenzhen Yunni Technology and contains two vulnerabilities that could allow remote hackers to find and take over vulnerable cameras used in the devices.

At the risk of assaulting an expired equine: IoT security is for our grandchildren. This is a situation that will get far, far worse before it gets better. I don’t advise burning your Alexa and smashing your Nest thermostat, but you would do well to ensure that your ability to operate is not impeded should the technology in your life be turned against you (resilience).


DHS Orders Agencies to Patch Critical Vulnerabilities Within 15 Days

The U.S. Department of Homeland Security this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems. Specifically, BOD 19-02 gives government organizations 15 days to address critical vulnerabilities and 30 days for high-severity flaws. Agencies that fail to address vulnerabilities within the allocated time frame are given three days to submit a remediation plan describing the constraints that prevent them from addressing the flaw, the mitigations in place, and an estimated completion date.

Forward progress or merely movement? It’s the government, so of course there is an exception to the rule, but given the complexity of many federal systems, not entirely unwarranted. Having said that, if we’re 10 years into this directive and agency systems are not getting easier to patch and defend, we’re clearly not learning some very old and well-understood lessons. The existence of a waiver isn’t an excuse to not improve, but if we allow it to be so, we shouldn’t be surprised when agencies are in their 20th year of “F” cybersecurity audit grades.

Michael Tanji

About the Author

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.