Paranoid Technology All things cybersecurity

18 May 2017

Wanna Cry?!!! We do…

The cyber-attack that happened earlier this week reminded us of the questions posed in our March post – Initial Thoughts on Wikileaks Vault 7 Leak Series:

“This WikiLeak points to increasing erosion of public safety - despite having these tools at hand, world governments (US, UK, Germany) continue to push for encryption back doors. Equation Group’s leak (NSA) late 2016 and this latest CIA leak once again prove all organizations have their OpSec issues - the three letter agencies are themselves at risk; backdoors, once discovered, work just as well for foreign spies, cyber-criminals and script kiddies. Who is protecting the innocent?”

Apparently no one… Is the NSA going to step up and accept responsibility? Maybe if hell freezes over – “Cannot either deny or confirm the existence of these weapons…” Well, everybody else did – who cares if you do or don’t?!!

Interestingly, even Chinese state media called for the NSA to take some responsibility, how ironic… Like they should be talking…

21 March 2017

Thoughts on the Electronics Ban and How to Protect Your Privacy

This was initially a longer analysis of the whole situation, but we wanted to focus on just the security aspects, so here it goes:

Those of us who have been in the field of security for a while know the concept of security-in-depth… What it means in this context: imagine the airport's security layers as concentric rings that you pass through until you reach the plane. There are many of them, so why this focus on the airplane itself? If the bad guys want to do damage, the outer layers of airport security (ticketing, baggage claim) are more vulnerable than anywhere else in the airport, because that is where a lot of people congregate in masses, meaning more collateral damage…

Also, is an explosive device in the cargo bay safer than on the flight deck? We are not experts on explosives, but logic dictates that a pressure change in a pressurized cabin at high altitude will not be safe wherever on the aircraft you make it go off… According to the reports, the Russian airliner that went down over Egypt's Sinai Peninsula in October 2016 was brought down by an explosive in the cargo hold.

8 March 2017

Initial Thoughts on WikiLeaks Vault 7 Leak Series

WikiLeaks issued a press release yesterday announcing a new series of leaks from the CIA that they code-named "Vault 7", claiming that it is the largest classified information leak from the agency. The way the documents are distributed makes it difficult to confirm authenticity, but historically where there is smoke there is fire, and later releases may provide more proof. A quick glance reveals it is a continuation of the joint operation between the US and the UK, showing that the CIA has created an internal hacking capability for delivering signals intelligence and tailored access capabilities that rivals that of the NSA. Exploit sets range from Android and iOS smartphones to Samsung TVs, and include Linux, Mac and Windows 0-day attacks and more.

It is also interesting that it shows the distrust between the agencies...

From a review of the documents, the scale and scope of the CIA's hacking ability is significant – as WikiLeaks describes:

“By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.”

What is targeted? Pretty much everything that is connected…

15 February 2017

Who has my Data and Why?

We decided to dedicate this entry to how personal information is collected by the everyday services we use and how it could impact our lives…

Security professionals quite often find themselves explaining how to protect one’s privacy, but the response is usually one of the following:

  • I have nothing to hide
  • This sounds like a conspiracy theory
  • Glazed eyes

People are focused on the menial conveniences they receive from using these free applications in exchange for data… In technology, if something is free, never forget: you are the product!! Even applications and devices we pay for are disrespectfully collecting information in the name of customizing our experience. There is a massive information-gathering war between:

1 February 2017

Digital-Fog; Deceptive Personal Defenses and more…

We live in interesting times, times of transition in every aspect of our lives. Technology is improving non-stop, pushed down our throats sometimes willingly, as in the case of smartphones, and sometimes not, as in the case of smart meters… We as consumers are under siege by corporations for the data we generate, or rather that they help us generate… And the interesting thing is that we pay to give them our information in exchange for convenience, and nobody seems to care… This is because, for the untrained, the lines are extremely fuzzy on how all this works, how it affects our privacy, and ultimately our freedoms.

All of us are on some sort of list, and these lists are being bought and sold by big businesses and governments for profit, influence and control, and of course also to deliver the best personalized service. There is an information asymmetry in favor of the institutions: these institutions know more about us than we know about ourselves. Data is cash and power...

4 January 2017

Simple OpSec Resolutions for Outside the Office

The New Year has citizens and organizations alike reviewing their operational security practices; the expectation is that privacy rights will diminish, government surveillance will increase, and yet attacks and breaches will continue unabated. To protect yourself and to strengthen the human element of your organization, review the list of 2017 operational security (OpSec) resolutions below. Improving organizational security maturity starts with you.

General Hygiene

  1. Browse privately: move to Firefox; it's highly functional and Mozilla doesn't track your web browsing. That said, Firefox does use Google Safe Browsing in the background, which means that Firefox checks sites for phishing risk before proceeding; the net result is that if you want truly private browsing, you need to turn Safe Browsing off.
  2. Protect your passwords: don't keep them on a post-it, or use the same password over and over again. It's easy to get lazy with this one. Use a password manager like KeePass, or if you can't bring yourself to invest in a tool, at least make your common passwords more complicated (yet understandable); something like "thing#year#iD". We recommend that our clients use complex passwords, use long passwords, and rotate passwords. Your corporate information security program is hopefully enforcing something similar already.
  3. Take care with sensitive searches: search companies make money by tracking what you search; if you have something sensitive to search for, even if it's just something health related, use an alternative search engine like DuckDuckGo. The results are less targeted, but your privacy remains intact.
  4. Avoid public wi-fi: it's free for a reason - large retailers and their wireless partners love your usage data. Wi-fi networks of any sort are riskier and easier to spoof (and therefore hack), and they cause your device to automatically broadcast for those connection points in the future, thus increasing your risk. If you must use public wi-fi, go through a VPN; to avoid it altogether, use a tethered smartphone connection.
  5. Treat PII like cash: be selective about when and to whom you disclose your personally identifiable information (PII), to avoid future headaches. For example, avoid disclosing your email or phone number to retailers in exchange for discounts; if you do, be aware that you've just become a permanent member of their database, to be marketed to and sold, over and over again, until you die (or change your identity).
  6. Beware of the shoulder surfers: if you are the kind of person who works in public places a lot, seriously consider investing in a privacy filter to protect yourself from prying eyes.
  7. Don't get phished: although it's 2017, phishing is still in style; it's the single biggest attack vector, so be paranoid about every e-mail you receive. Pay special attention to the ones with attachments and links; hover over the links and verify that the link is going to the address displayed in the message. Do not open attachments unless they come from a trusted source.
  8. Anti-Virus (AV): today's threat landscape is dynamic, and while AV vendors are having a tough time keeping up, AV software will still protect you from a wide variety of known threat vectors.
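
As an added example (not code from the original post), here is a small Python checker that does programmatically what resolution 7 tells readers to do by hand: it parses an HTML message, compares the site named in each link's visible text with the host its href actually points to, and flags the mismatches. The sample message and its domains are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bare domain or URL inside the visible link text; group 1 is the host part
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def shown_host(text):
    """Return the lowercase host named in the visible text, or None."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None

def same_site(shown, real):
    """Treat 'mybank.example.com' and 'www.mybank.example.com' as one site."""
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (href, text) pairs whose visible text names a different site
    than the one the href actually points to."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = shown_host(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and real and not same_site(shown, real):
            flagged.append((href, text))
    return flagged

# Constructed sample message: the first link displays the bank's address but
# points at a look-alike domain; the last differs only by a "www." prefix.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account at
<a href="http://login-mybank.example.net/verify">https://www.mybank.example.com/verify</a>.
Read our <a href="https://www.mybank.example.com/privacy">privacy policy</a> or
visit <a href="https://mybank.example.com">www.mybank.example.com</a>.</p>"""
```

Links whose text is a plain label ("privacy policy") are skipped, since there is no displayed address to compare against; only the first link in the sample is flagged.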

28 December 2016

10 Scary Security Predictions for 2017

Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.

  1. IoT zombie army (the sequel) – from TVs to toasters people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal and the attacks will get more sophisticated in 2017. Expect to see:
    • Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
    • Utility Infrastructure Attacks – Thousands of pieces of SCADA, PLC and ICS equipment are unprotected and exposed to the internet. Most of these are connected to critical infrastructure that could impact human life in significant ways. For example, recently a Ukrainian power company was attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F; nobody was hurt reportedly, but a longer outage without power would be a problem.
    • Human Life-Threatening Attacks – IoT may become an assassination tool this year. Connected pacemakers, insulin pumps and let’s not forget cars.
    • Expect other new forms of IoT activity – swarms of “things” used as relays, conducting passive and active recon activities as an example.
  2. Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service or if you are infected by malware the FBI can hack you without a warrant to understand what kind of a threat you are, or in the case of malware infections to identify the culprits (or to fulfill their jump-host quotas to launch attacks to whatever target); and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report anyone?
  3. Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U., will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and on-going reporting to keep the regulators and consumers happy. Three main things to watch for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
  4. Machines learn to hack – machine learning will result in more sophisticated and harder-to-attribute attacks ranging from phishing and DDoS to automated target selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA held its CyberSecurity Grand Challenge All-Machine Hacking Tournament; the goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
  5. Cyber-warfare on the rise – Increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism have increased paranoia levels worldwide. Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception-management operations.

23 December 2016

2016 retrospective – 8 scary predictions that came true

Looking back at our 8 Scary Security Predictions for 2016 what’s really frightening is how accurate they were! It’s time to start a side business in fortune telling…  maybe there’s a certificate for that.

Here’s a quick recap of our 2016 predictions and what actually unfolded:

  • Back Doors Open in Corporate Encryption – now Congress feels that strong non-backdoor encryption is important, but the Feds should be able to crack it.
  • National Privacy Laws Weaken (Again) – And they did – the FBI got more hacking powers, but on the up side, in early 2017 we will get a letter from the U.S. intelligence agencies on domestic surveillance.
  • No More Safe Harbor (for Good) – Safe Harbor was replaced by Privacy Shield and will be superseded by GDPR on 25 May 2018 after a two-year transition period… Intended to strengthen and unify data protection for individuals within the European Union (EU), it’s time to review the new requirements.
  • Mass Internet Surveillance Goes Global – And it did… We saw the U.S. Intel surveillance on Yahoo and the Brits passing the Snooper Law.
  • Sophisticated Malware / 0-day Attacks = More Breaches – Adobe Flash took the cake again this year; time for it to die already! This was also the year of ransomware, with hospitals getting hit especially hard; interestingly, 0-days were not the most used attack vector – phishing was (humans create risk again).
  • Spending on Data Breaches & Cyber Threats Continues Unabated – Business as usual – some of the big breaches of 2016 were IRS, DHS, Seagate, LinkedIn, 21st Century Oncology, Verizon Enterprise Services, Dropbox, Yahoo, San Francisco MTA and others.
  • Dawn of the (IoT) Zombie Army – If only this had been delayed a few more years, but Mirai did it. First the attack on KrebsOnSecurity (620Gbps), then OVH (1Tbps with 150K devices) and then the DynDNS attack (a record-breaking 1.1Tbps) that took out sites like Github, Twitter, SaneBox, Reddit, AirBnB, and Heroku.
  • Qualified CyberSecurity Professionals Will Still Be Hard to Find – it was hard and it will be; the gap of cybersecurity professionals remains wide and shows no signs of closing.

In the coming days look for 2017 predictions – the New Year promises to bring more of the same.

2 March 2016

Lessons on Trust and Apple’s Stance Against the FBI – Learned from the Syrian Refugee Crisis

Our team has been researching trust networks for a while, and this example from the Syrian refugee crisis was worth sharing, as there are several hidden lessons in the story. You've probably been following the news about the Syrian refugee crisis. This article is not about the significant humanitarian and political challenges and complexities of that situation, but rather about what we can learn from their ordeal about trust networks and how to apply it to information security, specifically to the current stand-off between Apple and the FBI…

Large numbers of men, women and children are trying to journey from Turkey to Greece every day, hoping for a better life and to escape from the horrors of war... The success-to-death ratio is quite high, but people keep trying; one can't help but ask oneself, why? Why do the refugees trust these people traffickers, why do they get on leaky boats and make the trip, knowing there is a good chance that they will never make it? The answer to this question is Trust...

9 February 2016

Summing Up Safe Harbor’s replacement, Privacy Shield

On February 2nd, the EU Commission and the US announced Safe Harbor's intended replacement, the "EU-US Privacy Shield". While the EU Commission, trade associations and businesses announced support, numerous privacy advocacy groups (not to mention Data Protection Agencies, including those in France, Germany and Spain) were quick to voice concerns.

Here's what the new framework claims to put in place:

  • US companies now have "robust" obligations to protect Europeans' personal data; the Department of Commerce will monitor these commitments, which are enforceable under US law
  • The US has given the EU written assurance that access to data for law enforcement or national security will be subject to limitations, safeguards and oversight; no more mass surveillance on EU personal data; exceptions are allowed "to the extent necessary"; this arrangement will be monitored by both parties
  • EU citizens now have redress options, meaning companies have to reply to complaints, Data Protection Agencies can refer complaints to US agencies, and a State Department ombudsperson will be available

While all that sounds like progress, the devil is in the details, hence a few areas of concern:
