STE WILLIAMS

Nest CCTV cameras can be easily blacked out by Bluetooth burglars

Nest’s Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.

The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly available, we understand. Security researcher Jason Doyle, based in Florida, US, spotted the holes, and alerted Google-stablemate Nest about them in October – but there have been no software updates to correct the programming cockups. This month, Doyle went public with details of the flaws, including example exploits.

For the first bug, an attacker can trigger a buffer overflow in the camera by pinging it an overlong Wi-Fi SSID parameter via Bluetooth Low Energy (BLE). This causes the gadget to crash and reboot. The second flaw is similar, but in this case the miscreant sends a long Wi-Fi password parameter to the camera. This too will cause the camera to crash and restart, we’re told.

The third issue is more serious. The crook can send the camera a new Wi-Fi SSID to connect to, forcing it to disconnect from the current network, try joining the new SSID which presumably doesn’t exist, and reconnect to the previous wireless network about 90 seconds later. During this time, the device stops recording footage to its cloud-connected backend. Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage, so any downtime is bad news.

By repeatedly exploiting these holes, an attacker can keep a device offline so that it stops keeping a record of what it sees – thus rendering it rather useless as a remote security cam.

All of these flaws require the attacker to be in BLE range, but that’s not a problem for someone about to break into your house or office. The reported shortcomings highlight a serious design fault within the cameras that can’t be mitigated at the moment. Bluetooth is enabled by default in the cameras, and stays on at all times so the gadgets can be reconfigured over the air. This leaves them vulnerable to attack.

“As far as workarounds, since you can’t disable Bluetooth, I’m not sure there are any,” Doyle told The Register on Monday.

“There doesn’t seem to be any reason why [Nest] leaves Bluetooth on after setup unless they need it for future or current integrations. Some cameras like the Logitech Circle turn Bluetooth off after setting up Wi-Fi.”

Doyle said Google has acknowledged that it received his bug report, but unusually hasn’t let him know whether the holes have been patched. Nest had no comment at time of publication. A source familiar with the matter said a patch has been prepared and will be pushed out shortly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/nest_security_cameras_bluetooth_burglar/

DNS lookups can reveal every web page you visit, says German boffin

Domain-name lookups only tell you site visits, not pages viewed, right? Wrong: the interaction between a user and the Domain Name System is more revealing than previously believed, according to a paper from German postdoc researcher Dominik Herrmann.

In work published at pre-print server Arxiv (in German – thank you, Google Translate), Herrmann writes that behavioural tracking using recursive name servers is a genuine privacy risk.

DNS – the infrastructure that converts, say, www.theregister.co.uk into the IP address 159.100.131.165 – does, of course, reveal which sites a user visits. However, as Herrmann writes, that is an association between the user’s public-facing IP address and the requests they make. Since ISPs have to use dynamic IP addresses to cope with the IPv4 address shortage, a user’s address changes, making it harder to track them over time.

However, Herrmann writes, someone with access to the infrastructure can easily watch a user’s behaviour while they have one IP address, create a classifier for that user, and look for behaviour that matches that classifier when the IP address changes.

“Each user pursues his interests and preferences while surfing, and … each user has a unique combination of interests and preferences,” the paper states.

Visits from one IP to Google followed by favourite newspapers, shopping sites, government services or transport are enough to identify a user when they pop up under a different IP, Herrmann reckons, and this “behavioural chaining” doesn’t have to rely on tracking cookies.

To put this idea to the test, Herrmann ran a naive Bayes classifier over five months of anonymised DNS data from the University of Regensburg, covering thousands of users.

In a sample of 3,800 students over two months, behavioural chaining correctly identified 86 per cent of individuals from one IP address to the next; and when the experiment was run for 12,000 students the accuracy remained high, at 76 per cent.
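The chaining step described above, as an added illustration (this is not code from Herrmann’s paper, and the resolver log, the users’ habits and the IP assignments are all constructed): a multinomial naive Bayes profile is built per user from the names requested behind each address in one period, and every address seen in the next period is assigned to the profile that best explains its queries.

```python
"""Behavioural chaining across IP address changes, using a multinomial naive
Bayes profile per user built from DNS query logs.  Added example, not code from
Herrmann's paper; every log row below is constructed."""
import math
from collections import Counter, defaultdict

# Constructed resolver log for period 1: (client_ip, queried_name).  During this
# period the mapping IP -> person is known, so the IP doubles as the user label.
PERIOD1 = (
    [("10.0.0.1", d) for d in ("www.google.com", "www.faz.net", "www.faz.net",
                               "www.bahn.de", "www.amazon.de", "www.faz.net")]
    + [("10.0.0.2", d) for d in ("www.google.com", "www.spiegel.de", "www.zalando.de",
                                 "www.spiegel.de", "www.bvg.de", "www.spiegel.de")]
    + [("10.0.0.3", d) for d in ("www.google.com", "www.heise.de", "www.heise.de",
                                 "www.bahn.de", "www.elster.de", "github.com")]
)
# Constructed period 2: the ISP has reassigned addresses; who is behind each one?
PERIOD2 = (
    [("10.0.0.7", d) for d in ("www.google.com", "www.faz.net", "www.amazon.de", "www.faz.net")]
    + [("10.0.0.8", d) for d in ("www.heise.de", "github.com", "www.bahn.de")]
    + [("10.0.0.9", d) for d in ("www.spiegel.de", "www.zalando.de", "www.google.com")]
)
# Ground truth for the constructed data, used only to score the result.
TRUTH = {"10.0.0.7": "10.0.0.1", "10.0.0.8": "10.0.0.3", "10.0.0.9": "10.0.0.2"}


def build_profiles(log):
    """Per-label domain counts and the shared vocabulary, from (ip, name) rows."""
    profiles = defaultdict(Counter)
    for ip, name in log:
        profiles[ip][name] += 1
    vocab = {name for counts in profiles.values() for name in counts}
    return profiles, vocab


def log_likelihood(names, profile, vocab, alpha=1.0):
    """log P(names | profile) under a multinomial model with Laplace smoothing,
    so a name the profile never requested costs a finite penalty, not -inf."""
    total = sum(profile.values()) + alpha * len(vocab)
    return sum(math.log((profile[name] + alpha) / total) for name in names)


def chain(period1, period2, min_queries=1):
    """Assign each period-2 address to the period-1 label whose profile best
    explains its queries.  Addresses with fewer than min_queries lookups are
    left unassigned: too little activity, and the trail goes cold."""
    profiles, vocab = build_profiles(period1)
    sessions = defaultdict(list)
    for ip, name in period2:
        sessions[ip].append(name)
    assignment = {}
    for ip, names in sessions.items():
        if len(names) < min_queries:
            assignment[ip] = None
            continue
        scores = {label: log_likelihood(names, prof, vocab)
                  for label, prof in profiles.items()}
        assignment[ip] = max(scores, key=scores.get)
    return assignment


def accuracy(assignment, truth):
    """Fraction of period-2 addresses chained to the right user."""
    return sum(assignment.get(ip) == label for ip, label in truth.items()) / len(truth)


if __name__ == "__main__":
    result = chain(PERIOD1, PERIOD2)
    for ip, label in sorted(result.items()):
        print(f"{ip} -> {label}")
    print(f"accuracy: {accuracy(result, TRUTH):.0%}")
```

On real resolver data the vocabulary runs to millions of names and the three toy users become thousands, so a practitioner would compare the winning score against a threshold (or the runner-up) rather than always taking the best label, and would raise `min_queries`: an address with only a handful of lookups is exactly the case where the chain should be declared broken rather than forced onto the nearest profile.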

Why worry?

Herrmann offers two observations about why this is more worrying than it may appear at first sight. People will correctly point out that DNS resolves only as far as (for example) www.wikipedia.org: a DNS record doesn’t show law enforcement that someone read en.wikipedia.org/wiki/Alcoholism, so, the argument goes, their privacy is intact.

Not so, he responds: “Many websites produce a so distinctive DNS retrieval pattern” that requests can be recognised “more or less unequivocally.” In an analysis of the retrieval of 5,000 Wikipedia entries, 6,200 news posts on Heise, and the top 100,000 websites, most pages showed unique retrieval patterns, he writes.
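The retrieval-pattern argument, as an added example (not code from Herrmann’s paper; the page catalogue, the hostnames and the resolver log are constructed): each page is described by the set of names a browser resolves to render it, a client’s queries are cut into bursts, and each burst is matched against the catalogue by set overlap. Two pages with identical patterns are reported together rather than guessed at, which is where the “more or less” in “more or less unequivocally” comes from.

```python
"""Recognising an individual page from the burst of DNS lookups it triggers.
Added illustration of the retrieval-pattern argument, not code from Herrmann's
paper; the catalogue and the observed queries are constructed."""
from collections import defaultdict

# Constructed catalogue: page -> names a browser resolves to render it.  Real
# patterns come from embedded images, scripts, fonts, ad and analytics tags.
CATALOGUE = {
    "news.example/politics/budget": {"news.example", "cdn.news.example",
                                     "ads.adnet.example", "fonts.example"},
    "news.example/sport/derby": {"news.example", "cdn.news.example",
                                 "video.sportcdn.example", "ads.adnet.example"},
    "wiki.example/Topic_A": {"wiki.example", "upload.wiki.example"},
    "wiki.example/Topic_B": {"wiki.example", "upload.wiki.example"},  # same as Topic_A
    "wiki.example/Topic_C": {"wiki.example", "upload.wiki.example", "maps.wiki.example"},
}

# Constructed resolver log for one client address: (seconds, queried_name).
LOG = [
    (0.0, "news.example"), (0.3, "cdn.news.example"),
    (0.5, "ads.adnet.example"), (0.9, "fonts.example"),
    (30.0, "wiki.example"), (30.2, "upload.wiki.example"),
    (61.0, "wiki.example"), (61.1, "upload.wiki.example"), (61.4, "maps.wiki.example"),
]


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means the burst is exactly the page's pattern."""
    return len(a & b) / len(a | b) if a | b else 0.0


def sessionise(log, window=2.0):
    """Group (timestamp, name) rows into bursts separated by more than `window` seconds."""
    bursts, current, last = [], set(), None
    for ts, name in sorted(log):
        if last is not None and ts - last > window:
            bursts.append(current)
            current = set()
        current.add(name)
        last = ts
    if current:
        bursts.append(current)
    return bursts


def identify(observed, catalogue=CATALOGUE, threshold=0.75):
    """Return (best-matching pages, score).  More than one page in the list means
    the burst is ambiguous: those pages share a pattern and cannot be told apart.
    An empty list means nothing in the catalogue resembles the burst."""
    by_score = defaultdict(list)
    for page, pattern in catalogue.items():
        by_score[jaccard(observed, pattern)].append(page)
    best = max(by_score)
    if best < threshold:
        return [], best
    return sorted(by_score[best]), best


def reconstruct(log):
    """Page-level history for one address: one (pages, score) per burst."""
    return [identify(burst) for burst in sessionise(log)]


if __name__ == "__main__":
    for pages, score in reconstruct(LOG):
        print(f"{score:.2f}  {' | '.join(pages) or '(unknown)'}")
```

One caveat worth keeping in mind when reading the paper’s numbers: a browser or stub resolver caches answers, so a second page on the same site often triggers only the lookups it adds to what is already cached (in the log above, `wiki.example` would normally not be re-queried at 61.0 s). A deployed version of this would therefore have to match on the names a page adds to the cache state, not on the full set.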

In many countries’ data retention regimes, the IP addresses a user visits are recorded, but browser histories are off limits. Herrmann asserts that law enforcement could use DNS records, IP address records, and behavioural chaining to reconstruct a more detailed browsing history than most users expect.

It can, however, be disrupted by ISPs, should they wish, by refreshing users’ IP addresses more frequently. With an hourly change to IP address, Herrmann writes, the reconstruction fails 45 per cent of the time, and at five-minute changes, accuracy drops to 31 per cent – and if the user is inactive for enough intervals, “the trail disappears.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/21/dns_records_more_revealing_than_you_think_says_german_boffin/

News in brief: FBI probes Russian ‘meddling’; Secret Service laptop stolen; Pi beats Commodore 64 sales

Your daily round-up of some of the other stories in the news

FBI probes Russian ‘meddling’

The FBI is investigating alleged Russian interference in last year’s US presidential election and possible ties to President Donald Trump’s campaign, FBI director James Comey told the House Intelligence Committee on Monday.

The probe “includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government, and whether there was any co-ordination between the campaign and Russia’s efforts,” he added.

Comey also told the committee that there is “no information that supports” Trump’s allegations that the then-president Barack Obama had ordered the wiretapping of phones in Trump Tower during the election campaign.

Police ‘scrambling’ to find stolen Secret Service laptop

Stolen laptops are a common source of data leaks – and not even the US Secret Service is immune: a laptop containing floor plans for Trump Tower and details of its investigation into Hillary Clinton’s private email server has been stolen from an agent’s car in Brooklyn, according to the New York Daily News.

CCTV video apparently showed a man dressed in black running to the parked car and grabbing items including the laptop, other “sensitive” documents, a radio and an access keycard.

The agency said that while the laptop itself doesn’t contain classified information, it could be used to access sensitive information. Police were reported to be “scrambling like mad” to recover the laptop.

A bigger slice of the Raspberry Pi

The Raspberry Pi, the cheap-as-chips tiny computer that’s fuelled projects from a smart doorbell to a tweeting catflap (full disclosure: that’s my catflap) has just outstripped the venerable Commodore 64 as the world’s third best-selling computer, founder Eben Upton told guests at the fifth birthday party for the Pi.

Raspberry Pi has sold more than 12.5m of the various iterations of the pocket-sized computer in its five-year history, with the Raspberry Pi 3B the biggest seller, with 30% of overall sales, the MagPi magazine reported this week.

Upton told the party guests: “We are now the third most popular general purpose computing platform after the Mac and the PC.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hbVTAd74XX4/

Sweeping dragnet search warrant given the go-ahead by judge

The identity fraud went down like this: in January, a man who identified himself as the customer of a Minnesota bank called to ask for a wire transfer of $28,500 from a line of credit to another bank.

To verify his identity, he gave the bank his name, date of birth, and taxpayer ID. The purported customer also faxed in a copy of what looked like his passport.

It wasn’t. It was fake, and the transfer was fraudulent. The crook had faxed it over with a phone number spoofed to masquerade as the victim’s phone number.

The image wasn’t actually of the victim, but it was of an individual close to the victim’s age. Police in Edina, Minnesota, searched for the image online, but they couldn’t find it via Yahoo or Bing searches. They did however find it on Google, so they hypothesized that the fraudster must have used Google to search for the image subject’s name when making the fake passport.

Thus were they led to seek a warrant with a massive scope: one that sought “any/all user or subscriber information” related to searches on the victim’s name for a period of five weeks.

The warrant, which Edina police applied for in February, was signed off on by Hennepin county judge Gary Larson. Here’s how broad the document was: the warrant sought the specific times and dates of the searches, along with names, addresses, telephone number(s), dates of birth, social security (taxpayer) numbers, email addresses, payment information, account information, IP addresses, and MAC addresses of any and all persons who ran a search on a handful of variations on the victim’s name between December 1 and January 7.

The warrant application was discovered and published by Tony Webster, who calls himself a web engineer, public records researcher and policy nerd. He’s put up a version of the document on his site, with the victim’s full name redacted so as to protect his privacy.

Webster told Ars Technica’s David Kravets that language in the warrant that says “located in city or township of Edina, County of Hennepin, State of Minnesota” is standard, pro forma language, often contained in the county’s warrants. The language doesn’t mean that the warrant’s limited to those who searched the victim’s name from within the city limits of Edina.

But the warrant goes far beyond Edina. In fact, it’s a sweeping dragnet looking for details about an untold number of people on a global scale, the vast majority of whom are assuredly innocent of any wrongdoing.

Webster likens it to taking out a warrant for anybody who bought a pressure cooker on Amazon a month before the Boston bombing. He also questions how police access to those people’s personal details might play out:

Could this type of search warrant be used to wrongly ensnare innocent people? If Google were to provide personal information on anyone who Googled the victim’s name, would Edina Police raid their homes, or would they first do further investigative work? The question is: what comes next?

He also compared it to tower dumps: a warrantless, large-scale interception of mobile phone data that gives police the identity, activity and location of any phone that connects to targeted phone towers, generally within one or two hours.

For those, law enforcement agents use stingrays: suitcase-sized cell site simulators that they use to mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’) into connecting and giving up their identifying information and location.

The warrant for the people who searched on the wire fraud victim’s name is similar to tower dumps in that both entail police sweeping up a vast amount of non-public data on people who aren’t wanted for any crime. As Webster noted, it represents “an opportunity for police to arrest or convict the wrong person through a flurry of circumstantial evidence”.

Andrew Crocker, a staff attorney for the Electronic Frontier Foundation (EFF), called out the warrant as unconstitutional on Twitter.

According to the warrant application, Edina authorities had first sent Google an administrative subpoena “requesting subscriber information for anyone who had performed a Google search” for the victim’s name. Google refused to comply with that administrative subpoena, which is similar to a search warrant but without a judge’s signature.

Officer David Lindman wrote in the warrant application that he was after the judge-signed warrant to save time:

Though Google’s rejection of the administrative subpoena is arguable, your affiant is applying for this warrant so that the investigation of this case does not stall.

Google hinted, in an email to Ars, that it plans to fight the warrant:

We aren’t able to comment on specific cases, but we will always push back when we receive excessively broad requests for data about our users.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1757JEdxuRU/

WWE star’s swiped sex snaps survey spam snares selfie sickos

Scammers are exploiting a new batch of leaked celebrity nudes, using the stolen selfies to lure in gawpers and make a fast buck.

Voyeurs are told to install a smartphone app that promises to reveal compromising photos of British WWE star Paige – whose intimate private photos and videos were leaked online this month without permission. The wrestler is among a clutch of celebs whose nude pics and sex tapes were very recently snatched and spread on the web, an act dubbed The Fappening 2.0 after similar leaks in 2014.

Pervs hoping for an illicit glimpse of Paige are tricked into allowing the app to access their Twitter account, and then led along a warren of URLs that go nowhere and serve no purpose other than to make crooks money from affiliate marketing and advertising link clicks.

Determined gawpers will eventually wind up on an internet survey page that promises to reward you with an Amazon gift card after you hand over details about yourself. “Filling this in hands your personal information to marketers,” said Chris Boyd, a malware intelligence analyst at Malwarebytes. A writeup of the scam – complete with screenshots – can be found in a blog post by Boyd, here.

While surfers are looking through all these links, the dodgy phone app spams out tweets from their accounts, complete with yet more pictures and URLs as bait. It’s another example – only days after the Twitter Counter app was hacked to send out propaganda branding the Dutch and Germans as Nazis – why netizens should be wary of third-party Twitter apps.

This month’s Fappening 2.0 leak has cropped up in other cybercrime scams. For example, message board denizens are warning others of dodgy download links and random zip files claiming to contain stolen nude photos and video clips.

“As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers,” Boyd warned.

“Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less-than-reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone. It probably won’t be long before the Malware authors and exploit slingers roll into town.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/20/wwe_paige_survey_scam/

‘Sorry, I’ve forgotten my decryption password’ is contempt of court, pal – US appeal judges

The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn’t remember the password to decrypt his computer’s hard drives.

In so doing, the appeals court opted not to address a lower court’s rejection of the defendant’s argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination.

In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as “John Doe” because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer.

The defendant’s computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.

“Doe voluntarily provided the password for the Apple iPhone 5S, but refused to provide the passwords to decrypt the Apple Mac Pro computer or the external hard drives,” the appeals court ruling states. “Despite Doe’s refusal, forensic analysts discovered the password to decrypt the Mac Pro Computer, but could not decrypt the external hard drives.”

Forensic examination of the computer indicated that the device had been used to visit known child exploitation sites and to download thousands of files with the same hash values as known child pornography files.

The files themselves, however, were not present on the computer. They are assumed to be stored on the external hard drives.

Authorities in Delaware investigating the case already had a sense of the contents of the drives because, according to court documents, the defendant’s sister had told police investigators “that Doe had shown her hundreds of images of child pornography on the encrypted external hard drives.”

Further interaction with authorities led the defendant to provide access to his iPhone 6 Plus, but not to an encrypted application on the phone that contained over 2,000 images and videos.

In August, 2015, the judge hearing the case issued “an order pursuant to the All Writs Act requiring Doe to produce his iPhone 6 Plus, his Mac Pro computer, and his two attached external hard drives in a fully unencrypted state.”

The defendant subsequently unlocked the images on the iPhone 6 Plus, which contained adult pornography and images of the defendant’s four- and six-year-old nieces in underwear.

‘Entered several incorrect passwords’

“Doe, however, stated that he could not remember the passwords necessary to decrypt the hard drives and entered several incorrect passwords during the forensic examination,” the appeals court’s ruling says.

The Magistrate Judge hearing the initial case, however, did not believe the defendant’s claim. The judge “found that Doe remembered the passwords needed to decrypt the hard drives but chose not to reveal them because of the devices’ contents.”

The appeals court found that forcing the defendant to reveal passwords was not testimonial in this instance because the government already had a sense of what it would find.

Courts currently distinguish between acts of production – being compelled to reveal evidence – and acts of testimony – being compelled to reveal information in the mind – except where the testimony would not provide new information. In some courts at least, this distinction allows courts to demand a fingerprint to unlock a device but not to demand a password.

In a phone interview with The Register, Mark Rumold, senior staff attorney at the Electronic Frontier Foundation – which filed an amicus brief in this case arguing against compelled password production – said the ruling was disappointing but not entirely surprising and noted that the EFF’s position is that individuals should not be compelled to provide passwords.

“Any time suspects are forced to disclose the contents of their mind, that’s enough to trigger the Fifth Amendment, end of story,” said Rumold.

Others take issue with the idea that technology might be allowed to trump legal process. In a 2015 California Law Review article arguing that forced decryption is necessary to balance individual rights and government power, Dan Terzian, presently an associate at Duane Morris LLP, argues that the EFF’s view is too expansive.

“Scores of companies now encrypt their data,” Terzian wrote. “In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas.”

Rumold said the Third Circuit has adopted a test accepted by the Eleventh Circuit that hinges upon how much the government already knows. He said he expects the Supreme Court will ultimately have to weigh in on the issue, adding he wouldn’t be surprised if this case seeks Supreme Court review. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/20/appeals_court_contempt_passwords/

FBI, NSA top brass: We’ve seen jack squat to back up Trump’s claims of Obama wiretaps

Monday mornings are never pleasant, are they? Take FBI director James Comey and head of the NSA Admiral Mike Rogers, for example, who kicked off their week by being grilled by the US House Select Intelligence Committee.

The meeting was scheduled to give Congress an update on claims of Russian meddling in the presidential election, President Donald Trump’s obvious bullshit that he was wiretapped by Barack Obama during the White House race – and whether the intelligence community has any idea who is slipping classified documents to the press.

The first point addressed by the dynamic duo was that of fears hackers had altered the nation’s election results. Both Comey and Rogers stressed to the committee that they had seen no evidence of anyone compromising electronic election terminals to directly influence the outcome, although some voter registration records were obtained.

Both men also shot down wild claims by a Fox News analyst – and later tweeted by Commander in Chief Trump – that then-President Barack Obama ordered that Trump and his associates be wiretapped, possibly by British agents at GCHQ. Director Comey was unequivocal on the matter.

“With respect to his tweets: I have no information that supports those tweets, and we have looked carefully inside the FBI,” he said. “The Department of Justice has asked me to share with you that the answer is the same for the Department of Justice and all its components.”

Comey pointed out that all and any surveillance of that type has to be ordered by a judge, not by any one individual. It would be impossible for one person to order and authorize that kind of political snooping, even if they did happen to be the president.

Admiral Rogers agreed, saying that no members of the NSA had been involved in any such shenanigans, and he hadn’t seen evidence of such surveillance. When asked about claims that GCHQ was involved – a suggestion the British snoop agency rather frankly denies – Rogers was emphatic, saying he would never ask his colleagues across the Pond to do such a thing.

“That would be expressly against the construct of the Five Eyes agreement that’s been in place for decades,” Rogers said, adding that he agreed with GCHQ’s comment that such claims were “utterly ridiculous.”

Noisy hacking attacks by Russia

A large part of the hearings covered the ongoing investigation into Russian state spies and Putin-sponsored miscreants actively influencing the US presidential election. For example, it is alleged Kremlin-backed hackers broke into Democrat computer systems, swiped documents, and selectively leaked the files to the public to swing the election for Trump.

Director Comey observed that normally the FBI refused to comment on whether an investigation into anything is ongoing. However, in this case, he was authorized to confirm that his staff was investigating these swirling claims, but that he wasn’t willing to talk about specifics – saying he understood that would be frustrating for Congress.

“The question most people have is whether we can really conduct this investigation in the kind of thorough and nonpartisan manner that the seriousness of the issues merit, or whether the enormous political consequences of our work will make that impossible,” Comey said.

“The truth is, I don’t know the answer, but I do know this: if this committee can do its work properly, if we can pursue the facts wherever they lead, unafraid to compel witnesses to testify, to hear what they have to say, to learn what we will.”

Potential Putin collusion probe

Both men said there was very little doubt that the Russians had tried to shape the election, as they had other elections. The pair declined to comment on claims that the Russian authorities had colluded with the Trump campaign or any of its staff, although the FBI boss confirmed his agents are “investigating the nature of any links between individuals associated with the Trump campaign and the Russian government, and whether there was any coordination between the campaign and Russia’s efforts.”

Comey also confirmed Russian intelligence services had hacked into a number of groups, including the Democratic National Committee and some Republican party servers, and that Putin and his pals “hate” Hillary Clinton. The FBI boss said his view was that by late summer 2016, the Russians had given up on Trump winning the election and concentrated on trying to hurt Clinton as much as possible.

The methods of disseminating information gleaned from the hackers were surreptitious according to Comey, and the Russians used WikiLeaks to get plausible deniability for the source of the information. He also noted that the hacks themselves had been “noisy,” as though the Russians wanted us to know they had been hacking around to damage whoever got into the White House.

“Their number one mission is to undermine the credibility of the entire democracy enterprise, of this nation. Their loudness in a way would be counting on us to amplify… and freaking people out,” Comey said.

Comey noted that the FBI began its investigation in June 2016 but didn’t make any public disclosures “due to the sensitivity of the matter.” He was not asked why he went public, twice, about investigations into the Clinton campaign while keeping the Trump-Kremlin links probe quiet.

Battle to stop leaks

A lot of Republican committee members wanted the view of the FBI and NSA on government officials leaking information to the press. Trump’s former national security adviser Michael Flynn was forced to resign after press reports of close ties to some Russian groups.

Rogers said that, of course, leaks were a problem, and that he had taken a personal interest in the matter and had made his views clear to NSA staff recently.

“I have raised this directly with my own workforce over the course of the last few months to remind everyone part of the ethics of the profession and not just the legal requirement but the ethics of our profession as intelligence professionals that we do not engage in this activity,” Rogers said.

“I reminded the men and women of the National Security Agency that if I am aware of any such conduct, there is no place for you on this team, and it is unacceptable to the citizens of the nation as well as the agency.”

Comey explained that, in some cases, leakers could be prosecuted under the Espionage Act. President Obama’s administration was a big fan of the Act, and used it more than any other administration to try to clamp down on leakers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/20/fbi_nsa_trump_wiretap/

New Wave of Security Acquisitions Signals Start of Consolidation Trend

A dozen recent high-profile deals reflect cybersecurity vendors’ hopes of expanding their offerings with next-generation technology, ideas, and talent.

Image Source: Pixabay

The security industry has grown at a frantic pace these past several years as cyber incidents continue to plague business and government, not to mention the US Presidential election.

But as Steve Morgan, CEO of Cybersecurity Ventures points out, the venture capital funding that security companies enjoyed from 2013 to 2015 has started to run out, so it’s likely that the industry will go through some significant consolidation throughout 2017 and into next year.

“Only so many companies will excel in the market and we can expect that many will crash and burn,” he says. “Overall, there hasn’t been a lot of IPO activity this year.”

That’s certainly not to say that the security business is slowing down – far from it. In fact, Morgan says that the security industry is entirely driven by cybercrime, which he estimates will jump from $3 trillion in 2015 to $6 trillion annually by 2021.

Companies looking to serve the growing security market are adding machine learning and analytics capabilities, hands-on expertise from incident response firms, and – in the case of AWS – artificial intelligence capabilities to bolster their security offerings.

Dark Reading compiled a list of 12 high-profile security deals that were completed in the past few months. This is not meant as a comprehensive list. While these deals may be just the beginning of the acquisition wave, it gives the industry a chance to catch up with itself and sort out how legacy companies such as HPE, Palo Alto Networks, Sophos, and Symantec plan to move forward in the months ahead. 


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/threat-intelligence/new-wave-of-security-acquisitions-signals-start-of-consolidation-trend/d/d-id/1328431?_mc=RSS_DR_EDT

Getting Beyond the Buzz & Hype of Threat Hunting

When harnessed properly, threat hunting can be one of the most useful techniques for finding attackers in your network. But it won’t happen overnight.

The terms “threat intelligence” and “threat hunting” have become the next big thing in information security over the last few years. While many researchers (including myself) still view these buzzwords unfavorably, the reality is that – when done correctly – the concepts, processes, and strategies are critical to the security of an organization.

According to recent “report card” research from DomainTools, over 40% of survey respondents said their organization currently uses some sort of threat intelligence platform. This demonstrates that the field is growing – and with a heavy focus on threat hunting. The report card examined the maturity of information security departments across the globe, and gauged their success in implementing hunt capabilities in both small and large organizations. 

Source: Defensive Approach Diagram from DomainTools Report Card Report

But What Is Threat Hunting, Really?
It’s important to remember that threat intelligence is merely threat data with contextualized analysis to help analysts understand the threats to their organization. Threat intelligence isn’t as easy as merely paying for an API or web portal to access specific threat data. Performing proper threat analysis requires skilled analysts, vetted information and data, timely information, and multiple data sources.

Often over-used and misunderstood, threat hunting is the process of proactively searching through network and host data to detect, and where possible help eliminate, miscreants from networks and hosts. One hunt can look quite different from another, and hunts vary from analyst to analyst. Many good hunters describe hunting as an art rather than a science; many rely on gut feel in conjunction with proper security analysis platforms, combining the art and the science of hunting. Unfortunately, hunting is often seen as hugely beneficial but difficult to implement.

A-Hunting We Will Go: Threat Hunting Maturity
In our research, we found that threat hunting is emerging as a top tactic among many organizations. Of the respondents, more than one quarter (26%) indicated they spend 26 hours or more per week hunting threats in the network. A large majority (78%) of respondents using hunt capabilities find value in hunting – specifically drilling down on forensic clues from emails, such as a domain name, IP address, or email address, which ideally leads to information that makes the organization more secure. Many of these organizations then take the indicators they find and proactively block them on their proxies, egress firewalls and other defensive technology. Some of those same organizations go on to share indicators of attack (IOA) or indicators of compromise (IOC) with peers in the same industry.
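The pivot the paragraph above describes, as an added example that is not part of the original article or of the DomainTools research: take a suspicious email, pull out the sender addresses and domains, the relay IPs from the Received: headers and the URLs in the body, drop the organization's own relays, and emit a blocklist the egress proxy or firewall could consume. The message is constructed for the example (documentation IP ranges and .example domains, not a real phish), and the "domain <name>" / "ip <addr>" blocklist lines are a hypothetical format.

```python
"""Pivoting on the forensic clues in a suspicious email (sender address and
domain, relay IPs from Received: headers, URLs in the body) and turning them
into a blocklist for the egress proxy or firewall.  Added example; the message
below is constructed (documentation IP ranges, .example domains), not a real
phish, and the blocklist format is a hypothetical 'kind value' line."""
import email
import email.utils
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample message, not a real phish.
SAMPLE_EML = b"""\
Received: from mail.int.example.net (mail.int.example.net [10.0.0.5])
\tby mx.example.com with ESMTP; Mon, 03 Apr 2017 09:00:00 +0000
Received: from relay.invoice-update.example (unknown [203.0.113.77])
\tby mail.int.example.net with SMTP; Mon, 03 Apr 2017 08:59:58 +0000
From: Accounts Payable <billing@invoice-update.example>
Reply-To: collections@invoice-update.example
To: finance@example.com
Subject: Overdue invoice 4471
Content-Type: text/plain

Please review your overdue invoice at
http://invoice-update.example/login?acct=4471 or
https://198.51.100.23/dl/invoice.zip before Friday.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Our own relays (RFC 1918 and loopback) appear in Received: too; never block those.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def as_ip(text):
    """Return an ip_address object, or None if `text` is a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(raw_message):
    """Return {'emails', 'domains', 'ips', 'urls'} sets pulled from one message."""
    msg = email.message_from_bytes(raw_message)
    ioc = {"emails": set(), "domains": set(), "ips": set(), "urls": set()}

    # Sender-side addresses: From, Reply-To and the envelope sender if present.
    for header in ("From", "Reply-To", "Return-Path", "Sender"):
        for _name, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                ioc["emails"].add(addr.lower())
                ioc["domains"].add(addr.rsplit("@", 1)[1].lower())

    # Relay IPs in Received: headers; skip our own internal relays.
    for received in msg.get_all("Received", []):
        for ip_text in BRACKET_IP_RE.findall(received):
            ip = as_ip(ip_text)
            if ip is not None and not is_internal(ip):
                ioc["ips"].add(str(ip))

    # URLs in the body; the host part becomes a domain or IP indicator.
    body = msg.get_payload(decode=True) or b""
    for url in URL_RE.findall(body.decode("utf-8", errors="replace")):
        ioc["urls"].add(url)
        host = urlparse(url).hostname
        if not host:
            continue
        ip = as_ip(host)
        if ip is None:
            ioc["domains"].add(host.lower())
        elif not is_internal(ip):
            ioc["ips"].add(str(ip))
    return ioc


def to_blocklist(ioc):
    """Lines of the form 'domain <name>' / 'ip <addr>' (hypothetical format)."""
    return ([f"domain {d}" for d in sorted(ioc["domains"])]
            + [f"ip {i}" for i in sorted(ioc["ips"])])


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_EML)
    for kind, values in found.items():
        print(kind, sorted(values))
    print("\n".join(to_blocklist(found)))
```

The internal-relay filter is deliberately an explicit RFC 1918 list rather than Python's `is_private`, which also treats the documentation ranges used here (and anything else IANA marks non-globally-reachable) as private and would silently drop real external relays in some setups. Before anything from a list like this is pushed to a proxy, an analyst still has to vet it: a forwarded message carries the forwarder's relays, and a shared hosting IP can front hundreds of unrelated sites.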

It Takes Time to Get it Right
Standing up a threat hunting capability doesn’t need to be difficult, but it needs to be done right. Trying to adopt a hunt program too quickly is one of the biggest and most prevalent problems I’ve witnessed in organizations attempting to stand one up. It takes time to implement and properly run a threat hunt team or capability! One of the most important things an organization should consider at the outset is the Hunting Maturity Model from Sqrrl.

Source: Sqrrl Hunting Maturity Model

By using this maturity model as the foundation for your own hunt capability, you can work your way through its levels (HM0 through HM4) and grow the capability organically, which helps reduce the pains commonly associated with a developing hunt program. Alongside the maturity model, it’s also important for organizations to have proper automation technology in place by the time they reach the upper levels, so that analysts’ time goes into hunting rather than into repeating the same queries by hand.

Kyle Wilhoit is an internationally recognized security researcher with more than a decade of experience leading research teams to deliver timely and organized threat intelligence to internal and external customers. In his current role as senior security researcher at …

Article source: http://www.darkreading.com/threat-intelligence/getting-beyond-the-buzz-and-hype-of-threat-hunting-/a/d-id/1328441?_mc=RSS_DR_EDT

When will blockchain technology deliver on its promise?

This week, the International Telecommunication Union (ITU) is holding a workshop to see how blockchain technology might be useful as a security tool. It’s a good indicator of the technology’s ongoing success. Eight years after the original bitcoin blockchain emerged, efforts are well under way to push its security benefits into multiple industries. What strengths does it carry, and what challenges will it face, as a next-generation security tool?

We explained basic blockchain operations here. The technology’s biggest security benefit is its ability to cut out the middleman. Instead of transacting via a trusted arbiter, parties get to transact with each other directly, and seal the outcome so that neither can dispute it in the future.

Why is this useful, if trusted third parties promise to do all that work for you? The problem with trusted third parties is that you can’t always trust them. Just look at what happens if your trusted third party happens to be Wells Fargo, or Bank of America, say.  Or Deutsche Bank, or Barclays, UBS, Rabobank, and the Royal Bank of Scotland. We could fill an entire article with links like this. You get the picture.

Secure all the things

The second security benefit complements the first: blockchain technology allows participants to “seal” transactions so that they are visible but immutable, which keeps everyone honest. Different implementations use different techniques. Bitcoin uses proof of work, chewing up the computing power of a small city to preserve its transactions in digital resin; rewriting a sealed block means redoing that work for it and for every block that came after it. Other techniques include proof of stake. Each has its own technical and economic implications.
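What “sealing” buys you, as an added example that is not part of the original article and is not Bitcoin’s code: a toy hash chain in which each block commits to the previous block’s hash and carries a proof of work. Editing a sealed transaction breaks that block’s hash; re-mining the edited block makes it look valid again but breaks the link from the next block, so a verifier still catches it. The transactions are constructed, and the difficulty (12 leading zero bits) is tiny so the example runs in milliseconds rather than needing a small city’s worth of power.

```python
"""A toy hash chain with proof of work, to show what "sealing" a transaction
means and why editing a sealed block is detectable.  Added example; all
transactions are constructed and the difficulty is tiny so it runs fast."""
import copy
import hashlib
import json

DIFFICULTY_BITS = 12  # real networks use vastly more; 12 keeps this to milliseconds


def block_hash(block):
    """SHA-256 over a canonical encoding of every field except the hash itself."""
    payload = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def meets_difficulty(digest_hex, bits=DIFFICULTY_BITS):
    """Proof of work: the top `bits` bits of the digest must be zero."""
    return int(digest_hex, 16) >> (256 - bits) == 0


def mine_block(index, prev_hash, transactions, bits=DIFFICULTY_BITS):
    """Grind nonces until the block's hash satisfies the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while not meets_difficulty(block_hash(block), bits):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches, bits=DIFFICULTY_BITS):
    """Genesis block followed by one mined block per batch of transactions."""
    chain = [mine_block(0, "0" * 64, [], bits)]
    for txs in batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], txs, bits))
    return chain


def validate_chain(chain, bits=DIFFICULTY_BITS):
    """Return (True, None) or (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):           # contents edited after sealing
            return False, i
        if not meets_difficulty(block["hash"], bits):     # no valid proof of work
            return False, i
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:  # link to predecessor broken
            return False, i
    return True, None


def tamper(chain, index, new_transactions, remine=False):
    """Copy the chain and rewrite one block's transactions, optionally re-mining
    that block so its own hash and proof of work look valid again."""
    forged = copy.deepcopy(chain)
    if remine:
        forged[index] = mine_block(index, forged[index]["prev_hash"], new_transactions)
    else:
        forged[index]["transactions"] = new_transactions
    return forged


if __name__ == "__main__":
    # Constructed sample transactions.
    ledger = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
    ])
    print("honest chain:", validate_chain(ledger))
    forged = tamper(ledger, 1, [{"from": "alice", "to": "bob", "amount": 500}])
    print("block 1 edited:", validate_chain(forged))
    forged = tamper(ledger, 1, [{"from": "alice", "to": "bob", "amount": 500}], remine=True)
    print("block 1 edited and re-mined:", validate_chain(forged))
```

The last case is the whole point: to make a forged history validate, the attacker has to re-mine the edited block and every block after it faster than the honest network extends the chain, which is what the proof-of-work expense is buying. Note that this toy has no consensus rule, no peers and no timestamps; it only demonstrates the tamper-evidence property of the chain itself.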

No wonder, then, that people are experimenting with blockchains for security reasons. Some, such as the Danish Liberal Alliance and Australia, hope to use it for voting, perhaps misunderstanding some of the bigger security concerns with online votes.

Some, like Factom, want to notarise your documents using the blockchain. Others are mulling the use of blockchain tech to keep your medical records safe.

Blockchain technology faces some challenges, though. One of the biggest is block-washing. Whenever a technology comes along, people inevitably apply it to everything. Developers and marketing types alike suddenly shoehorn the technology into every project they can think of, even when it doesn’t fit.

This mad rush to capitalise on new technology fuels the early curve of the Gartner Hype Cycle, leading to an inevitable crash as the technology fails to meet expectations. It’s happening with AI right now, and also with blockchain technology, some argue.

We can see this as the blockchain moves to the cloud. Decentralization was an important characteristic of the original blockchain, but Microsoft’s Project Bletchley runs blockchain middleware and application marketplaces in Azure. IBM does something similar on its Bluemix cloud platform.

All this stuff will be cryptographically protected, of course, but it’s still facilitated by a single trusted party, and in effect turns the blockchain into something else. Marketing types at Microsoft are already playing with the inevitable, depressing moniker “Blockchain as a Service”, which pretty much negates the whole idea of a decentralized, independent network.

Once the tech industry stops being so breathless about the blockchain and the blue chips have reinvented it in their own image, it will face other problems. Standardization is one of them. There are many different approaches to blockchain technology, each claiming its own advantage. It will be important for these to work well together. Standardization efforts are now in the works; the International Organization for Standardization (ISO) already has a committee (ISO/TC 307) looking at it.

Good concepts and bad code

The other problem for blockchain technology revolves around software security. Just because blockchain’s underlying concept offers security doesn’t mean that the implementations follow suit. China, which has its own interest in cryptocurrency, recently analysed 25 of the top blockchain-related software projects, and found significant software security flaws in many of them. Most of the flaws related to input validation.

These issues aren’t just theoretical. They’re antithetical to what many blockchain projects are hoping to achieve. Coding flaws in blockchain implementations are serious, and lead to financial losses, such as the $400,000 theft of Zcoins last month.

As blockchain software becomes more sophisticated, the attack surface and scope will expand. A key factor here will be smart contracts. Whereas the original bitcoin blockchain only holds records of digital transactions, more recent efforts have bigger ambitions. Smart contracts are in effect programs designed to run on the blockchain.

Imagine replacing a legal contract with a computer program. Instead of paying a lawyer to govern the contract, all parties can run it independently, and the blockchain makes the program’s output immutable and transparent.

The program checks external conditions and executes its clauses accordingly. Let’s say Bob and Jane both own equal shares in a company. If the share price hits a certain threshold, they get a bonus dividend based on the number and class of their shares. Normally, a lawyer would have to take care of that, charging handsomely for the privilege. A smart contract with access to company funds would do it automatically.

That whole access to company funds thing is a bit scary, though, given that a smart contract is just a computer program, and computer programs have security flaws. The DAO, a company created entirely from smart contracts on the Ethereum blockchain, lost the equivalent of $50m or so last year in Ethereum’s Ether cryptocurrency. An enterprising hacker found a flaw in the smart contract code and flushed it all into another account.
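The article says only that the attacker “found a flaw in the smart contract code”; the DAO bug was a re-entrancy flaw, a fact not stated on the page. The pattern, as an added example that is not part of the original article and is not The DAO’s or Ethereum’s code, modelled in plain Python: a vault that pays out before it debits the caller’s balance, an attacker whose receive hook calls straight back into withdraw() while the ledger still shows the full balance, and the hardened ordering (checks, then effects, then the external call). The balances are constructed; the classes and names are hypothetical.

```python
"""Re-entrancy, the class of flaw behind the DAO drain, modelled in plain
Python.  Added example with constructed balances; it is not The DAO's code.
The external call a real contract makes is modelled as a Python callback."""


class InsufficientFunds(Exception):
    pass


class VulnerableVault:
    """Pays out *then* updates the ledger: the recipient's code runs while the
    ledger still says the full balance is available."""

    def __init__(self):
        self.balances = {}
        self.pot = 0  # funds actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pot += amount

    def withdraw(self, who, amount, on_receive):
        if self.balances.get(who, 0) < amount:
            raise InsufficientFunds(who)
        self.pot -= amount
        on_receive(amount)                 # external call: the recipient's code runs here
        self.balances[who] -= amount       # effect applied too late


class FixedVault(VulnerableVault):
    """Checks-effects-interactions: debit first, pay out last, so a re-entrant
    call sees the already-reduced balance and fails the check."""

    def withdraw(self, who, amount, on_receive):
        if self.balances.get(who, 0) < amount:
            raise InsufficientFunds(who)
        self.balances[who] -= amount
        self.pot -= amount
        on_receive(amount)


class Attacker:
    """Deposits a small stake, withdraws it, and re-enters from the receive
    hook for as long as the vault still holds at least one more stake."""

    def __init__(self, vault, stake):
        self.vault, self.stake, self.loot = vault, stake, 0

    def on_receive(self, amount):
        self.loot += amount
        if self.vault.pot >= self.stake:
            try:
                self.vault.withdraw("attacker", self.stake, self.on_receive)
            except InsufficientFunds:
                pass  # the hardened vault rejects the nested withdraw

    def run(self):
        self.vault.deposit("attacker", self.stake)
        self.vault.withdraw("attacker", self.stake, self.on_receive)
        return self.loot


def run_attack(vault_cls, stake=10):
    """Two victims deposit 80 in total (constructed).  Returns
    (attacker's loot, funds left in the vault, attacker's ledger balance)."""
    vault = vault_cls()
    vault.deposit("alice", 50)
    vault.deposit("bob", 30)
    loot = Attacker(vault, stake).run()
    return loot, vault.pot, vault.balances["attacker"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # attacker drains the pot
    print("fixed:     ", run_attack(FixedVault))        # attacker gets only its stake
```

Against the vulnerable vault the attacker deposits 10, withdraws it nine times over before the first debit lands, and walks off with the whole 90 while the ledger shows a balance of -80, which is exactly the kind of state a program “with access to company funds” must never reach. A real contract would also want a re-entrancy guard and a limited-gas transfer, but ordering the state update before the external call is the fix that closes this class of bug.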

Ethereum hard-forked its own blockchain – going back to rewrite history – to get the cash back. Several developers didn’t like that idea and kept running the original, un-forked chain, which is how we ended up with both Ethereum and Ethereum Classic. We wonder if the Coca Cola Company would have approved?

None of this sounds like the basis for a bright, secure future. What it means in practice is that we must get much better at programming this stuff before we trust huge swathes of our economy to it or enthusiastically use it to organize the Internet of Things.

Vinay Gupta, one of the original members of the Ethereum team and author of this HBR article on the blockchain’s security promise, has said that we should look to more rigorous disciplines like functional programming to avoid costly screw-ups in the future. The problem is that few people have that rigour. Raise the bar for blockchain coding, and half of the startup projects lining up for their virtual crowdsales would probably disappear.

The blockchain holds promise, but it might have to go through Gartner’s trough of disillusionment before it becomes a major item in the security industry’s toolbox. We might have to keep revising our coding practices, too.

The blockchain is today where the web was in 1994. Two decades later, the web is the Justin Bieber of tech – recently come of age, hugely successful, but addled and tarnished by its runaway success. It’s a beautiful but insane place let down by a dystopic mixture of dodgy JavaScript and rampant cybercrime, and ruled by privacy-eating monoliths. Wouldn’t it be nice if we could learn from our mistakes while priming the Next Big Thing?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dAMX7iHNQOk/