Tag Archives: ‘Risk’

Closing the gender gap at cybersecurity conferences

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the under-representation of women at cybersecurity conferences and how it affects the infosec industry.

This week’s Risk & Repeat podcast looks at the lack of women at cybersecurity conferences and explores what can be done to improve those numbers, as well as to increase diversity as a whole in the infosec industry.

Earlier this year, RSA Conference came under fire for having just one woman keynote speaker among nearly two dozen keynote spots. The criticism led members of the infosec community to form a new event, dubbed Our Security Advocates, or OuRSA. And while cybersecurity conferences such as Black Hat 2018 will prominently feature women infosec professionals as keynote speakers, there is still a significant gender gap at cybersecurity conferences.

Why aren’t more women speaking at industry events? How can organizations increase the number of women attending and participating in these events? Is the lack of women at cybersecurity conferences a symptom of the larger gender gap in infosec or a contributor to it? SearchSecurity editors Rob Wright and Maddie Bacon discuss those questions and more in this episode of the Risk & Repeat podcast.

For Sale – Coloredge CX240

Ideal monitor for photographic work.

Collection only as I have no box and don’t want to risk packaging.

Price and currency: £300
Delivery: Goods must be exchanged in person
Payment method: Paypal or COD
Location: Burnley, Lancashire
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

U.S. government eyes offensive cyberattacks

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the risks of the U.S. Cyber Command engaging in offensive cyberattacks against foreign adversaries.

The prospect of the U.S. government using offensive cyberattacks against foreign adversaries appears to be gaining steam.

According to the New York Times, the Pentagon approved a policy that empowers the U.S. Cyber Command to initiate constant offensive cyberattacks designed to disrupt foreign networks. The Times report details a vision statement from military leadership that calls for cyber activities that are “short of war” to retaliate against hacking campaigns from adversarial nation states. The Pentagon’s new strategy for the U.S. Cyber Command, which has traditionally led the nation’s cyber defensive efforts, comes in the wake of many recent high-profile cyberattacks attributed to the governments of Russia, North Korea and Iran.

The concept of “hacking back” against cyber adversaries has gained momentum in both the private sector as well as the government. Some cybersecurity experts, however, have warned that the risks and unintended consequences of offensive cyberattacks can put private enterprises in the crosshairs of nation-state hackers.

What are the implications of the U.S. Cyber Command turning its attention to offensive hacking? What activities would be considered short of cyberwarfare? Could the Pentagon’s policy lead to an escalation of cyberattacks? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Container orchestration systems at risk by being web-accessible

Researchers found more than 21,000 container orchestration systems are at risk simply because they are accessible via the web.

Security researchers from Lacework, a cloud security vendor based in Mountain View, Calif., searched for popular container orchestration systems, like Kubernetes, Docker Swarm, Mesosphere and OpenShift, and they found tens of thousands of administrator dashboards were accessible on the internet. According to Lacework’s report, this exposure alone could leave organizations at risk because of the “potential for attack points caused by poorly configured resources, lack of credentials and the use of nonsecure protocols.”

“There are typically two critical pieces to managing these systems. First is a web UI and associated APIs. Secondly, an administrator dashboard and API are popular because they allow users to essentially run all aspects of a container cluster from a single interface,” Lacework’s researchers wrote in its report. “Access to the dashboard gives you top-level access to all aspects of administration for the cluster it is assigned to manage, [including] managing applications, containers, starting workloads, adding and modifying applications, and setting key security controls.”

Dan Hubbard, chief security architect at Lacework, said these cloud container orchestration systems represent a significant change from traditional security.

“In the old data center days, it was easy to set policy around who could access admin consoles, as you would simply limit it to your corporate network and trusted areas. The cloud, combined with our need to work from anywhere, changes this dramatically, and there are certainly use cases to allow remote administration over the internet,” Hubbard said via email. “That said, it should be done in a secure way. Extra security measures like multifactor authentication, enforced SSL, [role-based access controls], a proxy in front of the server to limit access or a ‘jump server’ are all ways to do this. This is something that security needs to be aware of.”

Lacework reported that more than 300 of the exposed container orchestration systems’ dashboards did not have credentials implemented to limit access, and “38 servers running healthz [web application health and security checker] live on the Internet with no authentication whatsoever were discovered.”

Hubbard added that “these sites had security weaknesses that could have enabled hackers to either attack directly these nodes or provide hackers with information that would allow them to attack more easily the company owning these nodes.” 

However, despite warning of potential risks to these container orchestration systems, Hubbard and Lacework could not expand on specific threats facing any of the nearly 22,000 accessible dashboards described in the report.

“Technically, they are all connected to the internet and their ports are open, so attackers can gain privileged access or discover information about the target,” Hubbard said. “With respect to flaws, we did not perform any password cracking or dictionary attacks against the machines or vulnerability scans. However, we did notice that a lot of the machines had other services open besides the container orchestration, and that certainly increases the attack surface.”

More trouble for federal cybersecurity

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the recent federal cybersecurity report, which found the majority of agencies have significant security gaps.

The latest government report on the state of federal cybersecurity brought more bad news for Washington, D.C.

The Federal Cybersecurity Risk Determination Report and Action Plan, which was commissioned by the Office of Management and Budget and the Department of Homeland Security, found the vast majority of government agencies have significant gaps in their security postures. Specifically, the report found that 59 of 96 agencies are considered to be at risk, while 12 agencies are at high risk.

Key issues, according to the report, included ineffective and outdated identity and access management processes, a lack of communication between security operations centers, and a lack of accountability for agency leadership. The report also found that just 16% of agencies have deployed encryption for data at rest.

How serious are the federal cybersecurity report’s findings? What steps should be taken to improve the situation? What are the primary causes of the poor state of security in Washington? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers

Industrial control systems around the world might be at risk as hardcoded credentials are found in flawed software.

The Yokogawa Stardom vulnerability (CVE-2018-10592) affects the FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier. These industrial control systems (ICS) are used around the world in various infrastructure capacities including the energy sector, food production and manufacturing.

According to the security advisory for the Yokogawa Stardom vulnerability, an attacker could remotely log in with the hardcoded credentials and be able to execute system commands. The official advisory from Yokogawa and the advisory from ICS-CERT disagree slightly though: Yokogawa labels the issue as being of medium difficulty to exploit, while ICS-CERT notes that it takes “low skill level.”

Yokogawa suggests users upgrade to firmware version R4.10, and ICS-CERT adds that the National Cybersecurity and Communications Integration Center (NCCIC) also recommends that industrial control systems be isolated from networks where possible, placed behind firewalls, or have their logins restricted.

It is unclear how widespread the Yokogawa Stardom vulnerability might be. Yokogawa did not respond to requests for comment at the time of this post.

Hardcoding passwords and other login credentials is a practice that security professionals have frowned upon for decades, but still affects products ranging from IoT to firewalls and more. Meanwhile, industrial control systems have become a bigger target for attackers looking to cause real-world havoc with cyberattacks.

Breaking down the Efail flaws

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Efail vulnerabilities affecting PGP and S/MIME email clients, as well as the rocky disclosure process for the flaws.

The unveiling of the Efail flaws in encryption client software led to spirited debates about the rocky disclosure of the vulnerabilities and who, ultimately, was responsible for them.

The vulnerabilities, which were discovered by a team of academic researchers in Germany and Belgium, affect some client software that implements the two popular email encryption standards, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). The Efail flaws could allow threat actors to obtain the plaintext of messages encrypted with the affected client software.

The researchers’ technical paper pointed to faulty email clients rather than the protocols themselves, which sparked a debate about who was responsible for the Efail flaws. While some infosec experts argued the developers were on the hook, others such as Matthew Green, professor at Johns Hopkins University’s Information Security Institute, criticized organizations like GnuPG for not taking a more active role in addressing the problem. Additionally, a broken embargo for the branded vulnerabilities led to questions and concerns about coordinated disclosure processes.

Was there an overreaction to Efail? Who takes the majority of the blame for these vulnerabilities? Did the Efail disclosure actually fail? SearchSecurity editors Rob Wright and Peter Loshin discuss these questions and more in this episode of the Risk & Repeat podcast.

Okiru malware puts billions of connected devices at risk

A new variant of the Mirai malware puts ARC processors at risk of being exploited.

The Mirai variant, known as Okiru, is the first malware that is able to infect Argonaut RISC Core (ARC) processors, according to a researcher known as unixfreaxjp at the malware security group MalwareMustDie.

ARC processors are used in a wide range of internet-of-things (IoT) devices, such as cellphones, televisions, cameras and cars.

It’s thought that there are approximately 1.5 billion devices worldwide with ARC processors in them that could be vulnerable to Okiru.

In 2016, Mirai malware was used to create a botnet of 100,000 IoT devices that caused a series of problems, such as shutting down domain name system (DNS) provider Dyn.

However, in a tweet, security researcher Odisseus warned that Okiru could have a bigger impact than Mirai.

“The landscape of Linux IoT infection will change,” Odisseus said.

A Mirai malware variant called Satori, which was uncovered in December 2017, took down hundreds of thousands of Huawei routers. Satori was also sometimes called Okiru, but the two have significant differences, according to Security Affairs’ Pierluigi Paganini.

Okiru’s configuration is different because it “is encrypted in two parts,” but Satori’s is not, Paganini wrote in a blog post. “Also Okiru’s telnet attack login information is a bit longer,” Paganini explained, noting that the login information can be up to 114 credentials, but Satori has a “different and shorter database.”

At the time of this writing, the detection ratio on VirusTotal was 29/58. When Odisseus tweeted about the botnet threat earlier this week, it was only 5/60.

In other news:

  • Google launched a new tool for enterprise security called G Suite Security Center. The tool will be available to G Suite Enterprise users and is automatically accessible in the admin console. In a blog post, Google stated the three objectives of the security center are to show a “snapshot” of security metrics, to help enterprises stay ahead of security threats and to recommend ways for enterprises to improve their security posture. “We want to make it easy for you to manage your organization’s data security,” Google product managers Chad Tyler and Reena Nadkarni wrote in a blog post. “A big part of this is making sure you and your admins can access a bird’s eye view of your security — and, more importantly, that you can take action based on timely insights.” The security center will consist of a dashboard that shows the security metrics and the “security health” recommendations.
  • A team of researchers discovered a way to hack the Android Pixel phone. The exploit involves combining two separate vulnerabilities. The first, which Google patched in September 2017, is a type confusion flaw in the V8 open source JavaScript engine. The second vulnerability is a privilege escalation flaw in Android’s libgralloc module. Google patched that one in December 2017. However, security researchers were able to exploit both vulnerabilities to inject arbitrary code into the system_server process. All they had to do to make the exploit successful was get the targeted user to click on a malicious link in Chrome. The research team received a total of $100,000 from Google for the find, through both the Android Security Rewards program and the Chrome bug bounty program.
  • The Internet Systems Consortium (ISC) put out a security advisory warning of a vulnerability in the Berkeley Internet Name Domain (BIND) DNS software. The vulnerability, with severity ranked “high,” was remotely exploitable and reportedly caused some DNS servers to crash. “BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in its advisory. The vulnerability was found in BIND versions 9 and later, but not in earlier versions, so the ISC advised users to upgrade to the latest version. There have been no known active exploits, but the advisory stated that “crashes due to this bug have been reported by multiple parties.”

The Bitcoin boom and its infosec effects

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the recent bitcoin boom and how the cryptocurrency’s rising value could affect the cybersecurity landscape.

The bitcoin boom that saw a dramatic rise in the cryptocurrency’s value in recent weeks could have big implications for information security.

In the last month, the price of a single bitcoin tripled, jumping from approximately $5,700 to more than $17,000. A number of factors, including interest in the opening of the first regulated bitcoin futures exchanges and a hard fork in the cryptocurrency, could be contributing to the bitcoin boom beyond a general increase in buying and selling volumes.

But the surge also comes at a time of rampant global ransomware attacks, many of which demand payment from victims in bitcoin. While some enterprises have disclosed ransomware attacks, experts generally believe that many more attacks are kept quiet.

Could cybercriminals and ransomware attacks be contributing to the bitcoin boom? What will the rising price of the cryptocurrency mean for the cybercrime economy? Will the high value of bitcoin lead to more cyberattacks on bitcoin owners and exchanges, like NiceHash, which recently lost approximately $80 million in bitcoin following a massive data breach?

SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more on the bitcoin boom in this episode of the Risk & Repeat podcast.

Analyzing the accidental data breach

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the rise of accidental data breaches following a series of enterprise exposures of user data online.

Data breaches are so common these days that some of them don’t even include threat actors or malware of any kind.

Troy Hunt, security researcher and creator of the website HaveIBeenPwned.com, recently testified before Congress in a hearing titled “Identity Verification in a Post-Breach World,” in which he discussed how organizations are often committing accidental data breaches. Such incidents typically involve enterprises mistakenly making corporate or user data public on the internet through cloud services, web services and other technologies.

Hunt’s testimony comes on the heels of a number of accidental data breaches via Amazon Web Services (AWS); several organizations, including the NSA and U.S. Army, have exposed sensitive data through misconfigured instances of AWS’ Simple Storage Service. More recently, Kromtech Security Center revealed that mobile app developer Ai.type exposed more than 370 million personal records of users, including, in some cases, users’ contact lists, through a misconfigured MongoDB database.

During the congressional hearing last week, Rep. Morgan Griffith (R-Va.) asked Hunt why these accidental breaches keep happening. “Is it really that easy to accidentally share your cloud services with the world?” Griffith asked.

“The simple answer to the last question is, yes, it is that easy,” Hunt said. “It’s very often just a simple misconfiguration.”

Why are enterprises committing so many accidental breaches? Do these incidents reflect a lack of security competency? Should cloud providers and software developers do more to protect customers from making these types of errors? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.