Paranoid Technology All things cybersecurity


Security Predictions (& Resolutions) for 2020

Our predictions from 2018 were still valid for 2019, so we skipped a year 😉 Since the decade has come to a close, sharing predictions for 2020 and beyond seems in order… starting with a strategic view of the trends and emerging business problems affecting CISOs today…

Predictions for 2020
1. Year of the IoT CISO – we did not reach Gartner’s 20 billion connected devices by 2020, but we are almost there… The attack surface is increasing rapidly – from personal wearables to medical devices to connected cars to toasters and more – as the proverb goes “where there’s entropy there is chaos” 😉 At least initially…


Simple OpSec Resolutions for Outside the Office

The New Year has citizens and organizations alike reviewing their operational security practices; the expectation is that privacy rights will diminish, government surveillance will increase, and yet attacks and breaches will continue unabated. To protect yourself and to strengthen the human element of your organization, review the list of 2017 operational security (OpSec) resolutions below. Improving organizational security maturity starts with you.

General Hygiene

  1. Browse privately: move to Firefox; it's highly functional and Mozilla doesn't track your web browsing; that said, Firefox does use Google Safe Browsing in the background, which means that Firefox checks sites for phishing risk before proceeding; the net result being that if you want truly private browsing, you need to turn safe browsing off.
  2. Protect your passwords: don't keep them on a post-it, or use the same password over and over again.  It's easy to get lazy with this one.  Use a password manager like KeePass, or if you can't bring yourself to invest in a tool, at least make your common passwords more complicated (yet understandable); something like "thing#year#iD".  We recommend that our clients use complex passwords, use long passwords, and rotate passwords.  Your corporate information security program is hopefully enforcing something similar already.
  3. Take care with sensitive searches: search companies make money by tracking what you search; if you have something sensitive to search for, even if it's just something health related, use an alternative browser like DuckDuckGo.  The results are less targeted, but your privacy remains intact.
  4. Avoid public wi-fi: it's free for a reason - large retailers and their wireless partners love your usage data; wi-fi networks of any sort are riskier, easier to spoof (and therefore hack), and cause your device to automatically broadcast to those connection points in the future, thus increasing your risk; if you must use public wi-fi, go through a VPN, or to avoid it, use a tethered smart phone connection.
  5. Treat PII like cash: be selective about when and to whom you disclose your personally identifiable information (PII), to avoid future headaches. For example, avoid disclosing your email or phone number to retailers in exchange for discounts; if you do, be aware that you've just become a permanent member of their database, to be marketed to and sold, over and over again, until you die (or change your identity).
  6. Beware of the shoulder surfers: if you are the kind of person who works in public places a lot, seriously consider investing in a privacy filter to protect yourself from prying eyes.
  7. Don’t get Phished: Although it's 2017, phishing is still in style; it's the single biggest attack vector, so be paranoid about every e-mail you receive. Pay special attention to the ones with attachments and links; hover over the links and verify that the link is going to the address displayed in the message. Do not open attachments unless they come from a trusted source.
  8. Anti-Virus (AV): Today's threat landscape is dynamic and while AV vendors are having a tough time keeping up, AV software will still protect you from a wide variety of known threat vectors.

10 Scary Security Predictions for 2017

Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.

  1. IoT zombie army (the sequel) – from TVs to toasters people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal and the attacks will get more sophisticated in 2017. Expect to see:
    • Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
    • Utility Infrastructure Attacks – Thousands of pieces of SCADA, PLC, and ICS equipment are unprotected and exposed to the Internet. Most of these are connected to critical infrastructure that could impact human life in significant ways. For example, recently a Ukrainian power company was attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F – reportedly nobody was hurt, but a longer outage without power would be a problem.
    • Human Life-Threatening Attacks – IoT may become an assassination tool this year. Connected pacemakers, insulin pumps and let’s not forget cars.
    • Expect other new forms of IoT activity – swarms of “things” used as relays, conducting passive and active recon activities as an example.
  2. Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service or if you are infected by malware the FBI can hack you without a warrant to understand what kind of a threat you are, or in the case of malware infections to identify the culprits (or to fulfill their jump-host quotas to launch attacks to whatever target); and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report anyone?
  3. Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U. will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and on-going reporting to keep the regulators and consumers happy. Three main things to watch for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
  4. Machines learn to hack – machine learning will result in more sophisticated and harder to attribute attacks ranging from phishing and DDoS to Automated Target Selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA had its CyberSecurity Grand Challenge All-Machine Hacking Tournament; the goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
  5. Cyber-warfare on the rise – Increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism have increased paranoia levels worldwide. Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception management operations.

