STE WILLIAMS

JP Morgan Hacker Pleads Guilty

Andrei Tyurin, a Russian national, pleaded guilty to hacking charges related to a massive cyberattack campaign targeting US financial institutions and other companies.

Russian national Andrei Tyurin, who was extradited to the US last year by Georgian officials for allegedly hacking JP Morgan Chase in 2014 as well as several other cyberattacks on US financial and other organizations, now faces sentencing after a guilty plea in US District Court.

Tyurin, 35, was involved in a wide-ranging hacking campaign that targeted US financial organizations, brokerage firms, financial news publishers, and other companies, from 2012 to mid-2015, stealing information from more than 100 million customers. The JP Morgan attack was a record-breaking breach of more than 80 million customers of the US bank.

His co-conspirators include Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein, according to a US Department of Justice release. He pleaded guilty to one count of conspiracy to commit computer hacking, one count of wire fraud, one count of conspiracy to violate gambling laws, and one count of conspiracy to commit wire and bank fraud, among other charges. The various charges carry anywhere from five to 30 years in prison, and he will be sentenced February 13, 2020.

Read more here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “‘Playing Around’ with Code Keeps Security, DevOps Skills Sharp.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/jp-morgan-hacker-pleads-guilty/d/d-id/1335887?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Several months after the fact, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month.

Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.

The email, addressed to “Dear Valued Customer”, says that the incident happened “on or about February 19”. But fear not: “We have been diligently investigating this incident with the assistance of outside experts.”

The email claims that CafePress “recently discovered” the security hole. But in early August, the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums.

Security researcher Jim Scott told The Register at the time: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1.” The hack was originally spotted by Troy Hunt, operator of the Have I Been Pwned website.

Today’s email says that an unidentified third party accessed a CafePress database and customer data. They may also have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity”.

The company said it is working with US law enforcement and has notified UK and European regulators. It has also shifted the database and “taken various steps to further enhance the security of our systems and your information”.

CafePress claims to have informed regulators and includes links to Experian, Transunion and Equifax for customers wanting to check their credit rating.

The company has not responded to our questions, which include why passwords were not properly encrypted and why it has taken so long to warn customers.
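The “base64 SHA-1” detail quoted above describes an unsalted digest, not a password hash. The Python below is an example added here, not code from CafePress or The Register, and it puts that weak scheme beside a salted, iterated one (PBKDF2 from the standard library) so the practical difference is visible: the weak form produces the same stored string for every user who chose the same password and can be matched against a precomputed table, while the hardened form gives each user a distinct record and makes each guess deliberately slow. The function names, the record layout and the sample passwords are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import os

# Weak scheme, as described in the breach reports: an unsalted SHA-1 digest,
# base64-encoded. Every user with the same password gets the same string,
# and one precomputed table of digests matches the whole column at once.
def weak_store(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# Hardened scheme (an assumed design for this example): a random per-user salt
# and a deliberately slow, iterated key derivation. The record is
# self-describing ("algorithm$iterations$salt$digest") so the cost can be
# raised later without breaking verification of records written earlier.
def strong_store(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def strong_verify(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than guess
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(candidate, expected)


def compare_schemes(password: str, iterations: int = 100_000) -> dict:
    """Store one password twice under each scheme (two users who picked the
    same password) and report whether the stored records collide, which is
    what makes the weak form crackable in bulk."""
    weak_a, weak_b = weak_store(password), weak_store(password)
    strong_a, strong_b = strong_store(password, iterations), strong_store(password, iterations)
    return {
        "weak_records_identical": weak_a == weak_b,        # True: no salt
        "strong_records_identical": strong_a == strong_b,  # False: per-user salt
        "strong_verifies": strong_verify(password, strong_a) and strong_verify(password, strong_b),
        "wrong_password_rejected": not strong_verify(password + "x", strong_a),
    }


if __name__ == "__main__":
    # Constructed sample password; not taken from any breach data.
    print(compare_schemes("correct horse battery staple"))
```

The iteration count is a tunable cost, not a constant: raise it as hardware gets faster, and because the count is stored with each record, old records keep verifying until the user next logs in and the record can be rewritten at the new cost.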

One Reg reader sent us the following:

Pretty damn crappy, isn’t it! I’m just so pissed off that yet another company is keeping (and I guess they may just have worded their email badly) passwords in plain text. Surely, by now, anyone building any sort of site should know better. I’ve been building sites for far more years than I care to think about, and have never needed to do that – just an inherently stupid idea.

An ICO spokesperson said: “CafePress has made us aware of an incident and we are making enquiries.”

We will update this story if we get any response from CafePress. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/23/cafepress_admits_breach_to_customers/

‘Playing Around’ with Code Keeps Security, DevOps Skills Sharp

A project intended to move a small robot around a hazardous board teaches some solid security lessons.

Put six adults together for 41 hours with a pile of parts and a vague goal and what do you get? In my case, amplified lessons in secure software development — and a game where you take a robot to do battle.

So last weekend I participated in a make-a-thon. Described as “like a walk-a-thon with less walking and more making,” it was a fund-raiser and a way for me to scratch my ongoing geek itch. Since mechanical engineering isn’t my forte, I was assigned to be half the programming team. And, as is true for so many real-world dev projects, we began on Friday night with only a vague sense of what the hardware would ultimately look like.

So the first thing I did was sit down, write careful specifications, and start hand-crafting the finest in artisanal code, right? Of course not: I headed for the Internet and started grabbing routines described as doing what I wanted to do. And just like that, I was neck-deep in the reality of most agile and dev-ops software shops.

Now, I was lucky in several respects: I was doing classic OT stuff in a variant of C — I could look at the code and tell what was going on. But the thing that struck me in retrospect was just how easily I was grabbing routines and throwing them into my application, and just how little regard I was giving the variables and code that didn’t have an immediate impact on my job.

So that’s the first amplified lesson: do a security scan on downloaded code before you slap it into your application. GitHub’s Semmle acquisition should make this easier for a lot of open source projects, but it’s got to be considered a critical step regardless of where the code comes from.

The next amplified lesson comes straight out of the instructions for blue jeans: Shrink to fit. At times during the development process we had great herds of unused variables and function names roaming across the rolling plains of our code. The combination of code from repositories and debugging routines left detritus that we ultimately had to clean up late in the process because things were getting confusing.

Unused variables and routines left in code are catnip for attackers. In the heat of a sprint (or a 41-hour deadline), it’s too easy to leave things in place rather than cleaning up as you go. But even in cases where you go back at project end and clean up the code, be careful — it’s all too easy to miss lines tucked up under comments or buried in the middle of complex routines.

As the hardware specs matured, we were able to do more testing and pruning, but we were also passing code back and forth more and more frequently. And that brings up the third amplified lesson: be sure your team communication mechanisms are secure.

In our case, security wasn’t a great concern — in the worst case of intrusion, a toy robot would get whacked by a wooden hammer. But where we ended up tossing code back and forth on our team’s Slack channel, code that truly matters to, oh, anyone, should be shared in a secure private repository. Since there were only two of us, we also didn’t have a lot of trouble figuring out who had last touched a given piece of code. With a larger team a more rigorous change process is critical for both security and reliability.

The last amplified lesson I learned is the one that will, I think, have the longest impact: It’s important to get out there and do stuff. It had been a while since I buckled down to a software project with a deadline and expectations that came from someone other than me. It was fun, it was exhausting, and it was educational in all the best ways. It’s easy to fall into a pattern of tossing out opinions gathered from other sources, but it’s important to get some hands-on time to check your assumptions and find out just why those opinions are right (or wrong).

Oh, and the make-a-thon? My team won, largely because the teammates who took on those mechanical engineering roles were really good. As for the code — well, we’ve still got two months before the next time the project shows up in public and there’s some display driver code that needs serious attention…


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/playing-around-with-code-keeps-security-devops-skills-sharp-/b/d-id/1335867?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

YouTube Creators Hit in Account Hijacking Campaign

The victims, who post car reviews and other videos about the auto industry, were targeted in a seemingly coordinated campaign to steal account access.

A “massive” series of account takeover attacks has for the past few days targeted YouTube creators, many of whom are influential members of the automotive and car review community.

The high-profile channels targeted include Built, Troy Sowers, MaxtChekVids, PURE Function, and Musafir. Creators in other industries were also targeted in the coordinated campaign, which manipulated account holders into visiting phishing sites to steal their login credentials.

According to a report from ZDNet, which investigated the attack, this is likely how the takeovers unfolded: Phishing emails lured targets onto fake Google login pages, which collected credentials attackers used to access Google accounts. The attackers then assigned popular YouTube channels to new owners and changed the channels’ vanity URLs so the accounts appeared to be deleted.

Some victims were looped into group email chains including other creators in the same community; others received individual phishing messages. It seems the attackers were able to successfully bypass multifactor authentication in order to break into the accounts of some YouTube creators.

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/youtube-creators-hit-in-account-hijacking-campaign/d/d-id/1335879?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Can I Ensure Cyber Insurers Will Pay My Claim?

To get the best out of your policy, do more than just sign on the dotted line.

Question: I bought cyber insurance, but I still worry. If I experience a breach or other security incident, how will the cyber insurance company be likely to weasel out of paying my claim? 

Jeff Wichman, Practice Director, Enterprise Incident Management, Optiv — In most cases, your cyber insurance company isn’t going to weasel out of paying a claim. My advice is to be prepared! 

Your provider is going to have a specific process/requirement for engaging with them and outside resources for an incident. Follow that process, and take these steps to be better prepared: 

  • Validate with your provider that your preferred partner is approved as either an on-panel or off-panel firm you can work with.
  • Update your incident response plan to include when and how to engage with your claim process. Now is the time to start building that into your documents.
  • Test, test, test your incident response processes using an applicable scenario-based exercise with your trusted third party. This can help you identify gaps in your efforts.

Do you have questions you’d like answered? Send them to [email protected].


The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/how-can-i-ensure-cyber-insurers-will-pay-my-claim/b/d-id/1335878?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Issues Out-of-Band Patch for Internet Explorer

The security update fixes a vulnerability that could allow an attacker to remotely execute code at the same privilege as the legitimate user.

Microsoft today released an off-cycle patch for a zero-day memory corruption vulnerability in Internet Explorer. 

CVE-2019-1367 is a flaw that can corrupt memory in such a way that an attacker could execute arbitrary code in Internet Explorer, and do so in the context (at the permission level) of the current user.

In the worst case, an attacker could install programs, view, change, and delete data, and create new user accounts with full user privileges, while the legitimate user is logged in as an admin.

According to Microsoft, the patch remediates the vulnerability by changing the way in which the scripting engine handles objects in memory.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “The 20 Worst Metrics in Cybersecurity.”


Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-issues-out-of-band-patch-for-internet-explorer-/d/d-id/1335881?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rethinking Risk Management

Where most organizations fall short in risk management tools, technologies, and talent, and how they can improve.

It’s time for organizations to reevaluate their approach to risk management and consider new, more effective techniques and strategies, Jack Jones, chairman of the FAIR Institute and executive vice president of R&D at RiskLens, told attendees this week at the FAIR Conference.

Modern businesses are increasingly aware of risk management’s importance; however, many fail to implement the right approach for their specific needs, Jones explained in an interview with Dark Reading ahead of this year’s show, taking place this week in Washington, DC.

“Over the last several years, the conversation around risk quantification and risk analysis has evolved from ‘can it be done’ to ‘should we do it,’ and now, ‘how do we do it,’” he said. The “how” is a problem for many risk professionals who try to implement change and are challenged by organizational and industry inertia that pushes back against them, Jones said.

Some of the pushback they normally hear: “We already do risk management,” “What we’ve been doing works; why change?” and “What you’re proposing is not yet ‘best practice.’”

Jones’ focus today is on the value proposition of risk management programs. “Part of what we expect to provide to this conference is helping people have those conversations and helping them describe the value proposition for change,” he said. There are multiple paths to risk quantification and risk management; Jones wants people to understand which is best for them.

One of the major holes in modern programs is that they aren’t actually managing risk. “What they’re doing is controls management,” said Jones, explaining how this approach is more checklist-based than compliance-based. “That’s superficial from a risk perspective because they’re not applying any rigor to measuring how those controlled instances matter,” he added.

Compounding the problem are tools and technologies the industry relies on. He pointed to the Common Vulnerability Scoring System (CVSS) as an example. “It’s great at characterizing certain aspects of technical deficiencies, but it’s not a risk measurement,” Jones explained.

If an organization has two systems with the same deficiency – for example, a SQL injection flaw – CVSS would call that critical. But if one of those systems is Internet-facing, doesn’t hold sensitive data, and doesn’t provide a path to other systems, it may not be as critical as it seems.

When something like CVSS labels “a tremendous number of things” critical when they may not be, it can generate a lot of noise for a business. “It’s a losing battle,” said Jones. “You have to have better metrics than that to be cost-effective in risk management.”

Tips for Better Risk Management

There are four components to determine how well an organization can manage the risk landscape: models, the data applied to those models, skills of people doing the work, and the tools they use. Oftentimes, risk analysis is performed by anyone in the business who happens to be assigned to the work, Jones noted, and many companies lack risk measurement tools.

The first step should be training people assigned to risk analysis. “Training accomplishes two things: it normalizes mental models around what risk is and how to measure it, and it also teaches them how to make estimates and use data effectively,” he said. Regardless of whether the organization is a Fortune 100 company or smaller, and regardless of the path they want to take or how far they plan to take risk analysis, “having that sort of clarity is huge,” Jones added.

How to know if a risk management program is actually working? “I would argue noise reduction,” he said. As an example, he describes the “risk register,” or one of the biggest sources of noise in most risk management programs. This might be a spreadsheet or governance, risk, and compliance (GRC) tool where a business lists top worries and concerns.

The risk register should not be a “dumping ground” for things you’re worried about, Jones said. It should contain risk factors, and if you’re going to measure and manage something you must be sure what you’re measuring and managing against. “What we’re actually trying to manage is the frequency and magnitude of loss events,” said Jones. If you stuff things into a risk register that aren’t risks but are measured as risk, it messes with the ability to effectively prioritize.

One of the first things organizations are encouraged to do is reconcile the risk register. Businesses often list hundreds of “risks” that aren’t risks, said Jones. Reconciling the risk register can help them cut down on noise and prioritize risks that matter most to the company.
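The two passages above, the CVSS comparison of two systems with the same SQL injection flaw and Jones’ point that what is being managed is “the frequency and magnitude of loss events,” are easier to see in numbers. The Python below is an example added here, not material from Jones, the FAIR Institute or RiskLens: it gives two constructed systems the same CVSS base score and estimates each one’s annualized loss expectancy as loss-event frequency (threat events per year times the probability one succeeds) multiplied by loss magnitude, drawing each input from a minimum / most likely / maximum range. The scenario names and every number in them are invented for illustration; the point is only that a scanner score ranks the two identically while a loss-based estimate does not.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

# A three-point estimate: (minimum, most likely, maximum).
Range = Tuple[float, float, float]


@dataclass
class Scenario:
    name: str
    cvss_base: float          # what the vulnerability scanner reports
    threat_event_freq: Range  # attempts per year that reach the flaw
    vulnerability: Range      # probability that an attempt becomes a loss event
    loss_magnitude: Range     # loss per event, in dollars


def _draw(rng: random.Random, r: Range) -> float:
    lo, mode, hi = r
    # Standard-library argument order is (low, high, mode), not (low, mode, high).
    return rng.triangular(lo, hi, mode)


def simulate_ale(s: Scenario, trials: int = 20_000, seed: int = 7) -> float:
    """Monte Carlo estimate of annualized loss expectancy (ALE):
    loss-event frequency (threat events x vulnerability) times loss magnitude."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        loss_event_freq = _draw(rng, s.threat_event_freq) * _draw(rng, s.vulnerability)
        total += loss_event_freq * _draw(rng, s.loss_magnitude)
    return total / trials


def analytic_ale(s: Scenario) -> float:
    """Closed form for independent triangular inputs: the product of their means."""
    def mean(r: Range) -> float:
        return sum(r) / 3.0
    return mean(s.threat_event_freq) * mean(s.vulnerability) * mean(s.loss_magnitude)


def rank_by_cvss(scenarios: List[Scenario]) -> List[str]:
    return [s.name for s in sorted(scenarios, key=lambda s: -s.cvss_base)]


def rank_by_ale(scenarios: List[Scenario]) -> List[str]:
    return [s.name for s in sorted(scenarios, key=lambda s: -simulate_ale(s))]


# Constructed scenarios: the same SQL injection flaw, hence the same CVSS base
# score, on two systems with very different exposure and consequences.
PUBLIC_SITE = Scenario(
    name="public marketing site",        # Internet-facing, no sensitive data, no path onward
    cvss_base=9.8,
    threat_event_freq=(20, 50, 120),     # many opportunistic attempts per year
    vulnerability=(0.3, 0.5, 0.7),
    loss_magnitude=(500, 2_000, 8_000),  # defacement cleanup, little else to lose
)
HR_DATABASE = Scenario(
    name="internal HR database",         # fewer attempts, but sensitive data and lateral paths
    cvss_base=9.8,
    threat_event_freq=(1, 3, 10),
    vulnerability=(0.5, 0.7, 0.9),
    loss_magnitude=(200_000, 1_000_000, 5_000_000),  # notification, regulatory, downstream compromise
)


if __name__ == "__main__":
    for s in (PUBLIC_SITE, HR_DATABASE):
        print(f"{s.name}: CVSS {s.cvss_base}, ALE about ${simulate_ale(s):,.0f}")
    print("ranked by CVSS:", rank_by_cvss([PUBLIC_SITE, HR_DATABASE]))
    print("ranked by ALE: ", rank_by_ale([PUBLIC_SITE, HR_DATABASE]))
```

The ranges are the part that needs care in practice: they come from calibrated estimates and whatever incident, telemetry and cost data the organization has, which is the training Jones describes. The arithmetic is the easy part; the register entries that go into it must be loss events, not controls or worries, or the ranking is no better than the CVSS list it replaces.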


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/rethinking-risk-management/d/d-id/1335883?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WannaCry – and why it never went away

The infamous ransomware worm WannaCry is already more than two-and-a-half years old.

WannaCry spreads using a security hole that was patched two months before the worm first appeared, so you’d be forgiven for assuming that it would have fizzled out by now and become little more than a museum curiosity.

But a paper published recently by Sophos experts tells a very different story, with more than 5,000,000 infection attempts logged in a three-month period last year – and that’s just the ones that were detected and blocked by a Sophos product and reported by Sophos telemetry.

Given that WannaCry doesn’t even bother trying to infect a computer if it can see in advance that it’s patched, each one of those infection attempts was aimed at a still-unpatched device.

In other words, the world is awash with computers that haven’t been patched for well over two years.

We went live to look at the lessons we should have learned, but haven’t:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lIObnk1QnAM/

Two charged with tech-support scamming the elderly for $10m

Two US people have been charged with the alleged tech-support scumbaggery of spooking old people by shoving scary “Your computer has a virus, call us!!!!” pop-ups in their faces and then fleecing them for services they didn’t need and never got.

The band of crooks did this to about 7,500 victims, most of them elderly, shaking them down for more than $10 million.

The US Attorney’s Office for the Southern District of New York announced the arrests last week, on Wednesday, 18 September.

On that day, police arrested Romana Leyva, 35, of Las Vegas, and Ariful Haque, 33, of Bellerose, New York. They’re both being charged with one count of wire fraud and one count of conspiracy to commit wire fraud. Each charge carries a maximum sentence of 20 years in prison, though maximum sentences are rarely handed out.

Targeting the elderly in US and Canada

According to the indictment, from March 2015 through December 2018, the two were allegedly members of a fraud gang based in the US and India that targeted the elderly across the US and Canada. The goal: to snooker seniors into believing that their computers were riddled with malware so that they’d pony up hundreds or thousands of dollars for bogus computer repair services.

They’d cause pop-up windows to appear on victims’ computers that lied about their systems being infected with a virus. Better call this number, the pop-ups urged, to get some tech support to help you out. Sometimes, those pop-ups scared victims with dire prognostications: don’t restart or shut down your computer, they’d warn, lest it “cause serious damage to the system,” including “complete data loss”!

Sometimes, the crooks gussied up those pop-ups with official corporate logos – which, of course, they ripped off and which they had no lawful right to plaster on top of their bucket of lies – from what the indictment referred to as a “well-known, legitimate technology company.”

Posing as big tech companies

The Department of Justice (DOJ) didn’t name names, but we know full well how much work Microsoft, for one, has put into battling these logo-absconding name ripper-offers.

In October 2018, for example, after Microsoft filed complaints about customers falling for these lie-o-matic pop-ups, Indian police raided 10 illegal call centers and arrested 24 alleged scammers.

It’s not just Microsoft, of course. Shortly after Microsoft filed those complaints, in late November 2018, more than 100 Indian police swarmed 16 tech support scam call centers in Gurgaon and Noida, arresting 39 people for allegedly impersonating legitimate support reps for companies including Microsoft, Apple, Google, Dell and HP.

Of course, those weren’t really viruses on their victims’ computers, and the phone numbers they got people to call to “fix” their non-existent problems weren’t really associated with the bona fide companies with which they claimed affiliation.

In exchange for victims’ payments of several hundreds or thousands of dollars (depending on the precise “service” victims purchased), the purported technician remotely accessed the victim’s computer and ran an anti-virus tool that can be found for free on the internet. The e-swindlers also re-targeted some victims multiple times.

Leyva’s alleged part in the scam:

  1. creating bogus corporate entities that were used to receive victims’ payments
  2. recruiting others (including by lying) to register bogus corporate entities that became part of and facilitated the fraudsters’ activities, and
  3. helping others to set up bogus corporate entities and bank accounts, including coaching them on how to lie to bank employees when necessary.

Haque’s alleged part in the scam was to register a bogus corporate entity that was used to receive victims’ payments. Haque also allegedly trained a co-conspirator who registered a different bogus business that was part of the fraud ring, and who deposited ill-gotten loot into accounts associated with that entity.

Peter C. Fitzhugh, special agent in charge with the US Immigration and Customs Enforcement’s (ICE’s) Homeland Security Investigations (HSI), said that the law is out to protect the elderly from this type of predator:

It is our duty as citizens to protect our growing elderly population and it is our duty as law enforcement to investigate and arrest those, like Leyva and Haque, who seek to make a profit through fraud and deception.

What to do

Many elders are sitting ducks for these fraud slingers. Two years ago, when the Federal Trade Commission (FTC) launched a crackdown on tech support scammers, it released a 48-minute scam call featuring an actor portraying one of these scammers’ preferred prey: a tentative, gullible, easily sweet-talked, elderly man.

As part of its Operation Tech Trap – a broad crackdown on tech support scams both in the US and elsewhere – it passed along these tips on what to do if you get an unexpected tech-support call or pop-up:

  • Hang up on callers. They’re not real tech-support staffers. And don’t rely on caller ID to prove who a caller is. Criminals can spoof calls to make it seem like they’re calling from a legitimate company or a local number.
  • If you get a pop-up message that tells you to call tech support, ignore it. While there are legitimate pop-ups from your security software to do things like update your operating system, you shouldn’t call a number that pops up on your screen in a warning about a computer problem.
  • If you’re concerned about your computer, call your security software company directly – but don’t use the phone number in the pop-up or on caller ID. Instead, look for the company’s contact information online, or on a software package or your receipt.
  • Never share passwords or give control of your computer to anyone who contacts you. Doing so leaves your computer open to malware downloads and backdoors.
  • Get rid of malware. Update or download legitimate security software and scan your computer. Delete anything the software says is a problem.
  • Change any passwords that you shared with someone. Change the passwords on every account that uses passwords you shared.
  • If you paid for bogus services with a credit card, call your credit card company and ask to reverse the charges. Check your statements for any charges you didn’t make, and ask to reverse those, too. In the US, report it to ftc.gov/complaint.

Tips like these are great for those of us who can absorb them. But the elderly, all too often, don’t have that capacity.

Please do keep an eye out for any friends, neighbors and loved ones who might fall into that category. Keep an ear out for those who get flustered with technology and bewildered by pop-ups. Let’s do what we can to protect others from these swindlers and their tech-speak razzamatazz, lest they squeeze elders for every dime they have.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0TbNYtAQBLk/

Could EarEcho change the way we authenticate our phones?

We’re used to identifying ourselves to our phones using our fingers, our faces, and even our irises, but now, researchers are targeting a new piece of our body that they say could be the perfect identifier: The inside of our ears.

Researchers at University at Buffalo, State University of New York and Syracuse University have discovered a way to use wireless earbuds as a biometric authentication system. Called EarEcho, it uses a small microphone inserted in a regular pair of wireless earbuds. When the earbuds play audio, it records the sound that bounces back from the ear canal, creating a unique profile of the user’s inner ear.

EarEcho feeds the audio that the microphone picks up into a support vector machine (SVM), which is a machine learning model that learns how to identify the user’s unique ear pattern.

The result is an accurate verification method, according to their paper. The researchers tested the system on 20 subjects, listening to five different pieces of prerecorded conversation in different environments such as a shopping mall, a cafe, and the street. It reached around 97.5% accuracy when identifying people based on just three seconds of audio, they reported.

More secure than other biometrics?

Fingerprints may be among the most popular biometric authentication methods, say the researchers, but they argue it is also subject to spoofing attacks. They also criticise facial recognition, and specifically Apple’s FaceID, for the same reason (researchers claim to have spoofed Apple’s technology before and we know there are use cases that it has difficulty coping with). Earbud-based authentication is a better idea, they added:

With the popularization of wireless earphones, more and more users are getting used to wearing earphones while working, studying or strolling…

Compared with face IDs, fingerprints and voiceprints, the EarEcho presents a more unobtrusive authentication approach with great usability potentials.

One advantage of this approach, they say, is that it is relatively immune to side-channel and replay attacks, in which an attacker can eavesdrop on someone’s biometric information through audio recordings or high-definition photographs and then reproduce it. After all, you might be able to pick up a copy of someone’s fingerprint somewhere, but you’ll have a hard time surreptitiously probing their inner ear canal.

The weaknesses of this technology seem to be more commercial than technical. Phones already feature some form of face and fingerprint recognition built into the device itself, and it seems dangerous to move that authentication entirely onto another device (what if someone forgets their earphones?). Earphones are also easy to lose, especially wireless ones, and losing your main form of authentication would be troublesome.

Finally, if you’re playing any kind of audio through the headphones on your device, then you’ve probably already authenticated to get permission to do so. This means the headphones would have to play their own audio for verification purposes before logging you into your phone, or that they’d become purely a passive authentication mechanism that checked to make sure you were still you periodically after you’d logged on.

That latter use case might have some traction, though. The researchers suggest using EarEcho as an authentication mechanism for mobile payments, or for verifying your identity during sensitive conversations. The true test here is, how many people do you know who walk around with earbuds in all day, and do you consider it acceptable behaviour?

Are we likely to see this inside Apple’s next generation of AirPods? It looks like the company might be concentrating on embedding temperature, perspiration, movement, and heart rate sensors into its iconic white buds for the time being. 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uLNsYYCeWYs/