STE WILLIAMS

Two men busted for hijacking victims’ phones and email accounts

Police busted two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining fat cryptocurrency wallets and hijacking OG social media accounts.

OG is short for “original gangster” and refers to high-value social media account names: tempting to account kidnappers either because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few with a history of getting hijacked.

An 11-count indictment charges the two men – Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts – with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for their alleged crime spree, which stretched from November 2017 to May 2018 and stripped $550,000 worth of cryptocoins from at least 10 victims in the US.

The Justice Department (DOJ) said that besides SIM swaps, the two also allegedly used computer hacking to get what they were after.

Prosecutors allege that Meiggs and Harrington took over their targets’ mobile phone and email accounts via SIM-swapping: One would allegedly call a mark’s phone provider and, pretending to be that person, would sweet-talk the provider into transferring the number to a new SIM card.

How they get away with SIM swaps

As we’ve explained, SIM swap fraud, also known as phone-porting fraud, works because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Of course, it takes time to discover that you’ve been SIM-swapped, and it takes time to notify your provider and explain it all. Crooks take advantage of that lag time to rifle through your accounts. Doing so gives them the ability to do many things, none of them good. We recently saw a victim who had his sex tapes whisked out from under him – after which the crook tried to sextort him, threatening to release the material if he didn’t pay up. We’ve seen bank account balances melt, and we’ve seen Bitcoin wallets drained.

Mixed results

Prosecutors say that Meiggs and Harrington didn’t always pull it off: their first two alleged attempts at getting at a would-be victim’s cryptocurrency wallet failed. They allegedly swapped the SIM, took over the target’s email accounts, and tried to communicate with one victim’s contacts, but then they couldn’t access the victims’ cryptocoin wallets.

They allegedly had better luck in four other cases.

In one case, they allegedly took over a mark’s Facebook and Gmail accounts and changed the passwords, locking out the victim. They allegedly reached out to that victim’s contacts, requested funds, and succeeded, talking the mark into sending them about $100,000 worth of cryptocurrency. As far as “Victim 5” goes, the duo allegedly took over their LinkedIn, Facebook, and Twitter accounts, as well as their cryptocurrency exchange accounts. They allegedly got $10,000 worth of cryptocurrency from that one, went on to phone his wife, and sent a text to his daughter telling her to…

TELL YOUR DAD TO GIVE US BITCOIN.

Ring a bell? It should if you savor stories about SIM swappers getting busted. That’s the same message, sent to a cryptocurrency investor’s daughter, linked to a then 20-year-old college student from – hello again, Massachusetts! – Boston who was arrested at the LA International Airport in July 2018.

Bound for Europe, the SIM swapper, Joel Ortiz, was lugging a Gucci bag: only one piece of swag among many that prosecutors said were bought with the proceeds of cryptocurrency that he ripped off in SIM-swap scams. He was accused of stealing $5 million in Bitcoin, copped a plea and, in February 2019, was sentenced to 10 years in prison.

The DOJ didn’t say that Ortiz was working with Meiggs and Harrington, but it wouldn’t be surprising if he were, given that all three are from Massachusetts and that they’ve all been linked to that “TELL YOUR DAD” text.

Besides the 2017-2018 cryptocurrency thefts, prosecutors allege that from 2015 to 2017 Meiggs also tinkered with taking over OG accounts via SIM swapping. He’s charged with taking over a victim’s phone number and then holding it for ransom in exchange for access to the targeted account.

In another case, Meiggs allegedly couldn’t be bothered with a SIM swap. Instead, he allegedly chose to threaten to kill the victim’s wife if they didn’t hand over the account.

What to do?

Here’s our advice on how to avoid becoming a victim:

  • Set up a PIN or password on your cellular account. This could help protect your account from crooks trying to make unauthorized changes. Check your provider’s website for instructions on how to do it, or just call so they can walk you through it.
  • Real companies don’t ask for passwords or verification codes. If somebody calls, says they’re one of your financial companies or your phone service provider, and asks for your password or verification code, get off that call: they’re a scammer. If you need to talk to your cellular provider or financial institution, look up the phone number, on the back of your card or on a legitimate website, and call them yourself.
  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was an 87X4TNETENNBA.
  • Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific webpages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If you’ve already been SIM-jacked …

  • Contact your cellular service provider immediately to take back control of your phone number. Then, change your account passwords.
  • Check your credit card, bank, and other financial statements for unauthorized charges or changes. If you see any, report them.
  • If you think somebody’s already got your information, such as your taxpayer ID or your payment card or bank account number, the Federal Trade Commission (FTC) has advice on steps to take. If you’re in the UK, check out tips and resources from the Information Commissioner’s Office (ICO) and/or Action Fraud.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/J1Y9CgBcaSw/

GitHub launches Security Lab to boost open source security

When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab.

Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage.

It sounds so obvious, it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog:

Securing the world’s open source software is a daunting task.

The JavaScript ecosystem alone encompasses more than a million projects, not helped by the daunting 500:1 ratio of developers to security experts with the knowledge of how to fix things.

Lots of developers crank out vulnerable code, leaving a tiny clean-up squad to pick up the mess of a problem that sprawls across thousands of companies.

Feeling depressed yet? Don’t be – that’s where GitHub’s Security Lab steps in.

To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMware, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn.

This has already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said.

Vulnerability count

The list of goodies goes on, such as Security Lab making available a free-to-use analysis engine, CodeQL, which GitHub acquired when it bought Semmle in September:

If you know of a coding mistake that caused a vulnerability, you can write a query to find all variants of that code, eradicating a whole class of vulnerabilities forever.

Perhaps the simplest innovation of all is that Security Lab will operate as a CVE Numbering Authority (CNA) – a critical piece of security architecture for a project that aims to shine a wider light on security problems in open source projects.

Currently, GitHub says at least 40% of security flaws affecting open source don’t receive a CVE when they’re announced, which means they are excluded from public databases that tell customers they have something to patch.

Security Lab will sort this with security advisories for users of affected projects, backed by automated security updates when patches are available and a Security Advisory API to integrate the flaw database into third-party tools.

There’s even a neat token-scanning system to spot hard-coded credentials in the formats used by 20 different cloud providers:

When we detect a match, we notify the appropriate service provider and they take action, generally revoking the tokens and notifying the affected users.

Will it work?

Let’s return to the sheer scale of the open source security problem and the difficulty of enrolling enough of this base to make a difference.

Open source is, and always has been, a world of the long and hard-to-reach tail. GitHub is hopeful its Security Lab will hack off a chunk of this but that might still leave a lot of barely monitored projects in the wild.

There’s also the small issue of whether open source developers will trust something that is a collaboration between Microsoft and lots of other makers of big-brand proprietary software.

The optimistic argument is that the real innovation here isn’t simply the setting up of a single open source vulnerability management platform, but the way it might embed the use of scanning tools and methodologies.

The best way to secure anything is to make it secure before it is released and to accelerate the process of finding, publicising and fixing flaws when they are found.

On a separate front, GitHub also announced its Archive Code Vault, a sort of cold storage vault for open source code located in an underground Arctic bunker.

Just like lifeforms, it turns out that code can go extinct too. If developers can’t find every flaw today, at least in years to come they’ll know where to look.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/pPayEpWTksQ/

NSA won’t collect phone location data, promises US government

US intelligence agencies won’t harvest US residents’ geolocation data in future investigations, revealed the US government this month. In fact, it hasn’t done so since last summer.

The last 18 months have seen significant changes to the US’s collection of phone location data. Since 1994, law enforcement agencies in the US had been able to access court records thanks to an amendment to the 1996 Stored Communications Act. Under this legislation, a judge could give prosecutors access if they could justify that call records were relevant and material to an ongoing investigation.

That all changed in a lawsuit brought by Tim Carpenter, who was convicted in 2011 after federal prosecutors trawled cell phone location data, tying his phone to the time and location of several robberies. Carpenter sued in appeals court, claiming that the trawling violated his Fourth Amendment rights. He lost on appeal, but then the case went to the Supreme Court, which ruled in his favour in a 5-4 vote.

That decision stopped the warrantless collection of phone location data by police and federal law enforcement, but what about for the intelligence community?

In 2001, section 215 of the USA PATRIOT Act amended Title V, Section 501 of the Foreign Intelligence Surveillance Act (FISA), allowing intelligence agencies to collect metadata on calls (known as call detail records, or CDRs), which they store in repositories and secure networks. The NSA can query the metadata when it has reasonable suspicion that the call could be associated with foreign terrorist organizations.

Section 215 is on the Congressional agenda right now because it is set to expire under the 2015 US Freedom Act, which was created to preserve the CDR program in a constrained form. Unless Congress renews Section 215 it will cease to exist on 15 December 2019.

The NSA’s track record on CDRs has been patchy. In 2018, it flushed the CDRs that it had collected since the inception of the 2015 program, admitting that “technical irregularities” meant it had collected the details of calls that it didn’t have the rights to access. Then, this year it asked the White House for permission to terminate the program because it wasn’t worth the effort.

In March this year, Senator Ron Wyden wrote to the Director of National Intelligence Daniel Coats asking him about the intelligence community’s intentions following the Supreme Court ruling. Coats reportedly replied that he still hadn’t provided guidance to intelligence agencies on the subject. Wyden wrote again on 30 July 2019, pressing the point:

If Congress is to reauthorize Section 215 before it expires in December, it needs to know how this law is being interpreted now, as well as how it could be interpreted in the future.

Coats has since resigned. Last week, the Office of the Director of National Intelligence wrote back, explaining that it hadn’t reached a position on the status of criminal investigations under Title V.

In the letter, Benjamin T Fallon, assistant director of national intelligence for Legislative Affairs, explained that neither the DOJ nor the intelligence community had reached a legal conclusion about Title V phone metadata searches following the Carpenter case, and that the issue was such a constitutional and statutory hot potato that they hadn’t done so since the Supreme Court ruling. Currently, they use Titles I and III of FISA to get access to phone metadata, the letter said.

Things seemed clearer when counterterrorism investigations were involved. The letter added that CDRs don’t legally include phone location data (otherwise known as cell site location information):

Finally, with respect to an application under Title V for the production on an ongoing basis of call detail records relating to an authorized counterterrorism investigation, the statute expressly provides that the term “call detail record” does not include “cell site location or global positioning system information…

Thus the government may not obtain CSLI or GPS-based location information in the case of such applications under Title V of FISA.

Since its request to terminate the CDR program, the NSA has asked that it maintain its right to reintroduce it. The latest word from the Democrats is reportedly that they will drop authorisation for the NSA’s metadata collection program altogether, taking it off the table as of next month.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OAnWer77ZhM/

Pemex hit by ransomware, US Postal Service gets a copycat and new WhatsApp bugs

It’s time for another Register security roundup of the week’s smaller stories you may have missed.

FedEx says exposed driver database was a ‘test system’

US parcel delivery company FedEx has acknowledged that it left an exposed database containing detailed driver and delivery information, but says the information was part of a test system.

Security researcher Devin Stokes found and responsibly disclosed the open database to FedEx. Once it was removed (after more than a week of trying to get the company’s attention), Stokes exclusively shared with El Reg the details on what was within: detailed information on driver trips and reports on accidents, including the cause.

Stokes said the database also included stats on day-to-day operations, with things like geofencing data and even alerts for when drivers were going over the speed limit in their delivery vehicles.

“[FedEx] can confirm this site was used for testing and contained no sensitive information,” a spokesperson told El Reg. “It has since been decommissioned.”

We imagine the drivers whose speeding patterns were being tracked might not agree with that assessment. Either way, congrats to Devin on the find.

Pemex popped

One of the largest oil companies in the world had to deal with a ransomware infection recently, as Mexico’s Pemex said it fell victim to a malware infection in one of its corporate networks.

The oil giant said that its operations were not impacted by the attack, and none of its industrial systems or any safety gear was touched by the ransomware.

Symantec patches vulnerability in AV offering

Once again, a bug in a popular security suite is, ironically, putting users at risk of malware infections.

This time, it’s Symantec’s Endpoint Protection software that is vulnerable, according to researchers with SafeBreach.

