STE WILLIAMS

NSA Brings Nation-State Details to DEF CON

Thousands of hackers were eager to hear the latest from the world of nation-state cybersecurity.

For a brief time on Friday morning, “Spot the Fed” was the easiest game to play at DEF CON. That’s because the fed was standing on a stage, talking to thousands of attentive hackers.

Rob Joyce, senior advisor for cybersecurity strategy at the NSA, is a frequent attendee but a first-time speaker at the event. That latter status was emphasized with a DEF CON tradition: first-time presenters drink a shot on stage to salute the convention (and, presumably, steady their nerves). With that attended to, he quickly let the crowd know he was on their side, sharing his approval of activities such as publicly hacking past the security of voting machines.

“There are people who are going to try to find flaws in those voting machines whether we do it here publicly or not,” Joyce said, explaining that he sees the transparency provided by public hacking to be a valuable technique in fixing flaws where they exist. And those flaws are a critical component in the efforts of various nation-states to use the online world as a war-fighting theater where they can win advantages that transfer to the physical world.

In the arena of nation-state hacking, Joyce said, four actors are exceptions to a broad consensus of responsible Internet behavior: Russia, China, Iran, and North Korea.

Each one is using different techniques in the pursuit of different aims, Joyce explained. And each is a primary threat to a different part of society or the economy.

1. Russia: Russia has been quite visible in its use of cyberattacks as part of a larger state-craft strategy. Beyond the well-known attacks on elections, Russia is also engaged in constant campaigns against networks within the US government. Joyce said its cyberapproach echoes its military tactics in the physical world. Describing a successful intrusion in a State Department network, he described the effort to remediate the attack as “hand-to-hand combat” in which the attackers would respond to defensive moves with new tactics aimed at maintaining their position in the system.

2. China: China is most active in stealing intellectual property; it is known for the sheer volume of its attacks. Joyce said that after an accord on IP between the US and China, total intrusions dropped by nearly 90%. Whether or not in response, other activity has increased, including Cloud Hopper, which is targeting information theft and disruption of ISPs and MSPs. China is also quite active in cyberinfluence of mass behavior; social credit, Joyce said, is the most obvious government attempt to shape human behavior through social media-like prestige and gamification.

3. Iran: Iran is known for disruptive campaigns, including DDoS attacks, against its enemies. Joyce pointed out that its activity diminished markedly after the Paris Nuclear Accord went into effect. Then its efforts shifted toward targets in the Middle East, including campaigns against Israel and Saudi Arabia. The NSA is carefully watching activity that might increase once again with the reimposition of sanctions by the US, he said.

4. North Korea (DPRK): Joyce described North Korea as one of the most consistent actors, making cyberactivity part of every strategic encounter. It has constant campaigns in process against targets in South Korea, he said, noting one way in which it differs from the others on this list: North Korea regularly looks to steal hard currency, whether in national currency or cryptocurrency, for use by the government.

When he turned his attention to defense, Joyce had two main points: First, he said, cybersecurity is a team sport; government and private enterprise should share information on attacks and vulnerabilities so that the partnership can provide an asymmetric advantage against the attackers.

Second, he pointed out that the basics matter — things like multifactor authentication and regular software patching shouldn’t be ignored, because neglecting them makes the threat actors’ jobs much easier. He also included in those “basics” something that has proved to be difficult for many organizations: “Know your network,” Joyce said. “Attackers don’t care about what you think you have — they attack what’s really there.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/nsa-brings-nation-state-details-to-def-con/d/d-id/1332533?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vulnerable Smart City Devices Can Be Exploited To Cause Panic, Chaos

False alerts about floods, radiation levels are just some of the ways attackers can abuse weakly protected IoT devices, researchers warn.

Earlier this year, many residents in Hawaii were thrown into a temporary state of panic following an emergency alert on their mobile devices warning about an incoming ballistic missile.

The warning turned out to be the result of human error. But new research from IBM X-Force Red and Threatcare shows it would take little in the future for cyberattackers to deliberately cause widespread panic by triggering false alerts about catastrophic events, such as floods and radiation exposure.

Security researchers from the two firms recently tested multiple so-called smart city products deployed in a growing number of cities for uses like traffic management, monitoring air quality, and disaster detection and response.

In this case, the tested systems fell into three broad categories: industrial IoT, intelligent transportation systems, and disaster management devices. The products included those used for warning planners about water levels in dams, radiation levels near nuclear plants, and traffic conditions on highways.

The exercise unearthed 17 zero-day vulnerabilities, eight of them critical, in four smart city products from three vendors — Libelium, Echelon, and Battelle. Using common search engines like Shodan and Censys, the IBM and Threatcare researchers were able to discover between dozens and hundreds of these vulnerable devices exposed to Internet access.

With relatively little effort, they were also able to determine, in many cases, the entities using the devices and the purpose for which they were using them. For instance, they were able to identify an entity in Europe using smart devices to monitor radiation levels and a major US city using smart sensors to keep track of traffic conditions. The research found the vulnerable devices deployed across major US and European cities and in other regions of the world.

All three vendors have since patched the vulnerabilities or issued software updates, and so have the entities that were identified as using the vulnerable products.

In a report this week, Daniel Crowley, research director of IBM’s X-Force Red, described the results as “disturbing.”

“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” he said.

The researchers, for instance, found that an attacker could use vulnerabilities of the sort identified in their report to manipulate water sensors in such a manner as to report flooding in an area when there is none. More dangerously, the attacker could also manipulate the sensors to silence warnings of an actual flood event, whether caused by natural or human factors.

Similarly, the researchers found that attackers could exploit the vulnerabilities to trigger a false radiation alarm in areas surrounding a nuclear plant. “The resulting panic among civilians would be heightened due to the relatively invisible nature of radiation and the difficulty in confirming danger,” Crowley said.

Another scenario that presented itself during the research was of attackers manipulating remote traffic light sensors, causing traffic gridlock on a massive scale.

Troublingly, most of the vulnerabilities that IBM and Threatcare unearthed were of the easily discoverable kind, meaning the researchers had to put little effort into finding them. “While we were prepared to dig deep to find vulnerabilities, our initial testing yielded some of the most common security issues,” Crowley said.

Examples included default passwords, hardcoded admin accounts, SQL injection errors, flaws that allowed authentication bypass, and plaintext passwords. The research showed that many smart cities are already exposed to threats that are well-understood and should have long ago been mitigated, he said.

The results of the IBM and Threatcare study are another confirmation of the security issues posed by the growing adoption of smart city technologies worldwide. Organizations such as Gartner have predicted that over the next few years, cities will connect many billions of devices to the Internet for a wide range of use cases, greatly expanding the attack surface in the process.

A global survey of smart city security issues by ISACA earlier this year showed many are especially concerned about attacks targeting energy and communication sectors. Sixty-seven percent said they believe that nation-state actors present the biggest threat to smart-city infrastructure, and only 15% consider cities to be well-equipped to deal with the threat. The survey also showed that a majority (55%) thought the national government is best-equipped to deal with smart city cybersecurity threats.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerable-smart-city-devices-can-be-exploited-to-cause-panic-chaos/d/d-id/1332534?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

15,000-strong army of Twitter robots found spreading cryptocurrency spam

Twitter may be fighting the bot battle, but it’s still got plenty of multi-legged e-millipedes crawling around its ecosystem.

That was evidenced by a large, cryptocurrency scam-spewing collection of robot accounts – at least 15,000 of them – found by Duo Security researchers while they were conducting a three-month study.

The researchers announced the find on Wednesday at the Black Hat security conference.

The bots in this case were aimed at parting you from your precious cryptocoins with bogus posts – posts of the #Blockchain #Crypto #tokens #bitcoin #eth #etc #loom #pundix #icx #ocn #nobs #airdrop #ICO #Ethereum #giveaway type.

Of course, Twitterbots can be useful: they help keep weather, sports and other news updated in real-time, and they can help find the best price on a product or track down stolen content.

Bad bots, however, are the bane of Twitter’s existence.

For example, Twitter has recently purged tens of thousands of accounts associated with Russia’s meddling in the 2016 US presidential election.

More recently, in June, Twitter described how it’s trying to fight spam and malicious bots proactively by automatically identifying problematic accounts and behavior.

The cryptocurrency scambots found by Duo led to some valuable insights into both how robot accounts operate and how they evolve over time to evade detection.

Right now, the Duo Security researchers say the bots are still functioning, imitating otherwise legitimate Twitter accounts, including news organizations, to bleed money from unsuspecting users via malicious “giveaway” links.

The researchers even found Twitter recommending some of the robot accounts in the Who to follow section in the sidebar.

Typically, the bots first created a spoofed account for an existing cryptocurrency-affiliated account.

That spoofed account would have what appeared to be a randomly-generated screen name – say, @o4pH1xbcnNgXCIE – but it would use a name and profile picture pilfered from the existing account.

Bolstered by all that genuine-looking window dressing, the bot would reply to real tweets posted by the original account.

The replies would contain a link inviting the victim to take part in a cryptocurrency giveaway.

The accounts responsible for spreading the malicious links used increasingly sophisticated techniques to avoid automated detection, the researchers said, including:

  • Using Unicode characters in tweets instead of traditional ASCII characters.
  • Adding various white space between words or punctuation.
  • Spoofing celebrities and high-profile Twitter accounts in addition to cryptocurrency accounts.
  • Using screen names that were typos of a spoofed account’s screen name.
  • Performing minor editing on the stolen profile picture to avoid image detection.
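The evasion tricks listed above can be folded back out before an account is compared with the one it imitates. The following is an added Python example, not Duo's open-sourced tooling: it normalises Unicode look-alikes and padded whitespace, flags display names stolen from a trusted account and handles within two edits of a trusted handle, and scores a few constructed sample accounts. The trusted-account list, the confusable map and the samples are assumptions made for the demo.

```python
import re
import unicodedata

# Constructed demo data (not from the Duo study): two "trusted" brand accounts
# that scambots typically impersonate, as handle -> display name.
TRUSTED = {"ethereum": "Ethereum", "coinbase": "Coinbase"}

# Hand-picked look-alike map: Cyrillic/Greek letters that render like Latin ones.
# A production filter would use the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u0455": "s", "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",  # Cyrillic s, Greek o v a
}

SCAM_WORDS = ("giveaway", "airdrop", "send", "receive")


def normalize_text(s):
    """Fold the tricks back out: fullwidth/compatibility forms, look-alike letters,
    accents, zero-width characters and padded whitespace, then casefold."""
    s = unicodedata.normalize("NFKD", s)            # e.g. fullwidth 'F' -> 'F'
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(ch for ch in s
                if not unicodedata.combining(ch)       # drop diacritics
                and unicodedata.category(ch) != "Cf")  # drop zero-width/format chars
    return " ".join(s.split()).casefold()           # collapse whitespace runs


def levenshtein(a, b):
    """Edit distance; used to catch handles that are typos of a trusted handle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def account_signals(screen_name, display_name):
    """Profile-level signals: a trusted display name on a foreign handle, or a
    handle within two edits of a trusted one (e.g. 'coinbbase')."""
    handle, name = normalize_text(screen_name), normalize_text(display_name)
    if handle in TRUSTED:
        return []                                    # the genuine account
    signals = []
    for trusted_handle, trusted_name in TRUSTED.items():
        if name == normalize_text(trusted_name):
            signals.append("impersonates_" + trusted_handle)
        if levenshtein(handle, trusted_handle) <= 2:
            signals.append("typo_of_" + trusted_handle)
    return signals


def tweet_signals(text):
    """Tweet-level signals: non-ASCII letters that normalise to plain ASCII,
    whitespace padding around words/punctuation, and giveaway wording."""
    signals = []
    norm = normalize_text(text)
    if norm.isascii() and any(ch.isalpha() and ord(ch) > 127 for ch in text):
        signals.append("non_ascii_lookalikes")
    if re.search(r"\s{2,}|\s[!?.,]", text):
        signals.append("padded_whitespace")
    if any(word in norm for word in SCAM_WORDS):
        signals.append("giveaway_wording")
    return signals


def classify(screen_name, display_name, text):
    """Return ('suspicious' | 'ok', signals); two or more signals count as suspicious."""
    signals = account_signals(screen_name, display_name) + tweet_signals(text)
    return ("suspicious" if len(signals) >= 2 else "ok"), signals


# Constructed samples in the style the article describes (hypothetical accounts).
SAMPLES = [
    ("o4pH1xbcnNgXCIE", "Ethereum",                  # fullwidth "Free ETH" below
     "\uff26\uff52\uff45\uff45 \uff25\uff34\uff28 giveaway !!  Send 0.1 ETH , receive 1 ETH"),
    ("coinbbase", "C\u03bfinbase", "Airdrop for followers"),   # Greek omicron in the name
    ("ethereum", "Ethereum", "Constantinople testnet update"),  # the genuine account
]

if __name__ == "__main__":
    for handle, name, tweet in SAMPLES:
        verdict, why = classify(handle, name, tweet)
        print(f"@{handle:<16} {verdict:<10} {', '.join(why) or '-'}")
```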

Pumping up popularity

One job of these bots was to like tweets, in order to artificially pump up a given tweet’s popularity.

The researchers noticed that these “amplification bots” were also used to increase the number of likes for the tweets sent by other robot accounts, to give the scam an air of authenticity.

When the researchers mapped out the connections, they found clusters of bots that received support from the same amplification bots, thus binding them together.

The paper goes into far more detail regarding how complicated it is to research bots in the first place – one vexing problem, for example, is an ongoing lack of data on how many bots are on Twitter.

Does Twitter even know, itself? Can it at least give an estimate?

Unfortunately, it doesn’t matter if the answer to either question is “Yes”, given that the company doesn’t make such data public.

That made it tough for researchers to verify the accuracy of their “bot or not” models by comparing with public tweet data – instead, they had to cross-check classifiers against small data sets of already-identified bot accounts.

What next?

This is just the beginning, the researchers said in a post about the research.

They’ve open-sourced the tools and techniques they developed during their research and urged others to continue to build on the work and create new techniques to identify and flag malicious bots.

It’s all going towards keeping Twitter and other social networks “a place for healthy online discussion and community,” they said.

Readers, if any of you take the code and run with it, we’ll be interested to hear what you come up with, so please do let us know!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Sfqm5oTKGac/

Comcast Xfinity web flaws exposed customer data

There is no comfortable way for an organisation to learn that its website is leaking customer data but one of the most alarming must surely be getting that bad news from a journalist.

This is what appears to have happened to US communications giant Comcast Xfinity, which has had to patch two significant web vulnerabilities after Buzzfeed News learned of the issues from researcher Ryan Stevenson.

Flaw #1

The first was found on the in-home authentication page through which customers can pay bills without the inconvenience of having to log in.

It seems the company authenticated users by asking them to choose their home address from one of four possibilities, selected by looking at one of the headers added to the HTTP request.

The HTTP header used to “identify” the user contained their public-facing Comcast IP address – data that isn’t suitable to use as a secret identifier.

An attacker who knew your IP number could therefore insert it into their own web requests, and keep refreshing the identification page – each time they refreshed, the list of home addresses returned would include your address plus three randomly chosen other addresses.

The address that showed up every time would, rather obviously, be yours – the attacker wouldn’t ever even need to guess and risk getting locked out.

This would seem to prove the maxim that while IP addresses might not in themselves be personal, when combined with other data they can easily become so – knowing someone’s IP number should not be enough to track them to their home.

Flaw #2

The second issue, which builds on the first, was found on a sign-up page for Comcast authorised retailers.

Having used the first vulnerability to gain access to a customer’s address from their IP number, this page could allow an attacker to enter this to carry out a brute force attack to discover the last four digits of their US social security number (SSN).

After entering a valid address, an attacker could cycle through all 10,000 four-digit numbers (0000-9999) until one of them turned out to be the four digits that matched the customer’s SSN – there was no limit on the number of guesses or the speed at which they could be tried.

Again, why would this be useful? The weakness here is that a lot of businesses use the last four digits of the SSN to verify someone’s identity, which means that:

Hackers can use this four-digit combination to steal your identity by tricking customer service representatives into handing over online account access.

Theoretically, they might also be able to match those digits against full SSN numbers floating around on the dark web from older data breaches and perhaps narrow their search for full numbers.

Comcast has already fixed both flaws, and there is no evidence that anyone knew of or exploited them before they were discovered.

Nevertheless, what this incident reminds us of is the importance of bug bounties. Although these programs are often seen as a channel for researchers to report software flaws to vendors in return for money, web vulnerabilities and design weaknesses in websites can be just as important for security.

Surprisingly, although Comcast Xfinity provides a channel to report flaws, it doesn’t appear to run or be part of a third-party bounty program to receive news of either.

There was a time when no-one would have blinked at that approach but it’s tempting fate in an era when every and any vulnerability has a market value.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FwiHaKilJZU/

How one man could have hacked every Mac developer (73% of them, anyway)

Here’s a cool fact: Macs run Unix.

OK, in some ways that’s only very loosely true, when you think of all the non-Unixy stuff on top of the Darwin base layer, and we welcome your comments below to explain just how carelessly loose we have been…

…but Macs are Unix computers – in fact, they’re UNIX computers – at least if they’re running a currently supported macOS, and that means lots of cool, useful, well-known and powerful tools for sysadmins, developers and power users, preinstalled and ready to go.

Here’s an eclectic, alphabetically-ordered subset of the utility programs that arrive on every brand new Mac, taken from the /usr/bin directory:

   2to3          indent         ruby
   awk           json_pp        sed
   banner        krb5-config    tail
   caffeinate    less           umask
   dc            man            vi
   env           nice           which
   file          openssl        xargs
   grep          perl           yes
   head          quota          zip

If Perl and Ruby don’t @float your $boat (language-war comments below, please, no need to hold back), you can also choose from other open-source programming languages such as Java, PHP, Python and Tcl.

Despite all this ready-to-go choice, however, Mac developers miss the ease with which their Linux chums can grab additional open source software packages.

Linux distros famously come with one or more package managers that can be told, with a single command in a terminal window, to call home, find the latest version of super-useful toolkit X, fetch it and install it.

No need to hunt down the X project online, find the right fork, identify the latest version, download the source code, inspect it, apply any needed tweaks, configure it, compile it, and install it.

Slackware, Debian, Gentoo, Arch and Void Linux, for a five-fold variety, have slackpkg, apt-get, portage, pacman and xbps – tools that make it easy not only to grab new software packages but also to keep your existing ones up to date.

Running a command-line package manager isn’t quite as easy to learn as clicking About This Mac > Software Update..., but package managers generally give you much better control over and visibility into the updating process.

Importantly, package managers make it easy not only to fetch new programs you need, but also to remove them when you don’t need them any more.

For example, if I were suddenly to decide that I needed Emacs on my Slackware box after all, this would do it:

    slackpkg search emacs
    . . .
    The list below shows all packages matching 'emacs'

    [uninstalled] emacs-26.1-x86_64-1
    [uninstalled] emacspeak-38.0-x86_64-1

    slackpkg install emacs

    -- and when I recovered my equanimity once more

    slackpkg remove emacs

It’s not quite the same thing as a package manager, but if you’re comfortable in a terminal window on your Mac, try the command softwareupdate --help or man softwareupdate. Once you’re used to softwareupdate --list, softwareupdate --download and sudo softwareupdate --install, you’ll never use the App Store GUI again for macOS patches.

Package managers for Macs

Over the years, various open source package managers have appeared on the Mac scene, aiming to bring the convenience and familiarity of tools like slackpkg and apt-get to the macOS ecosystem.

The big three are MacPorts, Homebrew and Fink – they’re as similar as they are different – and according to an entirely unscientific Naked Security poll on Twitter, they’re used in these proportions:

As the poll suggests, a significant proportion of Mac users use one of these tools [40%+11%+4% = 55%], and 73% of those that do are using Homebrew [40%/(40%+11%+4%) = 73%].

Package managers generally do some or all of these things whenever you install a new package or update an existing one:

  • Download the needed code, scripts and executable files from an online repository.
  • Run some of these downloaded scripts and programs immediately to build or configure the package.
  • Install the newly-prepared packages so they are available for use.
  • Repeat the above steps for any other packages that are needed to make the chosen package work.
  • Repeat the above steps for any packages needed by the packages needed to make the chosen package work.
  • And so on. (This recursive download of packages as an automatic by-product is known in the jargon as satisfying the dependencies).

In most cases, at least some of the stages in the package manager’s workflow require root access, meaning that the package manager software runs as root at least some of the time, notably when copying new files into place.

What could go wrong?

You can see that there’s a lot that could go wrong here.

One hacker with write access to the repository, or one buggy package in its midst, even briefly, and thousands of users – perhaps even hundreds of thousands – might end up with a deeply unpleasant surprise.

Ironically, in the event of a rogue modification to a package that is very widely depended upon, users who are more punctilious about keeping up to date will be more likely to download and therefore to be affected by a malicious dependency.
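To make the recursive dependency walk and the blast-radius point concrete, here is an added Python example (not Homebrew's or any package manager's real code) over a constructed, hypothetical formula graph: it resolves an install order the way the steps above describe, inverts the graph to find every package a rogue build would taint, and shows which users in a made-up population are exposed, namely the ones who update promptly.

```python
from collections import deque

# Constructed, hypothetical formula graph (not Homebrew's real data):
# package -> the packages it depends on directly.
DEPENDS_ON = {
    "openssl":  [],
    "readline": [],
    "sqlite":   ["readline"],
    "python":   ["openssl", "readline", "sqlite"],
    "curl":     ["openssl"],
    "git":      ["openssl", "curl"],
    "node":     ["openssl"],
    "vim":      ["python"],
}


def install_plan(package, graph=DEPENDS_ON):
    """Satisfy the dependencies recursively (the 'repeat the above steps' loop):
    return packages in install order, dependencies first, each listed once."""
    order, done = [], set()

    def visit(pkg, path):
        if pkg in done:
            return
        if pkg in path:
            raise ValueError("dependency cycle through " + pkg)
        if pkg not in graph:
            raise KeyError("unknown package " + pkg)
        for dep in graph[pkg]:
            visit(dep, path | {pkg})
        done.add(pkg)
        order.append(pkg)

    visit(package, frozenset())
    return order


def reverse_deps(graph=DEPENDS_ON):
    """Invert the graph: package -> packages that depend on it directly."""
    rev = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def blast_radius(compromised, graph=DEPENDS_ON):
    """Every package whose install or upgrade would transitively pull in a rogue
    build of `compromised`: the set a defender must treat as tainted."""
    rev = reverse_deps(graph)
    affected, queue = set(), deque([compromised])
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in affected:
                affected.add(dependent)
                queue.append(dependent)
    return affected


def exposed_users(compromised, users, graph=DEPENDS_ON):
    """users: {name: (top-level packages installed, updates promptly?)}.
    A user is exposed if an installed package reaches `compromised` AND they
    update promptly: the diligent updaters are the ones who fetch the bad build."""
    tainted = blast_radius(compromised, graph) | {compromised}
    return {name for name, (pkgs, updates) in users.items() if updates and pkgs & tainted}


# Constructed user population for the demo.
USERS = {
    "alice": ({"git"},      True),   # updates every morning
    "bob":   ({"vim"},      False),  # never upgrades anything
    "carol": ({"node"},     True),
    "dave":  ({"readline"}, True),   # does not depend on openssl at all
}

if __name__ == "__main__":
    print("install order for vim:", install_plan("vim"))
    print("packages tainted by a rogue openssl:", sorted(blast_radius("openssl")))
    print("users exposed via prompt updates:", sorted(exposed_users("openssl", USERS)))
```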

How safe are package manager ecosystems?

The potential impact of a well-thought-out hack into one of the many package management ecosystems out there is a pet concern of security researcher Eric Holmes.

Hacks against the very repositories that many of us rely upon for software updates are known in the jargon as supply-chain attacks – after all, the modern supply chain often doesn’t involve any factories, ships, trains, inventories, trucks, pallets or forklifts.

So, Holmes decided to take a look at the supply chain for Homebrew, or Brew for short – we’re guessing he picked Brew not only because he knew it was the most popular amongst the Mac community, but also because he uses it himself.

The results were, in a word, salutary.

For the details, be sure to read Holmes’s article (it’s superbly compact and clear, though some technical background to source code repositories and web authentication is helpful).

Very simply put, Holmes found a Homebrew server – one that was intended to be public – that tracks the details of which packages have been modified, rebuilt and tested recently.

Most companies with build-and-test servers of this sort (Homebrew uses a popular open source toolkit called Jenkins) keep them private, but it’s hard to fault Homebrew for being transparent in this way – the packages it builds and distributes are themselves open, free and public.

Unfortunately, Holmes quickly found a web page he could click through to that turned up this:

Don’t worry if tables of this sort aren’t something you’re used to – the important part is that Homebrew had accidentally leaked what’s called an API token.

This is essentially an access key that, when inserted into web requests made to Homebrew’s GitHub account, tells the server what access rights to grant to those requests.

API tokens are unique, so they can’t be guessed; they’re typically acquired by logging in with a username, password and perhaps a two-factor authentication code, so they’re only available to trusted users; they’re only ever sent over encrypted HTTPS connections, so they’re kept away from prying eyes…

…and they’re very definitely not meant to be published!

Long story short, Holmes was able to copy this API token, paste it into his own web requests, and get read-and-write access to much of Homebrew’s GitHub content.

As he explains in his post, he could have hacked pretty much any Homebrew package, thereby infecting any and every Mac user who installed or updated that package – or, of course, any other package that depended on it.

And, as Holmes wryly pointed out, the most downloaded package in the last 30 days at Homebrew is itself all about cybersecurity: openssl, with more than half-a-million installs last month.

That’s a lot of Brew users – and by implication a lot of developers who themselves build software for distribution to other people – whom he could have put on the spot.

What to do?

If you’re a Brew user, there’s no need for alarm and no immediate action you need to take.

Holmes disclosed this responsibly to the Homebrew crew, who fixed the issue right away – within a few hours, in fact – and published a short, frank and informative disclosure notice.

As in the case of Gentoo’s recent supply-chain breach, the disclosure notice is worth reading whether the incident directly affects you or not.

Homebrew included some security precautions that the team is planning to add, and why.

So, that’s our suggestion in this case: read Homebrew’s security disclosure.

Supply-chain attacks can have wide-reaching effects, so ask yourself, “What can I and my own organisation learn from this?”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yKcuEx9-E7w/

Off-colour tweet earns Google’s Spectre whizz a midnight eviction from Caesars and DEF CON

Black Hat/DEF CON At midnight on Thursday Matt Linton, a senior Google engineer who was one of the key players in sorting out the Spectre security hole mess, went to his hotel room in Caesars Palace and found his room key no longer worked.

When he went to reception to find out what the problem was, he was met by two security guards who took him to the room, told him to pick up his stuff and escorted him off the premises. He was also given a written warning that he would be prosecuted if he set foot in the hotel again, which, considering it’s the main venue for this year’s DEF CON hacking conference, is a considerable embuggerance, since the show is one all hardcore hackers try to get to.

The hotel’s security director told him, “They don’t take kindly to threats.” “Sir, your speech has consequences so you better think about that in the future before you threaten,” was another comment from the security team.

This apparently stemmed from a jokey tweet earlier in the week, which you can read in full below:

While somewhat off-colour, anyone with an ounce of security knowledge could see that this was a joke about how hackers attack the dumbest and easiest low-hanging fruit. But it was enough to earn him a visit from the Las Vegas Police Department the next day.

By the account of one person who was there, the matter was quickly and amicably resolved. Once Linton explained the context of the comment the LVPD were completely satisfied and even liked and retweeted his explanation online.

Things get weird

So the matter appeared settled. But then Linton was booted out by Caesars and, to add insult to injury, he was charged half of the day rate for his room, despite being ejected into Las Vegas in the early hours of the morning with little hope of finding a hotel room.

Linton told The Register that “[the hotel] definitely told me that the conference organizers were worried about my ‘threat to their venue’”. This seems highly unlikely – DEF CON organisers would be able to see the tweet for what it was and understand the joke.

It’s doubly unlikely the organisers objected because the Black Hat and DEF CON hacking conferences have plenty of members who were persecuted by law enforcement in the early days of the industry. Nowadays the NSA, CIA and defense contractors routinely recruit at the two shows because they recognise the talented people who attend have skills that are needed.

What’s more likely is that the recent history of Las Vegas had something to do with this. On October 1 last year the city suffered one of the worst mass shootings in American history when a scumbag whose name isn’t worth remembering killed 58 people and injured 851 others shooting from his room in the Mandalay Bay hotel – which coincidentally hosts the Black Hat conference Linton spoke at this year.

The atrocity hit the city hard and inspired the #vegasstrong movement but also put the police on high alert to prevent any repeat of the incident. Noted security writer Kim Zetter, who was also attending this year’s conferences, had her room at the Mandalay Bay forcibly searched because she didn’t want housekeepers rummaging through her room.

Blowback

Given it’s the wee hours of the morning here in Las Vegas there has been no response from the hotel about the situation.

DEF CON organisers tell El Reg they haven’t seen any mention about the incident and are checking to see what happened. But this looks suspiciously like this is another case of overzealous big corporate butt-covering leading to blowback.

“I don’t actually think anyone at DEF CON complained – I think [the hotel employee] was just trying to make me feel like nobody was on my side so I would stop asking for escalations,” Linton told The Reg.

It was only last year that the FBI arrested Marcus Hutchins, the youthful hacker who killed off the mass Wannacry ransomware attack that nearly crippled the UK’s National Health Service, as he left DEF CON – on charges that alleged he might have written some malware as a teenager.


Hutchins has since been stranded in the US for a year while the Wisconsin department of the FBI tries to get its case together that he’s a dangerous criminal, seemingly on the evidence of a single stool pigeon. Linton’s case isn’t as serious, but it seems to be part of a pattern of paranoia.

In the opinion of this vulture someone at the Caesars probably panicked and decided to kick Linton out just to be on the safe side. This is, after all, the land of the lawsuit and corporates are terrified of getting sued.

After the Mandalay Bay murders, the litigation started flying and MGM, which runs the hotel, actually sued the survivors of the abomination so that it could obtain legal protection from lawsuits brought by those who survived – the first time such a tactic had been seen.

Linton is well respected in the security industry – not just for his Spectre work but also because he does important work mentoring younger security talent. He is also a volunteer emergency medical technician who heads to disaster zones when the need is there. His banning from DEF CON threatens to cast a shadow over the conference, and won’t help convince the elite hackers who attend that they are in a friendly environment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/10/linton_caesars_eviction/

Congresscritters want answers on Tillerson’s rm -rf /opt/gov/infosec

US House Democrats are asking Republicans to subpoena the State Department over its decision to shut down a key government cybersecurity office.

Reps Elijah Cummings (D-MD) and Robin Kelly (D-IL) penned an open letter [PDF] to Oversight and Government Reform committee chairman Trey Gowdy (R-SC) this week asking that he issue a subpoena for documents relating to Secretary of State Rex Tillerson’s 2017 decision to close the Office of the Coordinator for Cyber Issues (CCI) – the organization responsible for threat response and security within the State Department.

The fear is that, absent a coordinator, this crucial department will be unable to adequately protect its systems from miscreants or keep its IT setup in compliance with the Federal Information Security Management Act.

The two Democrats say that, since September of last year, they have been asking the State Department to hand over documents that could shed light on the decision to close the office, and what plans are or were in place to make sure its cyber security duties would be picked up by other parts of the department. Rather than produce the requested documents, the pair claimed, the department has been recirculating old documents.

“Since then, the Department has failed to produce the documents we requested on a bipartisan basis,” the letter stated.

“On November 1, 2017, the Department made a production of 20 pages that included nothing but the already-public 10-page letter from Secretary Tillerson to Congress and assorted cover letters to other Members of Congress.”

To get those documents, the Democrats want Gowdy to issue a subpoena that would force the State Department to produce the requested info. If Gowdy, a staunch Trump ally, decides not to issue the subpoena (a distinct possibility), the duo would instead ask that the matter be put up for vote by the Committee on Oversight and Government Reform.

“If you decide not to issue this subpoena, then we ask you to place this matter on the agenda for our next regularly scheduled business meeting so all committee members may have the chance to compel this information,” the duo wrote.

In the meantime, Congress has already taken action to overturn Tillerson’s decision. The Cyber Diplomacy Act of 2017 was passed by the House in January, and is currently awaiting a vote in the Senate. The bill would reinstate the CCI position at the level of an ambassador, protecting the office from being cut again by the State Department. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/10/tillerson_cyber_issues_shutdown_probe/

Hi-de-Hack! Redcoats red-faced as Butlin’s holiday camp admits data breach hit 34,000

Updated: Holiday camp and British institution Butlin’s has admitted 34,000 visitor records have been compromised.

Guest names, holiday dates, postal addresses, email and telephone numbers have been exposed. Butlin’s said payment card details are not at risk.

The breach was the result of staff responding to a phishing email that posed as a message from the local council. All breaches of personal information create a heightened risk from phishing emails and ID theft. The Butlin’s leak is worse than most lower-level breaches because it reveals when homeowners are likely to be away from their properties.

The incident has been reported to the Information Commissioner’s Office. Butlin’s has also begun informing affected holidaymakers, something it promised to complete over the next three days.

Butlin’s joins the long and depressing list of organisations who have fallen victim to breaches for one reason or another. El Reg asked Butlin’s to comment on the incident but we’re yet to hear back. ®

Update

The Register received a statement from Butlin’s:

Butlin’s can confirm that up to 34,000 of their guest records may have been accessed by an unauthorised 3rd party.

Butlin’s would like to assure their guests that all their payment details are secure and have not been compromised.

The data which may have been accessed includes booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers.

Investigations, however, have not found any fraudulent activity related to this event. Guests who may have been affected are being contacted directly by Butlin’s to let them know what’s happened, what they should do and what is being done to resolve the situation.

Butlin’s have also reported this incident to the Information Commissioner’s Office.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/10/butlins_data_breach/

6 Eye-Raising Third-Party Breaches

This year’s headlines have featured a number of high-profile exposures caused by third parties working on behalf of major brands.

Image Source: Adobe Stock (the_lightwriter)

According to data released earlier this year, the most expensive data breaches start with third parties. Whether it is from poor configuration of online resources managed by a service provider, insecure third-party software, or insecure communication channels with partners, working with third parties can expose organizations to a ton of risks if they don’t pay close enough attention.

This year has offered up some crucial examples of the consequences of lax partner and vendor management. Here are a half-dozen highlights.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/attacks-breaches/6-eye-raising-third-party-breaches/d/d-id/1332522?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Enigma of AI & Cybersecurity

We’ve only seen the beginning of what artificial intelligence can do for information security.

Alan Turing is famous for several reasons, one of which is that he cracked the Nazis’ seemingly unbreakable Enigma machine code during World War II. Later in life, Turing also devised what would become known as the Turing test for determining whether a computer was “intelligent” — what we would now call artificial intelligence (AI). Turing believed that if a person couldn’t tell the difference between a computer and a human in a conversation, then that computer was displaying AI.

AI and information security have been intertwined practically since the birth of the modern computer in the mid-20th century. For today’s enterprises, the relationship can generally be broken down into three categories: incident detection, incident response, and situational awareness — i.e., helping a business understand its vulnerabilities before an incident occurs. IT infrastructure has grown so complex since Turing’s era that it can be months before personnel notice an intrusion.

Current iterations of computer learning have yielded promising results. Chronicle, which was recently launched by Google’s parent company, Alphabet, allows companies to tap its enormous processing power and advanced machine learning capabilities to scan IT infrastructure for unauthorized activity. AI² quickly learns how to differentiate true attacks from merely unusual activity, alleviating a vexing problem for IT security teams: false positives. There are numerous other examples of AI-based solutions, such as Palo Alto Networks’ Magnifier, which uses machine learning to automate incident response, utilizing another strength of AI: speed.

These advances arrive at an opportune moment because the risks from cybercrime are rapidly growing; estimates put the worldwide cost at about $600 billion annually. The average cost of a data breach is estimated at $1.3 million for enterprises and $117,000 for small businesses, and companies are taking note. According to ESG research, 12% of enterprise organizations have already deployed AI-based security analytics extensively, and 27% have deployed AI-based security analytics on a limited basis.

Moreover, cybersecurity in the years ahead will be increasingly challenging. Enterprises and computers are relatively static and well-defined at present, but securing information amid the Internet of Things, in which almost every device will be programmable and therefore hackable, is going to be far harder. Soon, we won’t just have to safeguard unseen servers anymore but also our cars and household devices.

Unfortunately, AI has also become available to hackers. Dark Web developments to date merit serious discussion, such as machine learning that gets better and better at phishing — tricking people into opening imposter messages in order to hack them. Further down the road, machines could take impersonation one step further by learning how to build fake images. Experts are also worried AI-based hacking programs might reroute or even crash self-piloting vehicles, such as delivery drones.

I suspect that in the future, users on the front end will be blissfully unaware that behind-the-scenes battles between good and bad learning machines rage, with each side continually innovating to outsmart the other. Already, the synthesis of AI and cybersecurity has yielded fascinating results, and there is no doubt we are only at the beginning. I am reminded of a quote by Dr. Turing: “We can only see a short distance ahead, but we can see plenty there that needs to be done.”

Dr. Dongyan Wang is Chief AI Officer at DeepBrain Chain, the world’s first AI computing platform powered by the blockchain. Dr. Wang has almost 20 years of experience in AI and data science, including at several Fortune 500 companies. Among other accomplishments, Dr. Wang has …

Article source: https://www.darkreading.com/endpoint/the-enigma-of-ai-and-cybersecurity/a/d-id/1332464?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple