STE WILLIAMS

You know what’s coming next: FBI is upset it can’t get into Texas church gunman’s smartphone

FBI agents investigating the murder-suicide of 26 people in a church in Sutherland Springs, Texas, on Sunday, have said they can’t yet unlock the shooter’s smartphone.

In a press conference on Tuesday, special agent Chris Combs said that investigations into the motives and actions of the gunman were ongoing, but that his mobe was a closed book to them.

“With the advance of technology, and the phones, and the encryption, law enforcement at the state, local or federal level is increasingly unable to get into phones,” Combs said. “I’m not going to say what kind of phone it is, I’m not going to tell every bad guy what phone to buy to harass our efforts to try to find justice here.”

The cops say the mass shooting was sparked by a family dispute, and that the murderer’s mother-in-law was living in the town. She was not at the church service, though, when the gunman, armed with an AR-15 assault rifle, entered and killed two dozen people, who were aged 18 months to 77 years, and injured a further 20 folk.

It looks as though the FBI is going to get into another showdown with a phone manufacturer over the unlocking of a handset, as it did with the San Bernardino shooter and Apple. In that case the killer destroyed all of his laptops and cellphones, except his work iPhone.

The Feds tried to force Apple to unlock the mobe after the agency failed to get past the PIN screen. The iGiant refused to make special software to bypass the security mechanisms in the device, and aggressively fought the US government in court to resist the order. Later, the agency gave up the battle, and found a third party to break into the phone for it.

According to its latest statements, the FBI has almost 7,000 smartphones that it can’t get past the passcode screens or otherwise access. However, with the church mass-murder such an emotive case, it may use this one to take another legal stand, and force a handset maker to unlock and decrypt the Texas gunman’s phone, as part of its wider campaign for breakable encryption in consumer electronics. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/08/fbi_texas_church_gunman/

Burnout, Culture Drive Security Talent Out the Door

Security’s efforts to bridge the talent gap mean little when workers don’t want to stay in the industry.

We hear a lot about security’s struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security can’t improve tenure.

Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.

People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a “positive challenge” for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.

“It feels so much better to inspire kids to go into cybersecurity, but what’s harder is looking at the industry itself and all the parts that might need fixing,” Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.

Burnout

Survey results indicate burnout, industry culture, and ill-defined career paths are three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and from friends in the industry, she notes.

Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses weren’t taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.

“They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem,” she explains. “It’s something where organizations need to focus.”

While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating but many tasks are redundant and don’t leave time for critical thinking and technical skills.

“There’s so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now,” says Limbago. “You could see how that leads to burnout.”

Industry Culture

The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all (85% of) non-male respondents had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.

On a corporate environment level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or at company events.

Limbago, who has experience working in academia and national security, which also has few women, says she didn’t notice the gender dynamics as much as she has in security. While she reports a great community at her own company, she says oftentimes the conference environment can be “dispiriting.”

“Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot,” she says. “Company culture becomes so much more important,” she adds, and eventually internal corporate culture can affect conference culture as well.

Ill-Defined Career Path

Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with more than half saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.

“So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth,” she says. Good tech leadership is necessary, but companies don’t provide the paths to prepare future leaders.

Security isn’t necessarily a new industry, but it’s evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time don’t have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally don’t stay too long.

What can be done?

Limbago’s research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. It’s important for this type of culture to start internally, with leadership buy-in to foster greater engagement.

She also emphasizes the need for more realistic performance metrics, which “should not be based along the binary of breach or no breach.” Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.

Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from CyberSeek, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.

Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/careers-and-people/burnout-culture-drive-security-talent-out-the-door/d/d-id/1330352?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sick of Twitter’s 140-character limit? These guys gave themselves 30,000!

When Twitter launched in 2006, it had to decide what the longest possible message could be.

The limit chosen was 140 characters – which, not at all coincidentally, means that tweets fit easily into the 161 characters available in mobile phone SMS messages, better known as texts.

This very handily made the newfangled microblogging platform compatible with all mobile phones, back in the days when smartphones with proper internet access and on-screen keyboards were a rarity.

In fact, Twitter-via-SMS never became a thing, but Twitter stuck to 140 characters nevertheless.

Indeed, it’s only recently that Twitter has been toying with the idea of allowing longer tweets, with selected users getting the right to use up to 280 characters in a single message.

Over the weekend, however, a couple of naughty Germans realised that they could beat the 140-limit, and indeed the heady new 280-character experimental limit, by miles (or kilometres, perhaps, given that they were German).

The trick they used has now been blocked by Twitter, but as far as we can see, it was absurdly simple.

Autoshortening

In the early days of Twitter, putting a clickable link into a tweet cost you the full length of the URL, so that a URL like https://nakedsecurity.sophos.com/ used to take up a full 33 characters.

Nowadays, however, URLs are converted automatically by Twitter into a shortened form, such as https://t.co/t3gWnOLePX. (Twitter owns the t.co domain for exactly this purpose.)

The fixed-length code at the end of the new shortened URL (above, that’s the text t3gWnOLePX) automatically redirects visitors to the original URL you typed in.

Your tweet is only “billed” for the length of the shortlink, even if your original URL was much longer.

So the German pranksters used a very, very long URL indeed – one that didn’t and couldn’t exist, not least because domain names can never be longer than 64 characters:

https://Tpry6iry6iwy3ziwi35dwdw35iu3wtduayetwuyt33udwtuwy3tdweutu
wyetywwsuuwytuqsetuswtuw..[about 27,000 characters]..wutdw5uu.cc/
tsyaut..[about 3000 characters]..auyatyuatutsysutusytysuteusyyust

Despite the unusability and illegality of the enormously long URL in the submitted tweet, it seems that Twitter not only shortened it and accepted it, but also faithfully reconstructed and printed it out whenever the tweet was displayed.

The pranksters didn’t try to embed any sort of legible message in their uebertweet – it looks as though they just hammered down on the keyboard (or used a random keypress generator), but they did manage a length of more than 30,000 characters.

Leute! [Wir] können der Zeichen Limit überschreiten!
Ihr glaubt uns nicht? Hier der ca. 35k Zeichen Beweis.

Dudes! [We] figured out how to exceed the character limit!
Don’t believe us? Here’s a 35,000 character proof.

As you can imagine, a tweet of that length played visual havoc with users who tried to look at it, so Twitter wasn’t pleased at all, and kicked the German pair off Twitter for violating the site’s terms of service.

Apparently, the naughty boys have been readmitted after one of them said that they were sorry – after all, no malware was disseminated; no unlawful content disseminated; no fake news dispersed; and no lasting harm done.

What to do?

If you’re a programmer, there’s a vital lesson in this incident.

Watch out for the sort of security flaws that can happen when you measure things in different ways at different times!

Twitter counted a 30,000-character string as being just 10 bytes long (the length of its t.co shortcode) when figuring out if it would fit into the 140-character limit, but expanded it back to its full 30,000 characters when formatting it for display.

In this case, nothing malicious happened, but there are many analogous cases where exploitable security vulnerabilities could have arisen from this sort of blunder.

For example, if you allocate a memory buffer of 256 bytes to hold a message, then you can’t blindly assume that your buffer is big enough for every possible message of 256 characters.

After all, not all characters fit into one byte. (Chinese characters don’t, for example; nor do emojis and the characters of many other writing systems.)

As any carpenter will remind you, “Measure twice, cut once”!
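As an added illustration of the lesson above (example code written for this page, not Twitter’s code or anything from the original article), the Python below puts the two measurements side by side: a flawed acceptance check that bills a URL at the 10-character shortcode length the article cites and then renders the full text anyway, next to a corrected check that bills the same way but also bounds the rendered length and checks each hostname against the DNS limits of RFC 1035 (63 octets per label, 253 for the whole name). It then applies the same idea to the 256-byte buffer: comparing the encoded size rather than the character count. The RENDER_CEILING value, the function names and the sample tweets and messages are constructed assumptions for the example.

```python
"""Length checks that disagree with each other: a URL billed at its shortcode
size but rendered in full, and a buffer sized in bytes but checked in characters."""
import re
from urllib.parse import urlsplit

TWEET_LIMIT = 140           # the limit the article discusses
SHORTLINK_COST = 10         # the t.co shortcode length the article cites
RENDER_CEILING = 2048       # assumed hard ceiling on the rendered tweet (not from the article)
MAX_LABEL_OCTETS = 63       # RFC 1035: one DNS label
MAX_HOSTNAME_OCTETS = 253   # RFC 1035: a full host name

URL_RE = re.compile(r"https?://\S+")


def billed_length(text: str) -> int:
    """Length as the naive check sees it: each URL costs a fixed shortcode."""
    return len(URL_RE.sub("x" * SHORTLINK_COST, text))


def display_length(text: str) -> int:
    """Length as the renderer sees it: the original URL reconstructed in full."""
    return len(text)


def hostname_is_plausible(url: str) -> bool:
    """Reject hosts that cannot exist in the DNS (over-long labels or names)."""
    host = urlsplit(url).hostname or ""
    if not host or len(host) > MAX_HOSTNAME_OCTETS:
        return False
    return all(0 < len(label) <= MAX_LABEL_OCTETS for label in host.split("."))


def accept_flawed(text: str) -> bool:
    """The blunder: bill by shortcode, then render the full text anyway."""
    return billed_length(text) <= TWEET_LIMIT


def accept_fixed(text: str) -> bool:
    """Bill the same way, but also bound what will actually be stored and shown."""
    if billed_length(text) > TWEET_LIMIT:
        return False
    if not all(hostname_is_plausible(url) for url in URL_RE.findall(text)):
        return False
    return display_length(text) <= RENDER_CEILING


def utf8_size(message: str) -> int:
    """Bytes the message occupies once encoded, which is what a buffer holds."""
    return len(message.encode("utf-8"))


def char_count_says_it_fits(message: str, buffer_bytes: int = 256) -> bool:
    """The blunder from the article: assumes one character is one byte."""
    return len(message) <= buffer_bytes


def fits_in_buffer(message: str, buffer_bytes: int = 256) -> bool:
    """Compare the encoded size, not the character count, against the buffer."""
    return utf8_size(message) <= buffer_bytes


# Constructed sample inputs; the pranksters' real tweet is not reproduced here.
OVERSIZED_TWEET = "Hier der Beweis: https://" + "a" * 30000 + ".cc/"
NORMAL_TWEET = "Read this: https://nakedsecurity.sophos.com/"
CJK_MESSAGE = "\u6f22" * 256        # 256 CJK characters, 3 bytes each in UTF-8
EMOJI_MESSAGE = "\U0001F600" * 100  # 100 emoji, 4 bytes each in UTF-8

if __name__ == "__main__":
    for label, tweet in (("normal", NORMAL_TWEET), ("oversized", OVERSIZED_TWEET)):
        print(f"{label}: billed={billed_length(tweet)} displayed={display_length(tweet)} "
              f"flawed={accept_flawed(tweet)} fixed={accept_fixed(tweet)}")
    for label, msg in (("cjk", CJK_MESSAGE), ("emoji", EMOJI_MESSAGE)):
        print(f"{label}: chars={len(msg)} bytes={utf8_size(msg)} "
              f"by_chars={char_count_says_it_fits(msg)} by_bytes={fits_in_buffer(msg)}")
```

Run stand-alone, the oversized tweet is billed at 27 characters but displays at 30,029, so the flawed check accepts it and the fixed one rejects it on the hostname alone; the 256-character CJK message passes the character count but needs 768 bytes, which is exactly the mismatch the carpenter’s rule warns about.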


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8Yd7oD1IwpE/

Oh Brother: Hackers can crash your unpatched printers – researchers

Security researchers have said they’ve uncovered a new way for hackers to crash Brother printers.

More specifically, they’ve put out an advisory saying a vulnerability in the web front-end of Brother printers (the Debut embedded http server) allows an attacker to launch a Denial of Service attack. The attack might be carried out simply by sending a single malformed HTTP POST request, they claim.

“The attacker will receive a 500 error code in response, the web server is rendered inaccessible and all printing will cease to function,” Trustwave explains. “This vulnerability appears to affect all Brother printers with the Debut web front-end.”

More than 16,000 vulnerable devices are accessible from the internet, according to figures from a search using the Internet of Things search engine Shodan.

Trustwave went public with the flaw – and suggestions for mitigation – after failing to get a response from Brother. El Reg asked Brother for a response via its web form and customer support Twitter feed early on Tuesday but we’ve yet to get a reply either. We’ll update this article as and when more information comes to hand.

Enterprise sysadmins were advised by the researchers to restrict web access to Brother printers using a firewall or similar device.

Hacktivists and other types are known to target printers as a means to attack corporate networks or simply out of pure devilment. Trustwave warned it would be a mistake to dismiss such denial of service attacks as a mere nuisance since they tie up resources and reduce productivity at any organisation.

There’s also the possibility, as Trustwave points out, that hackers might crash the printers of a targeted organisation before showing up at its office while posing as a technician who has come to resolve the problem. Impersonating a technician would allow the attacker direct physical access to IT resources that they might never have been able to access remotely, the security vendor warns.

Trustwave SpiderLabs’ full advisory on the Brother printer DoS risk, featuring a proof-of-concept attack, can be found here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/07/brother_printers_crash_vuln/

Mirai, Mirai, pwn them all, who’s the greatest botnet on the whole?

The Mirai botnet is alive and kicking more than a year after its involvement in a DDoS attack that left many of the world’s biggest websites unreachable.

DNS provider Dyn reckons about 100,000 Mirai-infected gadgets knocked it out back in October 2016. A study by security ratings firm SecurityScorecard, out Tuesday, found that even a year after its initial release, Mirai botnet infections are still widespread.

From July to September 2017, SecurityScorecard identified 34,062 IPv4 addresses on the public internet that showed symptoms expected from an embedded device infected with the Mirai IoT malware. This contrasts with 184,258 IPv4 addresses of IoT devices infected with Mirai IoT malware from August 1, 2016, to July 31, 2017.

Even though the botnet is smaller and more fragmented, it still poses a threat to internet hygiene.

Other security experts back this assessment. The decline in numbers of the Mirai zombie horde may have nothing to do with improved IoT security, such as users patching the DVR devices and the like that are most susceptible to infection.

Ken Munro, of UK security consultancy Pen Test Partners, said: “We believe the main reason that the botnets are small is that Mirai is not persistent. The infection does not survive a reboot. Mirai attacks XiongMai-based DVRs, which are pretty unstable – indeed, it’s trivial to reboot them remotely, unauthenticated.

“As a result, no single botnet herder can create a single large botnet – the DVRs reboot randomly and there’s then a race to pwn them again.”

Other more recent IoT botnets – most notably Reaper – represent a worse risk to security, according to Munro.

The attack on Dyn was preceded by one on infosec sleuth Brian Krebs’ website and followed by DDoS attacks using Mirai variants on the routers of Deutsche Telekom and TalkTalk. All of this malfeasance took place last year. Quite why we’ve not seen a continuation of high-profile DDoS attacks that use IoT devices as a platform is something of a head-scratcher, not least because the potential for harm is undiminished.

For example, last month security researchers Troy Mursch and Dr Neal Krawetz uncovered a Mirai-like botnet made up of EnGenius routers. Mursch told El Reg that he’s seen 90,000 drones in the network since February.

Mirai source code leaked in early October 2016, three weeks or so before the Dyn DDoS spectacular. This has opened up the door to copycat botnet cultivation.

What’s the sitch?

SecurityScorecard’s Mirai sitrep provides a contemporary analysis of the devices infected with the IoT malware.

The education sector was the industry most affected by Mirai variants during Q3 of 2017, ahead of energy, manufacturing, entertainment, and financial services, according to figures from SecurityScorecard.

[Figure: Mirai spread by industry sector, pie chart. Source: SecurityScorecard]

The most affected country for Mirai activity in Q3 of 2017 is Mexico, ahead of China, the US, Brazil and Turkey.

[Figure: Geographical map of the spread of the Mirai botnet. Source: SecurityScorecard]

The prevalence of Mirai infections in Mexico is likely a byproduct of efforts to roll out IoT systems, such as the recent availability of a regional dedicated communications service specifically geared towards the Internet of Things. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/07/mirai_botnet_sitrep/

Parity calamity! Wallet code bug destroys $280 MEEELLION in Ethereum

There’s a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.

Parity, which was set up by Ethereum core developer Gavin Wood, admitted today that a user calling themselves devops199 had “accidentally” triggered a bug in its multi-signature wallets that hold Ethereum coins. As a result, wallets created after July 20 are now locked down and inaccessible, quite possibly permanently, thus nuking $90m of Wood’s own savings.

Multi-signature wallets mean more than one person has to sign off on a transaction before funds are moved, and are popular with companies and investment groups looking to protect their assets. Unfortunately, Parity’s technology is seriously flawed: in July a hacker managed to exploit errors in the multi-signature code to steal about $30m in Ethereum.

In response to that cockup, Parity updated its wallet software to address the vulnerability, and rolled out a new version. However, that update contained another disastrous bug, one that would lock people out of their wallets. It was set off by devops199 on Monday, affecting anyone who had installed the new code since its release.

“That code still contained another issue – it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function,” Parity’s advisory stated.

“It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”

In a series of posts on GitHub, devops199 said they were a newbie to the crypto-currency system, and had created a multi-signature wallet in a way the software did not expect. When devops199 tried to delete the buggy money pouch, it bafflingly locked down all multi-signature Parity wallets created after the last software update.

A full list of 70-odd affected wallets has been uploaded to Pastebin.

Parity has confirmed the above sequence of events leading to this week’s catastrophe with The Register. So far there’s no response on whether it will be possible to unlock the wallets, or if there are any plans to recover punters’ digital dosh. We’ll post more information when it becomes available.

One Ethereum coin is right now worth about $293. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/07/parity_wallet_destroys_280m_ethereum/

Don’t worry about those 40 Linux USB security holes. That’s not a typo

The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.

That’s just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.

Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be able to actually insert a malicious USB gadget into a Linux-powered system.

Still, there are plenty of these ports around – like on your Linux-powered in-flight entertainment unit on an airplane, and on your Linux-powered Android handheld and ChromeOS laptop.

“The impact is quite limited, all the bugs require physical access to trigger,” said Konovalov. “Most of them are denial-of-service, except for a few that might be potentially exploitable to execute code in the kernel.”

In an online discussion of the flaws, it was suggested that the WebUSB API might provide a way to take advantage of the bugs remotely, but Konovalov expressed skepticism.

“I might be wrong here, but as far as I understand, WebUSB API can be used by a web page to interact with a USB device (or USB device driver) from user space (which can potentially be used to exploit bugs in the kernel),” he said. “Those 14 bugs that I found are triggerable externally by connecting malicious USB devices, so in this case we attack the kernel kind of ‘from the other side.’ In theory it might be possible to exploit a vulnerability in a USB device itself, and then use the compromised device to externally trigger a kernel bug.”

Nonetheless, such flaws are just the sort of thing hackers and other miscreants may appreciate were they looking to conduct dropped-drive attacks – leaving booby-trapped gizmos in a parking lot, say – which happen to be rather more effective than they should be. ®

The CVEs so far…


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

4 Proactive Steps to Avoid Being the Next Data Breach Victim

Despite highly publicized data breaches, most companies are not taking the necessary actions to prevent them.

Over the last few years, companies around the world have experienced cyberattacks in which personally identifiable information (PII) of consumers was stolen. Even though the Yahoo data breach took place in 2013, it was only recently reported that 3 billion accounts were affected, which is more than three times as many accounts as initially reported.

This year, Equifax experienced a significant breach as well. What isn’t well known is that the breach could have been avoided by a patch in the software program Apache Struts, which is used by consumers to dispute information in Equifax’s credit reports. Even before the breach, the US Department of Homeland Security advised Equifax that a patch was recommended. Unfortunately for more than 140 million consumers, the patch was never implemented and their PII was stolen, which included names, addresses, birth dates, Social Security numbers, and driver’s license numbers.

The Equifax data breach exposed the fact that, despite highly publicized data breaches, most companies still are not taking the necessary actions to prevent them. Most companies are not adequately protected against data breaches or prepared to respond to a breach and mitigate the adverse effects, including the purchase of applicable insurance. Here is what you need to do. 

Step 1. Adequately protect databases containing PII. Equifax made a series of mistakes that businesses should avoid. For example, it had large unsecured databases containing PII, and those databases were not segmented to reduce the size of potential breaches. In addition, the databases were not subject to rigorous access controls. Given the widespread coverage of data breaches, there is no excuse for failing to take simple steps that can significantly increase the security of the PII in your computer systems and reduce the chance of a data breach or the scope of one should it happen.  

Step 2. Put policies in place to reduce risk. Although Equifax was in the business of selling consumer data, its data retention policies were weak or nonexistent. In addition, while the company instructed the responsible personnel to install the Apache Struts patch, it appears that it had no management policy that would have exposed the failure to install the patch. Moreover, it does not appear that the scans that were conducted were tailored to look for the vulnerability that was supposed to be addressed by the patch. It is also unclear whether the monitoring was continuous. Establishing policies and protocols to ensure routine updates, patches, and testing is easy. They are some of the most effective measures a company can take to prevent data breaches.

Step 3. Quickly take action to protect consumers and shareholders. Equifax’s CEO waited over a month to advise the board of directors. Although there are valid reasons to delay revealing a data breach, some shareholders will argue that this delay was a breach of fiduciary duty. Equifax waited even longer to advise the public, resulting in consumers losing valuable time in which they could have protected themselves. All of those mistakes not only resulted in the massive data breach but also damaged the reputation of the company, creating the potential liability for Equifax’s officers and likely further damaging consumers.

After a data breach occurs, companies should notify their attorneys, law enforcement, and their insurance company. The Department of Homeland Security also recommends reporting the data breach to www.us-cert.gov. In California, companies should also comply with the notification requirements in Civil Code section 1798.82. Even if there is no state or federal rule mandating notification, companies should still notify who was affected so that they can mitigate potential harm (and liability to themselves). Finally, companies should assess and preserve the evidence of the breach and the damage.

Step 4. Buy insurance to cover data breaches. Most courts have held that standard commercial general liability policies provide insurance coverage only for losses to tangible property, and that the loss of electronic data isn’t covered. To make sure that you are protected, purchase insurance policies that cover data breach losses and resulting damage to companies, such as business interruption. If there is insurance coverage for the loss, companies should document the time spent to deal with the breach as well as the costs to do so.

Unfortunately, cyberattacks involving data breaches are likely to become more frequent and more damaging when they take place. However, if you protect your databases, put policies in place to reduce risk, quickly take action to protect consumers and shareholders, and buy insurance to cover data breaches, you can try to avoid being next, and mitigate a breach if one occurs.


A partner in Newmeyer Dillion’s Walnut Creek office, Joshua Bevitz has experience practicing in a wide range of legal specialties, including cybersecurity, civil litigation, real estate litigation, construction litigation, insurance litigation, professional liability …

Article source: https://www.darkreading.com/attacks-breaches/4-proactive-steps-to-avoid-being-the-next-data-breach-victim/a/d-id/1330320?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How I Infiltrated a Fortune 500 Company with Social Engineering

Getting into the company proved surprisingly easy during a contest. Find out how to make your company better prepared for real-world attacks.

I infiltrated a Fortune 500 company with social engineering techniques (with authorization). Want to know how?

Here’s the background: This fall during a security exercise at DerbyCon VII, I won the Social Engineering Capture the Flag (SECTF) contest, in which we all utilized social engineering techniques to collect information that could be used to compromise a company. It was a challenging competition against five top-notch competitors, and I am pleased to say I emerged victorious.

Before the convention, we were each assigned a Fortune 500 company in the Louisville, Kentucky, area and given three weeks to compile a report about them using open source intelligence, or OSINT, which is a means of collecting information from public sources such as search engines, company websites, and social media. At DerbyCon, we made live phone calls from a soundproof box in front of an audience to collect more information. The informational “flags” captured in the report and phone calls were then scored. (A detailed report from Defcon 24 that contains all flags available to capture is available here.)

How I Did It
For the sake of the security of my target company, I will not mention it by name, because I will discuss tactics, techniques, and descriptions of the findings.

To begin, I searched for the company name on both LinkedIn and Facebook. This provided me names to associate with the company, which provided some flags.

Using recon-ng (a software tool used to collect and analyze OSINT) to parse the metadata of publicly hosted files yielded a key piece of information: the phone number syntax on official documents. I used the following search term on Google and found a gold mine: “REDACTED COMPANY NAME+(123) 456-.” This provided me several names, email addresses, and phone numbers.

One former employee had even emailed a mailing list for help troubleshooting the backup system about a year prior. This allowed me to move to his GitHub account and ascertain data about technologies used internally based on his comments in the code and the code itself.

Other notable findings:

1. From résumés on Indeed.com:

a. Which VoIP system was previously used, and to which system it was upgraded
b. Which type of badge reader (and thus which badges) was used
c. Which security company manned the gates

2. From social media:

a. The PR team had uneventful accounts, but they followed all the C-suite executives and most of the VPs
b. An employee posted pictures of his old and new badges on Facebook

3. From Google Street View:

a. Shipping companies used
b. Dumpster company used

I submitted my report and waited for DerbyCon and my time to sit in the booth. In this phase of the competition, I called a few numbers but only reached voicemail. I kept trying. Finally, a nice woman answered, and I explained that I was from “IT security” and that we were preparing for an external audit and needed to validate some information.

I built rapport with her using the topic of craft beer, which was a common theme I observed in researching people around Louisville. I started asking basic questions from my approved pretext (that is, the ruse or scheme used), and she willingly answered. I finally told her that I had deployed a security policy and instructed her to go to a specific website, and she obliged. I thanked her and terminated the call.

I dialed more numbers. All voicemail. Then a woman in the receiving department picked up. I gave the same story, and I was forwarded to a gentleman who later revealed that he worked in IT. Note: I was spoofing an internal IT number for Microsoft Office 365 email migration issues. I explained the pretext to him, this time without mentioning craft beer. I began to ask questions similar to the previous call, and he answered. When I mentioned BitLocker, he informed me that it was installed because he was using Windows, but a different product was used for encryption and malware protection. When I asked him to go to the website, he grew suspicious and asked for an internal ID number. I made one up and when he put me on hold to validate it, my 20 minutes expired and I terminated the call.

How Could This Have Been Prevented?
The easiest way for this company to have prevented this infiltration is through training and simulation. A company’s personnel should be wary of unsolicited phone calls and emails asking for network access or credentials. The training should be administered more frequently than once a year. I recommend quarterly training to address new threats and trends as well as to keep it fresh in team members’ minds. Some technical security controls may have slowed the process down, but the administrators for those systems could also be targeted and the systems circumvented.

For the phone calls themselves, simply responding to requests by saying, “I am about to step into a quick meeting; could I call you back in X minutes?” would have stopped me in my tracks. Instead, I leveraged Dr. Robert Cialdini’s 6 Principles of Persuasion and was able to convey urgency/scarcity and likeability to get the data.

People are going to fall victim to social engineering efforts. I have found that a nonpunitive company policy in response to self-reporting is a great step toward fostering a culture for preventing such attacks. People need to be empowered to report in order to allow incident response to activate early instead of after all systems have been encrypted with ransomware. Additionally, rewarding employees for reporting and helping to thwart attacks will encourage security awareness. A simple example would be a monthly drawing for the most unique phishing email forwarded to the security team.

Joe Gray joined the US Navy directly out of high school and served for seven years as a submarine navigation electronics technician. Joe is an enterprise security consultant at Sword Shield Enterprise Security in Knoxville, Tennessee. Joe also maintains his own blog and …

Article source: https://www.darkreading.com/endpoint/how-i-infiltrated-a-fortune-500-company-with-social-engineering/a/d-id/1330335?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Majority of US Companies’ DDoS Defenses Breached

Survey finds 69% of companies’ distributed denial-of-service attack defenses were breached in the past year – despite confidence in their mitigation technologies.

A whopping 88% of US companies claim confidence in their DDoS mitigation technologies, yet 69% have suffered an attack in the past 12 months, according to a report released today by CDNetworks that surveyed 500 senior IT professionals from the US, UK, Germany, Austria, and Switzerland.

Some 82% of respondents from Germany, Austria, and Switzerland, were also confident in their DDoS mitigation technologies, but 57% had suffered an attack in the past year.

Despite US companies spending an average of $34,750 a year on DDoS mitigation, these companies sustained a higher percentage of attacks than those in Germany, Austria, and Switzerland, which spent an average of $29,000, according to the report.

Nonetheless, 66% of US companies plan to increase their DDoS mitigation spending over the next 12 months, the report states.

Read more about US companies’ DDoS defense failures here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/majority-of-us-companies-ddos-defenses-breached/d/d-id/1330340?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple