Paranoid Technology All things cybersecurity

7 Jan 2016

8 Scary Security Predictions for 2016

1) Back Doors Open in Corporate Encryption

Paranoid Technology has already opined on why “opening” encryption is bad for businesses and citizens alike, but that has done little to stop the calls from Washington for a “magic bullet” that lets the good guys in and keeps the bad guys out.  What is concerning are predictions like that of Robert S. Litt, general counsel in the Office of the Director of National Intelligence, who wrote that although “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”  It is an eerie and potentially prescient comment: right now strong encryption is winning, but certain events would likely sway public opinion.

2) National Privacy Laws Weaken (Again)

2015 finally saw the USA Freedom Act passed, reining in NSA surveillance (including bulk collection of phone records) as of November 29th 2015, though not going far enough in the eyes of many civil liberties groups.  Yet the end of 2015 also saw Republican lawmakers introduce a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017.  Many lawmakers feel that even this rollback is not enough; senators like presidential candidate Marco Rubio would prefer a permanent reauthorization of key provisions of the Patriot Act.  The Republican response is a bellwether of what to expect in 2016, especially if there are terrorist or criminal events that demonstrate mass surveillance would have made some difference (see Litt’s crystal ball, above).

1 Dec 2015

Moving to the Cloud? Don’t Leave Security Behind

According to Gartner, by 2018 at least 50% of enterprises will adopt cloud-enabled service offerings, which means that more and more organizations – maybe even yours – will soon be weighing the pros and cons of private and public cloud options. Regardless of which path you choose, your responsibility remains the same: your organization is ultimately still responsible, and liable, for maintaining the confidentiality, integrity, and auditability of your data. You can safely put data on both public and private clouds, but watch out for the problems caused by one or more of the following:

  • Disclosure of sensitive or regulated data
  • Disclosure of intellectual property
  • Inconsistent user access management
  • Lack of electronic discovery capabilities
  • Compliance issues due to the lack of security controls
  • Application QA issues

To keep reading and for additional details, see the Derivative Technology white paper, “Moving to the Cloud? Don’t Leave Security Behind” or contact us for more information here.

24 Nov 2015

Forget Weak Encryption, Rely on OpSec Fundamentals & Human Intelligence

Hillary Clinton recently joined the growing chorus of politicos suggesting that Silicon Valley tech giants need to stop treating the government like an adversary, calling for collaboration to “find solutions” to encrypted communication. “Finding solutions” here means weakening encryption so that the US government has a legal means of eavesdropping on what would otherwise be private communications – not only among terrorists, but also among the (much) larger general population.

This raises the question: is weakening encryption the only means of improving national security? Reviewing the recent attacks, there are a few important things to note. The terrorists in Paris were not using encrypted communications. ISIS does have a sophisticated OpSec manual, which shows a heightened awareness of encryption technologies and of ways to maneuver around them. And several other nation states (the U.S. and Germany among them) shared intelligence with France on either the attacks or the attackers that was not acted on in a timely manner.

Putting aside these other programmatic gaps, let’s assume that weakening encryption is the only means of improving security. For the government to have “back door” access to every encrypted application or system, the country would effectively have to be run as one enormous Public Key Infrastructure (PKI), with the government as the top-level certificate authority (CA) for all domains and communications; it would issue every certificate used for encryption, which would conveniently enable surveillance. One caveat worth being precise about: holding the root CA key lets its owner mint certificates that clients will accept for any name, which enables active interception of connections, but it does not hand over the private keys of the servers or the session keys of traffic that was merely recorded. A passive-decryption back door would therefore have to reach into the key exchange itself, not just the certificate hierarchy.

17 Nov 2015

Cyberinsurance – why security fundamentals & service offerings matter

The cost of cybercrime has become staggering. With companies like Home Depot ($234M), Target ($264M), Sony and others being hit, CEOs are revisiting their cyberinsurance policies and wondering if they are doing enough.  While cyberinsurance definitely belongs in the CEO's risk management tool kit, avoid reacting to the latest panic about cybercrime.  Overspending on cyberinsurance means under-spending on critical functions - such as information security, risk, and even human resources - that may be even more important to protecting your business than insurance.

If you're interested in cyberinsurance, know that insurers will look at your "proof of insurability", meaning the strength of your policy application and their estimate of your organization's risk across key categories.  They expect that you will have done an in-depth review of your organizational risk based on the security measures in place and the existing gaps.  Remember that you will pay extra to cover weaknesses in your security program, so it is better to address security hygiene before you apply.

There's a long list of things cyberinsurers will want to know before signing you up.  For a full list, read the Derivative Technology white paper, "Protect your business from cybercrime the cost-effective way: with targeted cyberinsurance".  Or keep reading for more details ...

4 Nov 2015

No more Safe Harbor … now what?

The recent EU ruling on Safe Harbor has US companies that do business in Europe scrambling to figure out what it means for their business, what the future holds, and where to go from here. Here is a quick rundown of what happened, how it came about, and what the implications are for your organization.

On October 6, 2015 the European Court of Justice (“ECJ”) invalidated the 15-year-old Safe Harbor program: a policy framework that allowed US-based companies to freely transfer data between continents if they demonstrated compliance with an agreed-upon set of data protection principles. Austrian privacy activist Maximilian Schrems had challenged Facebook’s transfer of European users’ data to its American servers, citing the Snowden revelations and accusing Facebook of aiding US espionage efforts. And he won.

19 Aug 2015

And Now Look Who’s Going to Get Sued!

While many interesting topics came out of Black Hat recently, the one that caught my eye was in the opening remarks by Jeff Moss and the follow-on article on software liability (“Software Liability is Inevitable”, on ThreatPost), i.e. the idea that software developers, and the companies who employ them, should be liable for the quality of their code.

What’s that old Shakespeare line? “The first thing we do, let’s kill all the lawyers!”  While I am generally not a fan of lawsuits as a form of behavior modification, the idea of software liability is an intriguing one.  Who hasn’t been part of a company where software has gone awry and caused anything from headaches to actual revenue loss?  What if you could make software developers responsible for that pain?  I can hear the developers groaning now - this is oppression!  Kill all the lawyers!  This is going to squash our creativity!  Software development is actually going to be harmed, not helped.  No one will want to develop software if they’re afraid of getting sued.  Etc., etc.

But let’s think about it - what are the real Pros and Cons?

22 Jul 2015

A Stitch in Time Saves Nine – the CFO Perspective on Cyber Security

This recent article - CFOs are not confident about their level of security - got me thinking.  If you think about what keeps a CFO up at night, what comes to mind? Rising commodity prices? Company performance?  Whether Greece stays in the Eurozone? You would be right, those things do - but according to Deloitte, so do cyber security threats: only 1 in 10 CFOs feels well-prepared for an attack.  And that is because they stand to lose a lot - data breaches mean not only potential data loss and angry customers, but also damaged reputations, distrust and new security requirements that the organization hadn’t even considered.  All of these things impact the bottom line.

We all know that risk avoidance comes at a price, and that that price is difficult to measure.  No company (or government) wants to be plastered across the headlines for losing millions of users’ data; what they would have paid to avoid the whole situation in the first place is an interesting question.  Yet what this article doesn’t discuss is what enterprises are investing in cybersecurity in response to this fear, uncertainty and doubt.  For most companies that have suffered a breach, I am willing to bet there was an obvious hole in their security program, one that a regular security audit would have found.  Or, even worse, maybe they already knew about it but were holding their breath and hoping (my motto: hope is not a strategy).

13 Jul 2015

Verizon’s 2015 Data Breach Investigations Report

Verizon's Data Breach Investigations Report (DBIR) for 2015 is out. This year's report draws on 70 contributing organizations, 79,790 security incidents and 2,122 confirmed data breaches from 61 countries. The highlights from the report:

- As in the last 5 years, threat actor attribution in 2015 stays roughly the same: ~80% external, ~20% internal.

- Top threat actions in 2015: phishing, spyware/keylogging, RAM scraping and credential theft.

- In 60% of cases attackers are able to compromise an organization within minutes.

- 23% of recipients now open phishing messages and 11% click on attachments.

- 99% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

- 70-90% of malware samples are unique to an organization.

- 95% of the incidents recorded involve harvesting credentials stolen from customer devices.

- 60% of incidents were attributed to errors made by system administrators.

Looking at the above trends, the usual suspects - patch management, information security awareness and training, and network/log monitoring - are still quite relevant.


6 Jul 2015

HackingTeam Becomes HackedTeam… Who is Next?

If you are in InfoSec you probably know who Hacking Team is, but just in case you do not: they are the ones creating multi-platform surveillance / remote control software like Da Vinci and Galileo in the name of crime fighting on 6 continents. Once installed on a target device, the software essentially enables the operator to expose encrypted communications from the endpoint; the toolkit supports iOS, Android, BlackBerry, Linux, Windows and OS X; a.k.a. "legitimized malware".

Hacking Team sells its Da Vinci malware/surveillance software to private companies, law enforcement and governments - of course only to ethical ones (according to Hacking Team). Many critics argue that Hacking Team is an enemy of the internet and that the toolkit is used by countries with questionable human rights records to spy on activists and journalists.

14 Apr 2015

This SSD will Self Destruct in….

Here is a cool find: SecureDrives' Autothysis SSDs, a device that brings a new meaning to full-disk encryption. The concept is almost out of Mission Impossible. The drive itself is not that big, only 128 GB, but it provides:

  • Two-factor authentication through a provided token and a smartphone.
  • GSM remote control - remotely destroy your drive by sending a text message.
  • Physical data destruction - the drive monitors the SATA interface and the NAND shatters upon removal, which also covers attempts at forensic recovery of the drive.

Failing too many PIN prompts, or activating a "tap-to-destroy" function on a touchscreen "token" accessory, will also destroy the data on the device. The drives come equipped with their own built-in GSM access, and if the signal is cut off for too long the drive is destroyed.

Given the number of ways you can destroy data on this device, one cannot help but wonder about the possibility of a malicious entity deleting your data, or devising a ransomware scheme in the style of CryptoLocker: "Pay or we will destroy your data"!

A cool concept indeed; as expected, not cheap, around ~$1500 plus GSM service.