The flaw is nearly identical to the one found earlier in McAfee antivirus and is related to insecure loading of DLL files. An attacker who exploited the flaw could run arbitrary code and commands on the target machine and, more importantly, maintain persistent access even after a restart.

There is one major mitigating factor here: the attacker already has to have access to the machine with admin clearance. If that is the case, there’s not much need for this sort of exploit, so while you should update your software with the patch, it shouldn’t be a massive security concern.

Check Point breaks down Qualcomm’s TPM code isolation

Those interested in the intricacies of on-chip security protections should take a look at this report from Check Point detailing how its team was able to uncover flaws in the TPM protections of Qualcomm processors.

The in-depth report shows how the researchers were able to uncover the vulnerabilities that would let unprivileged code elevate itself to privileged status, potentially allowing for sensitive information within the secure enclave on the chip to be read.

WhatsApp warns of remote code via video bug

Facebook’s WhatsApp has posted notice of a vulnerability in the mobile versions of the messaging app that could potentially allow for remote code execution. The flaw is due to a buffer overflow that is exposed when viewing a specially-crafted MP4 file.

Users can protect themselves against exploits by making sure to update to the latest version of the Android, iOS, or Windows Phone app.

$200m to 1

Security tool 1Password has been around for more than a decade now, but that doesn’t mean it can’t still kick up some VC bucks. The developer this week revealed that it had just finished up a $200m Series A funding round, giving it more than enough cash for expansion.

US Postal Service the latest malware lure

The team at Proofpoint says that among a series of new scam emails being used to spread malware is a message claiming to come from the US Postal Service.

The fake notices include a Word file that has been poisoned with the exploit code itself. Opening up the file will result in the attempted installation of a banking trojan.

With the holiday shopping season set to kick off, users should be wary of any message claiming to be from the USPS or other delivery service.

Cisco Talos warns of custom dropper malware

Researchers with Talos are warning that a long-running malware campaign has been reinvigorated with the use of customized dropper tools. The hackers are believed to have taken existing malware and slightly modified it, allowing the droppers to potentially skirt detection by security software. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/18/security_roundup_15_november/

1Password hopes to cross some items off its todo list with help from $200m in venture capital

Some 14 years after it was founded and with no external funding taken in during that time, 1Password has finally succumbed to the charms – and $200m in cash – of venture cap biz Accel.

1Password was founded by Dave Teare along with Roustem Karimov in 2005, and Teare noted the shock the decision may cause.

“As a completely bootstrapped company that has never taken a dime of outside investment, this announcement may come as a bit of a surprise,” he wrote on Medium.

Teare said staff numbers have now grown to 174 but that the “TODO list has been growing, and the growth rate of our list has been accelerating”. Exactly what that list contains is not stated, but he did say that privacy and security are the two areas of focus.

Arun Mathew and Ethan Chou at Accel said that the investment in 1Password is “our largest initial investment in any company in our more than 35-year history”, claiming that “1Password’s Enterprise Password Management solution is the critical third pillar of the enterprise identity stack.”

Single sign-on is insufficient, they said, because it does not integrate with all applications, and multi-factor authentication “creates an additional layer of friction for users”. They pointed to 1Password’s work on SCIM (System for Cross-domain Identity Management) bridges as evidence of the company’s innovation. SCIM is a standard API for exchanging user identities between systems and is supported by identity providers including Azure Active Directory and Okta.

Not everyone is impressed with the deal. David Heinemeier Hansson, creator of Ruby on Rails and a vocal opponent of venture funding, commented on Twitter: “I fully expect them to go to shit. 1PW now need to become a many billion-dollar company OR DIE TRYING. That usually leads to desperate/shitty decisions.”

Password leakage and successful phishing attacks remain a huge problem in the industry, suggesting that there remains scope for innovation, but the challenge for 1Password will be growing its enterprise business, since password management alone is thoroughly commoditised. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/15/1password_goes_for_growth_with_200_million_series_a_funding/

Denial of service kingpin hit with 13 months denial of freedom and a massive bill to pay

A US court has sentenced the operator of a massive DDoS service to 13 months in prison.

