STE WILLIAMS

SecOps Success Through Employee Retention

To keep your turnover low, focus on these areas: compensation, advancement opportunities, training, and environment.

People, processes, and technology: the three most important components of security operations. Processes can be designed and documented, technology can be purchased and implemented, but people are most often the X factor in the equation. If you’ve worked in security operations, you know that people can make or break a team. An experienced analyst with a continuous drive to learn and an analytical mind capable of investigating complex threats can be worth his or her weight in gold. Compound that with the institutional knowledge gained over years of working within an organization’s infrastructure, and employee retention becomes one of the most critical components of any successful security operations team.

When we talk about the shortage of skilled analysts, the problem isn’t a lack of bodies to fill empty chairs; it’s the shortage of highly sought-after employees that is most crucial to address. Let’s look at some of the most important aspects of employee retention in a security operations environment and the most effective ways to address them.

Compensation
While compensation may not be the only factor employees consider in their career satisfaction, don’t take it for granted. Retaining the best employees requires competitive compensation across the board. Let’s start with monetary compensation. Salary is the most obvious form of monetary compensation and should be on par with comparable positions in the industry. However, employees are increasingly focused on other areas of monetary compensation when evaluating their satisfaction. Bonuses, retirement, paid time off, employee perks, and other benefits are highly effective ways to boost satisfaction when a salary increase may not be an option. These methods of compensation can be doubly effective when used as part of a well-planned incentive or reward program.

Advancement
Employees who are driven to succeed and advance are a tremendous asset to an organization, and this attitude should be rewarded with opportunities. Traditionally, advancement was seen as the opportunity to move to a management position. Not everyone aspires to be a manager or should be a manager, but this shouldn’t inhibit an employee’s opportunity for advancement. This is especially true in highly technical fields such as security operations, where some employees may wish to simply advance their technical skills, and skill in managing technical problems doesn’t always translate to skill in managing people.

Career paths should be defined for those who aspire to advance to management, as well as those who aspire to advance along a purely technical path. These paths should be clearly defined with unambiguous expectations, giving employees a visible route from where they are now to where they want to be.

Training
Training is undoubtedly critical for the organization itself. Technology and the threats we face are constantly evolving, and continuous training is key to remaining ahead of the curve. Aside from the obvious benefits to the organization itself, training can play a critical role in employee retention. Analysts who possess a continuous drive to learn are exactly the kind of employees an organization should strive to retain, and it’s critical to feed that drive to learn as often as possible.

Conferences, classes, and events are great ways to continuously educate your security staff. However, these options often come with a high cost and may be an extravagance that an organization can’t afford at scale. In these cases, it can be highly effective to use such events as a method of compensation or reward for senior or high-performing employees.

Whether conferences, classes, and events are annual occurrences or out of reach for your organization, providing other methods of education throughout the year is imperative. Chances are, most employees have a unique set of skills and knowledge that other employees can benefit from. Internal training conducted by the organization’s own employees can be a productive way to fill the training gaps and transfer knowledge between team members.

Internal training between groups within the organization is also a proactive way to provide employees with an understanding and appreciation for the roles of other teams and build relationships. Technical exercises and scenarios are a cost-effective way to reinforce technical skills and encourage healthy competition. Subscriptions for online training or education platforms that can be used on-demand are also a good way to feed the minds of analysts.

Environment
We can’t all be Google, but there are many environmental factors that can positively affect employee retention short of juice bars and pool tables. Circling back to the beginning of this post for a moment, proper processes and technology can have a tremendously positive impact on the environment. Clear, well-documented processes provide employees with straightforward expectations and stability. Technology, when implemented properly, can significantly reduce the workload and stress level on employees who often work in high-pressure, overloaded environments.

Fostering a collaborative, respectful team environment between all staff members, including management, can have an enormous impact on the efficiency of daily operations, as well as employee retention. This is especially true in security operations, where employees must often work closely with those inside and outside of their respective teams and trust that all team members are performing their tasks effectively.

The physical environment should also be optimized wherever possible, including adequate space, good lighting, collaborative spaces, and proper work areas. In an office environment, this can be easier to achieve. With the increasingly remote workforce in many security operations teams, controlling the physical environment can be much more challenging. Although the physical space may be outside the direct control of management for remote employees, organizations can still ensure that remote employees are properly educated on optimizing their home office and provided with access to the best technology and accessories to make them successful remote employees.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

John Moran is a product management, security operations, and incident response expert and currently holds the position of Senior Product Manager at DFLabs, where he is responsible for shaping the product road map, strategic planning, technology partnerships, and customer …

Article source: https://www.darkreading.com/careers-and-people/secops-success-through-employee-retention/a/d-id/1335321?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fed-up graphic design outfit dangles cash to anyone who can free infosec of hoodie pics

Uninspired by the stock imagery used by the media to depict cybersecurity, a graphic design group is offering cash prizes to anyone who comes up with something more original than dodgy hoodie-wearing laptop users with waterfalls of cascading 1s and 0s behind them.

Challenging the very foundations upon which El Reg‘s image library has been painstakingly honed by the finest and most sober minds* ever seen in the field of technology journalism, Open Ideo wants to pump cash at anyone who can shift the age-old stereotype of the hoodie hacker.

In a contest titled “How might we reimagine a more compelling and relatable visual language for cybersecurity?”, the foundation urges “creators from diverse backgrounds” to apply their skill set to “this important work”.


“Visuals in the cybersecurity space reflect surface level understanding influenced by sensationalist media”

Bemoaning the state of stock imagery everywhere, Open Ideo said: “We see pictures of locks, white men in hoodies, or green 1s and 0s that do little to convey the reality of this complicated, critically important topic.”

We here at The Register can’t see what the fuss is about. Who hasn’t been to Black Hat and seen cascading waterfalls of 1s and 0s everywhere?


Awful, isn’t it?

To stimulate the minds of graphics people, Open Ideo has published a brief about the target audiences for their challenge. They include a description of a “high-profile journalist”:

Kristin is a high-profile business journalist for a major national publication in the United States with a large national following. With the ever-heightening risk of privacy within her work to protect her sources, and knowing several colleagues who have been the victim of hacks, she has begun to write articles about the importance of data privacy for the business sector. She is frustrated by the complete lack of quality visuals to translate technical aspects of the stories she’s writing to her audience. Kristin hoped that by connecting with journalists who specialize in cybersecurity she would find visuals to meet her needs; however, she’s found this frustration is shared with journalists addressing a breadth of topics in the cybersecurity space.

We don’t know why low-profile journalists (cough cough) don’t get a look-in. Perhaps Open Ideo are resigned to the idea that the great unwashed outside America will continue gratuitously publishing imagery of hoodie hackers because nobody’s giving us anything better to work with – at least, not without charging megabucks in the process.

A similar pen picture for a low-profile journalist needing non-hoodie imagery might say the following:

Ringo is a low-profile tech journalist for a publication read mainly by hoodie-wearing techies and other journalists who secretly hope he’s got a story they can copy and paste and pretend is their own work. With the everheightening risk of expenses claims for long liquid lunches with “sources” being rejected, beer becoming more expensive by the day and editors asking where the day’s stories are, Ringo has begun writing ever more stories about hacked servers, unpatched software, Mavis from accounts clicking screamingly obvious phishing email links and all the other bad shit happening online every day. Ringo is frustrated that half the pics in his image library are too low-rez for the story because they date back to 2003 and the other half have all been used at least a dozen times each in the last fortnight and even the most myopic of readers has begun to notice this. If you gave just £2 a month…

“Up to 25 shortlisted contributors will receive mentorship from a cybersecurity expert and $500 each,” we are told by Open Ideo, while five more lucky non-hoodie-artists will have $7,000 bestowed upon each of them.

If you are a Russian or from Eastern Europe, however, bad news: you’re not eligible for the prize. Only folk from Argentina, Australia, Brazil, Canada, China, Colombia, France, Germany, India, Japan, Mexico, Netherlands, Peru, South Africa, Spain, United Kingdom, and the good ol’ US of A can claim their spondulicks.

Alright, the serious bit

Mickey-taking aside, the lack of useful imagery about what “cybersecurity” involves is a genuine problem for the industry as a whole.

Joe Public doesn’t know or care about the differences between a white hat and a black hat (grey hats are right out) and telly news stations, bound to compress the world’s complexities into 2m 30s of footage that even your granny could understand, grab the first easy image they can think of and run with that.


Seriously. Everyone outside it thinks infosec is some bastard offspring of The Matrix and that dodgy underpass near your house where the bad kids hang out

By shifting that image of what a cybersecurity professional looks like, the wider industry stands to gain a lot and lose very little. Who doesn’t want to be taken seriously by the wider world, all those know-nothing civilians whose very digital-dependent way of life depends on the uptime underwritten by “those weirdos in hoodies down in the basement”?

As the allegedly porcine-fancying former UK Prime Minister David Cameron didn’t quite say, it’s time to stop hugging hoodies.

Get cracking. Your industry really does need you. ®

*Part of this statement may or may not be untrue


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/infosec_stock_image_non_hoodie_challenge/

If you could forget the $125 from Equifax and just take the free credit monitoring, that would be great – FTC

America’s trade watchdog has officially told millions in the US not to apply for the $125 it promised each of them as part of the deal it struck with Equifax – and instead take up an offer of free credit monitoring.

In a memo on Wednesday, FTC assistant director Robert Schoshinski said the regulator has been overwhelmed by people filing claims against Equifax after the biz was cyber-looted by hackers in 2017.

He then warned that, because the settlement with the mega-hacked outfit had been capped, it is very unlikely people will end up receiving that promised $125 each. In fact, the deal may be worth no more than 21 cents. We note that the FTC website through which folks can file claims, ftc.gov/equifax, no longer mentions a $125 option, whereas the settlement website it redirects to still offers the cash lump sum.

“There is a downside to this unexpected number of claims,” noted Schoshinski.

“The pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”

This is what the FTC’s announcement of its deal with Equifax, made on 22 July, stated:

If you were affected by the breach, you may be eligible for benefits.

  1. Free Credit Monitoring or $125 Cash Payment…

It seems the FTC massively underestimated the number of people that already have credit monitoring, possibly thanks to the seemingly endless number of previous cyber-heists that also come with free credit monitoring.


Plus, it’s worth pointing out that the very company at the heart of the claims – Equifax – is the same one offering the credit monitoring service that it claims is a “much better deal” than getting $125 in hard cash. Say what you like about American consumers, they aren’t stupid.


It turns out that the wonderful deal that the FTC struck, which it advertised as worth “$575,000,000+,” is in fact worth $31m, the cap it put on the cash-reward part of the settlement. And the $125 that the FTC put on its own announcement? When you account for the 147 million people affected, it ends up being worth just 21 cents.

“If you haven’t submitted your claim yet, think about opting for the free credit monitoring instead,” prods Schoshinski before shilling for the very company that it is supposed to be punishing. “Frankly, the free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year. And this monitoring service is probably stronger and more helpful than any you may have already.”

How did the FTC say with a straight face just this month that it had struck a $575m settlement with Equifax?

Well, aside from the $31m in actual real money, and accounting for the full market cost of credit monitoring, the deal also includes, according to the FTC, a reimbursement element of up to $20,000 for…

Pull up your breaches

Schoshinski wants you to know that while you aren’t going to get any money from its cash component “there is still money available under the settlement to reimburse people for what they paid out of their pocket to recover from the breach.”

The sad truth is that the FTC pulls this kind of nonsense all the time: putting out massively inflated settlement figures to make it look like it is doing a great job when in fact it is massively constrained in resources and by the law to actually do anything that would cause business to think twice. There is a reason we at The Reg refer to it as “the toothless watchdog.”

Just look at the FTC’s largest ever fine, which it announced just this month: a massive $5bn fine for how Facebook completely ignored a previous FTC judgement against it. What happened after the enormous fine was announced? Facebook’s share price actually went up.

And then there’s the agency’s pathetic effort to scale back the problem of robocalls. Not a month goes by without the FTC levying some huge fine against a robocaller, but the truth is that the announcement is the only thing the FTC puts any effort into.


Since 2004, the FTC has fined robocalling companies a total of $1.5bn. And it recovered just $121m, or 8 per cent of those fines. Earlier this year we decided to dig into one recent case where the FTC had got a $2.5m judgment against Daniel Carver of Perfect Image Online.

At the exact same time as it was announcing this multi-million-dollar fine to the public, the FTC was in court and told Daniel Carver that if he sold his car and gave it the proceeds, it would forget all about the fine. No monthly installments, no minimum payoff, no five-year payment plan, just a car sale and off you go.

And in case you’re wondering, no it wasn’t an Aston Martin Vulcan, it was a garden-variety Lexus.

And so for all of you that heard about the $125 you could get from Equifax for splashing your personal details all over the internet, guess what? You’ve been screwed again. This time by the very US government agency that is supposed to be overseeing all this. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/31/ftc_equifax_settlement/

Flaws in SanDisk SSD Dashboard Present Malware & Data Loss Risks

Organizations using the utility should immediately install the latest version of the software, security vendor Trustwave says.

A utility program for managing SanDisk solid-state drives (SSDs) has two security vulnerabilities in it that heighten data loss risks for organizations using the application.

One of the vulnerabilities in SanDisk’s SSD Dashboard gives attackers a way to install malware disguised as legitimate updates on systems running the software.

The flaw (CVE-2019-13467) has to do with the fact that the SSD Dashboard uses HTTP, rather than HTTPS, for updates and other resource downloads, Trustwave said in a blog post Wednesday. This makes it trivial for attackers to target users running the application, the security vendor said.

A typical attack would be a man-in-the-middle approach in which a rogue server could pretend to be an official SanDisk server offering a new update when what it’s actually doing is serving up malware such as ransomware or a banking Trojan. “This could be done by gaining a foothold in the network, hijacking DNS lookups, or trolling public networks like cafes and airports,” says Karl Sigler, manager of threat intelligence at Trustwave. 
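To make the plaintext-update problem concrete, here is an added illustration (not SanDisk’s, Western Digital’s or Trustwave’s code) of a weak update client beside a hardened one. The vendor host, package bytes and digest manifest are constructed, and the network fetch is injected as a function so it runs offline; the pinned-digest check goes one step beyond the HTTPS-only fix the vendor shipped.

```python
"""Weak versus hardened update channel, modelled on the SSD Dashboard flaw.

Added illustration with constructed values: the vendor host, the package bytes
and the manifest are invented, and the network fetch is injected as a function
so the example runs offline.
"""
import hashlib
from pathlib import PurePosixPath
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised by the hardened client when an update fails a policy check."""


# Constructed values standing in for the vendor's update infrastructure.
TRUSTED_HOSTS = {"updates.vendor.invalid"}
GENUINE_PACKAGE = b"GENUINE-DASHBOARD-INSTALLER-v1.2.3"
TAMPERED_PACKAGE = b"PAYLOAD-SUBSTITUTED-BY-ON-PATH-SERVER"

# Digest manifest the client is assumed to have obtained over an authenticated
# channel (for example shipped with the installer or fetched over HTTPS).
MANIFEST = {"dashboard-1.2.3.exe": hashlib.sha256(GENUINE_PACKAGE).hexdigest()}


def weak_install(url, fetch):
    """Weak client: treats whatever the update URL returns as the update.

    Over plain HTTP an on-path server can answer in place of the vendor, so
    the client accepts a substituted payload as a legitimate update.
    """
    return fetch(url)


def hardened_install(url, fetch, manifest=MANIFEST, trusted_hosts=TRUSTED_HOSTS):
    """Hardened client: HTTPS to an allow-listed host plus a pinned digest.

    HTTPS is the fix the vendor shipped; the digest check is an extra layer so
    that bad bytes are rejected even if they arrive from a trusted host.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update channel: {parts.scheme}")
    if parts.hostname not in trusted_hosts:
        raise UpdateRejected(f"update host not allow-listed: {parts.hostname}")

    name = PurePosixPath(parts.path).name
    expected = manifest.get(name)
    if expected is None:
        raise UpdateRejected(f"no pinned digest for package: {name}")

    package = fetch(url)
    actual = hashlib.sha256(package).hexdigest()
    if actual != expected:
        raise UpdateRejected(f"digest mismatch for {name}: {actual} != {expected}")
    return package


def demo():
    """Run both clients against an on-path substitution; returns a summary dict."""
    http_url = "http://updates.vendor.invalid/dashboard-1.2.3.exe"
    https_url = "https://updates.vendor.invalid/dashboard-1.2.3.exe"

    # The weak client accepts the substituted payload without complaint.
    weak_result = weak_install(http_url, lambda _u: TAMPERED_PACKAGE)

    # The hardened client refuses the plaintext channel before fetching...
    try:
        hardened_install(http_url, lambda _u: TAMPERED_PACKAGE)
        rejected_http = False
    except UpdateRejected:
        rejected_http = True

    # ...and rejects a tampered payload even over HTTPS, via the pinned digest.
    try:
        hardened_install(https_url, lambda _u: TAMPERED_PACKAGE)
        rejected_tampered = False
    except UpdateRejected:
        rejected_tampered = True

    genuine = hardened_install(https_url, lambda _u: GENUINE_PACKAGE)
    return {
        "weak_ran_tampered": weak_result == TAMPERED_PACKAGE,
        "hardened_rejected_http": rejected_http,
        "hardened_rejected_tampered": rejected_tampered,
        "hardened_accepted_genuine": genuine == GENUINE_PACKAGE,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```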

The other weakness that Trustwave discovered in the SSD Dashboard is tied to the use of a hard-coded password for protecting archived customer-generated system and diagnostic reports. The password completely negates the benefit of encrypting the data when it is sent to SanDisk for examination.

The hard-coded password vulnerability isn’t quite as severe as the HTTPS issues, Sigler says. Even so, error reports can often contain confidential information, he says. “An attacker that can gain access to an error report would be able to decrypt it with the hard-coded password and gain access to that information.”

Customers of SanDisk — and of parent Western Digital — that are currently using the Dashboard to monitor and maintain their SSDs should upgrade their application as soon as possible, Sigler advises. These flaws — hard-coded credentials and lack of encryption where needed — are unfortunately too common. They highlight the need for vendors to start including security assessments as a part of their overall software development life cycle, he says.

In an advisory, Western Digital confirmed the issues and urged customers to install the latest version of the company’s SanDisk SSD Dashboard and Western Digital SSD Dashboard. Installing the updates ensures that the Dashboard uses HTTPS for all resource downloads, the company said.

The updated dashboard application will also not encrypt and send system information report files back to SanDisk like it used to in previous versions. Instead, customers requiring support will in the future need to manually share the reports directly with SanDisk and Western Digital’s support team, the advisory noted.

Any organization that either uses the SanDisk Dashboard utility or allows their users to install it to manage their hardware may be at risk, Sigler says. Currently, there is no evidence that anyone has taken advantage of the two weaknesses in the SSD Dashboard. But exploiting either of these flaws would be extremely easy to pull off based on the nature of the vulnerabilities.

“If a single workstation inside an organization uses the unpatched Dashboard, they may be at risk of malware being presented to the workstation as a false update,” Sigler notes. “That foothold can then be expanded.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/flaws-in-sandisk-ssd-dashboard-present-malware-and-data-loss-risks/d/d-id/1335407?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Cloud Debuts New Security Capabilities

Updates include Advanced Protection Program for the enterprise and general availability of password vaulted apps in Cloud Identity and G Suite.

Google Cloud is getting a few new capabilities and updates intended to secure data in the cloud, alert administrators to cloud-based threats, and protect users from targeted attacks.

Google is bringing its Advanced Protection Platform, designed to boost security for high-risk individuals, to G Suite, Google Cloud, and Cloud Identity customers. Businesses can opt to enroll users at greatest risk for targeted attacks — for example, C-level execs, IT administrators, and employees in industries like finance or government, which are typically more security-sensitive.

For these employees, Google enforces an extra set of security policies. The program automatically blocks access to third-party apps not verified by the company and has more detailed scanning of incoming mail for phishing attacks or malware. Participants are also required to use a FIDO security key, or other compatible hardware, to block account takeover. Google says the Advanced Protection Program will be available in beta within the coming days.

On a related note, Google’s Titan Security Key, which launched in the US last year, will be made available in Japan, Canada, France, and the United Kingdom on the Google Store starting today. The Titan key can be used on any device that supports FIDO security keys.

Starting today, anomaly detection will be available in beta for G Suite Enterprise and G Suite Enterprise for Education. G Suite Enterprise admins can automatically receive anomalous activity alerts in the G Suite alert center to learn about potential security risks, including data exfiltration or other policy violations related to suspicious external file sharing and downloads.

Support for password-vaulted apps will be generally available for Cloud Identity within the coming days. Cloud Identity and G Suite already allow single sign-on for apps using SAML and OIDC identity standards; now Google is bringing support for password-vaulted apps to Cloud Identity so businesses can continue supporting legacy apps that still require a username and password. The combination of standards-based and password-vaulted app support is intended to provide one-click access for users, as well as a single point of management and control for admins, Google officials explain in a blog post.


Article source: https://www.darkreading.com/cloud/google-cloud-debuts-new-security-capabilities/d/d-id/1335405?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Urgent/11’ flaws affect 200 million devices – from routers to elevators

Researchers at Armis Labs have discovered 11 potentially serious security flaws affecting the Wind River VxWorks real-time operating system (RTOS), described by the company as “the most widely used operating system you may never have heard about”.

Collectively named ‘Urgent/11’ by Armis Labs, the flaws affect an estimated 200 million devices going back to an earlier version of VxWorks in 2006, including routers, modems, firewalls, printers, VoIP phones, SCADA systems, IoT, and even MRI machines and elevators.

That diversity and volume of devices creates a huge patching job because many of their current owners might not even realise they’re using VxWorks, especially when a device dates back years.

The specific issue is in VxWorks’ TCP/IP stack (IPnet), part of a software stack that first appeared in 1987 and which has apparently suffered barely any security flaws in all that time.

Real time

But what is an RTOS? The short answer is that it’s used by a device that must guarantee fast response (hence ‘real time’) and where reliability is more important than brute computing power.

For example, vehicle airbag systems use RTOS to ensure the bag inflates at precisely the right moment – neither too early nor too late.

That, and its 32-year-old heritage, explains why Wind River’s VxWorks is used by two billion devices even if the newly discovered flaws affect only a subset of those.

Writes Armis Labs:

The actual extent of VxWorks devices is astonishing, including Siemens, ABB, Emerson Electric, Rockwell Automation, Mitsubishi Electronic, Samsung, Ricoh, Xerox, NEC, and Arris, among others.

It was even used by NASA’s 2018 InSight Mars Lander mission, although there’s no suggestion this is affected (being 40 million miles away also helps).

The vulnerabilities

Reported to Wind River some time ago, the list of 11 CVEs (see the official alert for details) comprises six critical remote code execution (RCE) flaws, plus five less serious issues that could lead to denial of service, information leaks, or logic errors (although a DoS state in an RTOS could still cause big headaches).

The main worry is that where devices are accessible from the internet, or locally, exploiting the flaws would be relatively easy while being difficult to detect.

According to Armis Labs, attackers could exploit them to take control of affected devices via the TCP/IP stack without user interaction. Firewalls wouldn’t be able to detect or stop such attacks, and any firewalls that themselves run the affected software would be at direct risk.

So far, there is no evidence that any flaw has ever been exploited in an attack.

Affected versions and fixes

All versions of VxWorks since 6.5, released in 2006 (the year Wind River acquired the software), are affected, although some older versions where the software was used as a standalone TCP/IP stack might also be affected, in addition to discontinued versions of Wind River Advanced Networking Technologies.

VxWorks 653 and VxWorks Cert Edition, used in safety-critical systems, are not affected.

Wind River issued patches for the flaws on 19 July, which should be applied urgently. In some cases, it might be possible to mitigate the flaws using firewall rules (after applying any patches to these of course) or through source code tweaks, Armis Labs said.

Because of the diversity of devices, owners are advised to contact their device makers for updates.

This will sound reassuring – researchers have uncovered potentially serious flaws before attackers got to them and the affected vendor has produced the fixes to patch the holes.

The problem, of course, is actually applying those patches to a large number of devices that owners might not understand in detail and which often require specialist knowledge to work with.

Urgent/11 might turn out to be the world’s trickiest IoT challenge.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nC9Xn3LZE9k/

Watch as 10 cops with guns and military camo storm suspected Capital One hacker’s house…

Newly released footage showing cops storming the house of the woman accused of hacking Capital One’s cloud servers to steal 106 million people’s personal information has again raised questions about the over-militarization of the American police force.

Software engineer Paige Adele Thompson, 33, was cuffed on Monday after the FBI tracked her down to her home address close to Seattle airport and raided it. Her housemates were seemingly unaware of Thompson’s alleged illegal activities and provided footage from a number of security cameras in and around the house to local TV news.

That footage shows an extreme amount of force – with nine or 10 men in military outfits and armed with machine guns storming the single-story house. The camouflaged super-plod smashed the glass on two vehicles outside, knocked down the cameras, and caused significant damage in their efforts to arrest Thompson, who was unarmed and went quietly.

The tactics immediately came under fire given that the cops were aware that they were collaring an apparently non-violent alleged hacker. Except…

Except the police later revealed that they have found no less than 20 firearms in the house – including assault rifles and handguns as well as a wide range of related equipment including bumpstocks, scopes, and ammunition. The guns were in a different bedroom to where Thompson, and her computer that she may have used to carry out the hack, were located.

In a bizarre twist, the owner of the house in which Thompson lived with two other housemates, who is thought to be the owner of the firearms, has some alarming prior history. Park Quan, 66, was convicted of possessing explosives in 1983, and of having an unregistered machine gun in 1991. He was reportedly linked to a failed contract killing in which a bomb was attached underneath a pick-up truck but failed to go off.

Quan was charged this week with being a felon in possession of a firearm following Monday’s swoop.

The security footage displays the wrong date and time but clearly shows the same house that Thompson lived in on 28th Avenue, south of Seattle, and despite the video saying it is 2000 at night, it is clearly early in the morning: 0600 according to her housemates.

Bananas pajamas

One of the housemates complained to Ranji Sinha of telly news outlet Kiro7 that he had “woke up to a loud bang and was dragged out the house in my pajamas.” The other housemate – neither of whom wanted to give their names or show their faces on screen – said that the cops had also taken Thompson’s “$10,000 computer” and that she “hadn’t worked for some time.” They say they had no idea what she was up to and when asked about her motivation suggested that “she did it because she could.”

Circa 2015, Thompson, aka “erratic,” worked as an engineer for Amazon Web Services, which hosted Capital One’s cloud storage servers that she allegedly broke into and downloaded the contents of earlier this year.

The Feds claim she left her fingerprints all over the cyber-theft: she used the same VPN service both to siphon the data from Capital One’s AWS S3 buckets and to log into her GitHub account; that account – username paigeadelethompson – hosted a public Gist explaining how to hack Capital One’s S3 buckets; and her GitHub profile linked to her GitLab account, which hosted a copy of her resume complete with full name and home address.


And, in a jokey private message, Thompson claimed that she had “basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it.” Needless to say none of this ended well for her.

The systems engineer has already appeared in court, charged with violating the US Computer Fraud and Abuse Act, and will remain in custody until her next hearing on August 1. She faces up to five years in the clink, and potentially a $250,000 fine, if convicted. She wept in court as these early proceedings unfolded.

In related news, New York’s Attorney General Letitia James said on Tuesday that her office had opened an investigation into the hack.

“Though Capital One’s breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers’ names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information.

“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?… We cannot allow hacks of this nature to become everyday occurrences.”

Also, Thompson’s Slack messages to pals, obtained by the FBI, list references to data seemingly acquired from other businesses, so this yarn may not end with Capital One. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/30/capitalone_hacker_arrest/

New UK Home Sec invokes infosec nerd rage by calling for an end to end-to-end encryption

Priti Patel has declared war on encryption safeguards, demanding they be torn up for the convenience of police workers.

Patel, the social conservative appointed Home Secretary by British Prime Minister Boris Johnson last week, used this morning’s Daily Telegraph to call for end-to-end encryption to be broken with backdoors inserted for illicit law enforcement access.

In this morning’s front-page newspaper story, a sentence attributed to the Five Eyes spying alliance which appeared to support Patel’s personal views on breaking encryption was not, however, in the agreed version of the communique, as spotted by tech lawyer Graham Smith.

The sentence quoted by Smith from a low-resolution picture of the Telegraph splash article says: “The Five Eyes nations’ communique said: ‘Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format’.”

El Reg has preserved a copy of the original Five Eyes communique here (PDF), just in case the official version on GOV.UK is altered. The proposal mirrors one floated by GCHQ’s Ian Levy some months ago, referred to as the ghost user plan.

On behalf of Patel, the Home Office pointed us to a different version of the communique (PDF) where the wording differs in many respects from what appears to be the agreed ministerial version.


“Where systems are deliberately designed using end-to-end encryption, which prevents any form of access to content, no matter what crimes that may enable, we must act,” Patel wrote in a separate Telegraph article also published today, specifically referring to Facebook’s recently announced plans.

“This use of end-to-end encryption in this way has the potential to have serious consequences for the vital work which companies already undertake to identify and remove child abuse and terrorist content,” she continued, invoking the two routinely used justifications – and echoing similar sentiments from former home secretaries – for governments that want to harm individual privacy, safety and security online.

Patel also chucked in some throwaway lines about “proportionality and appropriate safeguards”.

Facebook, having been singled out by the Home Secretary, said it would maintain its plans to roll out encryption.

Antigone Davis, Facebook’s head of global safety, told The Register: “Facebook appreciates the discussion with the Five Country Ministerial. People should expect that we will do everything we can to keep people safe on our services within the limits of what’s possible in an encrypted service. As our CEO Mark Zuckerberg promised, we’ll consult with safety experts, law enforcement and governments through 2019 and beyond on the best ways to implement safety measures before fully implementing end-to-end encryption. We’ll also work together with other platforms to make sure that as an industry we get this right because many open questions remain. The more we can create a common approach, the better.”


It’s not looking good for the future

In the UK, laws permitting state workers to covertly spy on individuals and groups of individuals contain no meaningful safeguards. What lax safeguards do exist only kick in after the point at which councils, police and others are allowed to covertly record who you are communicating with, when and over what medium. An audit agency called the Investigatory Powers Commissioner’s Office (IPCO) reviews bulk spying logs and occasionally writes strongly worded letters if snoopers look like they broke the law.

No state employee has been arrested, prosecuted or convicted of unlawfully accessing communications or ignoring Britain’s lax surveillance laws, despite IPCO finding that such blunders were still getting innocent people arrested and treated like criminals.

Under Patel’s control of the Home Office, Britain looks set to continue down its existing path of becoming a less safe and secure country in which to use the internet, set up a business – or carry out infosec threat research. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/31/home_sec_priti_patel_five_eyes_encryption_controversy/

Cybercrooks attempted credential-stuffing banks 3.5 BEEELLION times in the last 18 months alone

Content delivery network Akamai Technologies reckons that despite the time and effort spent convincing people not to fall for phishing and other frauds, the bigger threat might actually be credential-stuffing attacks.

In the latest edition of its State of the Internet Report (PDF), Akamai said it picked up around 3.5 billion cred-stuffing attempts over the past 18 months. Worryingly, half of those attacks targeted the financial services sector alone.

Credential stuffing is more or less a synonym for brute-forcing access into a passworded system, except using previously breached login credentials rather than a rainbow table or some other setup of commonly reused username/password combinations.

Virtually all (94 per cent) of the attacks on financial institutions used just four techniques: SQL injection; local file inclusion (where world+dog can upload, read and potentially execute files on a remote server); XSS; and OGNL Java injection, as infamously used in the Apache Struts vuln and which accounted for in excess of 8 million attempts counted by Akamai.

Akamai said its data shows that online criminals ran a cool 3.5 billion cred-stuffing attempts during an 18-month period. Separately, between December last year and this May, the company identified precisely 197,524 phishing domains – of which two-thirds directly targeted consumers.
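As an added illustration of the attack pattern described above (example code written for this page, not Akamai’s tooling or anything from the report), the following Python separates a credential-stuffing source from plain brute force in constructed login log lines and lists the accounts that need review; the log format, addresses and thresholds are all assumptions.

```python
# Constructed example: credential stuffing replays breached username/password
# pairs, so a stuffing source shows many distinct usernames with about one
# attempt each, while classic brute force hammers one account with many passwords.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2019-07-31T06:00:01 203.0.113.7 alice FAIL
2019-07-31T06:00:02 203.0.113.7 bob FAIL
2019-07-31T06:00:02 203.0.113.7 carol FAIL
2019-07-31T06:00:03 203.0.113.7 dave FAIL
2019-07-31T06:00:03 203.0.113.7 erin OK
2019-07-31T06:00:09 198.51.100.9 alice FAIL
2019-07-31T06:00:10 198.51.100.9 alice FAIL
2019-07-31T06:00:11 198.51.100.9 alice FAIL
2019-07-31T06:00:12 198.51.100.9 alice FAIL
2019-07-31T06:00:13 198.51.100.9 alice FAIL
2019-07-31T06:05:00 192.0.2.44 grace FAIL
2019-07-31T06:05:30 192.0.2.44 grace OK
"""

def parse_log(text):
    """Return (timestamp, src_ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, ip, user, result = parts
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def classify_sources(events, window=timedelta(minutes=5), threshold=5):
    """Label each source IP 'stuffing', 'bruteforce' or 'benign' over a sliding window:
    >= threshold attempts across >= threshold users is stuffing; on one user, brute force."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, rows in by_ip.items():
        verdict, start = "benign", 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            users = {u for _, u in rows[start:end + 1]}
            attempts = end - start + 1
            if attempts >= threshold and len(users) >= threshold:
                verdict = "stuffing"
                break
            if attempts >= threshold and len(users) == 1:
                verdict = "bruteforce"
        verdicts[ip] = verdict
    return verdicts

def accounts_to_review(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: likely takeovers."""
    return sorted({u for _, ip, u, ok in events if ok and verdicts.get(ip) == "stuffing"})
```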


“We’ve seen a steady rise in credential-stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, editor of the State of the Internet Report’s security edition. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organisations and their consumers.”

Not all of the nefarious activity Akamai saw was a sophisticated attempt to part banks from your money. A further 800 attacks were old-fashioned DDoS attempts against financial services companies.

“There is a deep level of irony in the fact that criminals are targeting the very industry they need to survive. While financial institutions are becoming better at detecting these attacks, adversaries continue to find success with old tricks, and that’s a problem,” concluded a philosophical McKeay. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/31/black_hats_hate_banks_says_akamai/

The Attribution Trap: A Waste of Precious Time & Money

Aiming for attribution doesn’t help most organizations become more secure. It can actually have the opposite effect.

When it comes to cybersecurity, the world is obsessed with attribution. We see sensational headlines all the time that question, speculate on, and purport to confirm the identities of attackers. Often, there’s an immediate impulse to answer “who” when triaging and responding to incidents, but that’s not the correct path in most cases. Many security leaders operate under the false premise that “who” equates to “how,” a notion that is not only counterproductive but dangerous.

Companies are under constant attack, often struggling to respond and mitigate quickly to assess the damage. Teams need to move fast to figure out how attacks happened so they can take steps to prevent them from happening again. This means directing attention to the impacted data and devices, the specific attack method, and how to shut the access points that may be left exposed. Fixating on the threat group behind the attack takes time, energy and resources away from performing the practical measures that are necessary to keep the organization’s network secure.

Consider the following scenario: the CFO of your organization has fallen victim to a well-crafted request to transfer funds to a third party (a technique known as business email compromise). Trying to figure out who is behind the attack won’t protect against similar attacks or help recover stolen funds, trade secrets, or other pilfered property.

Attribution research is a distraction that most IT and security teams can’t afford, a waste of precious time and budget. Instead, teams should gain a thorough understanding of what happened and perform a technical analysis to answer questions like: How did the intruders get in? How did they access the data? Where was the money transferred to? Which accounts were used?

Let’s use a ransomware attack as another example. As attackers move away from spray-and-pray techniques and toward more manual opportunistic attacks, organizations need to understand how ransomware is deployed, instead of focusing on which “Spider” group is deploying which malware. Organizations should address this risk from a perspective of “how does X facilitate Y?” In this case, understanding how externally accessible management protocols enable ransomware deployment is a far more critical consideration for defenders than researching attribution.

In my 10 years as a security analyst, I’ve found that the top priorities after an incident should be these:

1. Understand your assets.
Security teams are chronically understaffed, underfunded, and undersupported, and time is the most expensive and limited asset. Cycles spent on determining attribution are better spent elsewhere. Teams should be laser-focused on learning their networks, understanding how mistakes happen, and developing plans to prevent future incidents. They should ask questions about their network and endpoints, prioritize visibility, and learn from previous mistakes and known architectural quirks.

2. Use your threat data.
Most organizations don’t capitalize on the massive wealth of threat data available to them or effectively use their own environments to validate threat data. Instead they rely on the data’s source to dictate prevalence. But robust overall defense posture and threat assessment via hunting contribute more value than attacker identification.

Experienced threat hunters understand and distill fundamental, actionable intelligence and use this data to proactively identify potential compromise. To them, “who” is just one of many labels that can help organize tactics, techniques, and procedures (TTPs) and should be considered a postmortem activity, a component of an “after-action report” or lessons-learned phase.

3. When the “who” matters.
There are some exceptions to the “ignore attribution” rule. Knowing who is behind an attack can be helpful for mature organizations that have defined defensive practices, adequate visibility, and well-constructed threat hunting and intelligence teams. For the companies that can handily answer the “how” and the “what,” attribution can be part of assessing potential adversaries and allowing organizations to prioritize their defensive efforts.

Attribution is helpful for investigations conducted by the larger security community, too. Approaching investigations from a perspective of “how would threat actor X do this?” can be a useful construction for threat researchers and law enforcement in their threat hunting. Distinctive groupings of adversary behaviors also allow for more streamlined threat sharing among peers, creating space for greater industry collaboration.

While it may be tempting to let curiosity govern your first steps, organizations should avoid falling into the attribution trap. Instead, they should examine their overall security programs, learn what and where their assets are, and analyze the data. Aiming for attribution doesn’t help most organizations become more secure. Instead, it can actually have the opposite effect when you put off more basic and effective incident response measures to conduct “who done it?” research.


Brandon Levene leads the Applied Intelligence team at Chronicle (VirusTotal). Prior to Chronicle he was a founding member of threat organizations at Salesforce.com and Palo Alto Networks.

Article source: https://www.darkreading.com/threat-intelligence/the-attribution-trap-a-waste-of-precious-time-and-money/a/d-id/1335353?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple