STE WILLIAMS

Security Leaders Share Tips for Boardroom Chats

Cisco, Oracle, and LinkedIn security leaders share their challenges in communicating with business teams and advice for how CISOs can navigate the relationship.

(Image: Vectorfusionart - stock.adobe.com)

CISOs historically have reported to the CIO. Now, more CISOs are being invited into executive- and board-level discussions as more organizations begin to prioritize cybersecurity initiatives.

The CISO is “a relatively new executive role,” says Greg Jensen, senior principal director of security for Oracle. While the position has been around for a number of years, he explains, it hasn’t always been welcomed in boardroom conversations. Even with a stronger voice, CISOs are the ones in hot water when a compromise or breach is identified, Jensen notes.

Security leads take the brunt of some reputational risks and threats to a corporation when a security incident takes place. “It’s the best but worst job someone could have,” he adds.

Jensen believes there is a silver lining for security leaders. The CISO’s role is changing as more people across the business realize the blame for security incidents shouldn’t solely fall to the CISO, who traditionally handles security, privacy, compliance, and regulation responsibilities. We are at a point when responsibilities, priorities, and expectations of the CISO are starting to shift.

“Historically, members of the security team have been viewed as solely being technical in nature,” says LinkedIn CISO Geoff Belknap. The long-term relationship between CISOs and business teams has been governed by the CISO’s willingness and ability to view big-picture corporate challenges while inwardly focusing on technical challenges. Now, as more board members learn about and value cybersecurity, it’s essential everyone is on the same page.

The CISO’s goal is to align security with the organization and enable business strategy. Security should be folded into the business strategy, says Steve Martino, senior vice president and CISO at Cisco. It shouldn’t be viewed as a hurdle or compliance box to check.

“The major security breaches that have happened in the past several years [have] educated executives on the importance of cybersecurity,” Martino explains. Now the challenges have shifted from “why security?” to “how can we implement security efficiently and effectively?”

This involves both sides adjusting expectations, learning one another’s priorities, clarifying misconceptions, and asking the right questions. Here, security leaders share their thoughts on the CISO’s relationship to the business and offer insight on how they can navigate boardroom conversations. Have any tips we didn’t include? Feel free to share them in the comments.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/security-leaders-share-tips-for-boardroom-chats/d/d-id/1335789?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Error-laden phone location data suspended from use in Danish courts

Denmark has found multiple glitches in cellphone tracking data that’s thrown some 10,700 verdicts into question and led to the release of 32 detainees.

On Monday, Justice Minister Nick Haekkerup ordered a two-month halt to prosecutors’ use of cellphone location data in criminal cases, during which a steering group will investigate the extent of the legal problems the errors may have caused and will monitor the reviews of cases that may have been affected.

Better safe than sorry, he reportedly told local news agency Ritzau:

We shouldn’t take the risk that innocent people could be convicted.

Haekkerup said in a statement that the discoveries have shaken trust in the justice system. Hence, the Attorney General has “now decided to apply the handbrake.”

Location mis-data

The errors have been surfacing over the course of months. AFP reports that the first bug cropped up in software that converts raw data from mobile towers to make it usable for police.

During that conversion, important data was being dropped. For example, if a phone made five calls within an hour, the software would sometimes register only the first four. That led to the creation of a less detailed image of a phone’s whereabouts. According to the New York Times, Danish national police, who had discovered the bug, fixed it in March 2019.

Jan Reckendorff, the director of public prosecutions, told Denmark’s state broadcaster that a separate error was found in how some cellphone tracking data associated phones with the wrong towers, potentially linking innocent people to crime scenes.

Reckendorff:

It’s a very, very serious case. We cannot live with incorrect information sending people to prison.

Other glitches that have surfaced include how phones can be connected to several mobile phone towers at once, incorrect registering of the origin of text messages, and incorrect information on the location of specific towers.
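The article describes the symptoms (a fifth call in an hour silently dropped during conversion, phones linked to the wrong tower) but not the conversion software or the actual defects, so the following is an added, constructed illustration rather than code from Danish police, prosecutors or any telecom vendor. It contains a hypothetical converter that reproduces the "only the first four calls per hour" symptom, and the kind of reconciliation check that a reviewing team could run to compare converted location evidence against the raw tower export. Record layout, phone and tower identifiers, timestamps and coordinates are all made up for the example.

```python
from collections import Counter

# Constructed raw tower records as a telco might export them: (phone, timestamp, tower_id).
# The check below assumes (phone, timestamp) identifies one event uniquely.
RAW_RECORDS = [
    ("phone-A", "2019-03-01T10:05", "T1"),
    ("phone-A", "2019-03-01T10:17", "T1"),
    ("phone-A", "2019-03-01T10:31", "T2"),
    ("phone-A", "2019-03-01T10:44", "T2"),
    ("phone-A", "2019-03-01T10:52", "T1"),  # fifth call within the 10:00 hour
    ("phone-B", "2019-03-01T10:10", "T3"),
    ("phone-B", "2019-03-01T11:02", "T3"),
]

# Constructed tower registry: id -> (latitude, longitude).
TOWER_REGISTRY = {"T1": (55.676, 12.568), "T2": (55.681, 12.574), "T3": (55.670, 12.560)}


def simulated_buggy_convert(raw, max_per_hour=4):
    """Hypothetical converter that reproduces the reported symptom: it silently
    keeps only the first `max_per_hour` events per phone per clock hour."""
    seen = Counter()
    out = []
    for phone, ts, tower in sorted(raw, key=lambda r: (r[0], r[1])):
        hour_key = (phone, ts[:13])          # "YYYY-MM-DDTHH"
        if seen[hour_key] >= max_per_hour:
            continue                          # the defect: event dropped without any error
        seen[hour_key] += 1
        out.append((phone, ts, tower))
    return out


def reconcile(raw, converted, registry):
    """Compare converted output against the raw export and report dropped events,
    unexpected extra events, tower mismatches and tower ids missing from the registry."""
    raw_by = {(p, t): tw for p, t, tw in raw}
    conv_by = {(p, t): tw for p, t, tw in converted}
    return {
        "dropped": sorted(k for k in raw_by if k not in conv_by),
        "extra": sorted(k for k in conv_by if k not in raw_by),
        "tower_mismatch": sorted(
            (k, raw_by[k], conv_by[k]) for k in raw_by if k in conv_by and raw_by[k] != conv_by[k]
        ),
        "unknown_tower": sorted({tw for tw in conv_by.values() if tw not in registry}),
    }


def is_clean(report):
    """True only when every category of discrepancy is empty."""
    return not any(report.values())


def demo():
    """Run the buggy converter, then corrupt one tower id to mimic a mis-association."""
    converted = simulated_buggy_convert(RAW_RECORDS)
    phone, ts, _ = converted[0]
    converted[0] = (phone, ts, "T9")         # tower id that is not in the registry
    return reconcile(RAW_RECORDS, converted, TOWER_REGISTRY)


if __name__ == "__main__":
    report = demo()
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("clean" if is_clean(report) else "evidence should not be relied on without review")
```

The point of the check is that the converted data set is never trusted on its own: every derived record is tied back to a raw record, and any discrepancy (a missing event, an event the raw export never contained, or a tower that differs from the raw record or does not exist in the registry) is surfaced before the evidence is used.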

Besides errors in police software, Danish national police went on to find what they said are several errors in the raw data that police are getting from the telecommunications companies. The scope and significance of those errors weren’t clear as of 18 August 2019, Haekkerup said at the time.

The telecom industry doesn’t understand how it can be at fault, though. We’re in the business of getting people to talk to each other, not of providing police surveillance, it responded, while acknowledging that law enforcement values this data.

As it is, the use of cellphone tower data in court cases has gone beyond its original purpose. Here’s what Jakob Willer, director of the Telecommunications Industry Association in Denmark, told AFP:

We should remember that the data is created to deliver telecom services, not to control citizens or for surveillance.

He said that “the mistakes appear when you interpret the data.”

Karoline Normann, who heads the Danish Bar and Law Society’s criminal law committee, told the Times that going forward, lawyers are going to have to interrogate the accuracy of cellphone data in ways they haven’t previously, given that…

…evidence that may appear objective and technical doesn’t necessarily equal high evidence value.

Unraveling the mess

In a 2 July letter to Parliament, the Justice Ministry said that the review of criminal cases that have involved mobile phone location data – they date back to 2012 – would prioritize currently pending cases.

After that, the next priority will be to review cases where people have been sentenced to prison time, probation or other penalties. Next come suspended investigations or acquittals. Finally, the steering group will review cases being actively investigated. If people are in prison based on no evidence besides phone location data, they may have to be released, the Justice Ministry said in the letter.

The letter also said that a report on each review will be forwarded to the court and to the case’s defense lawyer, and that cases will be retried if necessary.

It’s not just Denmark

These kinds of location data errors have also been spotted in the US and in South Africa.

It happened to Wayne Dobson, of Las Vegas: a repeat victim of what Naked Security’s Paul Ducklin calls “precise imprecision”: because of a flaw in a mobile phone company’s database, as of 2013, it was sending people who’d lost their phones to his house, even though all it really knew was that their phone was located somewhere in that part of the world.

Here’s Paul:

It doesn’t draw a little circle on the map to say, “That phone’s probably in a 2km radius of here,” or a jagged polygon to say “It’s somewhere inside this grid of lines joining the following five transmission towers spread over an 8km² area.”

It as good as says, “Head to Casa Dobson. You’ll find the phone in the kitchen, next to the kettle, under this morning’s newspaper.”

Nor is geolocation imprecision limited to cellphone towers.

In 2016, a Kansas couple sued over an IP mapping glitch that repeatedly sent Feds to their house, associating their address with the geographic center of the US and turning what should have been a quiet rural farmhouse into the default answer to “Where the hell is this nefarious IP address located,” as opposed to what that answer should have been: “We don’t have a clue.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/yIUHlMMyAfY/

Google experiments with DNS-over-HTTP in Chrome

Following hot on Mozilla’s trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week.

Mozilla recently announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. This provides some privacy protections compared with regular DNS queries, although as Paul Ducklin explains in the Naked Security podcast, it is not without its issues.

Nevertheless, Google clearly doesn’t want to be outdone. It published a blog post on Tuesday providing more detail on DoH functionality that it will include in Chrome 78.

Google is taking a slightly different approach to Mozilla, though. For one thing, it won’t change the user’s DNS provider. When Chrome makes a web request, it will check to see if that provider is on a list of DoH-friendly DNS services which Google says it has vetted for strong security and privacy. Only if it is on that list will it switch to DoH. This brings a significant benefit, according to the search and advertising giant:

By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work.

Right now, there are six providers in that list, Google itself included: CleanBrowsing, Cloudflare (which is Mozilla’s DoH provider of choice), DNS.SB, OpenDNS, and IBM’s Quad9.
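To make the upgrade policy concrete, here is an added example (not Chrome’s code, and not taken from Google’s blog post) in Python. It goes a little beyond the article: besides the decision logic of “keep the configured resolver, and only switch to that same provider’s DoH endpoint if it is on a vetted list, never for managed deployments”, it shows what the upgraded query actually looks like on the wire, since DoH carries an ordinary RFC 1035 DNS message over HTTPS (RFC 8484), and parses a constructed response. The resolver-to-endpoint table holds the published DoH endpoints of three of the providers named above but is only an illustrative stand-in for Chrome’s real list; the sample response is built locally and never fetched from the network.

```python
import base64
import struct

# Published DoH endpoints of three resolvers named in the article; the table as a
# whole is an illustrative stand-in for Chrome's vetted list, not Chrome's code.
DOH_UPGRADE_TABLE = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


def choose_doh_endpoint(resolver_ip, managed=False, table=DOH_UPGRADE_TABLE):
    """Decide whether to upgrade: keep plain DNS for managed deployments and for
    resolvers not in the table; otherwise use that same provider's DoH endpoint."""
    if managed:
        return None
    return table.get(resolver_ip)


def build_query(name, qtype=1, txid=0):
    """Encode a minimal RFC 1035 query (RD set). RFC 8484 recommends ID 0 so
    identical queries produce identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += struct.pack("B", len(raw)) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint, message):
    """RFC 8484 GET form: base64url of the wire message with padding stripped."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}{'&' if '?' in endpoint else '?'}dns={encoded}"


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if jumped else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return [(name, ttl, ipv4)] from the answer section of a response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response (never fetched): one A record whose name is a compression
# pointer back to the question; the address is from the TEST-NET-3 documentation range.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    endpoint = choose_doh_endpoint("1.1.1.1")
    print("upgrade to:", endpoint)
    print("GET", doh_get_url(endpoint, build_query("example.com")))
    print("parsed:", parse_a_records(SAMPLE_RESPONSE))
```

The design choice the article highlights is visible in `choose_doh_endpoint`: the function never picks a different provider, so filtering or parental controls the configured resolver applies keep working, and it returns `None` for managed deployments, which is one way to avoid breaking split-horizon names that only an internal resolver can answer.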

Google is making the service available on all Chrome-supported platforms with the exception of Linux and iOS. However, that doesn’t include managed Chrome deployments, which means that users of Chrome Enterprise and education customers are out for the time being. That seems to be its way of sidestepping the split-horizon problem that we outlined in our story about Mozilla’s DoH-by-default implementation earlier this week.

For now, the experiment will roll out to “a fraction” of Chrome users, although Google didn’t respond to questions about how they will be selected or where they are. If you’re one of them, you will be able to opt-out by disabling the flag, accessible in Chrome 78 by typing the following into your address bar: chrome://flags/#dns-over-https

Chrome 78 will enter beta sometime between 19 and 26 September 2019, and is due for a stable release on 22 October 2019.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MXZMT9v3Sj8/

Massive email fraud bust snares 281 suspects

Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.

The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations.

Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.

Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said.

The collection of law enforcement agencies who coordinated their efforts in Operation reWired is a who’s who list: besides the DOJ, it included the US Department of Homeland Security (DHS), the US Department of the Treasury, the US Postal Inspection Service, the US Secret Service, and the US Department of State. Deputy Attorney General Jeffrey Rosen also gave a shout-out to the FBI, as well as to more than two dozen US Attorneys’ Offices, the Internal Revenue Service’s (IRS’s) Criminal Investigation unit, state and local law enforcement partners in the US, and law enforcement partners in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the UK.

All together, their work resulted in more than 214 domestic actions: besides the arrests, that included warning letters sent to money mules. There were a number of alleged money mules arrested for allegedly helping to rip off people and businesses, as well.

These are just a few of the suspects who were arrested, who their alleged targets were, and how much money the Feds managed to freeze:

  • Brittney Stokes, 27, of Country Club Hills, Illinois, and Kenneth Ninalowo, 40, of Chicago, Illinois, were charged with laundering over $1.5 million in BEC scam money. According to the indictment, a community college and an energy company were defrauded into sending about $5 million to bank accounts controlled by the scammers. Banks were able to freeze around $3.6 million of the $5 million defrauded in the two schemes. Police seized a 2019 Range Rover Velar S from Stokes and approximately $175,909 from Stokes and Ninalowo.
  • Opeyemi Adeoso, 44, of Dallas, Texas, and Benjamin Ifebajo, 45, of Richardson, Texas, were arrested and charged with bank fraud, wire fraud, money laundering, and conspiracy. Adeoso and Ifebajo are alleged to have received and laundered at least $3.4 million and to have assumed 12 bogus identities to defraud 37 victims from across the US.
  • Yamel Guevara Tamayo, 36, of Miami, Florida, and Yumeydi Govantes, 39, also of Miami, were charged with laundering more than $950,000 in BEC scam money. They’re also allegedly responsible for recruiting about 18 other people to work as money mules, who in turn allegedly laundered proceeds of BEC scams for an international money laundering network. They allegedly went after title companies, corporations, and individuals.
  • Two individuals were charged in the Northern District of Georgia for their alleged involvement in a Nigeria-based BEC scheme that began with a $3.5 million transfer of funds fraudulently misdirected from a Georgia-based healthcare provider to accounts across the US. Two Nigerians – Emmanuel Igomu, 35, of Atlanta, Georgia, and Jude Balogun, 29, of San Francisco – were arrested on charges of aiding and abetting wire fraud for their alleged part in receiving and transmitting BEC money.
  • Cyril Ashu, 34, of Austell, Georgia; Ifeanyi Eke, 32, of Sandy Springs, Georgia; Joshua Ikejimba, 24, of Houston, Texas; and Chinedu Ironuah, 32, of Houston, Texas, were charged in the Southern District of New York with one count of conspiracy to commit wire fraud and one count of wire fraud for their alleged part in a Nigeria-based BEC scheme that affected hundreds of victims in the US, with losses in excess of $10 million.

What’s a BEC scam?

These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the pursestrings and businesses that work with foreign suppliers and/or businesses that are in the habit of executing wire transfer payments.

As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, be it through people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams.

And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty. Last month, the FBI said that this recruitment of money mules on dating sites is on the rise.

BEC scammers aren’t fussy: Besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks… or sensitive personally identifiable information (PII)… or employee tax records… or any/all of the above.

These scams are getting increasingly sophisticated, and they’re raking in ever more loot. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

The report also said that the FBI had received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year: more than double the amount lost as a result of such scams during the previous year.

Also on Tuesday, the FBI put out an updated set of figures that show that between October 2013 and July 2019, $26.2 billion has been lost to BEC scammers. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses, the FBI said – an increase due in part to greater awareness of the scam, which has in turn encouraged more reporting.

They’re coming for payroll

The FBI said that the crooks are increasingly going after payroll funds. It’s seen a spike in spoofed emails sent to companies’ human resources or payroll departments. The emails look like they’re coming from employees requesting a change to their direct deposit account – a tweak to a related scheme, in which a crook gains access to an employee’s direct deposit account and alters the routing to another account.

Typically, the crooks are directing the funds toward pre-paid card accounts.

The FBI had these tips, specifically aimed at helping employees to avoid these payroll scams:

  • Use secondary channels or two-factor authentication (2FA) to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patches on and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s purportedly coming from.
  • Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
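Several of the tips above (check that the URL belongs to the business it claims to be from, watch for misspelled domains, verify the sender address) can be turned into an automated first-pass check on inbound mail to payroll or HR. The following is an added example and not FBI or Sophos code: it parses one message, flags a Reply-To that redirects to a different domain, compares the host shown in a link’s text with the host it really points to, and uses a small edit distance against a list of the organisation’s own domains to catch lookalikes. The trusted domain, the sample message and every address in it are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: domains this (hypothetical) organisation legitimately mails from.
TRUSTED_DOMAINS = {"example-corp.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<"]+', re.I)


def host_of(url):
    """Lower-cased host of a URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain that `host` closely resembles, if any."""
    if not host or host in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(host, t) <= max_dist:
            return t
    return None


def _text_body(msg):
    """Concatenate the decoded text parts of the message (handles multipart too)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = ""
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return body


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # Sender checks: unknown sender domain, Reply-To redirection, lookalike domains.
    if from_dom not in trusted:
        findings.append(f"From domain {from_dom!r} is not a trusted domain")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    for dom in {from_dom, reply_dom}:
        t = lookalike_of(dom, trusted)
        if t:
            findings.append(f"sender domain {dom!r} resembles trusted domain {t!r}")

    # Link checks: displayed URL vs real target, and lookalike link hosts.
    body = _text_body(msg)
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group()) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group())!r} but points to {host_of(href)!r}")
    hosts = {host_of(u) for u in URL_RE.findall(body)} | {host_of(h) for h, _ in ANCHOR_RE.findall(body)}
    for h in sorted(hosts):
        t = lookalike_of(h, trusted)
        if t:
            findings.append(f"link host {h!r} resembles trusted domain {t!r}")
    return findings


# Constructed sample: a direct-deposit change request of the kind the FBI describes.
SAMPLE_EMAIL = """\
From: Payroll <payroll@example-corp.com>
Reply-To: HR Desk <hr-desk@examp1e-corp.com>
To: staff@example-corp.com
Subject: Direct deposit update required
Content-Type: text/html; charset=utf-8

<p>Please confirm your new direct deposit account before Friday:</p>
<a href="https://examp1e-corp.com/payroll/update">https://example-corp.com/payroll/update</a>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("-", finding)
```

A message that trips any of these findings should be routed to the out-of-band verification the first tip calls for (a phone call to the employee on a number already on file, or a second-factor confirmation) rather than acted on from the email alone; the check is a filter, not a decision.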

What else to do

Report it!

Like the FBI says, the skyrocketing statistics related to BEC fraud incidents and losses are due at least in part to increased awareness and reporting.

Of course, law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NtExc1bJlLg/

September 2019’s Patch Tuesday: 2 zero-days, 17 critical bugs

Every now and again, a Microsoft Patch Tuesday update arrives with a bang that sends users scrambling for cover.

Arguably, September 2019’s update earns that description, featuring no fewer than 17 critical flaws (excluding Adobe), plus two zero-day vulnerabilities marked ‘important’ which Microsoft says are being exploited in the wild.

The latter are CVE-2019-1214 and CVE-2019-1215, both elevation of privilege bugs in all versions (7, 8.1, 10, including Servers) of the Windows Common Log File System (CLFS) and ws2ifsl.sys (Winsock), respectively.

Both require local authentication, which means that the exploitation Microsoft is worried about probably depends on being used in conjunction with other vulnerabilities.

But don’t be lulled by the non-critical status – both are dangerous enough to allow an attacker to gain admin privileges. The difference between ‘important’ and ‘critical’ in this context is just the amount of effort required rather than the trouble it could cause.

In addition, two others marked ‘important’, CVE-2019-1235 (Windows Test Service Framework) and CVE-2019-1294 (Secure Boot Bypass) are in the public domain, which means that exploitation is now a possibility.

RDS and all that

The standouts from a total of 80 flaws are, naturally, the criticals. Among these are four client-side flaws in the Remote Desktop, CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291.

The theme of bugs in Remote Desktop Services (RDS, previously Terminal Services) and Remote Desktop Protocol (RDP) has become a flaw buffet this year (see this summer’s ‘BlueKeep’), but these would be harder to exploit and not wormable. As Microsoft writes:

To exploit this vulnerability, an attacker would need to have control of a server and then convince a user to connect to it.

More likely, an attacker would simply compromise a legitimate server the user already trusts using a known server-side vulnerability and then wait for victims to connect.

Windows shortcut

Another interesting critical flaw is CVE-2019-1280, a remote code execution bug connected to how Windows processes .LNK Windows shortcut files which Microsoft describes as follows:

The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary.

If this sounds rather familiar, that might be because it’s a type of flaw made famous by CVE-2010-2568 – a key vulnerability exploited by the Stuxnet attacks against Iran in 2010 (the technique was also abused by the ‘Astaroth’ fileless malware in 2018).

Adobe

September 2019 is another modest month for Adobe, featuring only three CVEs that fix two critical bugs in Flash Player (CVE-2019-8069, CVE-2019-8070), and one DLL hijacking flaw rated ‘important’ in Application Manager.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lRHTsM8cImQ/

Mystery database left open turns out to be massive Groupon ticket fraud ring

We have a new twist on the “researchers find unprotected public-facing cloud-hosted database” story, as one recently uncovered archive turned out to be at the heart of a years-long fraud operation.

The team at VPNmentor said they were confused when first encountering the mystery database that contained details on scores of accounts from ticket purchasing sites. The profiles, all seemingly used for small, independent theaters and music venues, contained payment details for around 17 million ticket purchases.

“The breach seemed to give access to personal details of anyone purchasing tickets from a website using Neuroticket,” explained the VPNmentor team, headed up by Noam Rotem and Ran Locar, on Wednesday.

“Initially, we believed this vulnerability compromised customers on these websites.”

Even more curious, when the team tried to track down the owners of the exposed email addresses, they got few responses, indicating the vast majority were fake accounts.

When efforts to tie the records to a breach of Neuroticket, Ticketmaster, or Tickpick all resulted in dead ends, the team noticed that around 90 per cent of the records also referenced Groupon.

When the VPNmentor crew got in touch with Groupon, they had their breakthrough. It turns out the emails had all been used to purchase tickets for gigs, plays and concerts that were on offer through Groupon deals. What’s more, Groupon immediately recognized the purchases as being the work of a fraud ring it had been tracking since 2016.

The fraudsters in this case used an army of fake accounts and stolen credit card numbers to make bulk purchases of tickets being offered at a discount on Groupon. Those tickets were then resold by the fraudsters at full price (or at a markup) to turn a quick profit.

“Groupon had been able to close most of the accounts, but not all of them. The operation has remained resilient, despite excellent work by the company,” VPNmentor’s team said in their write-up.

“Groupon’s Chief Information Security Officer (CISO) estimates the number of fraudulent accounts in the network we helped uncover to be as high as 20,000.”

It gets even more bizarre. When combing through the records in the database, the VPNmentor crew found a note from another hacker who had stumbled on the exposed database.

“Claiming to have extracted information from the database, it demanded a ransom of $400 in Bitcoin, in exchange for not releasing the stolen data to the public and subsequently deleting it,” the team notes.

“It seems, at least one criminal hacker has already hacked the database. Not understanding what they discovered, they’re trying to extort its owners.”

UK-based bug hunter Oliver Hough also says he came upon the database a while ago, but was unable to connect the dots with Groupon.

The moral of the story is, as always, keep track of your cloud database instances and always make sure public access is disabled. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/database_groupon_scam/

Watch live today: How to make your voice heard – and keep your staff safe from hackers

Webcast Security professionals like you have a tough job.

You can bang on about risks, threats, cyber-attacks, and other scary stuff, explain the ins and outs of compliance, issue dire warnings to colleagues about what may happen if they don’t do the right thing… and they remain supremely unperturbed.

And all the time you know precisely who will be carrying the can when things go wrong. If you want to know what you can do to ease your frustration, and make yourself heard, the answer is at hand.

In today’s webcast – Lions and Tigers and Hackers, Oh My! – you will hear security blogger Graham Cluley, Robert O’Brien, CEO of cybersecurity software developer MetaCompliance, and The Reg’s own Jon Collins share expert advice that will help you sharpen your ability to cut through the knotty tangle of intransigence and avoidance.

As well as covering the usual security topics, such as passwords, phishing, and the like, the discussion will reveal a useful set of techniques, tricks, and tips that can drive security awareness into the minds of the users you need to convince.

If you want the power to enable the best possible security practices, tune in to this live webcast, brought to you by MetaCompliance, today.

Sign up and drop in right here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/12/security_webcast/

Community Projects Highlight Need for Security Volunteers

From university courses to open source self-starters, community software projects aim to solve problems for populations in need. A focus on security is required as well.

Image: sebra via Adobe Stock

In 2008, the Georgia Institute of Technology kicked off a course to give computer science students experience in creating applications and software for communities that might not otherwise have the resources to purchase technology. 

Known as Computing for Good, the course produced some early successes. The Vein-to-Vein project created — in collaboration with the Centers for Disease Control and Prevention (CDC) — an open source blood safety management system for clinics in Africa that could electronically track information related to specific blood samples. Similarly, the Basic Laboratory Information System (BLIS) project worked with the CDC and several nations’ ministries of health to create a system to help medical and hospital laboratories manage tests and specimens.

Other projects have included creating a system that helps manage workflow in schools for students with disabilities, and a system that analyzes images to look for illegal mining operations. 

A decade later, many of these systems are still in use in some form — a testament to the power of volunteering coding skills for community projects, says Santosh Vempala, the Frederick G. Storey chair in computing and a professor of computer science at Georgia Institute of Technology.

“The challenge is to provide benefits of computing while working in the current resource-constrained environments [dealing with, among other issues] lack of Internet, water, electricity, technical skills, education, and income,” he says. “So some considerations are quite different from the developed world, and others take a relative backstage, at least for a time period.”

Risk Realities

Yet the success and longevity of the projects also put them at risk because attackers are searching for vulnerable systems — and such bespoke projects are on their radar.

On September 10, for example, vulnerability management firm Rapid7 disclosed three vulnerabilities it had found in the BLIS system during a penetration test. These vulnerabilities could have allowed an attacker to gain information on the system’s users, give an existing user administrator privileges, and then change the user’s password — effectively gaining administrator access to a BLIS system.

Currently, such systems are deployed in almost three dozen facilities in Africa, giving them the ability to serve an important healthcare function: to collect and maintain data on the samples and testing in medical laboratories. As a result of that support, the project continues to benefit from developers’ efforts. Not only did a maintainer respond quickly to Rapid7, but developers had already identified the issues and have released an update with a patch. 

Tod Beardsley, director of research at Rapid7, gives the project plaudits for its quick response to the issues, but argues that security needs to be made a priority. 

“It is great that they could get fixes out, but I do think that when you are providing software, it is on you to double-check your security,” he says.

There are many such projects and efforts. Carnegie Mellon University and the University of Southern California have created similar courses and delivered projects to affiliated groups, some of which are still in use today. GitHub has many open source projects written by volunteer developers, and the Free Software Foundation has supported a number of software projects, under the GNU moniker, aimed at developing communities.

“Open source maintainers are motivated by a mix of altruism, commitment to maintaining the community around the project itself, and the pride in knowing that they have developed something cool that is serving some greater need,” says Reed Loden, director of security at HackerOne.

The code-security trends of these charitable development efforts mirror those in the open source world in general. Security is often an afterthought, and as the focus of attackers shifts to less-vetted projects, such software comes under scrutiny. 

Such projects need to recruit more security people, Loden says.

“There is only a small pool of people out there that have the skillset to actually fix vulnerabilities once found, and we currently do not have enough maintainers to review and apply those fixes,” he says. “In terms of motivation, many security researchers are contributors to open source and are firm believers in open source projects. They are motivated by a mix of altruism, curiosity, and, of course, if there is a bounty — though not generally the prime motivator.”

One problem is that many of these projects are used by small groups or a limited number of organizations, so they fail to gain the same scrutiny as larger, more well-known projects, says Rapid7’s Beardsley.

“You would never find this software, really, unless you were looking for it or had worked on it,” he says. “It would not show up on any list of downloaded software, and it really was not created with well-known components or frameworks that have had security scrutiny.”

Connected Complexity
Such issues become even more critical because many of these systems are moving from local installations to Internet-connected servers and even to the cloud. BLIS, for example, is undergoing a series of updates to make it ready to become an Internet-connected service, Georgia Tech’s Vempala says. 

“After 10 years of entirely offline activity, countries would now like to consider moving to Internet and cloud-based healthcare data,” he says. 

Currently, every existing installation in Africa is local, so the vulnerabilities found by Rapid7 are essentially moot, Vempala adds.

Georgia Tech has put a focus on the topics of security and privacy in its current incarnation of the Computing for Good course. In addition, other charitable efforts are underway as well. Google’s Patch Reward Program pays security researchers and developers up to $20,000 for finding vulnerabilities and providing a patch to a select group of open source projects. GitHub, now owned by Microsoft, offers anyone the ability to sponsor an open source project, as do many other projects such as Open Collective, Tidelift, and Community Bridge.

To date, however, most of these efforts have been aimed at large, well-known, and foundational open source efforts. Smaller community projects have fewer resources and need security professionals to volunteer as well, Rapid7’s Beardsley says. 

“When you are in a position of building software for at-risk populations, populations that don’t have the normal level of resources that we might enjoy here in the US, you have a special obligation to pay attention to security,” he says. “We need volunteer efforts by security professionals and developers with security backgrounds to check in on these projects.”

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Security Pros’ Painless Guide to Machine Learning, AI, ML DL.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/community-projects-highlight-need-for-security-volunteers/b/d-id/1335779?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Infosec prophet Bruce Schneier (peace be upon him) is only as famous as half of Salt-N-Pepa

Despite billing himself as “the world’s most famous hacker”, Kevin Mitnick isn’t the infosec personality your grandma is most interested in learning more about.

That honour falls to Robert Herjavec, who is the most searched-for person on Google with an infosec connection, according to a list compiled by threat intel firm Redscan.

Canadian entrepreneur Herjavec formed the eponymous firm in 2003, building it into a multimillion-dollar security integration and reseller business. However, he’s also a regular feature on the Canadian version of Dragons’ Den, meaning his telly antics are much more likely to be of interest to the great unwashed than his company.

Behind Herjavec in the second most-Googled spot is John “Totally Sane” McAfee, last seen moving from tinfoil safe house to tinfoil safe house having been told by an American court to pay $25m to the family of his murdered next-door neighbour. McAfee denies involvement in Gregory Faull’s death, despite having fled his Belize home in the immediate aftermath.

Compared to non-industry folk, computer security’s fame is rather residual. Ranking alongside McAfee’s Google search popularity is actor David Bradley, famous for playing a mumbling farmer with a barn full of weapons and explosives in British cult classic Hot Fuzz and also for appearing a few times in some American sitcom about a metal chair. Meanwhile, rivalling infosec’s top man Herjavec is actor and lawyer Ben Stein, known among film buffs as the boring teacher who says “Bueller? Bueller?” (and not a lot else) in Ferris Bueller’s Day Off.

Eventually making an appearance at number three is Mitnick, who continues to trade to this day on his FBI most-wanted status from 2000.

Numbers four and five on Redscan’s list are Bruce Schneier and Troy Hunt respectively, who rank alongside Sandra Denton (Pepa from 1980s hip-hop duo Salt-N-Pepa) and English footballer Lucy Bronze, who plays for French club Olympique Lyonnais.

Aside from personalities, Redscan also took a look at other infosec-related search terms using Google Trends to compare relative popularity over time. While their list of antivirus and enterprise security companies holds no surprises, they also looked at the most-Googled hacking crews. Despite having been out of business for nearly a decade LulzSec is still up there in third, behind Anonymous and Lizard Squad.

As for the most searched-for hacks [None of us made it – Ed], the Equifax breach of 2017 is number one among the last 10 years’ worth of Googled breaches. 2018’s top was the Marriott Starwood reservation data breach, with 2017 also featuring Equifax and 2016 being the year of the Yahoo! hack.

“Cyber security has changed remarkably over the last 15 years and Google’s search data is a great measure of this,” said Andy Kays, a technical director at Redscan. “This is underscored by the rising interest in online privacy and the fallout and damage caused by the Equifax data breach, the most Googled cyber breach ever.”

Indeed it has. While extrapolating from Google Trends (which never puts raw numbers on compared searches, only returning wiggly lines) is a risky business at the best of times, it probably says something deep and insightful that public awareness of infosec’s more knowledgeable people ranks alongside female footballers and bit-part actors.

Keep fighting the good fight, folks. We know who you are – even if Auntie Mabel doesn’t. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/11/infosec_isnt_cool_to_normies/

Firmware: A New Attack Vector Requiring Industry Leadership

It’s time for cybersecurity manufacturers and solution providers to step up and show leadership in addressing firmware security. Read why and how.

Awareness of cybersecurity danger has skyrocketed in recent years. In 2004, the entire global cybersecurity market totaled $3.5 billion — by 2014, it exceeded $120 billion. However, almost all this attention has been on attack vectors such as software, applications, infrastructure, and human/social behavior. Firmware — code that is loaded onto a device when it’s built and is mostly hidden from the end user — is a dangerous new attack vector. It is largely firmware concerns that are driving the debate around devices made by the Chinese firm Huawei.

The emergence of firmware as a new attack vector has reignited an age-old debate within industry: Who’s responsible for addressing device cybersecurity? Is it the device manufacturer, or is it the company purchasing the device? This “chicken or the egg” debate has hampered cybersecurity for too long. Unaddressed, it could also torpedo the emergence of the Internet of Things (IoT), which is expected to produce billions of Internet-connected devices run by firmware — cameras, printers, speakers, appliances.

The government’s answer to the question of responsibility is becoming quite clear. In the face of increasingly aggressive and sophisticated cyberattacks, there has been a focus on securing the Department of Defense (DoD) supply chain. This means the cybersecurity practices of contractors have come under more intense review. The mechanism for doing so is the Defense Federal Acquisition Regulation Supplement, or DFARS.

DFARS clause 252.204-7012 sets out how contractors must safeguard covered defense information and how they must report cyber incidents. To enforce these requirements, the DoD has launched its Cybersecurity Maturity Model Certification (CMMC) initiative, which will require contractors to achieve certification by late 2020 to participate in the national defense supply chain.

These regulations also reflect an increasing willingness of government to hold companies responsible for cybersecurity vulnerabilities in their products. For example, Cisco recently agreed to pay $8.6 million to settle litigation claiming the company violated the False Claims Act by not addressing vulnerabilities in its video surveillance products sold to the US government. The company ignored the warnings of an internal whistleblower and continued to sell the product for years before revealing the potential cybersecurity holes publicly.

Of course, the threat extends beyond government networks to private industry and academia as well. I recently spoke with Bill Priestap, former assistant director of the FBI’s counterintelligence division, at a cyber summit held in Baltimore, Maryland. He shared with me the following quote:

Nation state adversaries are employing a variety of means to try to gain insight into our companies and research institutions, and today our approach to protecting proprietary information must be more comprehensive. Among other things, this involves understanding and addressing supply chain risks, including those associated with firmware.

The counter narrative from the industry regarding taking on such cybersecurity responsibility has been the difficulty and additional cost. Many cybersecurity products involve technology from multiple firms, increasing the complexity of the challenge. Firmware images and libraries are often delivered as binaries for insertion into software, meaning there is no access to the source code. In the business-to-government space, additional quality assurance time and costs need to be borne without a guarantee of resulting business.

There is some validity to these arguments, but times have changed and companies must step up and accept responsibility for the cybersecurity of their offerings. It’s become the table stakes for doing business.

Leading companies can also view increased firmware security as a differentiator. New technology startups have emerged, some headed by former intelligence personnel, that simplify and automate the firmware analysis process. File systems can be extracted from an image and scanned to detect things like backdoor accounts, out-of-date software components, and potential zero-day vulnerabilities. Companies have better technology today to inspect and validate the components provided by their vendors.
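The firmware-analysis workflow sketched above (extract the file system, then scan it for backdoor accounts and out-of-date software) looks roughly like the following in practice. This is an added example written for this page, not code from the author or from any vendor tool. It assumes the firmware image has already been unpacked into a directory tree (for instance with binwalk), and the sample file tree and the minimum-version table it checks against are constructed for illustration rather than taken from a real device or advisory feed.

```python
"""Scan an unpacked firmware root filesystem for backdoor accounts and
out-of-date components. Added example; assumes the image is already
extracted to a directory. Sample data and version floors are constructed."""
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Constructed sample rootfs: a second UID-0 account ("support") that reuses
# root's hash, a web account with an empty password field, and an old
# Dropbear version banner embedded in a binary.
SAMPLE_FILES = {
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "support:x:0:0:vendor support:/:/bin/sh\n"
        "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"
        "admin::1000:1000:web admin:/home/admin:/bin/sh\n"
    ),
    "etc/shadow": (
        "root:$1$abcd$hashhashhashhashhashha:18000:0:99999:7:::\n"
        "support:$1$abcd$hashhashhashhashhashha:18000:0:99999:7:::\n"
        "nobody:*:18000:0:99999:7:::\n"
    ),
    "usr/sbin/dropbear": "Dropbear sshd v2016.74\x00https://matt.ucc.asn.au/dropbear\n",
}

# Hypothetical floor versions; a real scan would consult a CVE/advisory feed.
MIN_VERSIONS = {"dropbear": (2019, 78), "busybox": (1, 31)}

# Component name, up to 12 non-digit bytes (e.g. " sshd v"), then major.minor.
VERSION_RE = re.compile(rb"\b(dropbear|busybox)\b[^0-9\n]{0,12}(\d+)\.(\d+)", re.IGNORECASE)


def write_sample_rootfs(root: str) -> None:
    """Materialise SAMPLE_FILES under root (constructed test data)."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content.encode())


def _read_colon_file(root: str, rel: str) -> List[List[str]]:
    """Parse a passwd/shadow-style file into lists of fields; missing file -> []."""
    path = os.path.join(root, rel)
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n").split(":") for line in fh if line.strip()]


def find_account_issues(root: str) -> List[str]:
    """Flag extra UID-0 users, empty password fields, and accounts that share
    root's password hash (a common shape for a vendor 'support' backdoor)."""
    shadow = {f[0]: f[1] for f in _read_colon_file(root, "etc/shadow") if len(f) >= 2}
    root_hash = shadow.get("root", "")
    issues = []
    for fields in _read_colon_file(root, "etc/passwd"):
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, pw_field, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            issues.append(f"extra UID-0 account: {name}")
        if pw_field == "":
            issues.append(f"empty password field: {name}")
        # When passwd holds "x" the real credential lives in shadow.
        cred = shadow.get(name, pw_field) if pw_field == "x" else pw_field
        if name != "root" and cred.startswith("$") and cred == root_hash:
            issues.append(f"shares root's password hash: {name}")
    return sorted(issues)


def find_outdated_components(root: str) -> List[str]:
    """Grep every file for version banners of known components and report
    any below the MIN_VERSIONS floor."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in VERSION_RE.finditer(data):
                comp = m.group(1).decode().lower()
                ver = (int(m.group(2)), int(m.group(3)))
                floor = MIN_VERSIONS.get(comp)
                if floor and ver < floor:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append(f"{rel}: {comp} {ver[0]}.{ver[1]} < {floor[0]}.{floor[1]}")
    return sorted(findings)


def scan_rootfs(root: str) -> Dict[str, List[str]]:
    return {"accounts": find_account_issues(root), "outdated": find_outdated_components(root)}


def demo() -> Dict[str, List[str]]:
    """Unpack the constructed sample into a temp dir, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="fw_rootfs_")
    try:
        write_sample_rootfs(root)
        return scan_rootfs(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("  -", item)
```

Point `scan_rootfs()` at a real extracted tree to run the same checks on a vendor image; the account checks are deliberately conservative (only UID 0, empty fields, and hash reuse), since a noisy scanner is the quickest way to get its output ignored by the procurement team that has to act on it.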

It’s time for cybersecurity manufacturers and solution providers to step up and show leadership in addressing firmware security. Better tools are available, and government regulation is increasingly making it mandatory. Embracing the challenge head on will increase confidence in IoT devices, be better for their bottom lines and ensure the continued growth of the cybersecurity industry overall.


Tony Surak has co-founded and/or operated a number of startup companies including network equipment company Synaptyx, software development services firm GlobalLogic and database product company FoundationDB. He also serves as a board member for Attila Security and ReFirm … View Full Bio

Article source: https://www.darkreading.com/risk/firmware-a-new-attack-vector-requiring-industry-leadership-/a/d-id/1335743?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple