A Recent Survey of Security Professionals
April 3, 2019
NISC interviewed 300 security professionals from the US, France, Germany, Italy, Spain, and the UK about current threats. DDoS attacks ranked as the highest threat, and this is definitely tied to the growing concern of IoT bots being weaponized. 48% of respondents said that DDoS attacks intensified in November and December of 2018. A close second was system compromise, which is a broad category that could cover a lot of things. Ransomware ranked third, and when you compare its rank to the average score of surveys it is evident that it is becoming relatively less of a concern. Financial theft and intellectual property are tied with ransomware as a leading threat, but when considering second and third leading concerns, they rank fourth and fifth respectively. Insider threat takes sixth place.
There is some overlap in the definition of these threats. As I’m reading about DDoS, I’ve found that while availability is the primary target of these attacks, they can also plant malware in a system and companies are reporting theft at the same time as a DDoS attack. So for DDoS to take first place and perhaps encapsulate some of the lower concerns as well is quite amazing. DDoS is hard to protect against since you are outnumbered to begin with and it takes a lot of resources to not only detect and fight against but to then be able to service legitimate customers at the same time.
https://www.bleepingcomputer.com/news/security/ddos-attacks-ranked-as-highest-threat-by-enterprises/
SonicWall’s Cyber Threat Report
March 26th, 2019
SonicWall released their 2019 Cyber Threat Report today, which shows significant increases in cyber attacks and malware. They also discovered over 74,000 new types of attacks, some of which were side-channel attacks. A side-channel attack is one in which a byproduct of some system (like execution time or even heat generated) gives off information that turns out to be of use when exploiting it. The concern over processor vulnerabilities is growing and could have an unprecedented impact. 19.2% of malware attacks are using non-standard ports, an 8.7% increase from the previous year. In all, 10.52 billion malware attacks were detected, an increase of 22%. Ransomware’s growth from last year was 11%. Encrypted malware grew 27% to 2.8 million. There were many other noteworthy results, but no summary of the results would be adequate without mentioning the IoT. There was a 217.5% increase in IoT attacks, totaling 32.7 million.
https://siliconangle.com/2019/03/26/sonicwall-report-paints-sobering-picture-cyberthreat-trends/
https://www.marketwatch.com/press-release/annual-sonicwall-cyber-threat-report-details-rise-in-worldwide-targeted-attacks-2019-03-26
End of Support for Windows 7
March 20, 2019
Microsoft is ending routine security patches for Windows 7 and Windows Server 2008 in January 2020. While Extended Security Updates (ESU) are available via paid subscription in one-year increments for 3 years for Windows 7 Enterprise, extended support is not offered for Windows Server 2008. Attackers are certainly more aware of this vulnerability than the people running these older operating systems, so Microsoft is pushing for people to upgrade to Windows 10. They recommend moving to new PCs as well, but anything running Windows 7 should be able to run Windows 10. Upgrading shouldn’t be a problem, but there will still be many out there who won’t do it. When you think of how attackers can use a compromised system, you can see how this is more than just a security concern for the end user.
https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support
https://www.technewsworld.com/story/85885.html
Opt-in vs. Opt-out
March 13, 2019
The Senate held a hearing on Tuesday discussing privacy policy with representatives from tech companies like Google and Intel and also organizations such as Californians for Consumer Privacy and the Center for Democracy and Technology. They talked about how current privacy policies are flawed and used Google’s as an example. There are always loopholes in the fine print and words only mean what they say to a certain extent. The goal is to draft a federal privacy law and learn something from the EU’s GDPR which has an opt-in consent policy rather than an opt-out option.
Following the enactment of the GDPR, millions of users were flooded with opt-in requests for new privacy practices. It is comical that some tech giants say this causes click fatigue and they don’t want to overwhelm their users. It is depressing that they might be right. Another argument against this opt-in policy is that it gives the tech companies more power in that they can refuse to sell their products and services to someone who does not opt in. In that regard, it is all the same to me. Opt-in or opt-out, they can still refuse a sale or user. Some of the conversations in this hearing are like reality imitating theatre.
https://www.cnet.com/news/lawmakers-chide-google-for-making-you-work-to-get-out-of-its-services/
NSA Makes Open Source Software Tool
March 6, 2017
On Tuesday, at the RSA security conference in San Francisco, the NSA demonstrated a software tool called Ghidra that is used to reverse engineer malware. It helps to analyze software in order to find out what it does, how capable it is, and where it came from. Because it is open source and free, the demonstrator, cybersecurity advisor Rob Joyce, touted it as a contribution to the cybersecurity community and a recruitment tool for those who would work for the NSA in the future. Ghidra was one of the many hacking tools discussed in Wikileaks’ Vault 7 data dump back in March of 2017. Joyce also sought to preemptively put to rest the paranoia of any people who would ever question the NSA’s intentions. He assured the audience that there is no backdoor in the software.
https://www.wired.com/story/nsa-ghidra-open-source-tool/
Vulnerability in e-Ticketing of Airlines
February 24, 2019
Wandera, a mobile security vendor, discovered a vulnerability in several airlines’ e-ticketing systems. Only 8 airlines were mentioned, but the article seems to state that there were more involved. Only those airlines that had responded were mentioned. The mobile e-ticketing system sent unencrypted check-in links giving access to personally identifiable information (PII) and flight information. A hacker on the same network can intercept login credentials and use them to view PII, change the details of the flight, or even print boarding passes.
Wandera recommends the following solutions and suggestions to avoid getting your information stolen or altered. Airlines should encrypt all communications and require two-factor authentication where PII and checking in are involved. They should also use one-time tokens within any email links. Passengers should avoid logging in and viewing PII on public Wi-Fi networks. Print your boarding passes at home.
https://www.technewsworld.com/story/85836.html
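
One way the one-time-token recommendation above could look on the server side, as an added sketch that is not taken from the article or from any airline's code. The host name, the 15-minute lifetime and the class and function names are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article gives no figure
BASE_URL = "https://checkin.airline.example/c/"  # hypothetical host, HTTPS only


class CheckinTokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (booking_ref, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_link(self, booking_ref):
        """Create a link whose only secret is a random token: no name or PII."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._tokens[self._digest(token)] = (booking_ref, expires_at)
        return BASE_URL + token

    def redeem(self, token):
        """Return the booking reference once; None if unknown, reused or expired."""
        # pop() removes the entry on first use, so an intercepted or forwarded
        # link is dead after the passenger has opened it.
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        booking_ref, expires_at = entry
        if self._clock() > expires_at:
            return None
        # The caller should still require login or a second factor before
        # showing PII or allowing changes; the token only locates the booking.
        return booking_ref
```
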
Concerns over Foreign VPN Software
February 16
Two senators sent a letter to the head of the cyber security department within the DHS addressing concerns over VPN software created by foreign companies. Although the letter didn’t mention it, a recent study showed that 86% of the VPN vendors offering products to Android and iOS users lacked proper security and privacy controls. The senators want to ban the use of these foreign VPNs for federal employees, much like what was done with Kaspersky Labs, a security company based in Moscow.
The concern doesn’t just involve federal employees but American citizens as well. When this VPN is installed, the user is entrusting their data to the companies that make this VPN, and these servers are oftentimes based in foreign countries. The guidelines in their privacy policies on what they can and cannot do with users’ data are sometimes undefined and sometimes an outright violation of privacy.
https://www.information-age.com/cyber-espionage-us-senators-vpns-123479201/
Browser Attacks
February 10, 2019
Researchers from UC San Diego have demonstrated attacks that can be used to identify websites visited from a victim’s browser. The attack code is written in JavaScript and hides itself in an ordinary-looking advertisement. When someone visits the page containing the ad, the code runs through a list of banking websites to see if that user visits them. It does this by sniffing the victim’s browser. It doesn’t even need to look at the browser history. It can tell if the site has been visited before just by the way the browser responds to a URL. Some code can compare 6000 URLs per second against a browser. Once attackers know which sites a user uses, their phishing attacks are more successful. They can present the user with a fake page that looks like the actual page of a bank that they visit. Google Chrome, Microsoft Edge, and Mozilla Firefox were all susceptible to this attack. Only the Tor browser passed the test, as it doesn’t store websites visited in history or any form of cache and so will not react differently to visited sites.
https://www.sciencedaily.com/releases/2018/10/181030102802.htm
Chief Cyber Officer Position
February 3rd, 2019
With the demand on companies to secure their information systems increasing, there may come a push to introduce a new position called the Chief Cyber Officer. It would be close to the current position of Chief Information Security Officer (CISO). The difference, as delineated in this article, arises from the fact that the CISO position has been around a while and was responsible for designing and implementing information security policy and still is. They were also running IT departments, as I understand it, and the author argues the CCO should act as the executive as long as they have the managerial and communication skills necessary and relieve the CISO of this role. As is the case with many IT people, that is not a skill that is inherent to them and they struggle to acquire it. This article is from 2016, but the second link is from December of 2018, still mentioning it as a possible trend that could pick up in 2019.
https://www.isaca.org/Journal/archives/2016/volume-4/Pages/chief-cyber-officer.aspx?utm_referrer=
https://www.information-age.com/10-cyber-security-trends-look-2019-123463680/
Enabling Macros on MS Docs
January 27, 2019
I thought it was very interesting to see the details of how a hacker can gain entry into someone’s computer. Microsoft Word and Excel docs can be sent to you with embedded macros in them. Just think of how many people don’t think twice about enabling macros when they open an MS document. Pop-ups are annoying and you naturally just want to click anything to get rid of them.
Obtaining what they want is a little more complex. The macros run a PowerShell script that downloads malware from the internet. The link below is to an article that describes a data-stealing trojan called Ursnif and a ransomware called GandCrab.
https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html
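
From the defender's side, the macro-to-PowerShell step described above shows up in process-creation logs as Word or Excel starting PowerShell. The following triage sketch is an added example, not code from the linked article: the events are constructed, their field names follow Sysmon process-creation events, and the paths, hosts and severity labels are assumptions.

```python
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Command-line hints that the script fetches something from the network.
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|https?://",
    re.IGNORECASE,
)


def _exe(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return None, 'medium' or 'high' for one process-creation event."""
    if _exe(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if _exe(event["Image"]) not in POWERSHELL_HOSTS:
        return None
    # Office starting PowerShell is already worth an alert; an encoded
    # command hides the download hints, so it still lands here as medium.
    if DOWNLOAD_HINTS.search(event.get("CommandLine", "")):
        return "high"
    return "medium"


def triage(events):
    return [classify(e) for e in events]


# Constructed sample events (not real telemetry).
WORD = r"C:\Office16\WINWORD.EXE"
EXCEL = r"C:\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"ParentImage": EXPLORER, "Image": WORD, "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -Command Invoke-WebRequest http://files.example/a.bin"},
    {"ParentImage": EXCEL, "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand <constructed-placeholder>"},
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -Command Invoke-WebRequest https://intranet.example/t.zip"},
]
```
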
Cyber Security from Israel’s Perspective
January 19, 2019
This video, produced by Vice, does a good job of bringing awareness to the threat of cyber warfare. Regardless of what you think about Israel, it is a country surrounded by its rivals and so it is interesting to hear what Israelis have to say about cyber security. Israel is also a leader in the field of cyber security along with a few other countries. The market there continues to see a lot of investment.
Not surprising to me, when asked if the private security industry is a child of the Israeli military, a journalist and defense correspondent said, yes, absolutely. I wonder how much different that is from anywhere else like here in the US, the UK, or China. One difference is that military service in Israel is mandatory and people who are skilled and interested in it will get a very good education. There is a cyber security division in the military called Unit 8200 that has received attention in the news. You’ll have to watch the video. An organization called Cyberspark is a joint venture of the Israeli military, industry, and academia. According to the CEO of Cyberspark, one of the roles of the military is to act as the HR department scanning for talent. Some of the comments made later in the video about malware already set up in critical infrastructures around the world are quite alarming.
https://www.youtube.com/watch?v=ca-C3voZwpM