How Women Can Raise Their Profile within the Cybersecurity Industry

Closing the cybersecurity gender gap won’t happen overnight, but women can take steps to begin leveling the playing field.

As most organizations race to close the gender gap, the cybersecurity industry lags behind. A recent study found women make up only 11% of the global information security workforce, and the majority of women are underpaid compared with their male counterparts and likely to experience some form of discrimination at work.

The gender disparity is particularly disappointing given the projected workforce gap: 1.8 million cybersecurity roles are expected to go unfilled by 2022. From unconscious bias to poor recruiting tactics, female professionals looking to enter the cybersecurity space find themselves face-to-face with a number of barriers to entry.

Cybersecurity’s gender discrimination problem is leaving its mark on the industry — demand for skilled security experts is quickly outstripping supply. Unless action is taken to attract, retain, and develop female professionals, the number of vacant positions will continue to grow.

Why Women Are Invisible in Security Ranks
Although some in the industry herald cybersecurity as one of the most progressive fields in which to work, it remains stuck in the past when it comes to diversifying the workforce. The security industry as a whole is commonly viewed as maintaining an old boy’s club mentality, one that discourages women from even considering a career in the field. Women who make it into the industry often have to go to greater lengths to prove their ability. Female professionals in cybersecurity were found to be more educated than their male counterparts, with 51% of women entering the profession holding a master’s degree or higher.

Visibility (or the lack of it) largely contributes to the low number of women in technology. Security is often considered a masculine area of expertise, deterring female job seekers from pursuing a career in such a male-dominated industry. Women already in the security industry are often left out of high-priority projects that could raise their profile both inside and outside an organization. This persistent trend of suppressing female professionals creates a number of obstacles that exclude women and challenge those seeking upward mobility.

Similarly, invisibility keeps women from attending and speaking at industry-specific conferences. While many cybersecurity events are in need of female guest speakers, they also demand high-level professionals who are established figureheads in the industry. Event organizers don’t want to hire a female speaker for the sake of diversifying a conference panel — inviting just any woman isn’t enough, and can even appear condescending or a form of tokenism.

To catapult more female professionals into the spotlight and make their presence felt in the industry, several changes need to occur from within security organizations.

Raising Awareness in a Field Dominated by Men
Resolving the cybersecurity gender gap won’t happen overnight, but women can take several steps to begin leveling the playing field. For a female security professional, holding office hours and providing mentorship can help younger women carve out their own path in the industry. Women should also work with their company’s PR or marketing teams to get in front of the media whenever possible, proactively becoming thought leaders on subject matter they know inside and out.

In addition to boosting visibility, women can debunk existing stereotypes about who is “allowed” to work in the security field to usher more women into the industry. Public perception suggests only men with technological backgrounds can work in cybersecurity, though this is far from the case. Part of this confusion is because most job seekers don’t know what types of nontechnical careers fall under cybersecurity. Jobs like social engineer and security architect don’t necessarily require prior technology or security experience but are valuable roles in the cybersecurity industry. By partnering with educators to reach girls at younger ages, organizations can contribute to the growth of women in tech by dispelling common cybersecurity myths.

Achieving gender equality in the cybersecurity industry starts with raising awareness of the female professionals currently contributing to its success. From dispelling tech stereotypes to seeking out public speaking gigs, women have the ability to diversify the industry and satisfy the demand for much-needed talent.

Jodie Nel is the event organizer for the Cyber Security Event series hosted by Imago Techmedia. Nel is responsible for providing tech industry decision-makers with access to world-class conferences and events. Prior to working on the Cyber Security Event series, Nel served as …

Article source: https://www.darkreading.com/careers-and-people/how-women-can-raise-their-profile-within-the-cybersecurity-industry/a/d-id/1329406?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ubiquiti firmware patch stomps nasty redirect bug from login screen

Popular wireless networking hardware vendor Ubiquiti patched a couple of serious vulnerabilities back in March and April – without telling the people who reported the bugs.

If sysadmins weren’t paying attention, they might not have noticed the importance of the patches.

The bug patched in firmware version 6.0.3 was an open redirect at the administrative login, found independently by SEC Consult and a bounty hunter. Both filed the bug with HackerOne.

An exploit would be fairly straightforward, since all the attacker needed to do was append their own site as the login page’s target:

http://IP-of-Device/login.cgi?uri=https://www.sec-consult.com
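As an added illustration, not Ubiquiti’s firmware code, the contrast between a login handler that forwards the `uri` parameter untouched and one that honours only same-site paths; the function names and the default post-login path are assumptions.

```python
"""Open-redirect check for a login page's `uri` parameter.

Added example (not Ubiquiti's code). The unchecked handler reproduces
the class of flaw described above: whatever is passed as `uri` becomes
the Location header, so `uri=https://attacker.example` sends the user
off-site after they authenticate. The hardened handler uses an
allow-list of local paths instead of trying to block bad hosts.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_AFTER_LOGIN = "/index.cgi"   # assumed landing page


def unchecked_redirect_target(uri: Optional[str]) -> str:
    """The vulnerable pattern: trust the parameter as given."""
    return uri or DEFAULT_AFTER_LOGIN


def safe_redirect_target(uri: Optional[str],
                         default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return `uri` only if it is a local path; otherwise `default`.

    Allow-list rules:
      * non-empty and starts with exactly one '/'
      * '//host' and '/\\host' are rejected (browsers treat both as
        host-bearing, scheme-relative URLs)
      * no scheme or netloc may survive parsing
      * control characters and whitespace are rejected, since they are
        the usual way to smuggle a scheme past a naive prefix check
      * the fragment is dropped and the URL is rebuilt from parts
    """
    if not uri:
        return default
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in uri):
        return default
    if not uri.startswith("/"):
        return default
    if len(uri) > 1 and uri[1] in "/\\":
        return default
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


def login_redirect_from_query(query_string: str) -> str:
    """Extract `uri` from a raw query string and validate it."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("uri", [])
    return safe_redirect_target(values[0] if values else None)


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's shape.
    for candidate in ("https://www.sec-consult.com",
                      "//www.sec-consult.com",
                      "/status.cgi?tab=1"):
        print(f"{candidate!r:35} unchecked={unchecked_redirect_target(candidate)!r:35}"
              f" safe={safe_redirect_target(candidate)!r}")
```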

Affected products include AirRouter, the TS-8-PRO switch, and various transceivers in the LBE, NBE, PBE, and RM2-Ti access points.

The other bug affected the company’s EdgeRouter products. An initialisation error in /files/index created a reflected cross-site-scripting vulnerability that would let an attacker hijack a user’s session.

The SEC Consult advisory says the attacker could then take over the device’s command line interface, to open router ports or launch a reverse shell. New firmware for the EdgeRouter is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/ubiquiti_firmware_patch/

Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested

The arrest of a Hungarian bloke after he discovered a massive flaw in the website of Budapest’s transport authority – and reported it – has sparked a wave of protests.

Thousands of users have flooded the Facebook page of the capital city’s transport authority Budapesti Közlekedési Központ (BKK) – and its main website was taken down for several days by online attacks.

Meanwhile, a crowd of protestors gathered outside the main BKK offices in Budapest on Monday and the story has taken off in the Hungarian media, thanks in large part to conflicting accounts of what happened from the young chap himself and the CEO of BKK, Kálmán Dabóczi.

The tale started last week when an unnamed 18-year-old found that he was able to, when purchasing a ticket online, poke the BKK website in a particular way to modify the ticket’s price and buy it at that new price.

Rather than take advantage of virtually free travel in the country’s capital, however, he did the right thing and reported the security hole to the BKK, complete with a demo in which he was able to buy a $35 ticket for just 20 cents.

The response was not what he expected. Four detectives turned up at his door at 7:00am on Friday, photographed him and questioned him extensively over his actions. The BKK then held a press conference at which its CEO Kálmán Dabóczi proudly announced they had caught a hacker and had filed an official complaint against him. Dabóczi assured everyone that the website was now perfectly safe.

Um, no

That version of events was immediately questioned by the teenager himself however, in a Facebook post.

“I am an 18-year-old, now middle school graduate,” he wrote in a message that has since been posted hundreds of times to the BKK’s Facebook page. “I trust that I can help solve a mistake.”

In the message, he says he informed the BKK “about two minutes” after he discovered the flaw. “I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it, and not to use it.”

He continued: “The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.”

He then asks others to help out: “I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report.”

And so they have shared the entry – in their thousands – putting the BKK on the back foot.

As the outcry against the company’s actions grew, Dabóczi was forced to defend himself Monday morning on the radio. He doubled down, claiming that the boy had sent his emails to accounts that he knew the company would not read – one of which was [email protected] – and then posted his discovery of the hole online.

When that claim was met with skepticism, Dabóczi attempted to shift focus onto the company that operates the website’s backend, T‑Systems, saying he had asked its CEO to write a report explaining the error and noted that it was T‑Systems, and not BKK, that had filed the complaint.

Here’s a shovel

For his part, the T‑Systems’ CEO Zoltán Kaszás has also been forced to apologize, especially after it was revealed the company is paid $1m a year to maintain the system and its security.

In his own Facebook post, Kaszás acknowledged that the BKK’s systems were not up to date and he claimed that while he had sympathy for the “young man’s case,” that “under the circumstances, there was no other option than to report an unknown culprit.”

In a sign that public opinion had already turned against T‑Systems and BKK however, Kaszás said he “would like to offer the opportunity for future cooperation if he is open to it,” and announced that the company would start an “ethical hacking” program to work with security researchers.

But Hungarians are furious at what they see as the arrogant way in which BKK and T‑Systems handled the fact that an 18-year-old discovered an enormous flaw in their website and reported that fact to them.

With the BKK website down, its Facebook page swamped with over 46,000 one-star reviews, protestors outside its headquarters and the media interviewing the hacker and painting him as a put-upon hero – it is hard to imagine how BKK could have done a worse, and less grateful, job. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/hungarian_teenager_arrest_sparks_protests/

Pathetic patching leaves over 70,000 Memcached servers still up for grabs

If you’re running the caching service Memcached, and particularly if you’re exposing it to the public internet for some reason, please make sure you’ve patched it. Tens of thousands of vulnerable systems haven’t.

Back in October, researchers at Cisco’s Talos security team found three major security vulnerabilities that would allow hackers easy access to running installations of version 1.4.31 of Memcached and earlier, with a critical flaw in the binary protocol and Simple Authentication and Security Layer (SASL) code. The holes were fixed, and users including big names like Facebook and Reddit were advised to get patching.

But from scans of the public internet, it seems that some people weren’t listening very hard. In February, Cisco did a sweep and found that:

  • More than 85,000 public-facing instances were still unpatched and vulnerable.
  • Only 22 per cent required any authentication for access.
  • Of that 22 per cent, all but one per cent of the authenticated servers were not secure because patches hadn’t been properly installed.

“We made queries for all IP addresses to get contact emails for responsible organizations in order to send a notification with a simple explanation and suggestions to remedy this issue,” Cisco said. “This resulted in about 31 thousand unique emails which are pending notifications.”

Now you might think that – given the sensitive information many Memcached servers hold – Cisco’s warning emails might have had a beneficial effect on taking such systems off the public internet. Not so, as a scan earlier this month found a colossal number of servers still online and wide open.

In the five months since the warning emails were sent out, fewer than 10 per cent of vulnerable servers had been patched and hidden from view. Still vulnerable were 73,403 servers, and of those using authentication, only one per cent were properly patched.

“The severity of these types of vulnerabilities cannot be overstated,” said Cisco’s Talos team.

“These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities, this should be a red flag for administrators around the world.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/24/70000_memcached_servers_exposed/

G Suite admins have just one button to secure their sites, but don’t

G Suite business users: go and check your configuration, and make sure you’re not publishing enterprise information to the whole world.

That’s the warning coming from security outfit Redlock, which says it found “hundreds” of organisations leaking both organisational data and employees’ personal data.

As the company’s advisory explains, it’s a single radio-button setting that people are getting wrong: in G Suite Groups for Business’s Advanced Settings, they’re publishing groups to the Internet instead of keeping them private to the organisation.

The company says the IBM-owned Weather Company (weather.com), Intellicast, and Fusion Media Group were among those it spotted with misconfigured G Suite settings.

Cloud misconfiguration seems to be the new black: last week, Dow Jones leaked customer information via an AWS S3 bucket, imitating a similar feat from Verizon.

Indian company Tata leaked customers’ code on GitHub in June, and in a gold-medal performance, Sweden’s Department of Transport leaked its entire vehicle registration database last year – including secret identities such as those of its special forces. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/25/misconfigured_g_suite_data_leaks/

Voter Registration Data from 9 States Available for Sale on Dark Web

Nearly 10 million voter records sold for just $4 over last few days, according to LookingGlass Cyber Solutions.

Threat intelligence company LookingGlass Cyber Solutions says it has discovered over 40 million voter records from nine different states being traded in an underground forum for stolen credit card data and login credentials.

The voter records being offered for sale include the voter’s full first, last and middle name, voter ID, birthdate, voter status, party affiliation, residential address and other details. The data belongs to voters in Arkansas, Colorado, Connecticut, Delaware, Florida, Michigan, Ohio, Oklahoma and Washington State.

Over the last two days, voter databases from at least two of the states—Arkansas and Ohio—were sold for a mere $2 each, or a total of $4 for almost 10 million voter records. That suggests financial gain is not the primary reason for the activity, according to LookingGlass.

‘Logan,’ the individual who has advertised the data and is selling it on a site called RaidForums, has hinted at possessing voter records for an additional 20 to 25 states, says Jonathan Tomek, director of threat research at LookingGlass Cyber Solutions.

Logan appears to have obtained the voter information through Freedom of Information Act (FOIA) requests, website requests, and also through social engineering them from states where an entity would otherwise be required to purchase the information, he says.

What makes his activities additionally illegal is his attempt to sell the data for purposes other than political purposes, he noted. Many states prohibit the republishing of voter data or the use of it for commercial purposes. Violators can face fines and prison terms of up to five years.

“Logan is not affiliated with any group to our knowledge,” Tomek says. “We believe he is acting alone. I can say he is over 18, travels a bit internationally, and works for a cybersecurity company,” he says.

Tomek says LookingGlass does not have information on how many people might have purchased the voter information or what they might do with it. “We do know he is actively trading this information for other stolen items such as credit cards and login credentials,” he says. “The combination of the voter information plus the other data has potential to be very bad since the voter data contains birthday, home address, email, and full name.”

News of the sale of millions of voter records in an underground cyber forum comes amid an ongoing controversy over the Trump Administration’s push to get publicly available voter registration records from each state in connection with an inquiry into potential voter fraud in last year’s general elections. A Trump-appointed election integrity commission in fact met for the first time just last Wednesday to discuss next steps into the matter.

A total of 24 states have so far complied with the Trump Administration’s request for voter data. But the District of Columbia and 17 states have so far refused to hand over the data. Some groups like the American Civil Liberties Union (ACLU) have sued the Trump election commission citing voter suppression fears.

The Help America Vote Act (HAVA) currently requires all 50 states to maintain a central voter file in electronic format. The content and availability of the data in these files varies dramatically by state, as can be seen in this U.S. Election Project interactive map maintained by the University of Florida, Gainesville.

Some states make all the information they have in their voter files available to those eligible to view or purchase the data. Others withhold certain information like the voter’s Social Security Number, date of birth and driver’s license number. As PBS noted in a report last week, 19 states consider an individual’s full birth date to be part of the public record, while a voter’s race and party affiliation is considered public information in six states and 32 states respectively.

Currently, only the registered parties, political committee and a candidate or their committee registered in all areas can purchase all available statewide voter data, according to the US Elections Project website. The total cost for a US citizen to purchase all available voter registration data for all states is around $126,500. Politically oriented non-profits, candidates, parties and their committee would pay around $136,000.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/voter-registration-data-from-9-states-available-for-sale-on-dark-web/d/d-id/1329451?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft opens up a new front in the battle against Fancy Bear

Can anyone – or anything – take on well-resourced nation state hacking groups?

Protected by anonymity and plausible deniability, conventional wisdom says not, but conventional wisdom ignores a company like Microsoft wielding a secret weapon with the power to hinder even the cleverest hacking group: lawyers.

This, it has emerged, is precisely how Microsoft has been fighting back against the notorious (and probably Russian) hacking group Strontium, better known to the world as Fancy Bear, or APT28.

After years of gradually worsening attacks on Windows PCs, in August 2016 the company’s Digital Crimes Unit (DCU) was handed the interesting task of suing the group in the US courts.

To cybersecurity engineers, this will sound a bit like throwing a sheaf of paper at a charging tiger, but court papers suggest the tactic has proved surprisingly effective, allowing Microsoft by March this year to have seized 70 web domains used by the group (including one used in the 2016 attacks on the Democratic National Committee).

The company also identified 122 new victims of Fancy Bear over and above an already long list that includes the German parliament, French TV, the World Anti-Doping Agency, and the Ukrainian military as well as, of course, the DNC during the US presidential elections.

It’s an interesting tactic. Instead of wresting control of the servers themselves, Microsoft is taking the lateral approach of downing the domains associated with them, for example those used to host the phishing sites needed to grab credentials or for command and control (CC).

The court papers also lay out a significant amount of information as to how Fancy Bear goes about its work, including “developing a list of 140 words most likely to appear in a Fancy Bear domain”.

As the Daily Beast points out, this is only a partial attack on Fancy Bear’s infrastructure, which also uses CC operated via numeric IP addresses that must be blacklisted manually – but it’s a start.

Microsoft’s tactics shouldn’t be a surprise. In recent years, the company has launched several high-profile legal attacks or “takedowns” on large botnets, for example on Waledac in 2010, and Rustock in 2011, Citadel in 2013, and Ramnit in 2015.

Over time, cybersecurity companies and agencies such as the FBI have joined in, but the expensive legal legwork done by Microsoft’s DCU has been a noticeable engine of almost every effort.

So, has Microsoft discovered a weak point others could use to fight back against hacking groups? If only it were that simple.

The company’s legal assault has been noticed by Fancy Bear’s hackers, with a reported 30 emails sent to its domains confirmed to have been opened. The group has also taken to using Microsoft-themed domains when it registers new ones, a symptom of annoyance perhaps.

Or one could argue that Microsoft’s strategy underlines the inaction of governments, which persist in seeing nation state hackers as political problems rather than legal or engineering ones.

Microsoft is doing this because it has the resources, a DCU full of experts and the will to keep at it for years if necessary. In the old days, governments did this sort of big, important stuff. If governments could be coaxed out of their slumber, groups such as Fancy Bear might find hacking more like a job involving hard work.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9nNanWztJvc/

News in brief: China forces spyware on minority group; farewell to Paint; drones to be regulated

Your daily round-up of some of the other stories in the news

Beijing forces spyware on to minority group’s phones

China’s Muslim minority Uyghur community living in the Xinjiang region is being forced by Beijing to install spyware on their phones, according to reports from Radio Free Asia. People living in Urumqi, the regional capital, were sent notices in Uyghur and Chinese via WeChat telling them to install the app, which would “automatically detect terrorist and illegal religious videos, images, e-books and electronic documents” that might be stored on the device.

The Chinese authorities have followed up on the instruction, which was issued on July 10, by setting up checkpoints to make sure that the spyware app has been installed; residents risk being detained by police for up to 10 days if they haven’t installed it. According to Infosecurity Magazine, a group of Kazakh women has already been arrested after their WeChat conversations were monitored and deemed to be illegal.

Beijing has been steadily cracking down on internet freedoms, banning VPNs and tightening controls on news media and bloggers. The minority Uyghur community has long been the focus of crackdowns by Beijing, which has been accused by human rights groups such as Amnesty International of suppressing “peaceful expressions of cultural identity”.

Microsoft signals an end to Paint

Microsoft is finally to stop developing its venerable Paint program, which has been part of the Windows operating system since 1985. The Redmond giant included Paint in a list of programs that would be deprecated in the Windows 10 Fall Creators Update which is, as you’d imagine, due to land in the fall (it’s to be known as the Autumn Creators Update if you’re in the UK).

It’s not an immediate death sentence, of course: while other longstanding elements of Windows are being killed off, including the Outlook Express email client, Paint will languish with no more attention devoted to it. Instead, Windows users already have Paint 3D, which landed with the Windows 10 Creators Update in April.

The long history of the app means it’s older than many of its users, and it’s been used as a quick and dirty way to do simple edits by generations of Windows users. Although there are plenty of alternatives, ranging from the open-source Gimp and the similarly venerable (and free) Paint.NET to the behemoth that is Photoshop, Paint has a special place in computing history.

Drone pilots face test and compulsory registration

UK drone-owners, stand by: you will soon have to register your aircraft and pass a safety test, the Department for Transport said over the weekend.

The move is in response to concerns about the safety of the aircraft and is the result of a consultation looking at ways to make drones safer while maximising their potential, said the department. There’s been a lot of concern about near misses in the UK’s crowded airspace, with drones getting rather too close for comfort to other aircraft.

The test and the requirement to register will apply to drones weighing 250g or over, said the aviation minister Lord Callanan, who added: “Like all technology, drones too can be misused. By registering drones [and] introducing safety awareness tests to educate users we can reduce the inadvertent breaching of airspace restrictions to protect the public.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NW2fK3_wMak/

Briton admits to router hack that DDoSed Deutsche Telekom

An as yet unnamed 29-year-old pleaded guilty on Friday to charges relating to the hijacking of more than 1.25 million Deutsche Telekom routers, according to reports in the German press.

German news agency DPA and others quoted a court spokesman as saying the accused, who pleaded guilty to “attempted computer sabotage”, had “registered under the names ‘Peter Parker’ and ‘Spiderman’”.

Deutsche Telekom’s routers became infected with a modified version of the Mirai IoT malware late last year, causing over a million pounds’ worth of damage, the firm said at the time.

The man reportedly told the court (through a translator) that he’d been hired by a Liberian ISP to take out local competition in the African country for the relatively modest fee of $10,000 for a “good start into married life”.

He claimed the ISP hadn’t asked him to hack Deutsche Telekom, but rather to create a botnet that would cripple a competing business.

The self-taught programmer had been “studying computers since childhood”, but had not had any specialist training, the DPA reported.

In practice, his efforts had knocked DT’s routers offline, creating net outages in German homes and businesses in the process last November.

The Deutsche Telekom attack came a month after Mirai source code leaked online.

The suspect was arrested in a London airport at the end of February by police acting on an international arrest warrant and extradited to Germany.

His sentencing hearing before a Cologne court is scheduled for this Friday, 28 July. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/24/deutsche_telekom_brit_in_court/

Cyber arm of UK spy agency left without PGP for four months

UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report.

This “prevent[ed] direct electronic receipt of evaluation reports”, it emerged in the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (PDF) annual report.

“Internal processes were updated to ensure this issue does not recur,” said the report.

Meanwhile the report, intended to assess the perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure, once again gave the Chinese kit-maker the green light.

Any risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated, found the third annual probe from the HCSEC Oversight Board.

However, the report found the board had failed to verify Huawei’s source code. It said HCSEC has “provided less than ideal assurance to the operators, as part of their risk management regimes”.

It said: “The incomplete delivery of source code obviously means that HCSEC cannot provide assurance or risk management artefacts for the additional code.

“While this is a matter of significant concern, the [National Cyber Security Centre] does not believe this process is in any way malicious, but is based solely on Huawei supplying source code for the features procured and used by UK operators.

“This opinion is based on a targeted analysis of previously received source code and corresponding binary.”

Huawei has effectively been banned from bidding for US government contracts because of concerns over espionage.

However, the Chinese company has been working with the UK government for some time. Over the last five years, Huawei has invested £1.3bn expanding its operations in the UK. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/24/spooks_agency_cesg_left_without_pgp_for_four_months/