#sextrafficking | FinCEN Issues Human Trafficking Advisory (Part II of II) | Michael Volkov | #tinder | #pof | #match | romancescams | #scams
[author: Elizabeth Slim] Elizabeth Slim, Senior Consultant at The Volkov Law Group, joins us for part II of her postings on the problem of human trafficking and recent guidance issued […]
View full post on National Cyber Security
Since 2015, the blockchain industry has generated a variety of economic concepts and supported them with relevant technologies: initial coin offerings, initial exchange offerings, security token offerings, decentralized autonomous organizations, permissioned ledgers, stablecoins, decentralized finance, etc. In a short time frame, some of these went all the way from their heyday to oblivion. Emerging concepts, […]
Source: National Cyber Security – Produced By Gregory Evans. Key thinkers on the biggest security stories and trends in 2019. 2019, what to say? From keynote speaker controversies to hacktivism of the Google Chromecast variety, the year in infosec has certainly been a test of whether what divides us can only make us stronger – plus […] View full post on AmIHackerProof.com
Will AG Barr succeed in his fight to empower the U.S. government with the ability to break strong encryption against tech companies?
U.S. Attorney General Bill Barr once again is decrying the fact that tech companies are proposing strong security standards for data at rest and data in transmission. By using encryption to protect data, the nation’s chief law enforcement official explains, companies will enable terrorists, pedophiles and mass murderers to communicate without fear that government officials, armed with warrants, will be able to listen in on their communications, read their emails and direct messages and discover the contents of their cloud applications and hardware devices. It’s time to empower law enforcement to break strong encryption—of course, with a warrant. Because, in the same breath, Barr also decries what he calls systematic abuse of the warrant application process through multiple layers of the FBI and U.S. Department of Justice (DoJ), through two political administrations, in one of the most sensitive and highly regulated and supervised criminal and national security investigations.
Trust us. We’re the FBI.
AG Barr added another arrow in his quiver to attempt to compel tech companies to comply with his demand that they make the internet less secure: removing their immunity. Section 230 of the Communications Decency Act (CDA) provides that “carriers” of information are not “publishers” of that information when posted by third parties. There are good and bad consequences to this policy decision. The good is that tech giants are not required to read and censor every internet posting, every instant message or direct message, every comment and every website. It means a more free and open sharing of opinions and a more free and open internet in general. The bad is that tech giants are not required to read and censor every internet posting. It means that individuals defamed or injured by such postings, who suffer loss of reputation or who are doxed or stalked online, who are victims of revenge porn, fake news or trolling attacks have little recourse both against the tech companies that disseminate and “broadcast” (in the general sense of making available to the public) the injurious content and against the actual creator or poster of the content, who can generally hide behind various legal and technological shields of anonymity.
Section 230 immunity is a great boon to tech giants who want the benefits of collecting massive amounts of information from individuals about their use of these services without the muss and fuss of having to police the trolls. That’s someone else’s problem.
So now the DoJ and Congress are threatening to remove Section 230 immunity (or to limit it in some fashion). Among the “concessions” the administration wants is for the tech giants to give some additional leeway to law enforcement and the intel community on the issue of data encryption. “Dat’s a nice little free and open internet youze got there … it would be a shame should sumthing happen to it …”
Both Section 230 and the so-called “going dark” problem present nuanced and difficult public policy choices. Weaken encryption to go after child molesters and you invite more hacking of banking systems, less privacy and more abuse even by law enforcement and the intel community. Make crypto unbreakable and you destroy accountability—sort of. Give absolute 230 immunity and there’s little incentive to create safe spaces on the internet or to provide information from which users can be held accountable for their actions. Remove immunity and the quantity and quality and openness of the internet is destroyed. Conflate the two policies and the problems are exponentially more difficult to solve.
I have written on the “going dark” problem many times before, and I am firmly in the camp of a stronger, safer and more secure internet without back doors for one government or another. The perception that the Huawei technology behind our 5G backbone is riddled with actual or potential back doors was enough for Congress and the FCC to demand that the infrastructure be ripped out root and stem. Imagine the international reaction if such “back doors” were perceived to be an integral part of communications, telecom and OSes? Not pretty.
There are plenty of reasons and ways to regulate big tech. These may not be the best ones.
The post Encryption Wars, Part IV: Barr vs. Big Tech appeared first on National Cyber Security.
#cybersecurity | #hacking | Google Online Security Blog: How Google adopted BeyondCorp: Part 4 (services)
This is the final post in a series of four, in which we set out to revisit various BeyondCorp topics and share lessons that were learnt along the internal implementation path at Google.
The first post in this series focused on providing necessary context for how Google adopted BeyondCorp, Google’s implementation of the zero trust security model. The second post focused on managing devices – how we decide whether or not a device should be trusted and why that distinction is necessary. The third post focused on tiered access – how to define access tiers and rules and how to simplify troubleshooting when things go wrong.
This post introduces the concept of gated services, how to identify and, subsequently, migrate them and the associated lessons we learned along the way.
High level architecture for BeyondCorp
Identifying and gating services
How do you identify and categorize all the services that should be gated?
Google began as a web-based company, and as it matured in the modern era, most internal business applications were developed with a web-first approach. These applications were hosted on similar internal architecture as our external services, with the exception that they could only be accessed on corporate office networks. Thus, identifying services to be gated by BeyondCorp was made easier for us due to the fact that most internal services were already properly inventoried and hosted via standard, central solutions. Migration, in many cases, was as simple as a DNS change. Solid IT asset inventory systems and maintenance are critical to migrating to a zero trust security model.
Enforcement of zero trust access policies began with services which we determined would not be meaningfully impacted by the change in access requirements. For most services, requirements could be gathered via typical access log analysis or consulting with service owners. Services which could not be readily gated by default ACL requirements required service owners to develop strict access groups and/or eliminate risky workflows before they could be migrated.
How do you know which trust tier is needed for every service?
As discussed in our previous blog post, Google makes internal services available based on device trust tiers. Today, those services are accessible by the highest trust tier by default.
When the intent of the change is to restrict access to a service to a specific group or team, service owners are free to propose access changes to add or remove restrictions to their service. Access changes which are deemed to be sufficiently low risk can be automatically approved. In all other cases, such as where the owning team wants to expose a service to a risky device tier, they must work with security engineers to follow the principle of least privilege and devise solutions.
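The tier-and-group gating described in this section, as an added example rather than Google's own code: a small policy engine in which every service carries a minimum device trust tier (defaulting to the highest tier, as the text describes) and an optional group restriction, plus the approval routing for owner-proposed changes. The tier names, the three services in the registry and the rule that only access-narrowing changes are auto-approved are assumptions for this example.

```python
"""Tiered access decisions at an access proxy, in the spirit of
BeyondCorp device trust tiers. Added example; tier names, services and
the auto-approval rule are assumptions, not Google's configuration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Tier(IntEnum):
    """Device trust tiers, lowest to highest (names are illustrative)."""
    UNTRUSTED = 0          # unknown or unmanaged device
    BASIC = 1              # managed, but a health check (patch level, disk encryption) is failing
    PRIVILEGED = 2         # managed, all health checks passing
    HIGHLY_PRIVILEGED = 3  # as above plus hardware-backed device identity


@dataclass(frozen=True)
class Service:
    name: str
    # Default matches the text: a newly gated service is reachable only
    # from the highest tier until its owner proposes something broader.
    min_tier: Tier = Tier.HIGHLY_PRIVILEGED
    # Empty set means any authenticated user; otherwise group-restricted.
    allowed_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device_tier: Tier
    service: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, registry: Dict[str, Service]) -> Decision:
    """Coarse gating: deny unless the device tier meets the service's floor
    and the user is in an allowed group. Services missing from the
    inventory are denied, so an un-inventoried service is unreachable."""
    svc = registry.get(req.service)
    if svc is None:
        return Decision(False, "unknown service: default deny")
    if req.device_tier < svc.min_tier:
        return Decision(False, f"device tier {req.device_tier.name} is below required {svc.min_tier.name}")
    if svc.allowed_groups and not (req.groups & svc.allowed_groups):
        return Decision(False, f"user {req.user} is not in an allowed group")
    return Decision(True, "allowed")


def propose_change(svc: Service, new_min_tier: Tier, new_groups: FrozenSet[str]) -> str:
    """Approval routing for an owner-proposed change. A change that only
    narrows access is auto-approved; one that exposes the service to a lower
    tier or to additional groups goes to security review. What counts as
    'sufficiently low risk' is an assumption of this example."""
    widens_tier = new_min_tier < svc.min_tier
    if svc.allowed_groups:
        widens_groups = not new_groups or bool(new_groups - svc.allowed_groups)
    else:
        widens_groups = False  # already open to all users; any group set narrows it
    return "needs-security-review" if (widens_tier or widens_groups) else "auto-approved"


# Constructed sample inventory.
REGISTRY: Dict[str, Service] = {
    "wiki": Service("wiki", Tier.BASIC),
    "payroll": Service("payroll", Tier.HIGHLY_PRIVILEGED, frozenset({"finance"})),
    "ci": Service("ci", Tier.PRIVILEGED, frozenset({"eng", "sre"})),
}

if __name__ == "__main__":
    for req in (Request("alice", frozenset({"eng"}), Tier.PRIVILEGED, "ci"),
                Request("alice", frozenset({"eng"}), Tier.BASIC, "ci"),
                Request("alice", frozenset({"eng"}), Tier.HIGHLY_PRIVILEGED, "payroll")):
        print(req.user, req.service, evaluate(req, REGISTRY))
    print(propose_change(REGISTRY["ci"], Tier.BASIC, REGISTRY["ci"].allowed_groups))
```

Note that the unknown-service branch is what ties this to the inventory point made earlier in the post: a proxy that fails open for services it has never heard of would quietly re-create the flat-network problem BeyondCorp removes.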
What do you do with services that are incompatible with BeyondCorp ideals?
It may not always be possible to gate an application by the preferred zero trust solution. Services that cannot be easily gated typically fall into these categories:
- Type 1: “Non-proxyable protocols”, e.g. non-HTTP/HTTPS traffic.
- Type 2: Low latency requirements or localized high throughput traffic.
- Type 3: Administrative and emergency access networks.
The typical first step in finding a solution for these cases is finding a way to remove the need for that service altogether. In many cases, this was made possible by deprecating or replacing systems which could not be made compatible with the BeyondCorp implementation.
When that was not an option, we found that no single solution would work for all critical requirements:
- Solutions for "Type 1" traffic have generally involved maintaining a specialized client tunnel that strongly enforces authentication and authorization decisions at both the client and the server end of the connection. This is usually client/server traffic that resembles HTTP in that connectivity is typically multipoint-to-point.
- Solutions to the “Type 2” problems generally rely on moving BeyondCorp-compatible compute resources locally or developing a solution tightly integrated with network access equipment to selectively forward “local” traffic without permanently opening network holes.
- As for “Type 3,” it would be ideal to completely eliminate all privileged internal networks. However, the reality is that some privileged networking will likely always be required to maintain the network itself and also to provide emergency access during outages.
It should be noted that server-to-server traffic in secure production data center environments does not necessarily rely on BeyondCorp, although many systems are integrated regardless, due to the Service-Oriented Design benefits that BeyondCorp inherently provides.
How do you prioritize gating?
Prioritization starts by identifying all the services that are currently accessible via internal IP-access alone and migrating the most critical services to BeyondCorp, while working to slowly ratchet down permissions via exception management processes. Criticality of the service may also depend on the number and type of users, sensitivity of data handled, security and privacy risks enabled by the service.
Most services required integration testing with the BeyondCorp proxy. Service teams were encouraged to stand up “test” services which were used to test functionality behind the BeyondCorp proxy. Most services that performed their own access control enforcement were reconfigured to instead rely on BeyondCorp for all user/group authentication and authorization. Service teams have been encouraged to develop their own “fine-grained” discretionary access controls in the services by leveraging session data provided by the BeyondCorp proxy.
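The pattern described above, a service that drops its own authentication and instead relies on session data supplied by the proxy while keeping a fine-grained discretionary check of its own, as an added example that is not Google's code. The wire format here (an HMAC-signed JSON assertion in an `X-Proxy-Assertion` header), the shared signing key, the tier names and the document store are all assumptions; a real deployment would typically carry the same claims in a signed JWT or bind them to an mTLS identity, but the verification discipline is the same. The point the example makes is that the backend must check that the session data actually came from the proxy; a plaintext identity header is forgeable by anything that can reach the backend directly.

```python
"""A gated backend that relies on the access proxy for authentication and
adds its own discretionary check. Added example: the assertion format,
the shared key, tier names and document store are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, Optional

# Assumption: a secret known only to the proxy and this backend.
PROXY_KEY = b"example-proxy-signing-key"
TIER_RANK = {"UNTRUSTED": 0, "BASIC": 1, "PRIVILEGED": 2, "HIGHLY_PRIVILEGED": 3}


class RejectedRequest(Exception):
    """Raised for any request the backend will not serve."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def proxy_issue_assertion(user: str, groups: Iterable[str], device_tier: str,
                          key: bytes = PROXY_KEY, ttl: int = 300,
                          now: Optional[float] = None) -> str:
    """Proxy side: after authenticating the user and device, sign the session
    data forwarded to the backend. The short TTL limits replay."""
    now = time.time() if now is None else now
    claims = {"sub": user, "groups": sorted(groups), "tier": device_tier,
              "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token: str, key: bytes = PROXY_KEY,
                     now: Optional[float] = None) -> dict:
    """Backend side: accept session data only if the proxy signed it and it
    has not expired. Constant-time comparison avoids leaking the MAC."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        raise RejectedRequest("malformed assertion")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise RejectedRequest("bad signature: assertion was not issued by the proxy")
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now:
        raise RejectedRequest("expired assertion")
    return claims


# Constructed sample data: per-document owner, sharing groups and a tier floor.
DOCS: Dict[str, dict] = {
    "roadmap.md": {"owner": "alice", "shared_with": {"eng"}, "min_tier": "PRIVILEGED"},
    "salaries.csv": {"owner": "bob", "shared_with": set(), "min_tier": "HIGHLY_PRIVILEGED"},
}


def handle_get(headers: Dict[str, str], doc: str) -> str:
    """Coarse gating (who, which groups, which device tier) comes from the
    proxy's assertion; the owner/share rule below is the service's own."""
    token = headers.get("X-Proxy-Assertion")
    if token is None:
        raise RejectedRequest("no proxy assertion: request did not come through the proxy")
    claims = verify_assertion(token)
    record = DOCS.get(doc)
    if record is None:
        raise RejectedRequest("not found")
    if TIER_RANK.get(claims.get("tier"), -1) < TIER_RANK[record["min_tier"]]:
        raise RejectedRequest("device tier too low for this document")
    is_owner = claims["sub"] == record["owner"]
    is_shared = bool(set(claims["groups"]) & record["shared_with"])
    if not (is_owner or is_shared):
        raise RejectedRequest("forbidden")
    return f"{doc}: served to {claims['sub']}"


if __name__ == "__main__":
    good = proxy_issue_assertion("alice", {"eng"}, "PRIVILEGED")
    print(handle_get({"X-Proxy-Assertion": good}, "roadmap.md"))
    forged = proxy_issue_assertion("bob", set(), "HIGHLY_PRIVILEGED", key=b"attacker-key")
    try:
        handle_get({"X-Proxy-Assertion": forged}, "salaries.csv")
    except RejectedRequest as e:
        print("rejected:", e)
```

Two deployment details the code cannot show: the proxy must strip any `X-Proxy-Assertion` header arriving from the client before adding its own, and the backend should additionally accept connections only from the proxy (mTLS or network policy), so that a leaked signing key is not by itself enough to reach the service.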
Allow coarse gating and exceptions
Inventory: It’s easy to overlook the importance of keeping a good inventory of services, devices, owners and security exceptions. The journey to a BeyondCorp world should start by solving organizational challenges when managing and maintaining data quality in inventory systems. In short, knowing how a service works, who should access it, and what makes that acceptable are the central tenets of managing BeyondCorp. Fine-grained access control is severely complicated when this insight is missing.
Legacy protocols: Most large enterprises will inevitably need to support workflows and protocols which cannot be migrated to a BeyondCorp world (in any reasonable amount of time). Exception management and service inventory become crucial at this stage while stakeholders develop solutions.
The BeyondCorp initiative would not be sustainable at Google's scale without the involvement of various Site Reliability Engineering (SRE) teams across the inventory systems, the BeyondCorp infrastructure and the client-side solutions. Widespread adoption of a change this large can be hampered by perceived (or, in some cases, actual) reliability issues. Understanding the user workflows that might be affected, working with key stakeholders and ensuring the transition is smooth and trouble-free for all users protects against backlash and keeps users from resorting to undesirable workarounds. By applying our reliability engineering practices, those teams helped ensure that every component of our implementation has availability and latency targets, operational robustness and the like that are compatible with our business needs and the intended user experience.
Put employees in control as much as possible
Employees cover a broad range of job functions with varying requirements of technology and tools. In addition to communicating changes to our employees early, we provide them with self-service solutions for handling exceptions or addressing issues affecting their devices. By putting our employees in control, we help to ensure that security mechanisms do not get in their way, helping with the acceptance and scaling processes.
Throughout this series of blog posts, we set out to revisit and demystify BeyondCorp, Google’s internal implementation of a zero trust security model. The four posts had different focus areas – setting context, devices, tiered access and, finally, services (this post).
If you want to learn more, you can check out the BeyondCorp research papers. In addition, getting started with BeyondCorp is now easier using zero trust solutions from Google Cloud (context-aware access) and other enterprise providers. Lastly, stay tuned for an upcoming BeyondCorp webinar on Cloud OnAir in a few months where you will be able to learn more and ask us questions. We hope that these blog posts, research papers, and webinars will help you on your journey to enable zero trust access.
Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).
Serbian officials recently detained a Belgrade resident suspected of belonging to the hacking group known as DarkOverlord or The Dark Overlord.
The man, aged 38, is identified only by the initials "S.S." and is a Belgrade citizen.
Beyond that, nothing about his identity has been made public.
The Federal Bureau of Investigation has declined to comment on the arrest. Serbian officials, however, say the detention was carried out during an operation to identify the people using the moniker "The Dark Overlord" online.
Active since 2016, The Dark Overlord gained notoriety for breaking into schools and medical providers, stealing sensitive files and then extorting the institutions with the threat of selling the data on underground markets. The group had earlier stolen addresses, phone numbers and Social Security numbers belonging to large numbers of medical patients, data that could be used for identity theft (in.pcmag.com, May 17, 2018).
Beginning in June 2016, The Dark Overlord infiltrated the systems of roughly 50 victims, stealing intellectual property and sensitive health information and then demanding ransoms in exchange for not releasing the stolen data.
The group is known for a two-year crime spree combining hacking and extortion, which included leaking episodes of the Netflix series "Orange Is the New Black" and breaking into U.S. school computer systems and sending death threats to students.
At times the crooks went beyond hacking to threats of physical violence against the entities they had breached. In 2017, a notorious campaign in the United States involved breaching high school systems, stealing personal data and holding it for ransom. When the schools did not pay, the gang would pull staff and student contact details from the stolen data and threaten them directly.
It is not clear whether The Dark Overlord is one person or several. On Twitter, however, it frequently uses "us" and "we" when referring to itself while extorting victims.
View full post on National Cyber Security Ventures
Rapper Nicki Minaj has been away from the limelight for a few months now, and the last time she posted on social media was in December 2017. She is reportedly keeping herself busy with her upcoming album. But she is in the news now after a song she didn't want to be a part of surfaced online.
It seems Nicki Minaj originally featured in Canadian rapper Tory Lanez’s song Shooters but she decided to back out after the latter’s comment about her verse. The Bang Bang singer told him to delete her portion of the song and that was it.
“She (Nicki Minaj) was on Shooters originally. She was on the record first and I had like… I was telling her something about the verse. I wasn’t saying it was bad or anything, her verse was incredible and I’m also like a super-Nicki fan. But I was telling her something about the verse I think maybe… It may have come cloud texting her, so it may have come off just like in a different way… she might have read it differently than I said it,” Tory told HotNewHipHop in an interview.
“I shouldn’t have said about her verse and she was like well, it’s just not that serious, take my verse off the thing,” he added.
The post Hackers #leak song #Nicki Minaj didn’t want to be part of appeared first on National Cyber Security Ventures.
The view from the 128-foot M/V Grand Floridian in the center of the Fort Lauderdale International Boat Show overlooked hundreds of yachts rigged with intricate electronics. For this month’s Triton From the Bridge lunch we gathered 11 captains to learn how they handle these yachts’ potential cybersecurity risks.
Large yachts, like other businesses, try to stay ahead of hacks, spams, viruses, intrusions or otherwise compromised electronics. Yacht captains respond to these threats in the same way they handle a yacht fire, accident or flooding: They focus on prevention and implement solutions when there is a problem.
Each of the captains tries to stay educated, but most have had a cybersecurity incident related to the yacht.
“My experience has been with vendors and contractors being hacked,” a captain said. “Someone duplicating the invoice and following up for payment. They are very slick. It will even have the picture of the vendor and the full thread of all previous correspondence.”
In this case, the vendor called the captain to say he had been hacked. Fortunately, the payment was not sent.
“It never got to that point, but it was headed that way,” the captain said. “I could have paid a rather large invoice to a source that was mimicking as someone else.”
Individual comments are not attributed to encourage candid discussion; attending captains are identified in the accompanying photograph.
Most of the group had experience with emails from a friend or contact that had been hacked. And there were other common themes.
“We were locked out of our computers in Mexico; someone had tried to log in too many times,” a captain said.
Several yacht credit card numbers had been stolen. One was charged $27,000 and another was hit for $5,000 at Target. One captain switched credit cards after frequent small unauthorized purchases.
Most anyone connected to a computer is exposed to cybersecurity problems. Captains are aware of global incidents, as well as issues that may be tailored to yachts, and implement policies to try to prevent them on board.
“We are proactive,” a captain said. “We try not to log into any open source marina Wi-Fi; that’s usually where the trouble comes into play. The crew are required to use the boat system. And I cut down on opening of attachments and things that are recognizable as problems.”
Another captain protects yacht business by connecting via hardwire instead of wireless or bluetooth, and he requires crew to use their own laptops for personal emails. Several captains protect the owners by separating their access from the yacht business and crew.
“The owner has his own network,” a captain said. “It is important to separate bands and sites to monitor and set controls for everyone. I can block and set timers on the crew.”
By giving each device its own IP address, and so knowing which crew member is behind each one, this captain can monitor and cap crew bandwidth use and block specific internet sites such as social media. When crew use is too high, this captain has gone to extremes to make a point.
“Sometimes I’ll walk to the rack and turn it off,” he said.
“Crew should be careful with their social media anyway,” another captain said. “Most crew agencies check Facebook and those sites.”
Another captain uses different emails and changes passwords on a regular basis.
Several captains said well-defined crew confidentiality agreements address privacy issues in regard to electronics.
“But it can be contentious,” a captain said. “Crew live and work on board. It is hard to shut everything down.”
Confidentiality agreements vary by yacht, but one common clause is that no pictures of crew on board or pictures of the yacht are allowed for the public, a captain said.
“As captains, we have to define clearly what the owner wants,” he said.
Charter guests present a challenge. Celebrity guests are common on some yachts, and several captains had stories of fans and paparazzi waiting at the dock.
“If it’s a charter, you have to figure out how to handle the guests because they do not have a nondisclosure,” a captain said.
“You can watch TMZ [celebrity news] and see the boats, so I don’t know how you can control that,” another captain said. “They can check online and see who’s on board.”
One yacht owner said to a captain, “If Google can find my name, it doesn’t matter – there’s nothing you can do.”
There are other systems on board that link yachts to the wider pool of public information. The Automatic Identification System (AIS), required on many yachts, broadcasts the vessel’s position over VHF radio, where it is picked up by other ships, shore stations and satellite receivers. The broadcast can include ship name, course and speed, classification, call sign and registration number.
The captains agreed that AIS is vital to navigation, but is typically turned off when not underway. But the system is popular with yacht owners who follow their yacht’s locations through a public website that shares AIS information.
“The boss calls when he’s using it,” a captain said. “I can see you are using a lot of fuel, can you throttle back?”
Another owner was watching the yacht online and called when he saw it had not moved for several hours.
Basically captains don’t have a choice because the system is helpful and often mandated. But there are a few precautions available.
“AIS yachts are allowed to turn it off in dangerous situations,” a captain said.
“There is a stealth mode where the yacht does not broadcast,” another captain explained.
And there is a delay on MarineTraffic, a commercial website that aggregates and republishes AIS data. A captain said yachts can pay for premium services to increase security on the program.
Several captains were familiar with a 2013 experiment in which University of Texas at Austin researchers steered a yacht off course by GPS spoofing.
“I read about that,” a captain said. “There can be transmitters that confuse the signal to navigation.”
Spoofing and loss of power or electronic contact are a couple of reasons why several captains have the crew plot a course on a paper chart.
“I had a crew say, ‘The electronic navigation is down, how are we going to get into port?’” a captain said. “They had no idea.”
“If something looks wrong, they should check,” the first captain said. “It’s important to teach them how to use the charts.”
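The check the captains describe, comparing what the receiver reports against where the log and compass say the boat should be, can be automated. The following is an added example, not anything from the Triton article or the captains: it dead-reckons each fix from the previous one (catching sudden jumps) and chains dead reckoning from the first fix (catching the slow pull the 2013 experiment used, which keeps every individual step plausible). The track is constructed, the tolerances are illustrative, and a flag means "verify by other means", not "spoofed": current, leeway and log error all produce deviations of their own.

```python
"""Cross-check GNSS fixes against dead reckoning from the log and compass.
Added example: the sample track is constructed and the tolerances are
illustrative; a flag is a prompt to check, not proof of spoofing."""
import math
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0
KNOT_MS = 0.514444

# (time_s, lat_deg, lon_deg, speed_through_water_kn, heading_deg)
Fix = Tuple[float, float, float, float, float]


def dead_reckon(lat: float, lon: float, speed_kn: float, heading_deg: float,
                seconds: float) -> Tuple[float, float]:
    """Advance a position along a great-circle initial bearing."""
    ang = speed_kn * KNOT_MS * seconds / EARTH_RADIUS_M  # angular distance
    brg = math.radians(heading_deg)
    lat1, lon1 = math.radians(lat), math.radians(lon)
    lat2 = math.asin(math.sin(lat1) * math.cos(ang) + math.cos(lat1) * math.sin(ang) * math.cos(brg))
    lon2 = lon1 + math.atan2(math.sin(brg) * math.sin(ang) * math.cos(lat1),
                             math.cos(ang) - math.sin(lat1) * math.sin(lat2))
    return math.degrees(lat2), math.degrees(lon2)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_track(fixes: List[Fix], step_tol_m: float = 200.0,
                drift_tol_m: float = 500.0) -> List[Tuple[float, float, float, bool]]:
    """For each fix after the first, return (time, step deviation, cumulative
    deviation, flagged). Step deviation compares the fix with one interval of
    dead reckoning from the previous fix; cumulative deviation chains dead
    reckoning from the first fix, so a slow pull that keeps each step within
    tolerance still accumulates and trips the drift threshold."""
    results = []
    dr_lat, dr_lon = fixes[0][1], fixes[0][2]
    for prev, cur in zip(fixes, fixes[1:]):
        t0, lat0, lon0, spd, hdg = prev
        t1, lat1, lon1, _, _ = cur
        exp_lat, exp_lon = dead_reckon(lat0, lon0, spd, hdg, t1 - t0)
        step_dev = haversine_m(exp_lat, exp_lon, lat1, lon1)
        dr_lat, dr_lon = dead_reckon(dr_lat, dr_lon, spd, hdg, t1 - t0)
        drift = haversine_m(dr_lat, dr_lon, lat1, lon1)
        results.append((t1, step_dev, drift, step_dev > step_tol_m or drift > drift_tol_m))
    return results


def build_sample_track(spoof: str = "jump") -> List[Fix]:
    """Constructed track: 10 kn due east off Fort Lauderdale, one fix a minute.
    'jump' shifts only the last fix ~1.1 km north; 'drift' pulls each fix a
    further ~145 m north so no single step looks wrong."""
    lat, lon = 26.10, -80.05
    fixes: List[Fix] = [(0.0, lat, lon, 10.0, 90.0)]
    for i in range(1, 5):
        lat, lon = dead_reckon(lat, lon, 10.0, 90.0, 60.0)
        fixes.append((60.0 * i, lat, lon, 10.0, 90.0))
    if spoof == "jump":
        t, la, lo, s, h = fixes[-1]
        fixes[-1] = (t, la + 0.01, lo, s, h)
    elif spoof == "drift":
        fixes = [(t, la + 0.0013 * i, lo, s, h) for i, (t, la, lo, s, h) in enumerate(fixes)]
    return fixes


if __name__ == "__main__":
    for kind in ("jump", "drift"):
        print(kind)
        for t, step, drift, flagged in check_track(build_sample_track(kind)):
            print(f"  t={t:4.0f}s step={step:7.1f} m drift={drift:7.1f} m {'CHECK' if flagged else 'ok'}")
```

Speed through water and heading come from the log and compass, which a GNSS spoofer cannot touch, which is why dead reckoning is the right reference; a check that only compared successive GNSS fixes with each other would be fooled by any smooth spoof.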
Many yacht electronic systems are complex and beyond the crew’s expertise; that is why two of the yachts use remote information technology companies.
“We have an IT guy in Indiana who controls the boat,” one captain said. He said the technician recommended that the yacht’s satellite service run through the United States instead of other countries so he could better monitor service.
So much of the technology frequently changes, it’s difficult to keep current. A captain recommends people ask for help.
“When techs are on board servicing your sat system, make sure to have the security checked,” this captain said.
Many yachts have monitoring systems and most have camera security systems. Many captains receive messages when the bilge runs or an alarm sounds. One captain logs in and monitors the systems remotely. Another captain recommended that all systems be evaluated by a trusted technology company to confirm systems cannot be compromised.
We asked what the future holds for cybersecurity risks in yachting.
“There’s nothing different in yachting than in other industries,” a captain said.
So, like anyone in business or using personal electronics, the captains seek good technical advice and try to stay alert to what could happen.
“I’ve heard of many different things that can happen, and it doesn’t take long,” a captain said. “I think it’s going to be a concern from here moving forward. All our information is out there anyway.”
“I think in the future there could be a meltdown,” another captain said. “Maybe everyone is hacked all at once.”
“We were in the Bahamas with no communication for two days; the cell towers were down,” another captain said. “We could use our old sat phone but we really could see the limitations.”
“The government can shut down the satellite system, but we have other nations’ satellites to use,” a third captain said.
“Or we can use our Stargazer app,” another captain said with a laugh as he held his phone to the sky.
“Yes, maybe sometime in the future, whether weather- or terror-related, we will have to function without,” a captain said. “But for now, it’s a tool.”
It is a reason to know celestial navigation, and one captain noted yachts still need their compasses.
“If it turns out our power is completely out and everything is down, we can’t make it to shore anyway,” a captain said. “Everything runs on power now.”
“We’ve been careful,” another captain said. “But lucky is probably the real word.”