Paranoid Technology All things cybersecurity

12Jan/21Off

(Cyber)Security Implications of the Capitol Attack

On January 6 – a mob of people attempted a civilian coup d’état on Capitol Hill… This post focuses on the cybersecurity aspects of this incident.

There has been a continuing targeted disinformation campaign within the U.S. for some time and the biggest enabler of this is social media. It feeds on the information-bias by providing targeted content for individuals based on their preferences and activities; effectively reinforcing self-radicalization – the only objective is to increase advertising revenue. As a result everyone has a different reality, and society cannot seem to agree on simple facts which is deepening social-fragmentation…

This is a significant threat to democracy - as Winston Churchill put it - “The best argument against democracy is a five-minute conversation with the average voter.”

And ironically once again the Capitol Hill incident was coordinated via the social media…

Identified threat vectors based on what happened that day:

11Jan/21Off

Reflections on 2020 and 2021 Cybersecurity Predictions

We are breaking our usual silence with our annual cyber security predictions….

Reflecting back on our 2020 predictions –

1. Year of the IoT CISO – 2020 did not quote on quote became the “Year of the IoT CISO”, but we certainly observed more demand for security professionals that understand full-stack IoT development. As things evolve this trend should continue.

2. Adoption of 5G will introduce a number of problems – 2020 was supposed to be the big transition for 5G, Covid-19 put a damper on that... 5G service is still spotty... The only observed problem so far were the attacks on 5G towers – there was an attack surface, but it was physical not software 🙂

3. More attacks on infrastructure – there were no major direct infrastructure attacks in 2020, but with COVID-19 pandemic showed the weaknesses and dependencies in the supply chain more clearly. Even though there were no major events in 2020, we suspect a major infrastructure attack is still not off the table in the future; it is just a matter of time. Also the fallout from SolarWinds incident may have some downstream effects on the infrastructure in 20201.

4. Cloud transition continues – COVID-19 definitely emphasized this prediction – transition to the cloud was stronger than ever.

5. Ransomware alive and well – unfortunately this year from county governments to technology companies to hospitals many entities were targeted by cyber criminals; for a reason, they were getting paid… We heard about some of these due to required disclosures, but a good chunk was handled under the table. Healthcare was especially targeted given the pressure they under due to the pandemic, which made them easier paying targets. Given the success in this style of attack we expect this to continue in 2021 as well.

6. Information warfare continues to evolve – In 2020 we saw that information warfare is used by domestic and foreign adversaries very effectively- but there were numerous examples of disinformation incidents fueled by social media adding to the already tense social climate… On the deep fake front - there were not  so many high-profile deep fake incidents as we predicted, there was definitely developments on detection and public awareness.

7. ML is a double edged sword – Based on the events observed in 2020 ML definitely failed on the defensive side; but malware is definitely getting smarter and harder to detect. We ended the year with SolarBurst - It provided a deep insight into how evolved cyber adversaries are; fallout from the incident still continues and we may never know the true impact on the U.S.

8. Privacy issues continue – a lot more states in the U.S. jumped on the California CCPA’s bandwagon; GDPR is in full-gear, privacy is definitely scrutinized more than ever before...

20Jan/20Off

Security Predictions (& Resolutions) for 2020

Our predictions from 2018, were still valid for 2019, so we skipped a year 😉 Since the decade has come to a close, sharing predictions for 2020 and beyond seems in order… starting with a strategic view of the trends and emerging business problems affecting CISOs today…

Predictions for 2020
1. Year of the IoT CISO – we did not reach Gartner’s 20 billion connected devices by 2020, but we are almost there… The attack surface is increasing rapidly – from personal wearables to medical devices to connected cars to toasters and more – as the proverb goes “where there’s entropy there is chaos” 😉 At least initially…

8Jan/18Off

7 Scary Security Predictions (& Resolutions) for 2018

Information security has become a source of fear and uncertainty for many organizations, so this year’s scary security predictions are backed up by recommended New Year’s resolutions. If you’re unsure of how to action this advice, just talk to us.

  1. Artificial intelligence (AI) is dead, long live artificial intelligence – AI is an overused term and hard to achieve; the early stages of AI are mostly machine learning and a long way from nirvana. Information security leverages machine learning to detect and understand complex patterns of machine-2-machine (m2m) and machine-2-human (m2h) interaction. Machine learning outputs will be fed to decision support solutions, driving automated outcomes via complex workflow engines. Before this vision can be realized, full integration of security operations automation is needed. Right now the market remains fragmented and solves for specific problems; the vision is to create solutions that address security’s complexity while integrated with the many facets of business operations. Before making the move to “AI”, it’s important to get your own house in order:
18May/17Off

Wanna Cry?!!! We do…

The cyber-attack that happened earlier this week reminded us of the questions posed in our March post – Initial Thoughts on Wikileaks Vault 7 Leak Series:

This wikileak points to increasing erosion of public safety - despite having these tools at hand, world governments (US, UK, Germany) continue to push for encryption back doors. Equation Group’s leak (NSA) late 2016 and this latest CIA leak once again prove all organizations have their OpSec issues - the three letter agencies are themselves at risk; backdoors, once discovered, work just as well for foreign spies, cyber-criminals and script kiddies.  Who is protecting the innocent? “

Apparently no one… Is the NSA going to step up and accept responsibility? Maybe if hell freezes over – “Cannot either deny or confirm the existence of these weapons…” Well, everybody else did – who cares if you do or don’t?!!

