Simplicity should underpin enterprise security in a Covid-19 world: Magda Chelly surveys the global infosec landscape
Responsible Cyber co-founder will focus on education, communication, and more at this year’s RSA Conference
Infosec recruitment flaws and adapting cybersecurity posture for a global pandemic are two notable topics being discussed at tomorrow’s virtual RSA Conference.
These themes will be the focus of three talks from Magda Chelly, head of cyber risk consulting for Marsh Asia.
She is a certified CISO, on the advisory board for the Executive Summit of Black Hat Asia 2020, runs a popular YouTube channel focused on cybersecurity, and has won a string of accolades for being a cybersecurity influencer. Chelly is also the co-founder of Singapore-based security-as-a-service company Responsible Cyber.
Speaking to The Daily Swig, Chelly gives the inside track on her RSA presentations and reflects on the global disparities in cybersecurity maturity and the career opportunities open to female infosec professionals.
How did you get into cybersecurity?
I started being interested in cybersecurity when I was doing my PhD in telecoms engineering.
I evolved into an IT/CRM [customer relations management] consultant and even worked in sales and business development roles.
Since then I have had advisory roles [in cybersecurity], which have mostly evolved from governance to more technical cybersecurity – for example, cloud security with AWS, Microsoft Azure, Office 365 – to a more global approach when it comes to being a CISO.
That means building the whole cybersecurity strategy and rolling it out across one to three years, especially with regulated businesses like insurance. It was exciting because I needed to ensure that the company was not only getting up to speed, but also that they didn’t get themselves into trouble.
Please tell us about your role at Marsh…
Marsh Asia provides cyber risk consulting. It focuses on risk quantification, as companies are still facing challenges evaluating and quantifying cyber risks to find out the related financial losses.
Unlike other risks, there is limited historical data about cybercrime, mainly because it is a relatively new risk area, but also due to its constantly changing form.
Cyber risk management has not yet been ‘reduced to practice’ on a wide scale.
This approach enables point estimates of the financial cost – the severity – of cyber events with good accuracy.
Having credible quantitative estimates for both severity and likelihood will allow risk managers to answer the fundamental question: “What is the likelihood that our organization will experience a cyber event causing a loss of greater than, say, $100 million in the next 12 months?”
Most often, it is the likelihood question that derails many attempts at quantifying cyber risk, due to the unpredictable nature of a human-initiated threat.
So we’re talking dollars here – how data loss might happen, how much my business might lose, and how much I can get in terms of investment.
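The "$100 million in the next 12 months" question above can be made concrete with a small frequency/severity simulation. The following is an added Python example, not Marsh's or the interviewee's method: it assumes a Poisson count of events per year (rate `lam`) and a lognormal loss per event (median and dispersion `sigma`), with all parameter values constructed for illustration, and turns those two estimates into a loss-exceedance probability.

```python
"""Loss-exceedance estimate for a cyber-risk scenario.

Added illustration, not from the interview. Model assumptions: events in a
12-month window follow a Poisson distribution with annual rate `lam`; each
event's financial loss is lognormal with a given median and dispersion
`sigma`. All numbers used in main() are constructed for illustration.
"""
import math
import random


def p_at_least_one_event(lam: float) -> float:
    """Likelihood of at least one event in the period under Poisson(lam)."""
    return 1.0 - math.exp(-lam)


def expected_severity(median_loss: float, sigma: float) -> float:
    """Point estimate (mean) of a single event's loss for a lognormal severity."""
    return median_loss * math.exp(sigma ** 2 / 2.0)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw an event count; Knuth's method, adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(rng: random.Random, lam: float, mu: float, sigma: float) -> float:
    """Total loss in one simulated year: sum of lognormal losses over Poisson events."""
    n = poisson_sample(rng, lam)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(n))


def exceedance_probability(lam, median_loss, sigma, threshold, years=20000, seed=1):
    """Monte Carlo estimate of P(annual loss > threshold) over `years` simulated years."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    exceed = sum(1 for _ in range(years)
                 if annual_loss(rng, lam, mu, sigma) > threshold)
    return exceed / years


if __name__ == "__main__":
    # Constructed scenario: 0.5 material incidents per year on average,
    # median loss $8M, sigma 1.2 (a heavy right tail).
    lam, median, sigma = 0.5, 8e6, 1.2
    print(f"P(at least one event in 12 months) = {p_at_least_one_event(lam):.3f}")
    print(f"Expected loss per event            = ${expected_severity(median, sigma):,.0f}")
    p = exceedance_probability(lam, median, sigma, threshold=100e6)
    print(f"P(loss > $100M in next 12 months)  = {p:.4f}")
```

The severity side (`expected_severity`) is the part the interview says can be estimated with good accuracy; the likelihood side is carried entirely by `lam`, which is why a poorly justified rate derails the whole estimate regardless of how good the loss model is.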
What can RSA Conference attendees expect to hear about ‘Getting the Security and Flexibility Balance Right in a Covid-19 World’?
I’ll be addressing how to be aware of the evolving risks within an uncertain environment.
And I’ll be [urging attendees to make] simplicity [a pillar of their cybersecurity approach] because fundamentals can be applied. You can, for example, apply your NIST compliance checklist every time a risk changes. I will be talking about alternatives.
I will be presenting about use cases and some additional changes that are super interesting.
I believe that cybersecurity professionals tend to be overconfident about their capabilities.
We’re talking about an environment with a lot of factors that might impact our security. We’re not talking about traditional corporate security and enterprise boundaries. We cannot take the same approach.
If you go into an employee’s ecosystem and you understand how they work, you realize that they will find a way to [surmount] technical challenges by using their personal emails, etc., so that of course raises additional risks. And working in a quarantine environment raises risks that were not considered.
And the fact that some [employees] will go back to the office, some will stay working remotely – how do you manage that securely?
Cybersecurity professionals also have a challenge communicating with employees, who [sometimes] do not even know that there is a [security] team.
We tend to make employees feel that we are not reachable. If you’re a CISO of a big company then, obviously, you’re very busy. You have a team and you cannot spare time to talk to everyone, but it’s extremely important to go beyond just sending a newsletter and make sure that employees see cybersecurity as part of the culture.
So don’t talk about only corporate requirements. Talk about how they need to consider cybersecurity in everyday activities – no matter if it’s a corporate requirement or not.
This year’s RSA Conference is taking place virtually
And what about your other talk: ‘Hacking the Cybersecurity Job Market: A Primer for Students and Grads’?
This is about helping the student understand the different [available] career paths.
We hear about a big skills gap globally. Sometimes [this is exacerbated by] the fact that HR will request everything and anything in the job description. From a hacker to a compliance manager, to a CISO, [all skills and experience] is put in one job description, which is of course impossible. [Or they ask for] someone junior, but already with experience, so it just doesn’t make sense.
So [I will talk about] finding the right balance, and how to address the challenges and start the discussions with HR teams.
How does Singapore, or Asia more widely, compare to Europe or North America in terms of its cybersecurity maturity?
I would say it’s very different. The Asian market is very fragmented. Every country has different maturity, different initiatives, and different – especially regulatory – requirements.
Singapore is one of the most mature in terms of regulations – we have the PDPA privacy law, the Cybersecurity Act, the MAS TRM guidelines.
In countries where maturity is much lower, companies just do not feel that they need to do anything [to strengthen cybersecurity].
The Asian market compared to Europe or the US is still much, much lower in terms of general maturity, which means, again, there is a greater opportunity to help those companies.
You founded the Singapore chapter of Women of Security, or WoSEC. How would you summarize the chapter’s aims?
I’m trying to help female professionals get the right support, to give them a safe environment with talks, workshops, social gatherings where we can talk about challenges, we can give some job opportunities, and recommend mentors.
How much progress are you seeing in terms of achieving parity of opportunity between female and male professionals?
I think there are a lot of unconscious biases, but it is changing.
I’ve seen a very positive change in the US and Europe. Asia is still trying its best but it’s not there yet. There’s a lot of work to do.
Companies like Marsh have diversity programs, and they are supporting WoSEC, so the problem is not there as such.
But general feedback from the top of other companies in the region [suggests that] the problem is that the HR process doesn’t [encourage] that inclusion or diversity very well. And then unconscious biases don’t help female professionals [once they do get roles].
It really depends on the country and the culture.
Finally, you noted that cybersecurity is often seen as exclusively the domain of IT teams. Experts also often feel that cybersecurity’s status as a cost center devalues its importance. Are attitudes improving in the boardroom?
Small and medium-sized enterprises are generally focused on increasing sales.
They still lack awareness around cyber risk and do not consider it as a business risk. So they try to get it outsourced. But they are ignorant of the risks that they are exposed to, because the IT or managed service provider [might not be] doing anything about security because it’s not in the contract. This is something I have seen in Singapore and abroad.
What mostly drives change is the regulatory requirement. We cannot just assume that a company will raise their understanding of cybersecurity just because then they are aware [of the problem] – unless the business owner is technologically savvy.
It needs a regulatory push. In Singapore, we have the Monetary Authority of Singapore technology guidelines, for example.
View full post on National Cyber Security
The bogus news is generally known as the “Martinelli hoax”, because it starts like this:
If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.
When we last wrote about “Martinelli”, back in 2018, we noted that the hoax was given a breath of believability because the text above was immediately followed by this:
If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!
This part of the hoax has a ring of truth to it.
Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold was doing the rounds.
The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”
So WhatsApp Gold was actual malware, and the advice to avoid it was valid, so the initiator of the Martinelli hoax used it to give an element of legitimacy to their otherwise fake warning about the video.
The latest reincarnation of the hoax has kept the text of the original precisely, including the five-fold exclamation points and the weird extra spaces before punctuation marks.
The new hoax even claims that the video first mentioned several years ago still “comes out tomorrow.”
But there’s a new twist this time, with yet another hoax tacked on the end referring to yet another video “that formats your mobile.”
This time, the video is called Dance of the Pope:
Please inform all contacts from your list not to open a video called "Dance of the Pope". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this message to as many as you can!
Ironically, Snopes suggests that this piece of the hoax – which is basically the same as the Martinelli hoax but with a different video name – is even older than the Martinelli part, dating back to 2015.
Quite why the hoax has reappeared now is not clear, though it may have been triggered by March 2020 news headlines about wunderkind Brazilian footballer Martinelli.
Martinelli currently plays for Arsenal in England, but has been tipped to appear in the Brazilian national squad at just 18 years of age; he’s also been the subject of media speculation that he might get poached from Arsenal by Spanish heavyweights Real Madrid.
Is it even possible?
In theory, playing a deliberately booby-trapped video file on your mobile phone could end up in a malware infection, if your phone has an unpatched bug in its media player software that a crook could exploit.
In practice, however, that sort of bug is very rare these days – and typically gets patched very rapidly and reported very widely.
In other words, if the creator of this warning knew enough about the “bug” to predict that it could infect any mobile phone, and could warn you about this “attack” in a video that isn’t even out yet, it’s highly unlikely that you wouldn’t have heard about the actual bug itself either from the vendor of your phone or from the world’s cybersecurity news media.
Additionally, even if there were a dangerous bug of this sort on your phone and your phone were at risk, it’s unlikely that “nothing would fix it”.
As for the imminent and unconquerable danger of an alleged double-whammy video attack of “threats” that first surfaced in 2015 and 2016…
…well, if the videos were supposed to “come out tomorrow” more than four years ago, we think you can ignore them today.
What to do?
- Don’t spread unsubstantiated or already-debunked stories online via any messaging app or social network. There’s enough fake news at the moment without adding to it!
- Don’t be tricked by claims to authority. Anyone can write “they announced it today on BBC radio,” but that doesn’t tell you anything. For all you know, the BBC didn’t mention it at all, or announced it as part of a hoax warning. Do your own research independently, without relying on links or claims in the message itself.
- Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
- Don’t forward a cybersecurity hoax because you think it’s an obvious joke. What’s obvious to you might not be to other people, and your comments may get repeated as an earnest truth by millions of people.
- Don’t follow the advice in a hoax “just in case”. Cybersecurity hoaxes often offer bogus advice that promises a quick fix but simply won’t help, and will certainly distract you from taking proper precautions.
- Patch early, patch often. Security updates for mobile phones typically close off lots of holes that crooks could exploit, or shut down software tricks that adware and other not-quite-malicious apps abuse to make money off you. Take prompt advantage of updates!
- Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it gives you additional protection not only against unsafe system settings and malware, but also helps to keep you away from risky websites in the first place.
- Don’t grant permissions to an app unless it genuinely needs them. Mobile malware doesn’t need to use fancy, low-level programming booby-traps if you invite it in yourself and then give it more power than it needs or deserves.
The post WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope” – Naked Security appeared first on National Cyber Security.
Moody’s, Nasdaq and many others choosing Lithuania for cyber security GBS functions
The following article by Invest Lithuania’s Senior Investment Advisor Monika Vilkelytė first appeared in the Outsourcing&More magazine. You can find the original here.
Assigning cyber security operations to GBS centres is a smart move for international companies. But finding the right location for such a centre can be a serious headache. Suitable locations need to have both fast, secure IT infrastructure and a strong pool (and future pipeline) of IT talent. Affordable locations offering this combination are few and far between. That’s why Lithuania, which is ranked 4th globally in the Cyber Security Index, is proving so attractive to global company groups in terms of cyber security operations. The likes of Oracle, Nasdaq and Outokumpu already have cyber security teams in Lithuania, while Moody’s is on the way to building its cyber security capabilities in Vilnius. With a strong pipeline of talent and a clearly defined National Cyber Security Strategy, there’s plenty of room for future growth.
The ever-changing face of cyber security
The number of cyber attacks made against organizations around the world is increasing every year. Worse still, the complexity and severity of these attacks is also growing, as criminals search for ever-more sophisticated ways to break through a company’s cyber defences. With huge amounts of both company and customer data in their systems, and processes that are more deeply interconnected than ever, a major cyber attack could have catastrophic consequences.
GBS and cyber security – a smart combination
To face this ever-changing threat, companies need to be innovative and responsive, constantly updating their cyber defences to meet the latest dangers. And increasingly, global companies are using the GBS model as the most effective way to manage their Cyber Security operations. By centralizing their cyber security team in one location, it becomes easier to adopt new innovative solutions. These teams are also more effective at focusing the limited time and resources a company has on mission-critical cyber services.
Finding a home for your cyber security team
Finding the right model for managing cyber security (a GBS approach) is an important first step, but executing this model well is just as important. And one of the critical decisions a company has to make is where to locate the GBS centre that manages their cyber security.
Two features characterise the ideal location for a cyber security team. The location needs to have fast, well-developed and robust IT infrastructure. It also needs a wealth of IT talent from which to build a team of experts capable of responding to the latest threats.
Finding this combination is already a tall order, without even factoring in cost. This is not an area of operations where you want to cut corners, so low cost locations that don’t offer the quality needed are out of the question. On the other hand, building a team of high quality IT experts is prohibitively expensive in many cities and countries.
Lithuania offers quality infrastructure and talent
Lithuania offers the IT infrastructure and talent businesses need for cyber security, and at competitive costs compared to other EU locations.
Ranked 4th in the Global Cyber Security index, Lithuania’s IT infrastructure is well suited to cyber security operations. It is robust, with a strong focus at the executive level on cyber readiness and resilience. In 2017 Lithuania established a National Cyber Security Centre, and the following year a National Cyber Security Strategy was approved. This strategy covers not only the government, but also a wide range of non-governmental organizations, private sector players, and scientific and educational institutions. This means the whole ecosystem is building resilience, as shown by the introduction of advanced warning systems at critical infrastructure facilities last year.
In terms of talent, there are currently 38,000 IT professionals in Lithuania, with a further 10,600 students enrolled in IT studies. Funding for IT studies was recently doubled, ensuring further growth in the flow of IT talent. The government has also invested in an upskilling project focused on key areas including cyber security and AI, with the aim of adding new specialists to the market. Universities in Lithuania’s two largest cities, Vilnius and Kaunas, offer dedicated programmes for cyber security specialists, including MScs in Information and Information Technology Security, a BSc programme in Information Systems and Cyber Security and an MSc in Cybersecurity Management.
This means the level of quality, in terms of both talent and infrastructure, is comparable to other leading EU destinations. But, unlike those locations, Lithuania is a far more cost-competitive option.
Cost advantages to help you build the right team
Junior IT staff such as database administrators or Unix/Linux administrators can be hired for around €2,000 per month, including taxes. The average salary for a senior QA specialist with 5 years’ experience is €2,700 tax inclusive, while a senior cyber security specialist with 5 years’ experience earns €3,360. This means assembling a skilled cyber security team which includes highly experienced professionals is affordable and sustainable in Lithuania.
What’s more, Lithuania has the 3rd most affordable internet rates in Europe, and office rental costs are also highly competitive. As a result, overheads for GBS centres are also low in comparison with other EU locations.
Nasdaq, Moody’s, Oracle and more
These strong fundamentals have attracted some of the world’s largest companies to set up cyber security teams in Lithuania. Moody’s established a GBS centre in Vilnius in early 2019 which is planned to include an advanced cyber security unit. In fact, the availability of talent in this area was one of the major reasons Moody’s chose Lithuania, as Duncan Neilson, SVP HR Regional Lead EMEA, explained when the centre was announced: “Given our goals of hiring diverse talent and further developing our automation and cyber security capabilities, choosing Lithuania as our newest EU location makes good business sense.”
Nasdaq also operates an IT centre in Vilnius. This centre has been developing constantly since its establishment in 2015 – it grew from 30 to 300 FTEs in 3 years – and includes a cyber security team. On a visit to Lithuania, Nasdaq’s CEO and president Adena Friedman noted the strength of the IT talent available. “This place has a great talent pool,” she commented. “At first we thought Lithuania was a centre of low cost, but today Vilnius is a centre of professionalism for us. This city is going to be an ever more important player for us.”
Overall, almost 10% of the GBS centres in Lithuania perform cyber security functions. This includes GBS centres of companies such as Danske Bank, DXC Technology, Outokumpu, Devbridge Group, TransUnion and many more. And the number is growing all the time.
Cyber security products developed in Lithuania
Lithuanian cyber security teams are adept at product development as well. Oracle runs an office of 50 specialists in Kaunas who develop a range of products, including web application firewalls, and advanced API, DDoS, and cloud-based malware protection. According to Leon Kuperman, Vice President of the company’s software development division Oracle Dyn, the Kaunas team will be further expanded: “We are planning significant growth in the region, so we may need to move to a bigger office.”
TransUnion has a special team of Lithuanian cyber security specialists who continuously monitor the online security of more than 1,200 company employees and the information systems of TransUnion’s corporate customers worldwide. “The platform monitoring teams who are working on cyber security are the only TransUnion UK teams that operate 24/7, ensuring the uninterrupted and stable operation of all systems,” says Jonas Lukošius, Manager of TransUnion’s Kaunas office.
There are a number of other cyber security development teams operating in the Kaunas-Vilnius hub. NRD Cyber Security focuses on offering protection for public service providers, law enforcement, critical infrastructure and more, while US-based Arxan offers guarding solutions injected directly into its clients’ binary code. “We currently have offices in the US, the UK, and Japan,” says Andrew Whaley, Arxan’s SVP Head of Engineering. “In the near future, Vilnius has the potential to become our largest software development office.” Then there is CUJO AI, a Lithuanian tech company that develops AI-based online security solutions.
More talent and expertise
This developed ecosystem, combined with the range of cyber security training opportunities offered by local universities, means there is plenty of know-how and experience on offer in Lithuania. Existing players are actively involved in training up new talent – Moody’s cooperates with ISM business school, Oracle offers its own multi-level training programme, and Danske Bank offers flexible arrangements to students so they can begin working while they complete their studies.
Therefore, as the sector matures, an even deeper pool of expertise in cyber security will be available to companies looking to establish GBS centres in Lithuania.
The original article can be found here.
NoScript 11.0.17 should solve this issue. Automatic updates of NoScript are enabled by default, so you should get this fix automatically.
Things could be worse. Last year, a problem with digital signatures caused Firefox and Tor to temporarily stop trusting lots of add-ons, including NoScript. Unsure of what was going on, cautious users who understood NoScript’s importance had stopped using Tor until the problem was fixed.
Consumers and businesses alike have been scrambling to take steps to protect themselves from the coronavirus, from flocking to stores to buy out supplies of hand sanitizer, to encouraging workers to avoid large gatherings and work remotely. While we hope our customers are taking the necessary steps to stay healthy (check out best practices from the World Health Organisation here), in addition to health risks, there are increased cybersecurity risks, too. The European Central Bank recently issued a warning to banks about the heightened potential for cybercrime and fraud, as many users are opting to stay at home and use remote banking services during the coronavirus outbreak. At a time of uncertainty and vulnerability for many, hackers and fraudsters are taking advantage of fear surrounding the virus as it continues to spread across the globe. We pulled together the following tips to help you improve your cybersecurity hygiene during this time:
1) According to recent PCI Pal research, almost half (47%) of Americans use the same password across multiple sites and apps. We all know this is a big cybersecurity no-no, but it’s especially important during times of heightened risk that we ensure our passwords are unique and secure. Consider updating your passwords and using a password manager tool to improve account security.
2) In addition to varying passwords, consider adopting two-factor authentication for accounts – most services offer some sort of two-factor authentication, yet 23% of Americans report they have never used these tools to protect passwords or payments! Take advantage of these tools – especially if you’re going to be engaging with more digital services while you stay home to wait out coronavirus.
3) In addition to online fraud, there’s also an increased risk for phone fraud – whether you’re engaging with a customer service agent from your bank over the phone or simply ordering takeout. When speaking with a customer service representative, make sure you double check their credentials and only use the phone number provided by the company’s website.
4) For businesses looking to protect customer data during this time, consider PCI compliance, the strongest standard for payment security. PCI compliance standards can help protect your customers from data breaches and hacks – even when they ignore the above steps to protect themselves!
5) Phishing scams relating to Coronavirus will be prevalent, including emails pretending to offer advice from governments and the World Health Organisation. Scammers will use such techniques to infect your laptop/PC and gain access into your systems. Every care should be taken before opening such communications.
Contact us today to learn how PCI Pal’s solutions can help ensure your customers’ sensitive payment information is safe from opportunistic fraudsters.
The post Coronavirus and cybersecurity crime appeared first on PCI Pal.
*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Stacey Richards. Read the original post at: https://www.pcipal.com/en/knowledge-centre/news/coronavirus-and-cybersecurity-crime/
Anyone who’s seen the 1984 hit movie Ghostbusters likely recalls the pivotal scene where a government bureaucrat orders the shutdown of the ghost containment unit, effectively unleashing a pent-up phantom menace on New York City. Now, something similar is in danger of happening in cyberspace: Shadowserver.org, an all-volunteer nonprofit organization that works to help Internet service providers (ISPs) identify and quarantine malware infections and botnets, has lost its longtime primary source of funding.
Shadowserver provides free daily live feeds of information about systems that are either infected with bot malware or are in danger of being infected to more than 4,600 ISPs and to 107 national computer emergency response teams (CERTs) in 136 countries. In addition, it has aided the FBI and other nations’ federal law enforcement officials in “sinkholing” domain names used to control the operations of far-flung malware empires.
In computer security lexicon, a sinkhole is basically a way of redirecting malicious Internet traffic so that it can be captured and analyzed by experts and/or law enforcement officials. Typically, a sinkhole is set up in tandem with some kind of legal action designed to wrest control over key resources powering a malware network.
Some of these interventions involving Shadowserver have been documented here, including the Avalanche spam botnet takedown, the Rustock botnet takeover, the Gameover malware botnet seizure, and the Nitol botnet sneak attack. Last week, Shadowserver was instrumental in helping Microsoft kneecap the Necurs malware network, one of the world’s largest spam and malware botnets.
Sinkholing allows researchers to assume control over a malware network’s domains, while redirecting any traffic flowing to those systems to a server the researchers control. As long as good guys control the sinkholed domains, none of the infected computers can receive instructions about how to harm themselves or others online.
And Shadowserver has time and again been the trusted partner when national law enforcement agencies needed someone to manage the technical side of things while people with guns and badges seized hard drives at the affected ISPs and hosting providers.
But very recently, Shadowserver got the news that the company which has primarily funded its operations for more than 15 years, networking giant Cisco Systems Inc., opted to stop providing that support.
Cisco declined to respond to questions about why it withdrew funding. But it did say the company was exploring the idea of supporting the organization as part of a broader support effort by others in the technology industry going forward.
“Cisco supports the evolution of Shadowserver to an industry alliance enabling many organizations to contribute and grow the capabilities of this important organization,” the company said in a written statement. “Cisco is proud of its long history as a Shadowserver supporter and will explore future involvement as the alliance takes shape.”
To make matters worse, Shadowserver has been told it needs to migrate its data center to a new location by May 15, a chore the organization reckons will cost somewhere in the neighborhood of $400,000.
“Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased,” Shadowserver wrote in a blog post published today about their financial plight.
The Shadowserver Foundation currently serves 107 National computer emergency response teams (CERTs) in 136 countries, more than 4,600 vetted network owners and over 90% of the Internet, primarily by giving them free daily network reports.
“These reports notify our constituents about millions of misconfigured, compromised, infected or abusable devices for remediation every day,” Shadowserver explained.
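The sinkhole data flow described in this article (beacons from infected hosts arriving at domains the good guys now control, turned into daily per-network reports) as an added Python example. This is not Shadowserver's code or feed format: the log layout, field names, netblock ownership table and all addresses are constructed assumptions. It collapses the many beacons one victim sends into a single reportable host, attributes each host to a network owner by longest-prefix match, and sets aside hits from address space that no constituent has claimed.

```python
"""Turn sinkhole hit logs into per-network remediation reports.

Added example, not Shadowserver's code or feed format. The log layout,
field names, netblock ownership table and all addresses below are
constructed for illustration (documentation/TEST-NET ranges).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sinkhole log: timestamp, source IP, sinkholed C2 domain, malware family.
# Each line is one beacon from an infected host to a domain the sinkhole now answers for.
SINKHOLE_LOG = """\
2020-03-13T00:01:10Z 198.51.100.23 c2.sinkholed.example familyA
2020-03-13T00:02:44Z 198.51.100.23 c2.sinkholed.example familyA
2020-03-13T00:05:01Z 198.51.100.77 update.sinkholed.example familyB
2020-03-13T01:11:59Z 203.0.113.9 c2.sinkholed.example familyA
2020-03-13T01:12:03Z 192.0.2.200 panel.sinkholed.example familyC
2020-03-13T02:00:00Z 198.51.100.23 c2.sinkholed.example familyA
"""

# Constructed table mapping netblocks to the vetted network owner who receives the report.
NETBLOCKS = {
    "198.51.100.0/24": "isp-one",
    "203.0.113.0/24": "isp-two",
}


def parse_log(text):
    """Parse whitespace-separated log lines into hit records; skips blanks and comments."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, domain, family = line.split()
        hits.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ipaddress.ip_address(ip),
            "domain": domain,
            "family": family,
        })
    return hits


def owner_of(ip, netblocks):
    """Longest-prefix match of an address against the ownership table; None if unknown."""
    best = None
    for cidr, owner in netblocks.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None


def build_reports(hits, netblocks):
    """Group hits by network owner, one entry per victim IP (many beacons -> one victim)."""
    reports = defaultdict(dict)
    unattributed = []  # hits from space nobody has claimed; kept for manual follow-up
    for h in hits:
        owner = owner_of(h["ip"], netblocks)
        if owner is None:
            unattributed.append(h)
            continue
        entry = reports[owner].setdefault(str(h["ip"]), {
            "families": set(), "first_seen": h["ts"], "last_seen": h["ts"], "hits": 0})
        entry["families"].add(h["family"])
        entry["first_seen"] = min(entry["first_seen"], h["ts"])
        entry["last_seen"] = max(entry["last_seen"], h["ts"])
        entry["hits"] += 1
    return dict(reports), unattributed


def render_report(owner, entries):
    """One text line per infected host, sorted by address, preceded by a header line."""
    lines = [f"# sinkhole report for {owner}: {len(entries)} infected host(s)"]
    for ip in sorted(entries, key=ipaddress.ip_address):
        e = entries[ip]
        lines.append(f"{ip} families={','.join(sorted(e['families']))} "
                     f"hits={e['hits']} first={e['first_seen'].isoformat()} "
                     f"last={e['last_seen'].isoformat()}")
    return lines


if __name__ == "__main__":
    reports, unattributed = build_reports(parse_log(SINKHOLE_LOG), NETBLOCKS)
    for owner, entries in sorted(reports.items()):
        print("\n".join(render_report(owner, entries)))
    print(f"# {len(unattributed)} hit(s) from unattributed address space")
```

The report carries only what a network owner needs to find and clean the host (address, family, first and last beacon), which is the shape of notification the article describes; the unattributed bucket matters because hits from unclaimed space are the ones no report will ever reach.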
The group is exploring several options for self-funding, but Shadowserver Director Richard Perlotto says the organization will likely depend on a tiered “alliance” funding model, where multiple entities provide financial support.
“Many national CERTs have been getting our data for free for years, but most of these organizations have no money and we never charged them because Cisco paid the bill,” Perlotto said. “The problem for Shadowserver is we don’t blog about our accomplishments very frequently and we operate pretty quietly. But now that we need to do funding it’s a different story.”
Perlotto said while Shadowserver’s data is extremely valuable, the organization took a stance long ago that it would never sell victim data.
“This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services,” he said. “Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime.”
Most immediately, Shadowserver needs to raise approximately $400,000 by the end of this month to manage the migration of its 1,300+ servers out of Cisco’s California data center into a new facility.
Anyone interested in supporting that migration effort can do so directly here; Shadowserver’s contact page is here.
Update 10:46 a.m., ET: Added comment from Cisco.
Tags: Cisco Systems, Richard Perlotto, Shadowserver Foundation
View full post on National Cyber Security
13 March 2020 at 12:45 UTC
Updated: 13 March 2020 at 12:49 UTC
Don’t Panic: Potentially wormable flaw only present in latest systems
Microsoft released an out-of-band security update to patch a remote code execution (RCE) vulnerability impacting Server Message Block (SMB) on Thursday, just two days after its regular Patch Tuesday releases.
The software vendor was obliged to rush out a fix after a security partner inadvertently disclosed details of the flaw, which is of a type previously exploited by high-profile threats such as the WannaCry worm.
If left unaddressed, the vulnerability (CVE-2020-0796) in Microsoft SMB 3.1.1 (SMBv3) could be exploited by a remote attacker to plant malicious code on vulnerable systems.
Exploitation would involve sending specially crafted compressed data packets to a targeted SMBv3 server.
The flaw stems from bugs in how “Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests”, an advisory from Microsoft explains.
New flaws on the Block
SMB is a network protocol used for sharing access to files and printers. An older version of it, SMBv1, was the target of the EternalBlue exploit (CVE-2017-0144) harnessed by the infamous WannaCry ransomware.
The vulnerability lies in SMBv3.1.1 compression, a feature added in Windows 10 version 1903, so older versions of Windows, which do not support it, are not affected.
Both Windows 10 clients and Windows Server, version 1903 and later, need patching.
Preliminary scans by security experts suggest only 4% of publicly accessible SMB endpoints are vulnerable.
Microsoft has published server-side workarounds for organizations running affected software that cannot roll out the patch quickly: disabling SMBv3 compression via a registry value (no reboot required), and blocking TCP port 445 at the enterprise perimeter firewall. Both have limits: disabling compression protects only the SMB server role, not a client that connects to a malicious SMBv3 server, and a perimeter block does nothing against an attacker who is already inside the network.
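As an added example (not code from the original article), the following PowerShell applies and verifies the server-side workaround described above, using the DisableCompression registry value documented in Microsoft's advisory ADV200005. It assumes an elevated session on a build that actually ships SMBv3.1.1 compression (Windows 10 and Windows Server version 1903 is build 18362, version 1909 is build 18363); the firewall rule name is a placeholder. The registry value hardens the SMB server role only: an unpatched client that connects to a hostile SMBv3 server remains exposed until the update is installed.

```powershell
# Added example: apply and verify the CVE-2020-0796 server-side workaround.
# Assumes an elevated PowerShell session on Windows 10 / Server 1903 or 1909.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

if ($build -lt 18362) {
    # Builds before 1903 never had SMBv3.1.1 compression, so the bug is absent.
    Write-Host "Build $build predates SMBv3.1.1 compression; no workaround needed."
} else {
    # A missing value or 0 means compression is enabled (vulnerable if the
    # March 2020 update has not been installed).
    $current = (Get-ItemProperty -Path $paramsKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    $before = if ($null -eq $current) { 'not set (compression enabled)' } else { $current }
    Write-Host "DisableCompression before: $before"

    # Workaround from Microsoft's advisory: disable SMBv3 compression on the
    # server side. Takes effect immediately, no reboot required.
    Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force

    # Verify the value actually landed; fail loudly if it did not.
    $after = (Get-ItemProperty -Path $paramsKey -Name DisableCompression).DisableCompression
    if ($after -ne 1) { throw "DisableCompression is '$after', expected 1" }
    Write-Host "DisableCompression after: $after"

    # Defence in depth for hosts that must not serve SMB to untrusted networks:
    # block inbound TCP 445 on the Public profile. Rule name is a placeholder.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (CVE-2020-0796 workaround)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public `
        -ErrorAction SilentlyContinue | Out-Null

    # To revert once the security update is installed:
    #   Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 0 -Force
}
```

Run it once per host, re-run after patching to confirm the value you want to keep, and remember that the firewall rule only covers the Public profile; hosts on a Domain or Private network that should not expose SMB need the same rule applied to those profiles.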
Satnam Narang, principal security engineer at security tools vendor Tenable, commented: “The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog.
“Soon after the accidental disclosure, references to it were removed from the blog post.”
At the time of writing, no proof of concept exploit code for CVE-2020-0796 has been publicly released.
Narang added that how readily exploitable this vulnerability might prove to be currently remains unknown.
“This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang explained.
“It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.”
The post #hacking | Windows SMB: Accidental bug disclosure prompts emergency security patch appeared first on National Cyber Security.
Intel’s March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company’s Graphics drivers.
There are 17 of these all told, including six rated high severity, starting with CVE-2020-0504, a buffer overflow leading to denial of service whose CVSS score of 8.4 suggests the need for prompt attention.
Intel doesn’t offer much detail on the individual flaws beyond the fact they allow the usual trio of privilege escalation, information disclosure and denial of service, all of which require local access.
Beyond this lie fixes for another 11 flaws affecting product lines including SmartSound, BlueZ, the Max 10 FPGA, the NUC firmware, and the Programmable Acceleration Card (PAC) N3000.
However, the star flaw of the month is the Load Value Injection (LVI) weakness (CVE-2020-0551), publicised this week by a diverse group of mainly academic security researchers.
Following in the footsteps of a series of chip-level flaws with impressive names (Spectre, Meltdown, Fallout, ZombieLoad, RIDL, CacheOut), this one is what might light-heartedly be called a ‘NOBWAIN’ (Not a Bug With an Impressive Name).
According to the researchers, LVI is unlike previous side-channel processor attacks:
Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle – ‘inject’ – the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.
Reported to Intel last April, it's a novel technique which could, for example, be used to steal data from Software Guard Extensions (SGX) enclaves, the protected memory regions in post-2015 Intel processors used to hold things like encryption keys, digital certificates, and passwords.
There is no simple fix for LVI, the researchers say: the mitigation they describe is compiler-based, inserting serialising lfence instructions after potentially vulnerable loads, at a substantial performance cost. Intel said it would release mitigations for the SGX platform and software development kit from this week. Beyond that, it downplayed the issue:
Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted.
The full list of affected processors can be found on Intel’s website, essentially all processors that come with SGX.
For now, because LVI remains a research demonstration, it isn't an issue the average Intel user needs to worry about. There are no known in-the-wild exploits of this, or of any of the previous transient-execution flaws disclosed since Spectre and Meltdown were made public more than two years ago.
However, it’s clear that chip designers have some work on their hands building defences against these attacks into future hardware. These days, buyers largely upgrade to achieve higher processor performance. It now looks as if security might soon be just as compelling a reason.
The post Intel patches graphics drivers and offers new LVI flaw mitigations – Naked Security appeared first on National Cyber Security.
It’s a rule of thumb in cybersecurity that the more sensitive your system, the less you want it to touch the internet. But as the US hunkers down to limit the spread of Covid-19, those same security measures present a difficult technical challenge to remote work for employees at critical infrastructure operators, intelligence agencies, and anywhere else with high-security networks. In some cases, working from home isn’t an option at all.
Companies with especially sensitive data or operations often limit remote connections, segment networks to limit a hacker’s access if they do get in, and sometimes even disconnect their most important machines from the internet altogether. Late last week, the US government’s Cybersecurity and Infrastructure Security Agency issued an advisory to critical infrastructure companies to prepare for remote work scenarios as Covid-19 spreads. That means checking that their virtual private networks are patched, implementing multi-factor authentication, and testing out remote access scenarios.
But cybersecurity consultants who actually work with those high-stakes clients—including electric utilities, oil and gas firms, and manufacturing companies—say that it’s not always so simple. For many of their most critical customers, and even more so for intelligence agencies, remote work and security don’t mix.
“Organizations are realizing that work-from-home would be very difficult to execute,” says Joe Slowik, who previously led the computer emergency response team at the Department of Energy before joining the critical-infrastructure-focused security firm Dragos. “This should be a fairly good wake-up call. You need to figure out a way that if individuals cannot physically access the control system environment for a service that cannot stop, like electricity, water, and wastewater or similar services, you ensure continuous operation—even in the face of an environment where you might be risking your employees’ lives if they continue to commute into the office.”
For many industrial networks, the highest standard of security is an “air gap,” a physical disconnect between the inner sanctum of software connected to physical equipment and the less sensitive, internet-connected IT systems. But very few private-sector firms, with the exception of highly regulated nuclear power utilities, have implemented actual air gaps. Many companies have instead attempted to restrict the connections between their IT networks and their so-called OT or operational technology networks—the industrial control systems where the compromise of digital computers could have dangerous effects, such as giving hackers access to an electric utility’s circuit breakers or a manufacturing floor’s robots.
Those restricted connections create chokepoints for hackers, but also for remote workers. Rendition InfoSec founder and security consultant Jake Williams describes one manufacturing client that carefully separated its IT and OT systems. Only “jump boxes,” servers that bridge the divide between sensitive manufacturing control systems and non-sensitive IT systems, connected them. Those jump boxes run very limited software to prevent them from serving as in-roads for hackers. But they also only support one connection at a time, which means the company’s IT administrators have found themselves vying for access.
“Administrators are bumping each other off as they try to work and log in,” says Williams. “These jump boxes that were built to facilitate secure remote access in emergency situations weren’t built to support this situation where everyone is performing routine maintenance and operations remotely.”
For the most critical of critical infrastructure, however, like power plants and oil refineries, remote work isn’t just leading to technical snafus. It’s often impossible for many staffers, says Chris Sistrunk, a security consultant for FireEye who formerly worked as an electrical engineer for power utility Entergy. “There’s no way to fully remotely run some of those plants,” Sistrunk says. “You don’t work from home. Essential engineers and operators will always be there 24/7.”
In those scenarios, Dragos’ Slowik says, companies have to instead try to limit the biological exposure of their most critical operations teams to prevent them from being quarantined—which is often easier said than done, given that they’re free to mingle with potentially infected people during their off-hours. “It’s a real touchy subject,” says Slowik. “You need them available at the office, and you can only restrict them to a certain extent—because we’re not China–so how does that balance out?”
The post High-Stakes Security Setups Are Making Remote Work Impossible appeared first on National Cyber Security.
Top law enforcement and intelligence community officials briefed members of Congress on election security in a pair of panels Tuesday afternoon, telling lawmakers they had “nothing to support” the notion that Russian President Vladimir Putin favored one candidate or another or had ordered actions on any given candidate’s behalf. They said the Russian government’s objective was to sow discord in U.S. political processes, sources said.
Three sources familiar with Tuesday’s briefing said there were inconsistencies between the election security assessment delivered Tuesday and the one given to the House Intelligence Committee last month.
It appeared to two sources familiar with both February’s and Tuesday’s briefings that the assessment delivered Tuesday was crafted to avoid saying the Russian government had established a preference for Mr. Trump, a conclusion that had been expressed by representatives from multiple intelligence agencies before that panel in February.
Lawmakers were also briefed last month on Russia’s efforts to.
Separately, three sources also said the intelligence community has not yet furnished intelligence that members of both parties had requested in the February closed-door session that supported the assessment that the Russian government had developed a preference for President Trump.
Richard Grenell, the acting director of national intelligence, was not among the officials briefing members of the House and Senate. President Trump made the controversial decision to tap Grenell as acting DNI last month. Grenell, the U.S. ambassador to Germany, has virtually no national intelligence experience.
Members heard from FBI Director Christopher Wray, Acting Homeland Security Secretary Chad Wolf, Cybersecurity and Infrastructure Security Agency Director Chris Krebs, and Assistant Attorney General John Demers, among other officials. Instead of Grenell, Bill Evanina, the director of the National Counterintelligence and Security Center, represented the Office of the Director of National Intelligence (ODNI).
An ODNI spokesperson said that the FBI and DHS are in charge of securing the U.S. elections, and the intelligence community was participating in the briefings “in support of that mission.” The intelligence community’s efforts are focused on “detecting and countering foreign election-related threats,” the spokesperson said.
Pierson, the election security threats executive at ODNI, also did not appear at the briefing. Pierson’s position at ODNI appeared to be in jeopardy after the president learned she had delivered a February 13 assessment on, among other things, Russian election interference before lawmakers on the House Intelligence Committee. The assessment, which was based on intelligence collected by multiple agencies, indicated that Russia had established a preference for Mr. Trump, multiple sources familiar with the briefing told CBS News.
The president was infuriated that Democrats on the committee, including Chairman Adam Schiff, who served as lead House manager during last month’s impeachment proceedings, were briefed on information that Mr. Trump feared could be used as a political weapon against him. He was informed of the briefing by House Republicans, though it is not clear how the substance of the briefing was characterized.
After learning of the briefing, Mr. Trump summoned Joseph Maguire, who had been serving as acting director since August, to explain why it had taken place. Days later, the president named Grenell to the role, and Maguire resigned from government. Administration sources have contended that Maguire’s ouster was unrelated to the president’s displeasure with the House briefing.
However, Pierson said in February that she would not be dismissed from her position and that she had the support of Grenell.
“Ambassador Grenell has not asked me to leave,” Pierson said. “In fact, he has encouraged and affirmed his support for my position here in the organization. I have not asked to depart nor discussed resignation in any way.”
Grace Segers contributed to this report.