Sergiy Usatyuk, 21, from Orland Park, IL was handed the term – along with a $542,925 forfeiture order – after pleading guilty earlier this year to one count of conspiracy to cause damage to internet-connected computers. He will also have to serve three years’ supervised release, the North Carolina Eastern US District Court ruled.

Usatyuk and an unnamed conspirator from Canada owned and operated a group of “booter” sites that offered for-hire DDoS attacks. Prosecutors said [PDF] that from August 2015 through November 2017 Usatyuk and his partner ran more than a half-dozen different sites all offering “booter” or “stresser” services. Customers would pay the pair to launch sustained floods of traffic at target sites and networks, taking them down for days at a time.

“In just the first 13 months of the 27-month long conspiracy, the [booter] users ordered approximately 3,829,812 DDoS attacks,” the court was told.

“As of September 12, 2017, ExoStresser advertised on its website (exostress.in) that its booter service alone had launched 1,367,610 DDoS attacks, and caused targets to suffer 109,186.4 hours of network downtime (~4,549 days).”


Some of the targets of the attacks included video game developers and a Pennsylvania school district. In the latter, collateral damage from the DDoS resulted in the crash of not only the school district’s network, but also those of several county offices and the local Catholic Diocese.

Prosecutors say that, when all was said and done, Usatyuk and his partner managed to make north of $550,000 from the attacks.

“DDoS-for-hire services pose a malicious threat to the citizens of our district, as well as districts across the country, by impeding critical access to the internet and jeopardizing safety and security in the process,” said US Attorney Robert Higdon Jr, one of the prosecutors in the case.

“The operation and use of these services to disrupt the operations of our businesses and other institutions cannot be tolerated. Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/15/ddos_owner_13_months_prison/

Black Hat Europe Brings A Bevy of IoT Security Insights

Attend this London event next month for the latest on how security researchers are finding (and solving) security vulnerabilities in all of your favorite Internet-connected devices.

As the year winds down around us, people around the world are spending more time at home, visiting friends and family. Many of those homes are filled with vulnerable smart devices connected to the Internet of Things, and at Black Hat Europe in London next month you’ll have a prime opportunity to learn about the latest IoT security tricks and techniques.

This year the list of Internet of Things Briefings at Black Hat Europe is packed with practical content like BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication, a Briefing all about the security pitfalls of Bluetooth-based proximity authentication. You’ll hear researchers analyze implementations of Android Smart Lock and Windows Dynamic Lock and demonstrate new attacks on these implementations. Based on their analysis, expect to walk away with a better understanding of the weaknesses in these systems, as well as three new attacks that allow attackers to bypass device proximity authentication.

Experts from Panasonic will present a few Briefings, including Understanding the IoT Threat Landscape and a Home Appliance Manufacturer’s Approach to Counter Threats to IoT. As a device manufacturer, Panasonic collected information on IoT threats by connecting its own devices in the development / pre-shipment phases to its own honeypot.

Since its deployment, Panasonic has been able to find 179 million attack cases and 25 thousand malware samples, of which 4,800 were unique samples targeting IoT. You’re going to learn all about it (including insights on some interesting 0-day attacks against the SMB protocol) in this Black Hat Europe Briefing.

For information on how to deal with IoT threats at scale, check out OEM Finder: Hunting Vulnerable OEM IoT Devices at Scale. Researchers developed this new tool to help raise awareness about the threat that vulnerabilities in OEM hardware pose to customers who buy (rebranded) hardware from other companies. OEM Finder can automatically detect OEM device candidates based on the similarity in appearance between the OEM device and the original device. In this Briefing you’ll learn how the team achieved fast, automatic and precise OEM device detection by adopting an object recognition algorithm (KAZE) with k-NN. You’ll also learn how to use it effectively to safeguard your devices and those of your clients.

Get more information on these Briefings and lots of other cutting-edge content in the Briefings schedule for Black Hat Europe, which returns to ExCeL London December 2-5, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/black-hat-europe-brings-a-bevy-of-iot-security-insights/d/d-id/1336382?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

12 Tips for Dealing with a Manipulative Security Manager

Don’t let yourself be stuck in an unhealthy work environment with a toxic manager who takes advantage of your talent.