8 Scary Security Predictions for 2016

2016 Security Predictions
1) Back Doors Open in Corporate Encryption

Paranoid Technology has already opined on why “opening” encryption is bad for businesses and citizens alike, but not much has stopped calls from Washington for a “magic bullet” to let the good guys in and keep the bad guys out. What’s concerning are the predictions of those like Robert S. Litt, general counsel in the Office of the Director of National Intelligence, who wrote “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.” It’s an eerie and potentially prescient comment; right now strong encryption is winning, but it’s true that certain events would likely sway public opinion.

2) National Privacy Laws Weaken (Again)

While 2015 finally saw the USA Freedom Act passed, reining in NSA surveillance (including bulk collection of phone records) as of November 29th 2015 (but still not going far enough in the eyes of many civil liberties groups), the end of 2015 also saw Republican lawmakers introduce a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017; that said, many lawmakers feel that the rollback is not enough, and senators like presidential candidate Marco Rubio would actually prefer to see a permanent reauthorization of key provisions of the Patriot Act.  The Republican response is a bellwether of what to expect in 2016, especially if there are terrorist or criminal events that demonstrate mass surveillance would have made some difference (see Litt’s crystal ball, above). 


Forget Weak Encryption, Rely on OpSec Fundamentals & Human Intelligence

Hillary Clinton recently joined the growing chorus of politicos suggesting that Silicon Valley tech giants need to stop treating the government like an adversary and calling for collaboration to “find solutions” to encrypted communication. “Finding solutions” meaning weakening encryption so that the US government has a legal means of eavesdropping on what would otherwise be private communications – not only among terrorists, but also among people in the (much) larger population.

This begs the question, is weakening encryption the only means of improving national security? Reviewing the recent attacks, there are a few important things to note: the terrorists in Paris were not using encrypted communications; that said, ISIS does have a sophisticated OpSec manual – which shows their heightened awareness of encryption technologies and means to maneuver around them; plus, several other nation states (the U.S. and Germany among them) shared intelligence with France on either the attacks or on the attackers that wasn’t acted on in a timely manner.

Putting aside these other programmatic gaps, let’s assume that weakening encryption is the only means of improving security. For the government to have “back door” access to any encrypted application or systems, the country would need to be operated as an enormous Public Key Infrastructure (PKI), with the government as the top level certificate authority (CA) for all domains and communications; it would issue all certificates for encryption, which would also conveniently enable surveillance.


Cyberinsurance – why security fundamentals & service offerings matter

The cost of cybercrime has become staggering. With companies like Home Depot ($234M), Target ($264M), Sony and others being hit, CEOs are revisiting their cyberinsurance policies and wondering if they're doing enough. While cyberinsurance definitely belongs in the CEO's risk management tool kit, avoid reacting to the latest panic about cybercrime. Overspending on cyberinsurance means under-spending on critical functions - such as information security, risk, and even human resources - that may be even more important to protecting your business than insurance.

If you're interested in cyberinsurance, know that insurers will look at your "proof of insurability", meaning the strength of your policy application and their estimate of your organization's risk across key categories. They expect that you'll have done an in-depth review of your organization's risk based on security measures in place and existing gaps. Remember that you'll pay extra for coverage of weaknesses in your security program, so better to address security hygiene before you apply.

There's a long list of things cyberinsurers will want to know before signing you up.  For a full list, read the Derivative Technology white paper, "Protect your business from cybercrime the cost-effective way: with targeted cyberinsurance".  Or keep reading for more details ...