STE WILLIAMS

Nigerian Convicted in Passport Wire Fraud and Internet Scam

A Nigerian man set up a number of U.S. bank accounts with bogus passports over a one year period, in which he managed to steal at least $500,000 through wire fraud and Internet scams.

A federal court convicted a Nigerian man of one count of wire fraud, stemming from creating numerous U.S. bank accounts with bogus passports and stealing at least $500,000 through wire fraud and Internet scams over the course of a year, the U.S. Attorney’s Office of the Southern District of Texas announced Thursday.

Wiseman Oputa, 25, pleaded guilty to opening bank accounts in the area surrounding Houston, using counterfeit passports. Once the accounts were created, Oputa and his associates conducted a number of Internet scams from romance schemes to hacking into company email accounts to make their phishing efforts appear more real.

The victims sent at least a total of $500,000 to these bank accounts via checks and wire transfers, which Oputa and his associates controlled. He would then use the bogus passports to withdraw the money from the accounts.

Oputa is scheduled to be sentenced on July 6 and faces up to 20 years in federal prison and a potential maximum fine of $250,000.

[A session on “Who are the Bad Guys? Cyber Criminals and Their Motivations” will be presented as part of the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]

Read more about the U.S. Attorney’s case here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/threat-intelligence/nigerian-convicted-in-passport-wire-fraud-and-internet-scam/d/d-id/1328702?_mc=RSS_DR_EDT

Navy and Marines crack down on nude photo sharing

It’s now illegal for those serving in the United States Navy and Marine Corps to post nude images of service members without their having consented to the disclosure.

The new regulation came after the discovery last month of a private Facebook group – “Marines United” – where some male Marines swapped nude photos, some taken without their female colleagues’ knowledge. The group’s members included active-duty and retired male Marines, Navy Corpsmen and British Royal Marines.

Navy Times reported that the regulation was made public Tuesday in an all-Navy message.

It’s an interim change, pending a formal amendment to Navy regulations:

The distribution or broadcasting [of an intimate image] is wrongful if the person making the distribution or broadcast does so without legal justification or excuse, knows or reasonably should know that the depicted person did not consent to the disclosure, and the intimate image is distributed or broadcast:
(a) With the intent to realize personal gain;
(b) With the intent to humiliate, harm, harass, intimidate, threaten, or coerce the depicted person; or
(c) With reckless disregard as to whether the depicted person would be humiliated, harmed, intimidated, threatened, or coerced.

Well, good luck getting that to stick, said Brian Bouffard, a former Navy JAG (Judge Advocate General) and now private defense attorney. Talking to Navy Times, Bouffard pointed out that, for example, the “reckless disregard” language is going to be tough to prove in court, given that you can be punished if you just don’t care that someone might be “humiliated, harmed, intimidated, threatened, or coerced”.

But if somebody posts an intimate photo of somebody they don’t know, how in the world will they know that it will harm the subject?

Bouffard:

If you don’t know a person, how could you know that about them? Ultimately, prosecuting these types of cases will probably require a witness to testify that they were either humiliated or harmed, etc., for the government to make an effective case.

Why does this need a decree unto itself? It’s apparently already illegal, under the Uniform Code of Military Justice (UCMJ), under “conduct unbecoming an officer and a gentleman.” (“Officer” refers to service members of both sexes.)

As far as the private sector goes, in the US, we currently have laws outlawing nonconsensual porn – what’s also known as revenge porn – in 35 states and the District of Columbia.

Last year ushered in the UK’s law against nonconsensual porn, which came to pass after we saw children as young as 11 victimized by the sharing of private sexual images without the subject’s consent.

Outside of the courtroom and new laws, how do organizations, be they public or private, actually get their people to stop surreptitiously taking and swapping nude photos?

After all, this issue certainly isn’t confined to the Marines and Navy. Among Edward Snowden’s many revelations about the National Security Agency was that employees routinely passed around nude photos they obtained via mass surveillance.

In October, there were allegations about Apple employees stealing lewd photos from customers’ broken phones. Four employees in Brisbane were suspected of also covertly photographing colleagues and customers in the store, allegedly using group messages to rate them on a scale of 1-10 (charges that Apple denied). Hell, if you think back to the Facebook history we’ve learned, rating college women was the very bedrock upon which the ever-burgeoning, utterly ubiquitous social network was founded.

Did the Apple employees really do what they were suspected of doing? Apple says no, but given the plethora of escapades employees get up to on social media, it certainly wouldn’t be surprising if they did.

The issue erects a huge, blinking, neon signpost that spells out this simple message: get a policy. Nolo, a legal site, has a post that can start organizations on the path to getting a workplace policy on employees’ social media posts, be they illegal content such as nonconsensual porn or a YouTube video depicting a pizza chain employee stuffing cheese up his nose before putting it on a pizza.

Back to the new Marine/Navy regulation: a Slashdot commenter, Fire_Wraith, made a cogent point about all this. Namely, part of what it means to be in the military – or, by extension, an employee of a business – is that you’re expected to look out for your buddies, “whether male or female.”… (you’re also expected to look out for customers’ well-being, which would preclude ingredients taking side trips to body cavities).

You’re supposed to be able to count on them to have your back, and you theirs. The military is expected to act as groups, not as a gaggle of individuals, and spends lots of time training to do exactly that…

… this kind of conduct is utterly toxic for any sort of unit, and I’m not in the least surprised that they’re cracking down on it.

Readers, what does your organization do to oversee employees’ social media activities? Does it have a clear policy in place regarding what’s acceptable/unacceptable? Does it actively monitor Facebook or Twitter, et al., for illegal content?

Please do let us know how you handle these issues in the comment section below.


Image courtesy of Vytautas Kielaitis / Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3c7XBJlBXzk/

Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools

The NSA’s Equation Group hacking tools, leaked last Friday by the Shadow Brokers, have now been used to infect thousands of Windows machines worldwide, we’re told.

On Thursday, Dan Tentler, founder of security shop Phobos Group, told The Register he’s seen rising numbers of boxes on the public internet showing signs they have DOUBLEPULSAR installed on them. These hijacked machines can be used to sling malware, spam netizens, launch further attacks on other victims, and so on.

DOUBLEPULSAR is a backdoor used to inject and run malicious code on an infected system, and is installed using the ETERNALBLUE exploit that attacks SMB file-sharing services on Windows XP to Server 2008 R2. That means to compromise a computer, it must be running a vulnerable version of Windows and expose an SMB service to the attacker. Both DOUBLEPULSAR and ETERNALBLUE are leaked Equation Group tools, now available for any script kiddie or hardened crim to download and wield against vulnerable systems.

In March, Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE, and it’s clear that some people have been slow to apply the critical update, are unable to do so, or possibly just don’t care.

The fix is available for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2, Windows Server 2016, and Server Core. If you have an older vulnerable system, such as XP or Server 2003, you’re out of luck.

Tentler said that a preliminary scan of the public internet on Thursday using Shodan.io revealed 15,196 infections, with four-fifths of those coming from IP ranges in the US. These numbers increase with each followup scan. A DOUBLEPULSAR-riddled system can be identified by the way it responds to a special ping to port 445.

[Image: Dan Tentler’s stats showing DOUBLEPULSAR infections. Caption: “Some people just want to watch the world burn …”]

“The polite term for what’s happening is a bloodbath. The impolite version is dumpster fire clown shoes shit show,” Tentler said. “I’m hopeful this is the wakeup moment for people over patching Windows machines.”

The problem may be even more serious. A larger scan by infosec researcher Robert Graham showed around 41,000 infected hosts and more scans are going to be carried out, so expect that number to rise.

Tentler reckons that when the Shadow Brokers’ arsenal hit the web on Easter weekend, script kiddies around the world grabbed the cyber-arms, went out, and infected everything they could find.

An analysis of the infected machines suggests a lot of them are going to stay that way for some time. If they haven’t applied MS17-010 by now, they probably won’t do for a long while, if ever. DOUBLEPULSAR, being a nation-state-grade backdoor, is extremely stealthy and unlikely to be discovered on a hacked box unless whichever miscreant is using it gets clumsy.

Amazon’s AWS and Microsoft’s Azure showed up on the top 100 most-infected domains as you’d expect as large hosts of customer virtual machines. Then there are systems at big names such as Ricoh in India, various universities, and machines on Comcast connections.

Typically the numbers of infections in businesses are in the single digits, however – as Tentler points out – an attacker only needs one foothold in a corporate network to begin taking over the whole shebang. We’ll know more of the spread of DOUBLEPULSAR in the coming week as more comprehensive scans are performed. In the meantime, get patching. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

‘We should have done better’ – the feeble words of a CEO caught using real hospital IT in infosec product demos

The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers.

Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint protection software. The hospital had not given permission for its computers and data to be used in this way.

“We take responsibility for mistakes in the use of this particular customer’s demo environment. We should have done better anonymizing that customer’s data,” Tanium boss Orion Hindawi confessed on Thursday.

“Viewers didn’t connect the demo environment to that customer for years, and we do not believe we ever put our customer at risk with the data we showed. Looking at those demos, we see there are easy things we should have done to obscure and anonymize further.”

A spokesperson for El Camino hospital told The Register “no patient data or personally identifying information was accessed by Tanium.”

And a representative at Tanium added:

Tanium did not expose any hospital records or patient data. We should have done better anonymizing that customer’s data but we do not believe we ever put our customer at risk with the data we showed.

Tanium’s software can quickly scan networks to build maps of endpoints and list which applications and services are running. Administrators can search the maps for particular machines, and gain remote control of the boxes.

Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data and IT gear in demonstrations, and has obtained written consent. Only a few customers are willing to do this, and Tanium – based in Emeryville, California – is fine with that, the chief exec said.

While hammering away at his keyboard today, the errant CEO took time to savage some of the press coverage his organization has received over the past few weeks. There have been reports of turmoil in Tanium, with nine senior executives leaving in the last eight months; tales of staff being fired just before their stock options vested; and insulted staff being called stupid or fat.

“It is true that I personally can be hard-edged, and that I’ve had to apologize to people at Tanium when I’ve gotten too sharp at times,” Hindawi said.

“It is true that we fire people when they don’t meet our ethical or performance standards, and we understand that from the outside that may raise questions about the number of people leaving. What is not true is that we have a toxic culture. Mission-oriented, hard-charging, disciplined, even intense, but not toxic.”

It’s not clear what effect, if any, these allegations will have on Tanium’s plans for an IPO. The privately held family-owned firm is VC funded and has a valuation of around $3.5bn, and that figure is unlikely to fall unless customers start fleeing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/tanium_hospital_it_demo/

Mastercard launches card that replaces PIN with fingerprint sensor

Mastercard has unveiled its new biometric card which adds a fingerprint sensor to the chip as a replacement security measure to the four-digit PIN.

When the biometric card is placed into a retailer’s EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified against a template stored on the card, at which point the transaction can be approved.

The card will work with existing EMV card terminal infrastructure, without requiring any new hardware or software upgrades, says Mastercard, which has trialled the technology in South Africa ahead of additional testing in Europe and Asia Pacific and a full rollout later this year.

Ajay Bhalla, president of enterprise risk and security at Mastercard, said: “Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected.”

This is not exactly true, of course. Successful and cheap attacks against fingerprint sensors have been demonstrated since at least 2002, and although sensor technology has improved over the last 15 years, even Apple’s TouchID lock was bypassed a few years ago by the Chaos Computer Club.

The biometric sensor is the latest in a line of attempted security upgrades for the EMV (Europay, Mastercard, Visa) standard and its competitor, the Payment Card Industry Data Security Standard (PCI DSS), both of which have been criticised.

In 2010, researchers from the University of Cambridge demonstrated a man-in-the-middle attack against the PIN verification mechanism of EMV cards during retail transactions. The lead researcher on that project, Dr Steven J Murdoch, now at University College London, told The Register today that the addition of a biometric sensor was “an interesting development, and quite an achievement to put an ordinarily bulky biometric sensor in the form factor of an EMV card”.

Dr Murdoch continued: “There will be no doubt issues to be ironed out, so questions I expect the trial will set out to answer include: How reliable is the technology, and how physically robust are the new cards?”

A frequent issue of biometrics is customer acceptance. Here South Africa is at an advantage because welfare payments made through the Net1 product have been protected by biometrics for a long time, so the use of biometrics in payments should not be totally surprising.

The example given is for attended use, where there is a person watching the transaction. This provides some resistance against people presenting a fake fingerprint, but someone could still put a fake fingerprint on top of their finger. Having an attendant also resists the “cut-off-finger” technique.

If this card is the one that Zwipe advertise then it doesn’t have a battery and so can only do verification of fingerprints when inserted into a terminal. This won’t allow it to work in typical ATMs where the card disappears into the card reader.

Both the biometric sensor and template are on the card, which means that the terminal cannot record the fingerprint. There are advantages to this, but since we leave our fingerprints everywhere they should not be considered secret. Having the sensor on the customer’s card also avoids some hygiene concerns that come up related to shared fingerprint sensors. Also, because the card is doing all the extra work, it can interoperate with existing terminals and require little or no changes to them.

This is a different approach than the updated EMV specifications. Here the fingerprint reader would be on the terminal, which sends the encrypted image of the fingerprint to the card, and the card compares this against the template it stores. This makes the cards cheaper (they need to be upgraded to store and process fingerprints but don’t need a new sensor) but terminals would need to have a fingerprint reader added.

Fingerprints have advantages and disadvantages over PINs but being better than a PIN is not a particularly high bar. Customers don’t find PINs easy to use and they are not particularly secure.

“An important question is: how will this affect customer liability for fraud?” said Murdoch, who has written at length about end-user comfort with security for UCL’s infosec publication, Bentham’s Gaze.

“In Europe consumer protection isn’t anywhere near as good as the US, so what will happen if a customer loses their card and a criminal is able to bypass the biometric protection? Will the bank conclude that it is more likely the customer performed the transaction and so must pay the cost? Customers often don’t know what the bank Ts&Cs say, and if they do they often don’t understand.” ®
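The two card designs Murdoch contrasts above (sensor and template both on the card, versus the updated EMV approach where the terminal’s reader captures the image, encrypts it and sends it to the card for comparison) differ mainly in what the terminal ever gets to handle. The toy simulation below is an added example, not code from Mastercard, Zwipe, EMVCo or the article: a fingerprint is modelled as a 64-bit feature vector, “matching” is a Hamming-distance threshold, and the stream cipher is a constructed stand-in for real secure messaging. It shows that both designs accept a noisy re-reading of the enrolled finger and reject an impostor, but only the terminal-sensor design puts raw biometric material through the terminal.

```python
"""Toy model of match-on-card (sensor on the card) versus the updated-EMV variant
(sensor on the terminal). Matcher, encoding and cipher are constructed for illustration."""
import hashlib
import os
from dataclasses import dataclass, field

MATCH_THRESHOLD = 8  # constructed: two readings of one finger differ by at most this many bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit feature vectors."""
    return bin(a ^ b).count("1")


def _keystream(key: bytes, nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(key + nonce).digest()[:8], "big")


def encrypt_reading(key: bytes, reading: int) -> bytes:
    """Toy stream cipher (NOT EMV secure messaging): nonce || (reading XOR keystream)."""
    nonce = os.urandom(8)
    return nonce + (reading ^ _keystream(key, nonce)).to_bytes(8, "big")


def decrypt_reading(key: bytes, blob: bytes) -> int:
    nonce, body = blob[:8], blob[8:]
    return int.from_bytes(body, "big") ^ _keystream(key, nonce)


@dataclass
class Card:
    template: int  # enrolled feature vector; in both designs it never leaves the card
    key: bytes = field(default_factory=lambda: os.urandom(16))  # constructed card/terminal key

    def matches(self, reading: int) -> bool:
        return hamming(reading, self.template) <= MATCH_THRESHOLD


def match_on_card(card: Card, reading: int):
    """Design of the announced card: `reading` is what the card's own sensor captured,
    so the terminal only ever sees a VERIFY request and an OK/FAIL answer."""
    terminal_handled = []  # biometric material the terminal touched: none
    ok = card.matches(reading)
    messages = [("terminal->card", "VERIFY"), ("card->terminal", "OK" if ok else "FAIL")]
    return ok, messages, terminal_handled


def terminal_sensor(card: Card, reading: int):
    """Updated-EMV variant: the terminal's reader captures the image, encrypts it,
    and the card compares the decrypted image against its stored template."""
    terminal_handled = [reading]  # the terminal captured the raw image itself
    blob = encrypt_reading(card.key, reading)
    ok = card.matches(decrypt_reading(card.key, blob))
    messages = [("terminal->card", blob), ("card->terminal", "OK" if ok else "FAIL")]
    return ok, messages, terminal_handled


# Constructed sample data: an enrolled finger, a noisy re-reading (3 bits differ), an impostor.
ENROLLED = 0x5A5A_F00F_1234_ABCD
NOISY_SAME_FINGER = ENROLLED ^ 0b1011
IMPOSTOR = 0xC3C3_0FF0_4321_DCBA


def demo():
    """Run both designs against the owner's noisy reading and the impostor."""
    card = Card(template=ENROLLED)
    results = {}
    for name, fn in (("match-on-card", match_on_card), ("terminal-sensor", terminal_sensor)):
        ok_owner, _, seen = fn(card, NOISY_SAME_FINGER)
        ok_impostor, _, _ = fn(card, IMPOSTOR)
        results[name] = {
            "accepts_owner": ok_owner,
            "rejects_impostor": not ok_impostor,
            "terminal_saw_biometric": bool(seen),
        }
    return results


if __name__ == "__main__":
    for design, outcome in demo().items():
        print(design, outcome)
```

The threshold is the usual biometric trade-off: loosen it and more impostors pass, tighten it and more legitimate readings fail, which is exactly the reliability question Murdoch expects the trial to answer. Note also that neither design makes the fingerprint a secret; the template staying on the card limits what a compromised terminal can harvest, nothing more.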

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/mastercard_launches_fingerprint_sensor_to_replace_pins_with_cards/

Trump’s self-imposed cybersecurity deadline is up: What we got?

Analysis: On January 6, president-elect Donald Trump had a meeting with the heads of the intelligence services and came out with one action point: cybersecurity.

“Whether it is our government, organizations, associations or businesses we need to aggressively combat and stop cyberattacks,” an official statement read. “I will appoint a team to give me a plan within 90 days of taking office. The methods, tools and tactics we use to keep America safe should not be a public discussion that will benefit those who seek to do us harm.”

A week later, he named former New York mayor Rudy Giuliani as his cybersecurity tsar (despite a total lack of relevant experience). Two weeks later he became president of the United States; 90 days later is today. So where is the cybersecurity team and plan?

It’s hard to tell, but based on some shoe-leather reporting by Politico the answer seems to be: absolutely nowhere.

The cybersecurity focus did seem to be there at the start of the Trump presidency. Only a week after taking office, a draft cybersecurity executive order was leaked to the Washington Post.

That order largely followed the Obama Administration’s view of cyberspace: it’s a vital national resource and a source of economic value and the government should actively ensure its security.

Where it differed was that it took a more authoritarian view of the internet and suggested new legal powers would be given to government agencies over what is overwhelmingly a privately owned network.

Speed reading

Critically, the leaked order called for a report within 60 days to provide the president with recommendations – a timeline that fitted closely with his 90-day promise, given the time taken to approve an executive order and sign it.

Things then sped up rapidly: just four days later, on a Tuesday, the entire day at the White House became built around the new cybersecurity order.

Officials briefed the press that the new order would “hold the heads of federal agencies accountable for managing their cyber risk.” They held up a cybersecurity framework developed by NIST, the National Institute of Standards and Technology, as the new standard.

The executive branch’s Office of Management and Budget (OMB) would also be given a new, powerful role in cybersecurity. It would be asked to assess the federal government’s efforts and would be put in charge of updating the system.

That afternoon, Trump and his cybersecurity tsar Giuliani held a roundtable, the first part open to the White House’s press corps. Both went heavy on the need to secure networks against attacks, and both implied they would apply pressure on corporations to work with the federal government to that end.

Giuliani warned that “the private sector is wide open to hacking, and sometimes by hacking the private sector, you get into government.” The order, he said, would “get the private sector to wake up.”

Trump was scheduled to sign the executive order in the Oval Office just a few hours later.

And then it all fell apart.

Executive disorder

It’s hard to know exactly what happened, but the collapse of Trump’s immigration order – which restricted people from a list of countries from entering the United States but was struck down by a federal judge – was almost certainly a huge part of it.

The immigration order was a disaster: it caused widespread chaos; was roundly attacked; was ruled unconstitutional and illegal; and invoked the ire of several government departments who had not been properly briefed on its contents – let alone consulted.

Then there was the fallout from a new National Security Council order that was reportedly edited by presidential advisor Steve Bannon without the president’s knowledge to include himself on the council and diminish the role of the Joint Chiefs of Staff – a huge departure from tradition, and a significant power grab that left many in government fuming (Bannon was unceremoniously kicked off the council a few months later).

The upshot of these failures was that the White House put an immediate freeze on new executive orders and instituted a new system (actually the previous system), which saw broader consultation and input before new orders were put before the president.

And that was despite the fact that many cybersecurity experts were broadly supportive of the draft cybersecurity order. In particular, many were encouraged by the idea of a centralized approach after years of in-fighting between different government departments over who was in charge of cybersecurity.

Version poo-point-zero

With the new consultation policy in place and Trump desperate to show he was on top of his priorities, the White House then reached out to different departments – including Defense, Commerce, Homeland Security, State, Treasury and Justice – and put together a new cybersecurity executive order.

And the end result was, predictably, an absolute dog’s dinner: a 2,200-word extravaganza that, far from being a high-level guidance document, read like a policy wonk’s wet dream. The new draft ordered no fewer than 10 new reports, six of which would go directly to the president.

The centralization effort was lost and the White House’s OMB was moved from being in charge to being the recipient of other departments’ reports. The order proposed a degree of inter-departmental collaboration that only someone who hasn’t worked in Washington could imagine would ever happen. We predicted stasis.

That was back on February 9. It is now April 20 – and nothing has been heard about how the new cybersecurity order is progressing.

And it seems that no one inside government has heard anything either. When Politico approached the National Security Council, a spokesperson said they were unaware of any such effort or any effort to create the planned 90-day report. A spokesperson for Senate Intelligence Committee chairman Richard Burr said pretty much the same.

And then the more damning reports: not only did the White House refuse to comment on where the cybersecurity plan was, but Trump’s own cybersecurity tsar himself, Rudy Giuliani, confirmed that he wasn’t working on a cybersecurity report.

This failure to come through on a promise is not the first time the Trump Administration has over-promised and under-delivered. Nor is it a new occurrence for new administrations – every enthusiastic new president is hit by the reality of actually running a country as opposed to talking about what’s wrong with it.

However, Trump’s failure to provide a report, or an executive order, or a team – or even a process and timeline for one of his “number one priority” items – is stark and contributes to the feeling that his administration is overwhelmed by the size of the task and is spinning its wheels. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/trumps_cybersecurity_deadline_is_up/

‘We should have done better’ – the feeble words of a CEO caught using real data in infosec product demos

The CEO of Tanium has admitted staff at his computer security biz logged into live hospital networks for product demos with potential customers.

Since 2014 Tanium sales executives have used production healthcare data to demonstrate their endpoint protection software. In doing so, staffers accessed systems at the El Camino Hospital in Mountain View, California, exposing identifying information. The hospital had not given its permission for the records to be used in this way.

“We take responsibility for mistakes in the use of this particular customer’s demo environment. We should have done better anonymizing that customer’s data,” said Tanium boss Orion Hindawi in a confessional blog post.

“Viewers didn’t connect the demo environment to that customer for years, and we do not believe we ever put our customer at risk with the data we showed. Looking at those demos, we see there are easy things we should have done to obscure and anonymize further.”

Hindawi said that since 2015, his biz has always explicitly asked its customers if it could use their data in demonstrations and has obtained written consent. Only a few customers are willing to do this, and Tanium – based in Emeryville, California – is fine with that, he said.

The errant CEO also took time, however, to savage some of the press coverage his organization has received over the past few weeks. There have been reports of turmoil in Tanium, with nine senior executives leaving in the last eight months; tales of staff being fired just before their stock options vested; and insulted staff being called stupid or fat.

“It is true that I personally can be hard-edged, and that I’ve had to apologize to people at Tanium when I’ve gotten too sharp at times,” he said.

“It is true that we fire people when they don’t meet our ethical or performance standards, and we understand that from the outside that may raise questions about the number of people leaving. What is not true is that we have a toxic culture. Mission-oriented, hard-charging, disciplined, even intense, but not toxic.”

It’s not clear what effect, if any, these allegations will have on Tanium’s plans for an IPO. The family-owned firm is VC funded and has a valuation of around $3.5bn, and that figure is unlikely to fall unless customers start fleeing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/tanium_abused_hospital_data/

Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge

Google has been ordered by a US court to cough up people’s private Gmail messages stored overseas – because if that information can be viewed stateside, it is subject to American search warrants, apparently.

During a hearing on Wednesday in California, magistrate judge Laurel Beeler rejected [PDF] the advertising giant’s objections to a US government search warrant seeking data stored on its foreign servers. The Mountain View goliath had filed a motion to quash the warrant, and was denied.

The warrant, issued on June 30, 2016, ordered Google to hand over information on a number of specific Gmail accounts, including message content, attachments, metadata, and locational data.

While Google complied with the warrants and handed all of the requested records for several accounts over to Uncle Sam’s agents, it refused to cough up information on two accounts and declined to access attachments on two others, arguing that because the data was held outside the US it was not covered by the warrant, as was decided in the Microsoft email brouhaha.

Judge Beeler, however, disagreed with the Chocolate Factory’s assessment, reasoning that if Google was able to pull up the data on its own machines in the US, then it should fall under a US court’s jurisdiction and, because it would be pulled from Google’s HQ in Mountain View, it was not considered overseas content the way Microsoft’s Ireland-based info was.

“The service provider – Google – is in the district and is subject to the court’s jurisdiction; the warrant is directed to it in the only place where it can access and deliver the information that the government seeks,” Beeler wrote.

“Unlike Microsoft, where storage of information was tethered to a user’s reported location, there is no storage decision here. The process of distributing information is automatic, via an algorithm, and in aid of network efficiency.”

Google has now been ordered to produce all of the Gmail account and message information the government requested in the warrant. The biz declined to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/20/google_must_provide_overseas_gmail_data/

Kill Chain & the Internet of Things

IoT “things” such as security cameras, smart thermostats and wearables are particularly easy targets for kill chain intruders, but a layered approach to security can help thwart an attack.

The concept of a kill chain attack has been around for several years. The term originated from the military, but computer scientists at Lockheed-Martin Corporation were the first to use this term in the field of cybersecurity, describing a kill chain framework to defend computer networks in 2011. Its relevance has taken on new meaning in our current era of IoT devices and botnet attacks. IDC predicts that by 2020, 30 billion connected “things” will be a part of the digital infrastructure.

The “kill chain” lays out the stages of a cyber-attack, starting from early reconnaissance to completion of the attack with the goal of data theft and enabling more attacks. These stages are:

1. Reconnaissance – The intruder selects its target device, researches it, and searches for vulnerabilities.

2. Weaponization – The intruder prepares a remote-access malware weapon, such as a virus or worm, that addresses the vulnerability.

3. Delivery – The intruder transmits the weapon to the target device, whether through e-mail attachments, websites, USB drives, etc.

4. Exploitation – The malware weapon’s code triggers the attack, taking action on the target network to exploit the vulnerability.

5. Installation – The malware weapon installs access points for the intruder to use.

6. Command and Control – The malware then gives the intruder “hands on the keyboard” persistent access to the target network, also enabling future attacks.

IoT devices, particularly items like security cameras, smart thermostats, wearables, and even coffee makers, are easy targets for kill chain intruders. They often have little or no security system, making step #2 of the kill chain rather easy. For example, last year 80 Sony IP security camera models were found to have back doors, giving hackers easy access.

Don’t Break the Kill Chain! Prevent it
The best way to prevent a kill chain from infiltrating enterprise IoT security is to invest in a layered approach. There are four steps to this approach:

1. Assessment: Start with a network discovery process of all the existing IoT devices, including managed and partially managed devices. Understand what each type of device is, what operating system it is running on and which applications and processes are installed on it.

2. Segmentation: IoT devices should not be in the same network segment as other devices, or within reach of the organization’s mission critical systems and data. Deploy firewalls between these segments to prevent “things” from reaching the “crown jewels” of your network.

3. Detection: Regularly analyze your network behavior to detect every IoT device which joins the network, and carefully examine whether it behaves similarly to other typical devices. A compromised device or a fake device might look the same but behave differently.

4. Response: Because manual alerts can take hours or even days to process, the best practice should involve some type of backup plan that will block or limit the access of a specific device within seconds.

This layered approach is designed both to reduce the likelihood of a kill chain attack and to break a live attack if one does occur. Once a vulnerability in the IoT device is detected and an attack is underway, breaking the final steps of the kill chain is most crucial, as that is often where the biggest gap lies in an organization’s advanced threat protection strategy. These last stages provide the best picture of who might be attacking and infecting your corporate network. They also require the least amount of time to remediate. For example, if a vulnerable security camera continues to communicate with an Internet forum, even after segmentation, it’s an easy call to block it entirely from the network.
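The detection and response steps above, as an added example that is not code from the article or from Portnox: a small Python script over constructed flow records that builds a per-device-type peer baseline (does this camera behave like the other cameras?), flags the one camera that keeps talking to an outside host after segmentation, and emits an automatic block decision. The device names, addresses and the allow-list are assumptions.

```python
from collections import defaultdict

# Constructed flow records, not from the article: (device, type, dst_ip, dst_port, bytes)
FLOWS = [
    ("cam-01", "camera", "10.20.0.5", 554, 120_000),    # RTSP to the NVR inside the camera segment
    ("cam-02", "camera", "10.20.0.5", 554, 118_000),
    ("cam-03", "camera", "10.20.0.5", 554, 121_000),
    ("cam-03", "camera", "203.0.113.44", 80, 9_000),     # constructed: one camera reaching an outside web host
    ("cam-03", "camera", "203.0.113.44", 6667, 4_000),   # constructed: same host, a port no camera should need
    ("thermo-01", "thermostat", "10.30.0.8", 443, 2_000),
    ("thermo-02", "thermostat", "10.30.0.8", 443, 2_100),
]

# Assessment output (assumed): destinations each device type may reach after segmentation.
EXPECTED = {
    "camera": {("10.20.0.5", 554)},
    "thermostat": {("10.30.0.8", 443)},
}


def peer_baseline(flows):
    """Detection, part 1: destinations used by at least two devices and by more than half
    the devices of a type. A destination only one camera talks to is not in the baseline,
    and a lone device of a brand-new type gets no baseline at all (it has no peers)."""
    users = defaultdict(lambda: defaultdict(set))  # type -> (dst, port) -> devices using it
    members = defaultdict(set)                      # type -> all devices of that type
    for dev, typ, dst, port, _ in flows:
        users[typ][(dst, port)].add(dev)
        members[typ].add(dev)
    return {typ: {d for d, devs in dsts.items()
                  if len(devs) >= 2 and 2 * len(devs) > len(members[typ])}
            for typ, dsts in users.items()}


def detect_outliers(flows, expected):
    """Detection, part 2: flag flows matching neither the allow-list nor the peer baseline."""
    baseline = peer_baseline(flows)
    findings = defaultdict(set)
    for dev, typ, dst, port, _ in flows:
        key = (dst, port)
        if key not in expected.get(typ, set()) and key not in baseline.get(typ, set()):
            findings[dev].add(key)
    return {dev: sorted(keys) for dev, keys in findings.items()}


def response_plan(findings):
    """Response: a per-device block decision an enforcement point (firewall or NAC) can
    apply automatically, instead of waiting hours for a manual alert to be processed."""
    return {dev: {"action": "block", "destinations": keys} for dev, keys in findings.items()}
```

Running `response_plan(detect_outliers(FLOWS, EXPECTED))` on the constructed records blocks only cam-03, while cam-01, cam-02 and both thermostats stay untouched.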

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]


Ofer Amitai is CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company’s strategic direction. He has over 20 years’ experience in network security, during which time he established the first IT security team in the Israeli Air … View Full Bio

Article source: http://www.darkreading.com/endpoint/kill-chain-and-the-internet-of-things-/a/d-id/1328681?_mc=RSS_DR_EDT

6 Times Hollywood Got Security Right

Hollywood has struggled to portray cybersecurity in a realistic and engaging way. Here are films and TV shows where it succeeded.

(Image: NiP Photography via Shutterstock)

Films and TV series have famously blundered their depictions of cybersecurity. NCIS, Scorpion, and CSI: Cyber are a few examples that made tech pros scratch their heads.

Directors’ challenge: security — and tech plotlines overall — aren’t visually interesting. What’s so glamorous about someone sitting at a computer, or a seemingly endless pile of code?

“Historically, Hollywood has struggled with the fact that the nuts and bolts of computing are not very photogenic,” says ESET senior security researcher Stephen Cobb. It’s tough to create a “rich visual environment” while offering a realistic portrayal of security and hacking.

The classic depiction of Hollywood hacking looks like someone at a computer with amazing graphics dancing across the screen. It’s a conversation between two characters that sounds like this:

“I need someone to hack into the CIA.”

“Oh, why didn’t you just ask? I can do that.”

While some of the fundamental concepts behind security-focused productions have been correct, the tech community has generally disliked how their profession is portrayed because each film or series skews in a different direction.

“Filmmakers say they want to portray hacking as being sexy and cool, but a lot of the time, sitting at a terminal isn’t very cool,” says Matthew Devost, managing director at Accenture Security and special advisor for the film Blackhat.

Not all films fail to get it right. Here, Cobb and Devost share the films and TV series where security is the focus and there are real takeaways for both security pros and general audiences. These productions may have some overdramatic moments, but they are more realistic than most:


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/6-times-hollywood-got-security-right/d/d-id/1328696?_mc=RSS_DR_EDT