In my experience, top security performers love nothing more than to solve problems and improve the state of security where they work. These star professionals give much of themselves to any organization to which they belong. There are good managers who treat this type of exemplary employee in a healthy, constructive manner. There are also more than a few bad managers who use a variety of manipulative techniques to put problem solvers down.

Worse, while the personality type of many top performers empowers them to excel in our field, it also sets them up to be taken advantage of and exploited. Here are 12 warning signs that it’s time to distance yourself from a toxic work environment and move into a healthy one, before too much time has elapsed.

  1. No straight answers: Ask a question, get an answer, right? Not in an unhealthy situation. If you find yourself asking straightforward questions and not getting straightforward, direct answers, take notice.
  2. The story keeps changing: A famous quote attributed to Mark Twain says it all: “If you tell the truth, you don’t have to remember anything.” When the story keeps changing to suit whatever point is being made or whatever narrative is being told, be aware.
  3. Lack of focus: It’s easier to move from one shiny object to the next than to focus on strategy, vision, goals, and objectives. Further, distraction and noise are great ways to cover a lack of progress. If the security targets keep moving, it’s a sign.
  4. Lack of clarity: Do you find it hard to get any type of commitment or clarity in writing? Does written communication contain only vague statements or a promise to get back to you later? That makes it much easier to say “I never said that” or to change the story later.
  5. Blame game: A good manager will accept responsibility when things go wrong and distribute the credit when things go right. If your manager does the opposite, that’s not a good sign. In particular, if you, as a top performer, always seem to be the problem, it could mean that your manager sees you as a threat and wants to keep you from succeeding.
  6. No visibility: Even the most open of managers will have topics that they cannot share with their employees. That being said, a good manager will provide a decent amount of visibility into what they’re up to. If, instead, he or she shrouds themselves in secrecy, be wary.
  7. No tangible accomplishments: At the end of every week, month, or year, a good manager should be able to provide a tangible list of their accomplishments to both senior leadership and his or her employees. Be worried if all you get is circular talk that gives you a headache.
  8. Lack of monetary success: At the end of the day, monetary success is hard to argue against. Whether it’s a revenue target, investment capital, or a budgetary number, a good manager will work diligently to meet and exceed his or her goals in this area. If the manager talks a good game but can’t deliver, that’s an indication that something is not right.
  9. A shred of truth: One proven tactic of manipulators is to include a shred of truth in every lie. That makes what they’re saying much harder to argue with, refute, or dismiss outright. If you find this happening over and over again, it’s time to find a healthier place to work.
  10. Prying for details and offering none: Does your manager ask repeatedly for more information and more details while offering none in return? This is a common trick, and one that can take a long time for many employees to pick up on.
  11. Seeking leverage at every opportunity: If every conversation with your manager seems like a debate team contest, that’s another signal that something is awry. Those who can’t succeed on merit often try to extract leverage in every possible interaction. This also involves putting down, blaming, or insulting the other person.
  12. Taking: Some say that there are two types of people in the world: givers and takers. The best managers are givers — they want to do what’s best for their employees and the organization as a whole. A manager who’s a taker, on the other hand, will work to maximize his or her own personal gain. That’s toxic, and a sure sign to move on.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …

Article source: https://www.darkreading.com/12-tips-for-dealing-with-a-manipulative-security-manager-/a/d-id/1336337?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Soft Skills: 6 Nontechnical Traits CISOs Need to Succeed

Degrees, certifications, and experience are all important to career development, but mastering the people side of the equation may matter a whole lot more, CISOs say.

Close to two-thirds (62%) of Fortune 500 companies now have a CISO overseeing their security strategies, according to a recent report from Bitglass.

But as more chief information security officers have emerged onto the scene in the past decade, their responsibilities have grown and evolved. Once a more technically focused position, CISOs are increasingly being called on not only to implement security for defense, but also to drive business objectives forward, manage teams that collaborate, and serve as an ambassador for security around the company.

That requires more of those so-called soft skills you don’t necessarily get in college.

In fact, when we asked CISOs and other executives to cite what it takes to run a security program today, they hardly mentioned technical skills or a security background at all. Here’s what they told us.

The Ability to … Earn Respect
Jon Hill, CEO of staffing and management firm The Energists: “Some officers are leading departments with dozens of employees, so they must be able to garner respect from their employees and lead their teams to success. [For example], as a CISO, you’re often struggling to get budget from the organization. But if you don’t get the resources you need, your entire network can end up vulnerable to cyberthreats, and you’ll be the one that takes the blame. So you have to be able to communicate the importance of your department to the company, even when other departments are fighting you for resources.”

The Ability to … Work Across the Organization
David Menichello, CISO advisory practice director at IT service management company BTB Security: “Building relationships across the organization, regardless of their ties to security, will open up lines of communication, allowing you and your security team to get information faster, and will enable the CISO to influence security behaviors across an organization. Being able to break down technical concepts and draw parallels to the rest of the organization is important for any CISO’s success.”

The Ability to … Pay Extra Attention to DevOps
Christopher Gerg, CISO of data-recovery services firm Gillware: “[DevOps] have to make security part of everything they do – requirements gathering, writing code, peer code reviews, QA testing, and deployment all need to have information security considered as an integral part of what they do. This requires the CISO in this small scale to develop a strong buy-in from the team, and, as much as possible, automated solutions should be used to enable the security aspects of all of these tasks – static code analysis libraries integrated into the development tools, automated testing, built-in approvals. Trying to ‘bolt on’ security after the fact is doomed to fail.”

The Ability to … Foster Team Camaraderie
Jon Hill, CEO of staffing and management firm The Energists: “I’d say that the best CISOs have strong conflict management skills. In order for your organization to be safe and secure, every member of your team must get along. When rivalries start brewing and employees start fighting, the system becomes vulnerable. Your entire team has to trust each other and understand that they’re working toward a common goal, even if they don’t much like each other.”

The Ability to … Demonstrate Credibility
Armond Cagler, principal of business and technology consultancy Liberty Advisor Group and co-founder of its business threat intelligence unit: “A vast majority of the CISO job is to implement real organization change – this requires backing, credibility, and adroit powers of persuasion. The position ultimately requires the leadership of a champion who can independently represent security’s needs and vision. This person needs to be perceived as being credible by the decision-makers above him or her and should have a seat at the table with other executive stakeholders.”

The Ability to … Talk Business
Robb Reck, CISO of identity and access management solution provider Ping Identity: “As security and privacy demands from customers and governments increase, the role has become increasingly business-oriented. That change has resulted in CISOs moving out from a portion of IT and into a full-fledged place on the executive team. CISOs are responsible for working closely with, and directing the work of, engineers in security, IT, and development. Therefore they need to have a strong background in technology and architecture. On the other hand, a CISO is responsible for translating technical risks to the executive team and board of directors. The ability to explain complex technical issues in the language of business leadership is difficult and important.”


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/soft-skills-6-nontechnical-traits-cisos-need-to-succeed/b/d-id/1336381?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Illegal Booter Connected with DDoSes Sentenced to Prison, Fine

The Illinois-based man operated a criminal service that launched millions of DDoS attacks and brought in hundreds of thousands of dollars.

Sergiy P. Usatyuk, a 21-year-old resident of Orland Park, Ill., has been sentenced to 13 months in prison, followed by three years of supervised release, for his role in running illegal booter services responsible for millions of DDoS attacks. Usatyuk was also ordered to forfeit $542,925 and dozens of servers as part of the sentence.

According to information brought to the trial, from August 2015 through November 2017 Usatyuk and a co-conspirator developed, controlled, and operated a series of booter services and related websites. The illegal services included ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com, and Zstress.net.

Government prosecutors said that Usatyuk had made hundreds of thousands of dollars running DDoS-for-hire services. The booters and stressers are considered inexpensive ways of forcing a victim’s site off the web by overwhelming it with unrequested traffic. In many cases, servers that are not targets but merely share an ISP, hosting service, or address block with the victim are also forced off the web.

For more, read here and here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/illegal-booter-connected-with-ddoses-sentenced-to-prison-fine-/d/d-id/1336383?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple