STE WILLIAMS

Coming Soon to Dark Reading…

Event calendar: Dark Reading brings you threat intelligence tomorrow, boardroom communication next week, and coming in November, a brand new conference in the D.C. area.

THIS WEEK

Wednesday, Aug. 23 at 1 p.m. Eastern: Using Cyber Threat Intelligence Wisely, a Dark Reading webinar with Neal Dennis, senior ISAC analyst for R-CISC and Chris Pace, technology advocate, EMEA, for Recorded Future.

A wide range of threat intelligence feeds and services have cropped up to keep IT organizations up to date on the latest security threats. But without mechanisms in place to actually use the information, these alerts provide little benefit. Attend this webinar and learn how to: identify the threat intelligence sources most valuable — and least valuable — to your security efforts; develop processes to quickly analyze and digest threat data; and use threat intelligence when it counts most: BEFORE the attack hits.

 

NEXT WEEK

Wednesday, Aug. 30 at 1 p.m. Eastern: How to Talk to Your Management About IT Security, a Dark Reading webinar with Jim Hansen, COO of PhishMe and Josh Goldfarb, co-founder of IDDRA, former FireEye CTO of emerging technologies and author of Dark Reading’s popular “20 Questions” columns.

 

DOWN THE ROAD

Nov. 29 – Nov. 30: INsecurity – A Dark Reading Conference, For the Defenders of Enterprise Security. While “red team” conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the “blue team” will be the focus.

The event will mix traditional sessions with roundtables in which attendees discuss hot topics with colleagues, covering real-world challenges such as “Preventing Lateral Movement in Your IT Environment,” “10 Ways to Stretch Your Security Budget,” and “Targeted Attacks: How to Recognize Them, From the Defender’s Point of View.”

INsecurity will be held in the D.C. area, at the Gaylord National Harbor in Maryland, Nov. 29 and 30. Have a look at the full schedule here and register today.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/careers-and-people/coming-soon-to-dark-reading/a/d-id/1329688?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Most Security Awareness Training Fails (And What To Do About It)

BLACK HAT USA 2017 — Arun Vishwanath, associate professor at the University at Buffalo and faculty associate at Harvard University’s Berkman Klein Center, visits the Dark Reading News Desk to discuss the need for better cybersecurity awareness “diagnostics.” Vishwanath says training often tries to apply the same cure to every ailment, then blames the patient when the treatment doesn’t work.

Watch the full, two-day Dark Reading News Desk show and all 45 interviews at DarkReading.com/DRNewsDesk.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Article source: https://www.darkreading.com/endpoint/why-most-security-awareness-training-fails-(and-what-to-do-about-it)/v/d-id/1329691?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ROPEMAKER Attack Turns Benign Emails Hostile Post-Delivery

The intersection of email and Web technologies has given attackers a way to alter an email after it has been delivered to your inbox, Mimecast says.

Just because an email is secure when it arrives in your inbox doesn’t mean that it cannot be maliciously modified later.

The intersection of email and Web technologies in recent years has given attackers a way to undermine the security and non-repudiation of email, including messages signed with PGP or S/MIME, security vendor Mimecast warned this week. A signature on such a message still verifies, because the delivered bytes are unchanged; what the attacker controls is how the client renders them.

The email security provider has discovered a new exploit it has dubbed ROPEMAKER, which lets an attacker change the content of an email at will after it has been delivered, without direct access to the user’s inbox. The exploit enables attackers to swap a benign URL in a delivered email for a malicious one, to edit text in the body of the email, and to turn entire chunks of benign text into a malicious link.

Matthew Gardiner, cybersecurity strategist at Mimecast says the company has deliberately decided not to label the issue as either a product vulnerability or fundamental architectural flaw. “We think this is a topic area that needs to be further debated,” he says.

There are certainly measures that email application providers can take to better protect users against the kind of threat posed by ROPEMAKER. “[But] part of the challenge with the ROPEMAKER exploit is it doesn’t fall squarely into one particular organization’s area of responsibility,” he says.

The problem, according to Gardiner, stems from the way desktop email clients such as Outlook and Apple Mail use Web technologies to make emails more visually attractive and dynamic than the purely text-based emails of a few years ago. Certain browser-based email clients that Mimecast looked at, such as Gmail, Outlook.com and iCloud.com, were not susceptible to the issue.

“Fundamentally ROPEMAKER exists because Web technologies can and often do interoperate over a network, typically the Internet,” Mimecast researchers said in a blog on the topic this week. “To be more precise, two resources that are housed remotely from one another, but are linked via a network can interoperate; one affecting the execution of the other.”

For example, on the Web, remotely hosted and remotely controlled content and resources are routinely fetched or referenced without the local user having to do anything. Cascading Style Sheets (CSS), which describe how the layout, fonts, colors, and other features of HTML content should be presented, are a good example. CSS separates content from the components that control how the content should be presented, the company noted.

When used in the context of emails, a remotely hosted CSS file can give an attacker a way to control not just the presentation style of the email but its actual content as well, Mimecast said. Just like Web pages can continuously change text content, audio, and visuals, a remotely hosted CSS can enable changes to the content in email that has already been delivered.

“ROPEMAKER works as long as the email client automatically connects to the remote CSS to retrieve the desired ‘style’ for the email. This is at the core of the ROPEMAKER exploit,” Mimecast said.

In its advisory, the email security vendor described two ways in which an attacker could exploit the issue. One showed how an attacker could swap a good URL for a bad one. The other, which Mimecast has dubbed the Matrix Exploit, involved sending a matrix of ASCII text, character by character, and then using the remote CSS file to control which characters are displayed to the recipient.

“The Matrix Exploit is the delivery of all possible characters in an email,” such as a, A, b, B, c, C, Gardiner says. “And then, post-delivery, making whatever message you want to appear come to life for each individual email user.” This tactic makes it very difficult for an email security product to determine if an inbound mail is good or not, because what it says is not determined until after the email has been delivered, Gardiner notes.

Apple Mail has a user setting that lets users block the automatic loading of remote content, such as a remotely hosted CSS file, he says. But few users are likely to have enabled it.

Most email clients use local CSS for reasons of performance and network connectivity, adds Gardiner. However, remote CSS is supported in HTML email, and there’s no reason to believe attackers wouldn’t use it. “From the end users’ point of view they don’t have any idea where the CSS is hosted, unless they check the HTML source of the email. How many users do that?”
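As an added example, not Mimecast’s code and not part of the original article, the following Python script shows both halves of the problem on constructed input: a detector that pulls the remote stylesheet references out of a raw message, which is the check a mail gateway (or a user reading the HTML source) can run, and a small simulation of the URL-swap variant, where the delivered HTML carries both the benign and the malicious link and the stylesheet applied at render time decides which one is visible. The message, hostnames and stylesheet rules are all made up for this example.

```python
import email
import re
from email import policy

# Constructed HTML body. Both anchors are delivered; which one the recipient
# sees is decided by whatever stylesheet the client applies at render time.
HTML_BODY = (
    '<p>Your invoice is at '
    '<a id="good" href="https://portal.example.com/inv">the portal</a>'
    '<a id="bad" href="https://evil.example/inv">the portal</a></p>'
)


def build_email(head_html, body_html=HTML_BODY):
    """Return a constructed multipart/alternative message with the given <head>."""
    return (
        "From: billing@example.com\n"
        "To: victim@example.net\n"
        "Subject: Invoice\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/alternative; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/plain; charset="utf-8"\n'
        "\n"
        "Your invoice is at https://portal.example.com/inv\n"
        "--b1\n"
        'Content-Type: text/html; charset="utf-8"\n'
        "\n"
        f"<html><head>{head_html}</head><body>{body_html}</body></html>\n"
        "--b1--\n"
    )


# Stylesheet fetched from a host the sender controls (hostname is made up).
REMOTE_CSS_EMAIL = build_email(
    '<link rel="stylesheet" href="https://cdn.attacker.example/style.css">'
    '<style>@import url("https://cdn.attacker.example/more.css");</style>'
)
# Same message with its style inlined: nothing can change after delivery.
LOCAL_CSS_EMAIL = build_email("<style>a { color: #0645ad; }</style>")

LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
A_TAG = re.compile(r"<a\b[^>]*>", re.I)
HREF_ATTR = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
ID_ATTR = re.compile(r"""\bid\s*=\s*["']?([\w-]+)""", re.I)
REL_STYLESHEET = re.compile(r"""rel\s*=\s*["']?[^"'>]*stylesheet""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?((?:https?:)?//[^"')\s;]+)""", re.I)
REMOTE_URL = re.compile(r"^(?:https?:)?//", re.I)
HIDDEN_RULE = re.compile(r"#([\w-]+)\s*\{[^}]*display\s*:\s*none", re.I)


def html_parts(raw_message):
    """Yield the decoded text of every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def remote_stylesheets(raw_message):
    """List remote stylesheet URLs (<link rel=stylesheet> and @import) in a message.

    A non-empty result means the rendered content is not fixed at delivery time.
    """
    found = set()
    for html in html_parts(raw_message):
        for tag in LINK_TAG.findall(html):
            href = HREF_ATTR.search(tag)
            if REL_STYLESHEET.search(tag) and href and REMOTE_URL.match(href.group(1)):
                found.add(href.group(1))
        found.update(CSS_IMPORT.findall(html))
    return sorted(found)


def displayed_links(html, css):
    """Return the hrefs a recipient would see once `css` has hidden some anchors.

    Simulates only `#id { display: none }` rules, which is all the URL-swap
    variant needs; a real client applies the full stylesheet.
    """
    hidden = {i.lower() for i in HIDDEN_RULE.findall(css)}
    links = []
    for tag in A_TAG.findall(html):
        anchor_id = ID_ATTR.search(tag)
        href = HREF_ATTR.search(tag)
        if href and not (anchor_id and anchor_id.group(1).lower() in hidden):
            links.append(href.group(1))
    return links


if __name__ == "__main__":
    print("remote CSS:", remote_stylesheets(REMOTE_CSS_EMAIL))
    print("remote CSS:", remote_stylesheets(LOCAL_CSS_EMAIL))
    # Same delivered bytes, different visible link depending on the stylesheet.
    print("day 0:", displayed_links(HTML_BODY, "#bad { display: none }"))
    print("day 1:", displayed_links(HTML_BODY, "#good { display: none }"))
```

The detector deliberately flags the `@import` and `<link>` forms rather than every remote `url()`; background images and tracking pixels are also remote fetches, but only a stylesheet can rewrite what the recipient reads.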

Mimecast has shared its research privately with all of the primary email client vendors, but so far not one of them has acknowledged ROPEMAKER as a vulnerability or exploit. Mimecast says it has not seen any evidence of ROPEMAKER-like attacks in the wild so far.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/ropemaker-attack-turns-benign-emails-hostile-post-delivery/d/d-id/1329696?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dino Dai Zovi Dives Into Container Security, SecDevOps

BLACK HAT USA 2017 — Dino Dai Zovi visits the Dark Reading News Desk to discuss the under-explored security aspects of containers and data center orchestration tools (like Docker, Kubernetes, and Mesos) and weighs in on whether the time has come for SecDevOps.

Watch the entire two-day News Desk show and all 45 interviews at DarkReading.com/DRNewsDesk.


Article source: https://www.darkreading.com/cloud/dino-dai-zovi-dives-into-container-security-secdevops/v/d-id/1329695?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Removes 500 Android Apps Following Spyware Scare

Android apps embedded with an advertising software development kit removed after researchers discover its potential for stealing users’ caller data.

Google has removed from its Play Store 500 Android apps, downloaded a combined 100 million times, following the discovery of an embedded Chinese advertising software development kit (SDK) that let spyware pilfer users’ call information.

Earlier this year, Lookout Security researchers discovered that developers were embedding the popular Igexin advertising SDK in their apps without realizing it would remotely download plugins into those apps, one of which was a spyware plugin that stole call data, says Christoph Hebeisen, a member of the Lookout Security Intelligence team that made the discovery.

Developers typically use SDKs to save coding time or because they lack the expertise to write the functionality themselves. Advertising SDKs let mobile app developers plug into ad networks and deliver ads, which in turn generates revenue for the developers. Developers, however, often do not audit SDKs for vulnerabilities or malicious code and, more than likely, were not aware of Igexin’s spyware plugin, Hebeisen notes.

He adds the Igexin case marked the first time an SDK was used as a vector to deliver a malicious payload and he expects attackers to turn to SDKs in due time.

“It is an interesting vector and something we need to be on the lookout for in the future,” he says. “It is a challenge for an attacker to get a malicious app in Google Play or the App Store. But an SDK is a way for them to bundle it in with a legitimate app maker and reach a much wider audience.”

Piggybacking on legitimate developers’ work is a growing trend. XcodeGhost, for example, was a tampered copy of Apple’s Xcode compiler that injected malicious code into apps as developers built them, Hebeisen says.

Unraveling Igexin’s SDK

Igexin’s SDK plugin can pilfer call data, including phone numbers, time of call and whether the call rang, stood idle, or was off the hook, before uploading this information to the Chinese company, Hebeisen says.

“This was over the line. It wanted personal data,” Hebeisen says, noting that some of the other Igexin plugins requested more benign information like a user’s location.  


But more importantly, Igexin’s ad SDK should not have been able to download plugins remotely once the app was in Google Play, Hebeisen says.

Under normal circumstances, traditional app stores like Google Play and Apple’s App Store do not allow apps to make changes once they have been vetted, Hebeisen says. As a result, SDK creators like Igexin must receive approval from app developers before making changes and the app is resubmitted to Google or Apple for approval.

“Igexin was clearly aware they were doing something that was not acceptable to Google Play, because they took steps to hide the [plugin] file they were downloading by using simple encryption and trying to cloak the information they were uploading,” Hebeisen says.

He says it’s unclear whether Igexin was collecting the information for its own benefit or for another party and why.

“If you are an enterprise and this information was taken from your salespeople, this would be a serious information leak,” Hebeisen says.

Lookout informed Google of the Igexin plugins and either the apps were removed altogether, or the app developers were able to replace their apps with a new version of the software without the malicious plugin. Hebeisen says Google allowed Igexin to fix their SDK and did not ban it from Google Play.

“We’ve taken action on these apps in Play, and automatically secured previously downloaded versions of them as well. We appreciate contributions from the research community that help keep Android safe,” a Google spokesperson told Dark Reading.

Google removed the 500 apps with Igexin SDKs that it deemed had “bad functionality,” but allowed other apps that used Igexin to remain in Google Play, says Google’s spokesperson.

Google, through its Google Play Protect service, was able to remove the 500 apps without any user action, the spokesperson says.

Igexin was not immediately available for comment and did not respond to an email requesting information.

Unplugging the Plugin

Lookout made the discovery earlier this year during a routine review of apps that communicate with servers and IP addresses that had previously served malware. The researchers found that an app Google Play had previously deemed “clean” was now behaving suspiciously.

“This SDK was downloading large files and that is a classic behavior of malware,” Hebeisen says. Upon further investigation, Lookout discovered Igexin’s call data spyware plugin.  

In a sampling of eight to 10 apps that used Igexin’s advertising SDK, more than half of them had the plugin that would steal call data, says Hebeisen. He notes that it is not clear how many of the 500 apps have the malicious plugins as part of Igexin’s SDK.

Game apps targeting teens accounted for 50 million to 100 million downloads of apps containing Igexin’s SDK, followed by weather apps and photo editors with 1 million to 5 million downloads each, and Internet radio apps with 500,000 to 1 million downloads, according to Lookout’s blog post.

Although Igexin’s advertising SDK has been around since at least 2014, Hebeisen says it is unknown when Igexin rolled out its malicious call data plugin.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/google-removes-500-android-apps-following-spyware-scare/d/d-id/1329693?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ransomware: The Tripflare in the Modern Cyberwar


With the frequency and scale of breaches on the rise, and our legacy security failing to protect us, is ransomware the catalyst we need to trigger improvement in our security postures?

May and June 2017 saw the outbreak and rapid spread of WannaCry and NotPetya across the world. Though the initial infection vectors differed, both worms used the same Server Message Block (SMB) exploit for lateral propagation, though NotPetya added a couple of extra tricks to its bag.

That exploit, EternalBlue, targets an SMBv1 vulnerability that Microsoft patched in MS17-010 and installs the DoublePulsar kernel backdoor to run the payload; both came from a leak of NSA-authored hacking tools released by The Shadow Brokers. In both cases, the malware delivered was overt in nature, contributing to fast detection times and, in the case of WannaCry, the rapid discovery of a kill-switch domain whose registration halted the worm’s spread.

When The Shadow Brokers dumped the cache of tools onto the Internet, Rapid7 reported that security researchers went from feeling “like kids in a candy store” to being disinterested as they realized that “the exploits were antiques and had all been patched.”  However, as time and ransomware actors would go on to prove, “even though we thought we were safe against these non-zero-day, unexciting attacks, we were not.” And although vulnerable servers should not have been “exposed to the public Internet in an unrestricted manner,” over 250,000 machines were infected by WannaCry within the first day. This was also not the first time that a cryptoworm had leveraged vulnerabilities that had been patched years earlier by the vendor.

As the WannaCry and NotPetya attacks progressed, we saw reports of breaches from the NHS, telecommunications service providers, critical infrastructure providers, vehicle manufacturers, airports and logistics companies, and even speed camera operators. But for each of these thousands of companies, across many industry verticals, the impact could have been much worse if the payload had been different. What if it had targeted and exfiltrated NHS patient records? What if it had modified shipping or customer manifests? What if it had disabled speed cameras or, worse, moved laterally and modified traffic light sequences? What if the attack had been more covert in nature? Would we have ever known?

Over the last six years, Mandiant analysts have reported a reduction in the median breach detection time from 416 days (2012) to 99 days (2017). And while, on the surface, this looks positive, it worryingly corresponds to an increase in the percentage of breaches reported by internal sources from 6% (2012) to 47% (2017), during the period in which we have seen a massive boom in ransomware innovation and activity. 

So, I wonder: if ransomware attacks, through their sheer volume and overt nature, are raising the percentage of breaches detected internally and driving the median detection time down, how long are covert attacks going undetected before ransomware actors adopt the same Tactics, Techniques and Procedures (TTPs), exposing the failings of our security architectures and policies and forcing us to change?

Until we see broader adoption of machine learning for discovering new threats, more automated sharing of threat intelligence between security vendors and security products, and the ability to leverage the network to shut down attacks at the source, we have to ask ourselves – is ransomware the tripflare in the modern cyberwar that we can’t afford not to have?

Brett White is a Senior Security Specialist with Juniper Networks in Australia.  He is a trained pen tester and ethical hacker who is passionate about leveraging threat intelligence to help educate people on the current threat landscape, improve their cyber-hygiene, and … View Full Bio

Article source: https://www.darkreading.com/partner-perspectives/juniper/ransomware-the-tripflare-in-the-modern-cyberwar--/a/d-id/1329692?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why You Need to Study Nation-State Attacks

Want to know what attacks against businesses will look like soon? Examine nation-state attacks now.

Thinking like a cybercriminal can help predict what methods attackers are likely to develop in the future, so we can proactively build effective countermeasures, as I’ve described in the past. Similarly, nation-state attacks can help security researchers predict attacks against enterprises: methods exhibit a clear trickle-down effect, with tricks first used in nation-state attacks being seen in enterprise-facing attacks soon after.

One of the most important recent security developments is the rise of sophisticated, politically motivated attacks, such as the one carried out against Hillary Clinton’s campaign chairman John Podesta during the 2016 presidential election. Such attacks have also hit a broad spectrum of victims, ranging from individual lawmakers and staffers to think tanks and nongovernmental organizations (NGOs). They involved clever identity deception methods combined with techniques for circumventing traditional content-scanning.

Another event is the sudden rise of ransomware attacks, whether targeting lawmakers, health care institutions, transportation, or small businesses. Whereas most ransomware attacks aim to extort money, some have recently demanded nonmonetary “payments,” such as forcing a government organization to make a political statement.

What do such attacks have in common? They’ve become increasingly sophisticated. For example, in the Podesta attack, the attackers cleverly obfuscated some words (such as “password” and “account”) by replacing some of their letters with Cyrillic letters that look the same to humans but thwart keyword-based filters. Another example was the post-election attacks on think tanks and NGOs, in which malware files were hidden from traditional antivirus tools by sending them inside encrypted zip archives. Without access to the decryption keys, the contents can’t be scrutinized by traditional mail-filter technologies.

The use of advanced techniques to circumvent security tools has recently become much more common. What’s interesting (and worrisome) is that such techniques are no longer limited to nation-state attacks. That’s where they were first used, but there has been a notable trickle-down effect, and tricks first used in nation-state attacks have been seen in attacks against enterprises a few weeks later. In a sense, this trend mimics the way technologies developed for the space program were spun off as commercial products. This is why companies in the private sector need to quickly determine whether they would be vulnerable to these advanced attacks.

Take Active Measures Now
The security community should quickly roll out detection and protection measures in anticipation of trickle-down versions. For example, obfuscation attacks can be detected by automatically spotting deceptive mixtures of character sets within a word and blocking such messages. Encrypted zip files are easily detected, but since they have important legitimate uses, they can’t be blocked outright. One possible solution is a security system that “wraps” them with a trusted executable as the messages are delivered. The task of the wrapper is to request a PIN or password, then use this to decrypt the wrapped file and perform a security check in real time. If the file is determined to be safe, the user is given access to the plaintext file.
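As an added example, not part of the original article and not Agari’s tooling, the following Python shows the two sides of that mixed-character-set check on a constructed lure: flagging words that mix scripts (here Latin and Cyrillic) regardless of any keyword list, and mapping a small table of Cyrillic look-alikes back to Latin so that a plain keyword filter sees the word the recipient sees. The sample text, keyword list and confusables table are constructed for this example, and the script heuristic (first word of the Unicode character name) is a simplification of Unicode’s Script property.

```python
import re
import unicodedata

# Runs of letters in any script; digits and underscore are excluded.
WORD = re.compile(r"[^\W\d_]+")

# Cyrillic letters that render like Latin ones. Partial table, enough for the
# "password"/"account" trick; Unicode's confusables data has the full list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0423": "Y", "\u0406": "I", "\u0408": "J", "\u0405": "S",
}

# Constructed keyword list a naive mail filter might use.
KEYWORDS = ["password", "account"]

# Constructed lure: the 'a' in "password" and "account" is Cyrillic U+0430,
# visually identical to Latin 'a'.
SAMPLE = "Someone has your p\u0430ssword. Click here to review your \u0430ccount."


def script_of(ch):
    """Approximate a letter's script from its Unicode name ('LATIN', 'CYRILLIC', ...).

    The standard library exposes no Script property; the first word of the
    character name is a workable stand-in for alphabetic scripts.
    """
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_words(text):
    """Words that mix two or more scripts: the obfuscation signal itself,
    independent of any keyword list."""
    return [w for w in WORD.findall(text) if len({script_of(c) for c in w}) > 1]


def skeleton(text):
    """Replace confusable Cyrillic letters with their Latin look-alikes so a
    keyword filter matches the word the human reads."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive substring keyword filter, as a naive mail filter applies it."""
    lowered = text.lower()
    return sorted(k for k in keywords if k in lowered)


def classify(text, keywords=KEYWORDS):
    """Show what the naive filter sees, what the mixed-script check sees, and
    what the filter sees after normalisation."""
    return {
        "naive_hits": keyword_hits(text, keywords),
        "mixed_script_words": mixed_script_words(text),
        "hits_after_skeleton": keyword_hits(skeleton(text), keywords),
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE).items():
        print(f"{key}: {value}")
```

The mixed-script check is the one to deploy first: it needs no keyword list and also catches look-alikes in sender names and URLs. An all-Cyrillic word (a message genuinely written in Russian) is not flagged, which is the false positive a per-character block list would produce.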

From the user’s perspective, nothing is different, except maybe for a short delay caused by the scanning of the decrypted files. The wrapper approach also works for other file types, such as encrypted PDFs. With this approach, one can take back the advantage of time from the attackers, since this enables on-the-fly scans of plaintext data without requiring independent software vendors to coordinate the protection of an end user, which is always difficult.

Even better, the wrapper can include information about the sender as well. Was a malicious file sent by a trusted party? If so, then the trusted party has been compromised and should be notified. The more we use contextual information, the better our defenses get. And much of this context is to be found in early attacks — so unless we study nation-state attacks and learn from them, we implicitly help enterprise attackers.

Although the sophistication of online crime has changed in the last year, and there is clear evidence of trends toward fraud becoming just another business, other things have remained very much the same. For example, email remains the principal attack vector. Similarly, identity deception is still at the core of most attacks, be they phishing, business email compromise, ransomware, or other malware attacks where the stolen identity is usually from an authority figure, well-known brand, or a trusted party. While attackers constantly try new ideas, one thing is clear: they don’t mess with a winning formula.

Moving forward, the security community must pay close attention to the nature and strategy of nation-state attacks and quickly address them, because the same techniques will be repurposed to attack enterprises. In addition, we must expect that every newly found and disclosed vulnerability will be used in attacks, whether by nation-state actors or enterprise-facing attackers.

Finally, society must recognize that threats are constantly evolving — in reaction to new-found adversarial opportunities as well as existing security technologies — and traditional technologies are unlikely to address them. In other words, if you think a spam filter is the answer to your problems, you are mistaken.


Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company’s security research with a … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/why-you-need-to-study-nation-state-attacks/a/d-id/1329690?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Changing Face & Reach of Bug Bounties

Vincent Liu: Vulnerability disclosure [is] something that has grown organically over time. The community determined the social norms. How do you make security something that everyone can grasp?

Mårten Mickos: First, I sense orthodoxy in complex terminology. In the database industry [where I got my start], they developed complex words for everything because it was a small, tightly knit group. In the security space, it was similar. But then we thought, we need to bring the benefits of this to everybody. We needed bug bounty programs to be so easy to understand and to consume that any company could do it. And of course, it is demanding. You must commit to it; you must know what you are doing. There is a necessary skill level, but you don’t have to overcomplicate it. You should simplify it.

VL: Something that really stuck with me was that you expanded your team to not just people from the security industry but people from other disciplines. What’s your philosophy behind that?

MM: This idea of inclusiveness is something I learned and practiced while working at MySQL years ago. We decided early on that our mission was to make this superior database technology available and affordable for all — people who were in the industry as well as people who were not in the industry. We wanted to give it to everybody. When I came aboard to HackerOne, I had a similar thought. Security experts over the years had created this amazing concept of vulnerability disclosure, which as you know evolved into bug bounty. But it was still being kept as a secret practice among a select few, the “elite.” Not many organizations were bothering with bug bounties. I think we are still finding new areas where there’s unnecessary complexity or seclusion, where people are holding on to things very tight. They say, “Only invited people can come. And you can only come if you speak this language, if you’ve been in the industry for 20 years, if you’re cynical.” We want to break that perception. This is largely why we’ve been so open to inviting people from other industries to join HackerOne. It’s reflective of both our platform and our culture.

VL: Are there any other orthodoxies that could use some updating? 

MM: Another would be visual appearance. We introduced pink into our color palette last year. We wanted to bring in something that would be unusual and maybe shocking. We’ve also decided at HackerOne not to be cynical. We don’t talk about how security is a problem. People know that the sky is falling. But instead of dwelling on that, let’s look at the constructive things we can do.

VL: How do you envision the impact of bug bounty on the entire security landscape?

MM: Let’s say you get hacked. Then, the government presses charges against the hackers, and you start a bug bounty program to make sure you know about vulnerabilities before they’re exploited. Alternatively, you can start the bug bounty program and save yourself from any pain and humiliation in the first place. There is no perfect solution, though. We can never reach 100% perfection, but bug bounty programs are the most powerful way of preventing cybercrime.

VL: Do you think there will ever be a backlash against a bug bounty? What about from malicious hackers?

MM: If you have no detractors, you are not making an impact. We will have situations where a malicious hacker will do something. As a vendor, we must be careful how we handle such issues. We need to keep our database secure. We follow up with our hackers and take disciplinary action if they are meandering from the rules. 

PERSONALITY BYTES

HackerOne CEO Mårten Mickos

On leadership: A leader needs to bring to the organization a certain level of confidence and stability in the face of fluctuating realities. A leader must lend confidence and balance to the situation. In security, there’s so many possible threats. Leadership must provide that environment of stability, of confidence, of acceptance. People will know that even when they make a mistake, they are still accepted, no matter what.

Advice lines: As far as resources, I’d choose Ryan McGeehan’s blog. He’s a security expert with clear ideas. As far as challenges, security is so important that you can’t delegate it to one person … [and] make sure there is security in everything. We often sacrificed security for ease of use. Ease of use is important, but security is more so. Then, there is the problem every CEO faces, which is that of priorities…. I say start small. Embed a little bit of security in everything you do.

Transparency versus paranoia: [At] HackerOne, we stand for inclusion, collaboration, and power. And that is a more prominent presence than paranoia. We default to disclosure. Many times, we share things that another company would keep in the C-suite. Growing up in Scandinavia, which is ostensibly the most open society, and working in open source for 15 years, made me comfortable with transparency. And I believe transparency is the only way for society to thrive.

Bio: Mårten Mickos is the CEO of bug bounty and vulnerability coordination platform HackerOne, Inc. Previously, Mickos was the CEO of Eucalyptus Systems, acquired by Hewlett-Packard, where he was the head of the cloud business. He was the MySQL AB CEO from 2001 to 2008 and a board member of Nokia from 2012 to 2015. Mårten is a thought leader on leadership and disruptive business models.


Article source: https://www.darkreading.com/careers-and-people/the-changing-face-and-reach-of-bug-bounties-/a/d-id/1329694?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

72% of Government Agencies Hit with Security Incidents

The cause of the incidents largely fell on human error and employee misuse.

Nearly three out of four government agencies experienced a security issue last year and 100% cite employees as their largest security threat, according to the 2017 IT Risks In Government survey released this week.

Given their concern with employee-related threats, 57% of government agencies say they focus on endpoint security.

The survey also found only 14% of government agencies believe they are well-prepared to defend against IT risks. The areas in which survey respondents are willing to invest include intellectual property protection, 43%; data breaches, 29%; and fraud, 14%.

In sizing up the challenges their organizations face, survey respondents noted their IT departments are mainly restrained by lack of time, 57%; followed by insufficient budgets, 43%; and IT infrastructure complexity, 43%.

Read more about the survey here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/72--of-government-agencies-hit-with-security-incidents/d/d-id/1329699?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Phish Bait: DMARC Adoption Failures Leave Companies Exposed

More than 90% of Fortune 500 companies leave customers and brand names vulnerable to domain name spoofing as a result of not fully implementing DMARC.

More than 90% of Fortune 500 companies have not fully adopted Domain-based Message Authentication, Reporting, and Conformance (DMARC), leaving customers, business partners, and brand names exposed to phishing and other attacks that impersonate corporate email domains.

DMARC is a standard technology designed to verify whether an email is from the domain it claims to be from. It creates a whitelist of verified senders, and ensures only authenticated emails are delivered; fake messages are deleted before users see them. It can also be used to see how scammers are misusing corporate information in their attacks.

The email verification standard is the product of a 2007 experiment by Yahoo and PayPal to prevent account-credential phishing. A group of industry organizations including Google, Bank of America, Agari, and others scaled the experiment into what came to be known as DMARC in 2012.

Researchers at Agari recently analyzed public DNS records to learn about corporate DMARC adoption and policies. Their findings, published in the Global DMARC Adoption Report, reflect an overall failure to deploy DMARC across Fortune 500, FTSE 100, and ASX 100 companies.

There are multiple levels of DMARC adoption: Monitor, where unauthenticated messages are monitored but delivered to inboxes; Quarantine, where unauthenticated emails are moved to spam folders; and Reject, which blocks all unauthenticated messages from delivery to any folder.

Two-thirds of Fortune 500 companies have not deployed any level of DMARC, according to the report. One-quarter has adopted the Monitor level, 3% have implemented the Quarantine policy, and 5% use Reject.

The Monitor level reports on unauthenticated mail but does nothing to block it, meaning companies can collect information while consumers remain vulnerable. DMARC adoption is of little use unless companies use Quarantine or Reject, which is why Agari reports 92% of the Fortune 500 is not protecting customers even though 25% have adopted the Monitor policy.
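To see how these levels map onto what a domain actually publishes in DNS, here is an added Python example (not from the article or from Agari's report) that classifies a DMARC TXT record into the Monitor, Quarantine, and Reject levels and tallies a set of domains the way the report does; the domains and records are constructed, a real audit would read the TXT record at _dmarc.<domain>, and the code also flags a pct= value below 100, a partial-enforcement detail the article does not cover.

```python
# Added example (not from the article or Agari's report): classify a
# domain's published DMARC record into the levels the report uses.
# Real audits read the TXT record at _dmarc.<domain>; the records
# below are constructed samples, not real domains' policies.

# Maps the p= tag (RFC 7489) onto the report's level names.
LEVELS = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must carry the v=DMARC1 tag; anything else (e.g. SPF) is not one.
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def policy_level(record):
    """Return 'None', 'Monitor', 'Quarantine' or 'Reject' for one record.

    'None' means nothing usable is published. pct= below 100 applies the
    stricter action only to that share of failing mail, so it is flagged.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None or tags.get("p", "").lower() not in LEVELS:
        return "None"
    level = LEVELS[tags["p"].lower()]
    pct = tags.get("pct", "100")
    if level != "Monitor" and pct.isdigit() and int(pct) < 100:
        return f"{level} ({pct}%)"  # partial enforcement
    return level


def audit(records):
    """Count domains per level, the way the report summarises adoption."""
    summary = {}
    for record in records.values():
        level = policy_level(record).split(" ")[0]
        summary[level] = summary.get(level, 0) + 1
    return summary


# Constructed sample records; an empty string means no _dmarc record.
SAMPLE = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example.edu": "",
    "example.info": "v=spf1 include:_spf.example.info -all",  # SPF, not DMARC
}
```

Running audit(SAMPLE) on these records yields one domain each at Reject, Monitor, and Quarantine and two with no usable policy, the same split the report draws between monitoring-only and enforcing domains.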

Patrick Peterson, Agari founder and executive chairman, describes DMARC’s Monitor level for a healthcare consumer this way: “Until the organization she does business with says ‘quarantine the phish’ or ‘reject the phish,’ they’re not actually protecting her and she’s still vulnerable.”

Two-thirds of the Financial Times Stock Exchange (FTSE) 100 have not published any DMARC policy, 26% use Monitor, 1% have adopted Quarantine, and 6% have implemented Reject. Of the Australian Securities Exchange (ASX) 100, 73% have not adopted any level of DMARC, 23% use Monitor, 1% use Quarantine, and 3% have implemented Reject.

“It definitely shocked me,” says Peterson of the low DMARC adoption rate.

There are several reasons companies are hesitant to pursue full DMARC adoption or haven’t deployed any level of policy. The dominant reason is a lack of education, he says. Many security teams in the Fortune 500 still don’t understand how DMARC works. Oftentimes these companies are wary of new tech and don’t want to be the first to try it. This is the case for DMARC, even though the technology has been around for more than five years, Peterson says.

“This is new and different,” he explains. “Whether it’s easy or hard or there’s playbooks or there aren’t … any time they have something new and different, a lot of them run for the hills because they tend to be more conservative. They don’t like new and different, they like tried and true.”

Some security teams understand DMARC but don’t fully grasp the harm and abuse going on in company email channels. Business employees see email as their highest ROI form of communicating with customers and prospects, says Peterson, but security teams often don’t.

When they learn how widespread email security problems are, they realize how much business process change is necessary before email is “no longer the wild, wild West,” he notes. Those without strong leadership will opt to wait on DMARC adoption and say, “let’s worry about this later.”

It’s time for more CISO leaders to “wade into the business” and take control of the situation, says Peterson. The take-charge mentality is necessary to push DMARC implementation, both within the business and across the industry. There is a majority adoption rate in the business services, financial, technology, and transportation sectors.

Peterson points to financial services as a “champion” for DMARC. Industry leaders Bank of America and JP Morgan, both involved in its creation, demonstrated its workability to other businesses and motivated them to use DMARC as well. If other organizations and industries took the same leadership profile, he says, DMARC adoption would increase.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/vulnerabilities---threats/phish-bait-dmarc-adoption-failures-leave-companies-exposed/d/d-id/1329702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple