STE WILLIAMS

UK ICO, USCourts.gov… Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned

Thousands of websites around the world – from the UK’s NHS and ICO to the US government’s court system – were today secretly mining crypto-coins on netizens’ web browsers for miscreants unknown.

The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.

This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud’s source code – to silently inject Coinhive’s Monero miner into every webpage offering Browsealoud.

For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.

A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), Lund University (lu.se), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.

Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The Monero miner was added to Browsealoud’s code some time between 0300 and 1145 UTC: here’s a clean copy of its JavaScript, and the hacked version. Coinhive’s code is mostly detected and stopped by antivirus packages and ad-blocking tools. The miner perishes when you close the browser tab, so if you have visited one of the affected sites, your computer shouldn’t be infected: the code only runs while the tab is open.

Scrambled … A portion of the obfuscated mining code injected via Browsealoud today

The injected mining code was obfuscated, but when converted from hexadecimal back to ASCII it spelled out the necessary magic to summon Coinhive’s stealthy JavaScript miner to the page.

Defense mechanism

The malicious code was first spotted by UK-based infosec consultant Scott Helme, and confirmed by The Register. He recommended webmasters try a technique called SRI – Subresource Integrity – which catches and blocks attempts by hackers to inject malicious code into strangers’ websites.

Just about every non-trivial website on the planet loads in resources provided by other companies and organizations – from fonts and menu interfaces to screen readers and translator tools. If any one of these outside resources is hacked or tampered with to perform malicious actions, such as mine crypto-coins, all the websites relying on that compromised resource will end up pulling the evil code onto their pages and into visitors’ browsers.


SRI uses a fingerprinting approach to stop vandalized JavaScript from being imported into webpages. If an internet dirtbag changes a third-party provider’s source code, the alteration is detected and blocked by the individual websites using this signature technique.

Until more websites use this protection mechanism, third-party resource providers – like Browsealoud – will be targeted by criminals to spread miners, or worse, on thousands of websites. A scumbag simply has to hack one provider to effectively infect countless other webpages.

“Third parties like this are absolutely a prime target and have been for some time,” Helme told El Reg today. “There’s a technology called SRI (Sub-Resource Integrity) designed to fix exactly this problem, and unfortunately it seems that none of the affected sites were using it.”

A spokesperson for Texthelp told us as we were preparing to publish that it has removed its Browsealoud code from the web while it probes the security cockup, shutting down the illicit Monero-crafting operation.

“We are addressing this immediately,” the biz said via Twitter. “Our Browsealoud service has been temporarily disabled whilst our engineering team investigates.”

Luckily, the injected code was just trying to slyly mine Monero coins – one XMR is worth $238.65 or £172.56 right now – rather than anything more malevolent, such as popping up dodgy ads, stealing passwords, snooping on keystrokes, or tricking people into installing malware.

Texthelp’s altered JavaScript was pulled offline by 1600 UTC today, we can confirm, meaning the affected websites are, for now, back to normal. The UK’s ICO has also switched its website to a minimal “maintenance” mode as a precaution. ®

Updated to add

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

The company added that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/

Winter Olympics website downed by cyber attack

The Pyeongchang 2018 Winter Olympics’ website went down just before the event’s Friday opening ceremony, thanks to a cyber-attack, and stayed down for about 12 hours.

The outage left users unable to print tickets or view information about the games. Some networks around the games venues also went down.

Speculation quickly suggested the outages were not accidental and at a Sunday evening news conference, Pyeongchang 2018 spokesperson Sung Baik-you confirmed they were caused by an attack.

“We know the cause of that problem, but that kind of issues occur very frequently during the Olympic Games,” he said. “We have decided with the IOC that we are not going to reveal the source.”

International Olympics Committee (IOC) head of communications Mark Adams suggested the problem could be ongoing. He told the briefing “We wouldn’t start giving you the details of an investigation before it has come to an end, particularly because it involves security which at these games is incredibly important. I am sure you appreciate we need to maintain the security of our systems.”

“At the moment we are making sure our systems are secure, which they are, so discussing details of it is not helpful.”

“This is normal practice,” Adams insisted. “You will understand that maintaining secure operations is our focus. That’s the focus of any organisation that has been hit by such a thing. And in line with best practice, which is industry practice, we are not going to comment on the issue because it is an issue we are dealing with.”


Adams later added that the IOC has not identified the attacker and would not name them at a press conference, but promised a “full report” into the incident. He would not commit to making it public.

As North Korea has made peaceful overtures towards the South ahead of the games, it’s thought to be unlikely it’s behind whatever attack hit the Games’ website.

The North has, however, assaulted the world with a 200-plus troupe of cheerleaders that performs choreographed song and dance routines in the stands at the games. The troupe is going a bit viral, a demonstration of the North’s ability to distribute propaganda about its capabilities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/11/winter_olympics_website_downed_by_cyber_attack/

Have federal nuclear supercomputer? GO CRYPTOMINING!

Here’s some fun for the weekend – with a serious side.

What would you do with a really powerful computer?

Wait…

…don’t answer that question just yet – we’re going to do some time-travelling first.

What would you do with a really powerful computer if it were 1998?

We were about to say, “Try to get a copy of every song on Napster for bragging rights about the size of your digital jukebox,” but Napster only came out in 1999.

We also nearly said, “Learn how to download the internet over the university’s network,” but Google had that more or less wrapped up by then.

Or maybe you were community-spirited, and decided to lend out your home computer’s processing power while you were asleep or at work, by contributing to projects such as distributed.net or SETI@home.

Distributed.net is a project to carry out brute-force cryptographic cracking and see how well it goes, to act as a yardstick to keep track of how many bits of encryption we’re likely to need in real life.

SETI@home is the Search for Extraterrestrial Intelligence, churning through masses of background data from radio telescopes, just in case aliens (or their conquering AI overlords) had already called us but we’d been too self-obsessed to notice their call at all, let alone to answer it.

As you can imagine, back in the 1990s, lots of work PCs were used at night for these at-home projects – at least, the users were at home, but the computers weren’t.

These “donations of computing resources” frequently (OK, almost always) happened without the permission, or even knowledge of, the company that actually owned the computers and paid the electricity bills.

(Both the abovementioned projects are still going strong, by the way. So far, the answers are, “72 bits” and, “Apparently not.”)

What would you do with a really powerful computer if it were 2008?

We reckon the obvious answer would be, “Build the world’s biggest online Dungeons and Dragons multiverse.”

Or, perhaps, “Run enormously dramatic climate simulations that start with a butterfly flapping its wings in Africa” – 2008 was, after all, still firmly in the afterglow of Al Gore’s kerosene-burning global journey to promote environmental change.

OK, now we’re back in 2018.

What would you do with a really powerful computer today?

Let’s be more specific: what would you do if you were a sysadmin with access to 1,000,000,000,000,000 floating point operations per second, or 1 petaFLOP for short?

FLOPs are a measure of power used mainly when ranking supercomputers.

Very loosely put, “floating point operations per second” refers to “the amount of actual number-crunching you can do in any given time”, not merely how many low-level computer instructions you can execute.

A 3GHz Intel CPU, at its peak, can do tens of billions of instructions per second (most modern CPUs have multiple processing cores), but a calculation such as “divide the US national debt in cents by the number of angels that can dance on the head of the Seattle Space Needle” might need dozens of clock cycles, or even more.

If you’ll allow us to carry out some rather hand-waving comparisons, we’ll take a quick look at the combined power of the Folding@home project, a contemporary distributed computing project much like SETI@home, but focused on disease research rather than on possible messages from outer space.

Folding@home has about 50 petaFLOPS at its disposal from around 100,000 participating computers, typically with well-above-average processing power, for an average of 2000 computers per petaFLOP.

So a 1 petaFLOP computer all of your own would be something like having a botnet of 2000 top-end gaming rigs dedicated entirely to your computational commands.

Where to get a 1 petaFLOP computer?

But where would you get a 1 petaFLOP computer?

Well, let’s say you knew the sysadmins who ran a supercomputer for a bunch of nuclear scientists…

…what would you do with all those spare processor cycles?

Better yet, what if you were those sysadmins, and you thought no one would mind all the unaccounted-for megawatt-hours on the next electricity bill? (Or at least hoped they wouldn’t notice?)

According to Russian news agency Interfax, the moonlighting activity of choice for a bunch of rogue workers at the All-Russian Research Institute of Experimental Physics was cryptomining.

Who would have thought?

If Google’s machine translation is to be trusted, the Institute’s director Tatyana Zalesskaya officially stated:

There was an attempt to make unauthorised use of office computing capacity for personal purposes, including for so-called cryptomining.

We don’t know what cryptocurrency or currencies were involved – but if we were given to gambling, we’d guess at Bitcoin, Monero or both.

Zalesskaya is also reported as saying that “similar attempts have recently been noted in a number of big companies with large computing capacities.”

We don’t know whether that makes it sound better (because it’s not just physicists struggling to control computer usage) or worse (because it’s already a widespread problem).

Mostly harmless?

It’s like 1998 all over again, where work computers are being “donated”, without permission, to carry out “home hobbies”.

It sounds mostly harmless at first – cryptomining doesn’t need to read your personal data, or even to access your filing system at all, so what’s the downside?

To be fair, there isn’t much of a downside, as long as you ignore:

  • The unbudgeted operating expenses from powering computers to work for someone else.
  • The opportunity costs because legitimate work gets slowed down.
  • The security risks from who-knows-what untrusted programs and network connections.
  • The reputational and regulatory costs of reporting, investigating and explaining the intrusion.

Anyway, now we know what supercomputers get up to when there are no new subatomic particles to be discovered, MMORPG multiverses to be explored, or interstellar aliens to get in touch with.

CRYPTOCOINS!

You couldn’t make this stuff up… and, sadly, you don’t need to.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h_LYYrdKHsg/

NSA code backported, crims cuffed, leaky AWS S3 buckets, and more

Roundup Here’s a roundup of this week’s security news, beyond what we’ve already covered, to kickstart your weekend.

You dirty RAT

Scumbags could, once upon a time, buy a remote access trojan called Luminosity Link for about $40, and get a piece of malware that, when installed on victims’ PCs, would spy on their activities, disable security software, and install further malicious code. It’s the sort of stuff miscreants purchase to snoop on their partners, spouses, employees, rivals, and so on. But now that’s over, for Luminosity Link that is, because Brit cops have shut down the software’s distribution, and are hunting for those that bought it.

“The sale and deployment of this hacking tool were uncovered following a single arrest and the subsequent forensic examination of the computer,” said Detective Inspector Ed Heath, head of the UK’s South West Regional Cyber Crime Unit. “More than a year’s complex work with international policing partners led us to identify a large number of offenders.”

Infraud ‘kingpin’ nabbed

There was more good news in international cooperation this week with the takedown of the Infraud Organization, a group accused of selling and exploiting stolen data online. Thirteen people were cuffed and 36 indicted after an international police operation.

According to the cops, the alleged kingpin of the operation, whose motto was “In fraud we trust,” was Sergey Medvedev, 31, a Russian national who was nabbed during a holiday in Thailand. Police seized a lot of electronic gear and shortly afterwards took control of the crime gang’s forum.

We’ve seen cops and government agents use this tactic – snaring people on vacation – before against Russian operators. Basically, there aren’t a lot of nice getaway destinations in Russia during winter, and if nationals head to a country that has the right extradition treaties, they’re going to get cuffed.

Two steps forward, several steps back

OK, so the police had some luck, but there’s still a lot of nasty stuff out there.

Chinese researchers have spotted an Android worm in circulation in Asia and now spreading fast around the world. The ADB.Miner, it is believed, is being spread by third-party app stores, thanks to code borrowed from the Mirai botnet.

It appears that the main purpose of the malware is to rev up the infected phone’s processor core so that it can mine digital currency. As such, the worm will need to spread fast to be effective – most handsets don’t have the hardware grunt (or battery life) to be serious coinage creators.

Eternal romance in time for Valentine’s Day

We’re likely going to be seeing more malware infections coming down the line using the NSA’s leaked exploit code that attacks Windows network shares. Earlier this week, a security researcher showed it was possible to adapt the exploit code to attack older versions of Windows that were previously spared by the cyber-weapons.

Sean Dillon, a researcher at security shop RiskSense, found a way to port the EternalChampion, EternalRomance, and EternalSynergy exploits – developed by the NSA and then leaked online by the Shadow Brokers – to Microsoft operating systems going all the way back to Windows 2000.

If you have applied the MS17-010 patch from Microsoft, you should be safe from these SMB-based attacks.

It was an interesting piece of research, done to make it easier for other researchers to find new ways to block the code. But it’s likely that the malware community is also taking note and so we’ll see a lot more hacks using these exploits in the future.

The Shadow Brokers are thought to be a Russian front organization, and there was more news about what Putin and his pals have allegedly been up to this week. Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said that the Russians had actually got into voting roll computers before the 2016 election.

“We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated,” she said.

That’s good news in a way, but as we have seen it’s astonishingly easy to hack America’s pathetically insecure voting system. Much more work is going to be needed to fix these issues and there’s another election round this year.

Buckets, buckets everywhere!

Chris Vickery and the Upguard team have had a busy week, exposing not one but two cases where companies are storing material online in Amazon S3 buckets without proper safeguards.

On Monday, he outed Octoly, a Paris-based brand marketing company that chucks freebie goodies at social media influencers in exchange for getting positive press coverage. Unfortunately, the agency left the contact details for 12,000 of these hipsters-for-hire online for all to see.

(For the record, it should be pointed out that we at El Reg never provide positive coverage in exchange for freebies. We’ll happily let a PR buy us a drink or six, or a slap-up steak meal, or a trip to Hawaii, but that’s not reflected in our copy.)

On Wednesday, Upguard was at it again, this time reporting on the Maryland Joint Insurance Association in the US. On this occasion, it wasn’t an Amazon cloud account issue, just a misconfigured network-attached internet-facing storage device that provided easy access to anyone who found it online.

The device contained customer names, addresses, phone numbers, birth dates, and full Social Security numbers, as well as financial data such as check images, full bank account numbers, and insurance policy numbers. For added fun, the company’s admin passwords were also on display.

Upguard has made finding unsecured storage archives and advising companies on how to be more secure into a nice little business. If you don’t want to be shown to be a doofus then for goodness’ sake lock down your archives – we’re getting peeved at having to cover these kinds of cockups. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/10/security_roundup/

Corpse! of! Yahoo! drags! emails! of! the! dead! case! to! US! Supreme! Court!

Should a court-appointed lawyer be allowed to rifle through your email account after you die? The artist formerly known as Yahoo! has asked the US Supreme Court to answer that question for users in the United States.

The court, which is located in the country’s capital city of Washington, DC, on the eastern side of the US, has been asked by Oath Holdings, the corporate body holding the purple-tinged corpse of Yahoo!, to declare whether a lawyer can or cannot read your private correspondence after you die.

“During their lifetimes, most people will have sent emails they considered private to their friends, doctors, lawyers, and lovers. They will have protected the privacy of those emails with passwords intentionally withheld from others. Their emails may say unflattering things about children, parents, and spouses, or contain embarrassing revelations, which they intended to remain private, even after death,” said Yahoo!’s filing.

“Yet,” continued the filing, “under its interpretation of federal law, the Supreme Judicial Court of Massachusetts said that court-appointed estate administrators can access all private email accounts, irrespective of the [deceased’s] actual wishes.”

Yahoo! is asking the US Supreme Court to overturn that through the American legal procedure of certiorari, which is similar to the English legal concept of judicial review, describing the Massachusetts court’s view as “expansive, flawed and dangerous”.

Central to the US Supreme Court case is an earlier case from Massachusetts where that US state’s top judges decided it was all right to go poking through the Yahoo! email account of John Ajemian, who died more than a decade ago after a cycling accident. Ajemian’s brother and sister wanted to get into their brother’s private email account, arguing that as his surviving relatives, they were able to legally consent to having the account opened up.

Yahoo! had refused to disclose Ajemian’s emails, citing an American federal law, the Stored Communications Act. The Purple Palace’s people said that in effect they could only disclose the emails with the dead man’s consent – and, as he was dead, that obviously would not be forthcoming. The local court ruled that the act permitted Yahoo! to reveal its contents.

“Since email accounts often contain billing and other financial information, which was once readily available in paper form, an inability to access email accounts could interfere with the management of a [deceased’s] estate,” observed the judges.

The judicial review application was filed in mid-January. No date for a hearing has yet been set. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/09/yahoo_email_account_access_supreme_court/

Ruskie boffins blasted for using nuke bomb lab’s supercomputer to mine crypto-rubles

Engineers at Russia’s top nuclear weapons lab have been arrested – after the eggheads were caught using one of the supercomputers to mine cryptocurrency.

The government-run research facility at Sarov, southeast of Moscow, has been developing nuke bomb technology since the 1940s. It is a closed town, meaning you need a permit just to visit the area. Security is so tight it doesn’t appear on maps.

A pair of unnamed boffins at the site were using the lab’s petaflop-grade supercomputer to mine digital currency, but were discovered and collared by President Putin’s agents, it is claimed.

“There was an attempt at unauthorized use of office computing capacities for personal purposes, including for so-called mining,” Tatyana Zalesskaya, head of the research institute’s press service, told Interfax on Friday.

“Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises. This is technically a hopeless and criminal offense.”

The facility uses supercomputers to model nuclear explosions and their effects without having to blow anything up and violating the nuke bomb test ban treaties Russia has signed.

We’re told the engineers were snared when they tried to connect the computer to the internet. That’s a massive infosec no-no: security teams noticed it immediately, and called in Russia’s crack intelligence outfit, the FSB. A criminal investigation is underway, and the brainiacs are unlikely to keep their jobs, we reckon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/09/russian_nuclear_supercomputer_cryptocurrency/

Back to Basics: AI Isn’t the Answer to What Ails Us in Cyber

The irony behind just about every headline-grabbing data breach we’ve seen in recent years is that they all could have been prevented with simple cyber hygiene.

Earlier this month, many of the planet’s most influential leaders met at the World Economic Forum in Davos to address some of the most pressing issues of our time, including artificial intelligence (AI). AI was touted as the answer to everything from bespoke cancer therapies to more-efficient cheese making. Some people in cyber are turning to AI as well, arguing that machines will be able to more quickly adapt to and manage threats, and eventually even be able to predict (and therefore prevent) attacks.

AI has a great PR machine behind it and may hold good long-term potential. But it’s not the answer to what ails us in cyber. In fact, I’d put AI in the same camp as advanced persistent threats (APTs) — sophisticated cyberattacks usually orchestrated by state-sponsored hackers and often undetected for long periods of time (think Stuxnet). Both are really intriguing, but in their own ways they’re existential distractions from the necessary work at hand.

At the crux of just about every high-profile breach and compromise, from Yahoo to Equifax, sits a lack of foundational cyber hygiene. Those breaches weren’t about failing to use some super-expensive, bleeding-edge, difficult-to-deploy and unproven mouse trap. In cyber, what differentiates the leaders from the laggards isn’t spending millions and millions of dollars on sexy bells-and-whistles interfaces. It’s about organizations setting a culture in which security matters. That means they prioritize cyber hygiene. They understand that cyber risk equals business risk in our digital age.

Consider the Equifax breach. When the company was called to testify before Congress about the catastrophic breach that affected 145 million Americans, they displayed a dazzling disregard of cyber-risk. Their willingness to blame the breach on a single engineer’s slow response to a known vulnerability highlighted a lack of procedural discipline and rigor, to say nothing of the organization’s immaturity in cybersecurity basics. AI cannot address or solve for this cultural misalignment.

Cyber Hygiene 101
Let me be clear — perfect cybersecurity is not possible, no matter what anyone may say. If someone is determined at all costs to get through your defenses, the odds are good that they’ll find a way in. But the irony behind just about all the headline-grabbing data breaches we’ve seen in recent years is that they could have been prevented with basic cyber hygiene. Why? Because even when state actors are behind an attack, they most often take advantage of lackadaisical security practices and use known vulnerabilities and exploits to get in. It’s cheaper. It’s easier. You don’t have to burn a zero-day. Attribution is much harder, and there is a slew of other good reasons, which brings us back to the fact that basic cyber hygiene is the cheapest, easiest, and most effective way to improve your security posture. 

What’s even better news? Very good cybersecurity is within reach for most organizations. It begins with the fundamentals, and if you follow some of these best practices, you can prevent the vast supermajority of breaches and exploits.  

Best Practice 1: Know your systems really, really well. This may seem obvious but it’s astonishing how many organizations do not know precisely what technology they’re using. This presents a twofold problem. First, you can’t protect what you can’t see. Second, technology is not risk free. For every digital investment — IT, cloud, mobile, apps, the Internet of Things, and DevOps — there is an accompanying risk. Most organizations fundamentally don’t understand the extent of the systems they’re using, how those systems can be exploited, or what they need to do to prevent that from happening.   

Best Practice 2: Use state-of-the-art authentication and access management. If you’re still relying on passwords alone today, you simply fail to understand the reality of our threat environment. You need to embrace multifactor authentication. Think of TouchID or FaceID or something similar. Getting rid of passwords and the associated user failures moves the needle, and can reduce user frustration. Along with that, manage account privileges based on what access is needed by whom.

Best Practice 3: Invest in better monitoring and more efficient response. The average number of days between the time a breach occurs and when it is detected consistently clocks in at over six months. Organizations can take advantage of the technologies that shrink this time by providing greater visibility into computing platforms — cloud, hybrid, or on-premises — to ensure that security teams have a complete view of their entire attack surface.

Here’s a challenge that we should all embrace — let’s make 2018 the year we all get serious about cybersecurity fundamentals. Let’s get the basics right. Let’s not throw our arms up in despair or search endlessly for the latest cure-all until we’re adequately addressing the basics. Investing in AI is no substitute for sound fundamentals. 

Amit Yoran is chairman and CEO of Tenable, overseeing the company’s strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with …

Article source: https://www.darkreading.com/back-to-basics-ai-isnt-the-answer-to-what-ails-us-in-cyber-/a/d-id/1331010?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Russian Authorities Arrest Engineers for Cryptocurrency Mining at Nuclear Weapons Site

The nuclear weapons facility employees reportedly tried to mine cryptocurrency via a supercomputer.

Russian media is reporting that authorities have arrested several engineers working at a major nuclear weapons facility after they were caught trying to mine cryptocurrency with the facility’s supercomputer, according to Gizmodo.

The Sarov-based All-Russian Research Institute of Experimental Physics is a highly sensitive and guarded facility, reportedly with some 20,000 employees and a petaflop-speed supercomputer. It’s also where the USSR built its first nuclear bomb.

The engineers’ scheme reportedly was detected after they tried to link the mostly offline supercomputer to the Internet.

Read more here and here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/russian-authorities-arrest-engineers-for-cryptocurrency-mining-at-nuclear-weapons-site/d/d-id/1331024?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple