Archive

Category Archives for "Security"

People can’t read (Equifax edition)

One of these days I'm going to write a guide for journalists reporting on the cyber. One of the items I'd stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasn't explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didn't explicitly write it. Other times, though the imagined subtext is not what the writer intended at all.


A good example is the recent Equifax breach. The original statement says:
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.
The word consumers was widely translated to customers, as in this Bloomberg story:
Equifax Inc. said its systems were struck by a cyberattack that may have affected about 143 million U.S. customers of the credit reporting agency
But these aren't the same thing. Equifax is a credit rating agency, keeping data on people who are not its own customers. It's an important difference.


Another good example is yesterday's quote "confirming" that Equifax is confirming the "Apache Struts" vulnerability was to blame:
Equifax has been intensely Continue reading

New BlueBorne Vulnerability to Bluetooth Devices – What happened and what to do about it

Billions of Bluetooth-enabled devices may be exposed to a new remote attack called “BlueBorne”, even without user interaction or pairing. Affected systems include Windows, iOS (older than iOS 10), the Linux kernel, and Android. What should you do about it?

Bluetooth is ubiquitous, commonly connecting accessories like headsets and keyboards, but is also used throughout the brave new Internet of Things (IoT) world. An attacker exploiting these BlueBorne vulnerabilities can mount a man-in-the-middle attack, or even take control of a device without the user even noticing it.

The vulnerabilities were discovered by a security company called Armis earlier this year. Researchers reached out to the companies responsible for vulnerable implementations that lead to the coordinated disclosure (and patches) on September 12. (You can read more about our views on responsible disclosure and collaborative security in Olaf Kolkman’s blog post here.)

This case once again highlights how crucial it is that software update mechanisms are available to fix vulnerabilities, update configuration settings, and add new functionality to devices. There are challenges, both technological and economic, in having update capabilities ubiquitously deployed, as discussed in the recently published Report from the Internet of Things Software Update (IoTSU) Workshop 2016.

Vulnerabilities Continue reading

Making the World Better by Breaking Things

Ben Sadeghipour, Technical Account Manager, HackerOne, and Katie Moussouris, Founder & CEO, Luta Security

Moderator: John Graham-Cumming, CTO, Cloudflare

Photo by Cloudflare Staff

JGC: We’re going to talk about hacking

Katie Moussouris helps people how to work around security vulnerabilities.

Ben Sadeghipour is a technical account manager at HackerOne, and a hacker at night

JGC: Ben, you say you’re a hacker by night. Tell us about this.

BS: It depends who you ask: if they encourage it; or, we do it for a good reason. “Ethical hacker” - we do it for a good reason. Hacking can be illegal if you’re hacking without permission; but that’s not what we do.

JGC: You stay up all night

BS: I lock myself in the basement

JGC: Tell us about your company.

KM: I was invited to brief Pentagon when I worked at Microsoft; The pentagon was interested in the implementation of this idea in a large corporation like Microsoft.
“Hacking the pentagon” The adoption of Bug Bounty has been slow. We were interested in working with a very large company like Microsoft. There was interest in implementing ideas from private sector at Pentagon. I helped the internal team at Continue reading

The View from Washington: The State of Cybersecurity

Avril Haines, Former Deputy National Security Advisor, Obama Administration

Moderator: Doug Kramer, General Counsel, Cloudflare

Photo by Cloudflare Staff

Avril began her career on the National Security Council, and went on to become the first female deputy at the CIA.

DK: How will cyber will play a role in military operations?

AH: We look at it from the perspective of “asymmetric threats”; state actors (those who have high-value assets that they can hold at risk with no threat to them). The US is more technologically advanced and relies on cyber more and more; we are as a consequence more vulnerable to cyber threats. Asymmetric threats thus hold at risk those things that are most important to us.

In the cyber realm we can’t quite define what constitutes a use of force, and saying so can be used against us. So this is an area that is crucial to continue working in; in many respects the US has the most to lose from using a framework that doesn’t work.

“The private sector is utterly critical in creating a framework that is going to work.”

We want to have widely-accepted norms and rules so that we can ask other countries Continue reading

Will Ransomware Die?

Ransomware has been one of the more prevalent security topics for past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.

Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.

So if these types of attacks fail to produce recovery options and gain widespread coverage, this trust is further eroded. To some degree this has already happened with Nyetya.

TALOS – New Ransomware Variant “Nyetya” Compromises Systems Worldwide

 

Without analyzing the key generation or key storage components, Talos believes Continue reading

Will Ransomware Die?

Ransomware has been one of the more prevalent security topics for past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.

Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.

So if these types of attacks fail to produce recovery options and gain widespread coverage, this trust is further eroded. To some degree this has already happened with Nyetya.

TALOS – New Ransomware Variant “Nyetya” Compromises Systems Worldwide

 

Without analyzing the key generation or key storage components, Talos believes Continue reading

Will Ransomware Die?

Ransomware has been one of the more prevalent security topics for past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.

Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.

So if these types of attacks fail to produce recovery options and gain widespread coverage, this trust is further eroded. To some degree this has already happened with Nyetya.

TALOS – New Ransomware Variant “Nyetya” Compromises Systems Worldwide

 

Without analyzing the key generation or key storage components, Talos believes Continue reading

Secure Multi-Tenancy at Scale with Docker Enterprise Edition

With the latest release of Docker Enterprise Edition (EE), enterprise organizations are able to extend the benefits of containers across their entire application portfolio. Docker EE enables rapid modernization of traditional Windows and Linux applications as well as Linux applications running on IBM Z mainframes. By addressing all of these applications, Docker EE provides the opportunity to standardize around a common packaging format for greater portability, agility, and with an additional layer of security, resulting in more teams bringing their workloads into Docker EE.

The key to operating this diverse environment is to have a way to secure and isolate the applications and the multiple teams who build, ship, and deploy them. This release of Docker Enterprise Edition makes it possible for organizations to modernize traditional applications of every variety and to do so in a secure manner that aligns to complex organizational needs.

Building a Secure Software Supply Chain for Windows Applications

 

Windows applications make up about half of all enterprise applications. Docker has been working closely with Microsoft to ensure that the same security benefits that are available to Linux containers are also available to Windows Server containers. When Windows containers are managed with Docker EE, organizations Continue reading

Ensuring Good with VMware AppDefense

co-author Geoff Wilmington

Traditional data center endpoint security products focus on detecting and responding to known bad behavior. There are hundreds of millions of disparate malware attacks, with over a million getting added every day.  In addition, there is the threat of zero-day attacks exploiting previously unknown vulnerabilities. It becomes a never-ending race to “chase bad” without ever staying ahead of the threat landscape.  What if we took an opposite approach to security?  What if, instead of  “chasing bad” we started by “ensuring good”?

VMware AppDefense is a new security product focused on helping customers build a compute least privilege security model for data center endpoints and provide automated threat detection, response, and remediation to security events. AppDefense is focused on “ensuring good” versus “chasing bad” on data center endpoints.  When we focus our attention on what a workload is supposed to be doing, our lens for seeing malicious activity is much more focused and as a result, we narrow the exploitable attack surface of the workload down to what we know about.

 

Changing The Way We Secure Compute

AppDefense applies the concept of “ensuring good” by using three main techniques:

Capture

AppDefense starts by capturing Continue reading

DNS over TLS: experience from the Go6lab

After the experiment with DPRIVE at IETF99, we thought we’d try to implement it in the Go6lab and see how this actually works in day-to-day reality.

The first step was to take a look at https://dnsprivacy.org/wiki/ as we had a feeling this might be the best source for information around this topic. There’s a ton of info about DNS over TLS, but what we were really looking for was simple instructions on how to setup a recursive DNS server to serve DNS responses over TLS (port 853), as well as how to setup a local client on our device that could talk to the server and accept local DNS queries over TLS, thereby protecting our DNS communications over the Internet.

We decided that running a  TLS proxy was not the way to do it, so we used CentOS 7 VPS with Unbound installed. After some time and with extensive help from Willem Toorop from NLnet Labs (thanks Willem!!!) we managed to navigate the setup process for server and client.

Firstly, we installed the default Unbound from the CentOS7 default yum repositories, which turned out not to be a very good idea, as this version is 1.4.20 Continue reading

1 112 113 114 115 116 177