Interestingly, even Chinese state media called for the NSA to take some responsibility, how ironic… Like they should be talking…

21Mar/17Off

Thoughts on the Electronics Ban and How to Protect Your Privacy

Initially was a longer analysis of the whole situation, but we wanted to just focus on the security aspects - here it goes:

Those of us that has been in the field of security for a while knows the concept of security-in-depth… What this means in this context; imagine the airport layers as concentric rings until you get to the plane, there are many – why is this focus on the airplane itself? If the bad guys want to do damage, outer layers of the airport security; ticketing, luggage claim is more vulnerable than anywhere else in the airport because that is where a lot of people congregate in masses, more collateral damage…

Also, is an explosive device in the cargo bay safer than on flight deck? We are not experts on explosives, but logic dictates pressure change in a pressurized cabin in high altitude will not be safe wherever on deck you make it go off… According to the reports the Russian Airliner that went to down over Egypt's Sinai Peninsula in October 2016 was due to an explosive in the cargo hold.

8Mar/17Off

Initial Thoughts on WikiLeaks Vault 7 Leak Series

WikiLeaks issued a Press Release yesterday  announcing a new series of leaks from the CIA that they code named "Vault 7", claiming that it is the largest classified information leak from the agency.  The way the documents are distributed makes it difficult to confirm authenticity, but historically where there is smoke there is fire, and later releases may provide more proof. A quick glance reveals it is the continuum of the joint operation between the US and the UK – showing that the CIA has created an internal hacking capability for delivering signals intelligence and tailored access capabilities that rivals that of the NSA.  Exploit sets range from Android, iOS smartphones to Samsung TVs, Linux, Mac, Windows 0 day attacks and more.

What is also interesting is, it shows the distrust between the agencies...

From a review of the documents, the scale and scope of the CIA's hacking ability is significant – as WikiLeaks describes:

“By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.”

What is targeted? Pretty much everything that is connected…

15Feb/17Off

Who has my Data and Why?

Decided to dedicate this entry on how personal information is collected by everyday services we use and how it could impact our lives…

Security professionals quite often find themselves explaining how to protect one’s privacy, but the response is usually one of the following:

  • I have nothing to hide
  • This sounds like a conspiracy theory
  • Glazed eyes

People are focused on the menial conveniences they receive using these free applications in exchange for data… In technology if something is free – never forget – you are the product!!  Even applications and devices we pay for are disrespectfully collecting information in the name of customizing our experience. There is a massive information gathering wars between:

1Feb/17Off

Digital-Fog; Deceptive Personal Defenses and more…

We live in interesting times, times of transition in every aspect of our lives. Technology is improving non-stop; pushed down our throats sometimes willingly in the case of smartphones, and sometimes not; in the case of smart meters…. We as consumers are under siege by corporations for the data we generate rather they help us generate… And the interesting thing is we pay to give them our information in exchange of convenience and nobody seems to care… This is because for the untrained the lines are extremely fuzzy on how all this works, how it affects our privacy, and ultimately our freedoms.

All of us are on some sort of list and these lists are being bought sold by big businesses and governments for profit, influence and control and of course also to deliver the best personalized service – there is an information asymmetry in the favor of the institutions; these institutions know more about us then we know about ourselves. Data is cash and power...

4Jan/17Off

Simple OpSec Resolutions for Outside the Office

The New Year has citizens and organizations alike reviewing their operational security practices; the expectation is that privacy rights will diminish, government surveillance will increase, and yet attacks and breaches will continue unabated.  To protect yourself and to strengthen the human element of your organization, review the below list of 2017 operational security (OpSec) resolutions.  Improving organizational security maturity starts with you.

General Hygiene

  1. Browse privately: move to Firefox; it's highly functional and Mozilla doesn't track your web browsing; that said, Firefox does use Google Safe Browsing in the background, which means that Firefox checks sites for phishing risk before proceeding; the net result being that if you want truly private browsing, you need to turn safe browsing off.
  2. Protect your passwords: don't keep them on a post-it, or use the same password over and over again.  It's easy to get lazy with this one.  Use a password manager like KeePass, or if you can't bring yourself to invest in a tool, at least make your common passwords more complicated (yet understandable); something like "thing#year#iD".  We recommend that our clients use complex passwords, use long passwords, and rotate passwords.  Your corporate information security program is hopefully enforcing something similar already.
  3. Take care with sensitive searches: search companies make money by tracking what you search; if you have something sensitive to search for, even if it's just something health related, use an alternative browser like DuckDuckGo.  The results are less targeted, but your privacy remains intact.
  4. Avoid public wi-fi: it's free for a reason - large retailers and their wireless partners love your usage data; wi-fi networks of any sort are riskier, easier to spoof (and therefore hack), and cause your device to automatically broadcast to those connection points in the future, thus increasing your risk; if you must use public wi-fi, go through a VPN, or to avoid it, use a tethered smart phone connection.
  5. Treat PII like cash: be selective on when and who you disclose your personally identifiable information (PII) to, to avoid future headaches. For example, avoid disclosing your email or phone number to retailers in exchange for discounts; if you do, be aware that you've just become a permanent member of their database, to be marketed to and sold, over and over again, until you die (or change your identity).
  6. Beware of the shoulder surfers: if you are the kind of person who works in public places a lot, seriously consider investing in a privacy filter to protect yourself from prying eyes.
  7. Don’t get Phished: Although it's 2017, phishing is still in style; it's the single biggest attack vector, so be paranoid about every e-mail  you receive. Pay special attention to the ones with attachments and links; hover over the links and verify that the link is going to the address displayed in the message. Do not open attachments unless it is a trusted source.
  8. Anti-Virus (AV): Todays threat landscape is dynamic and while AV vendors are having a tough time keeping up, AV software will still protect you from a wide variety of known threat vectors.