
March 19, 2017

G's Reading List for March 19, 2017

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
by Dan Goodin @ Arstechnica.com

Chaining three different exploits (in the Microsoft Edge browser, in Windows 10, and then in VMware) contestants were able to escape a virtual machine and compromise the host the VM was running on. Impressive.
Link: https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
_____________________________________________

Malwarebytes teams up with Cybersecurity Factory
by Malwarebytes Labs
Malwarebytes is proud to support Cybersecurity Factory, a 10-week summer program for early-stage cybersecurity companies. This program, run in collaboration with Highland Capital Partners, provides teams with a $35,000 convertible note investment, office space, and dedicated security mentorship from industry leaders at leading companies throughout the United States...
Link: https://blog.malwarebytes.com/malwarebytes-news/2017/02/malwarebytes-teams-up-with-cybersecurity-factory/
_____________________________________________

WikiLeaks to Share CIA Hacking Data with Tech Companies
by Marissa Lang, San Francisco Chronicle
WikiLeaks will release the code showing how the CIA managed to break into phones, work around encrypted messaging apps and avoid detection by software designed to defend against cyberattacks.
_____________________________________________

Google Points to Another POS Vendor Breach
by Brian Krebs @ Krebs on Security

Another good thing about Google's site warnings.


December 4, 2016

G's Reading List for Dec.4, 2016

Some interesting quotes from a couple articles...

The Hard Thing About Safe Things
By Rich Seymour
October 12, 2016
https://www.endgame.com/blog/hard-thing-about-safe-things

Completeness
"This is an especially useful distinction for infosec, which often fails to integrate the insider threat element or human vulnerabilities into the security posture."

Clear Prioritization
"...urges practitioners and organizations to step back and assess one thing: What can I not accept losing?"
"Treating unacceptable loss as the only factor, not probability of loss, may seem unscientific, but it produces a safer system.  As a corollary, the more acceptable loss you can build into your systems, the more resilient they will be."

Resilience
"...the rush to place blame hindered efforts to repair the conditions that made the accident possible."  "To blame the user for clicking on a malicious link and say you’ve found the root cause of their infection ignores the fact that users click on links in email as part of their job."

From Theory to Implementation
"Cybersecurity epitomizes the complexity and systems of systems approach ideal for STPA. If we aren’t willing to methodically explore our systems piece by piece to find vulnerabilities, there is an attacker who will."


Human Adversaries: Why Information Security is Unlike Engineering

"There are many ways to break down these differences, which I’ve summarized in the table below, but a simple way to think about it is that in the fields without human adversaries (e.g. building bridges) once you have found a solution, (make sure your cables can support the expected loads and stresses) you can standardize that solution and be basically done."

"In contrast, human adversaries means your opposition is adaptable, intelligent, and goal-driven."

Doing the Unexpected
"In fields with human adversaries, although some actions will be standardized, complete predictability is a recipe for failure."

"In information security, those who have conducted offensive operations know that offensive groups will never send an attack they believe will be stopped by defensive measures."

"...we have intelligent, adaptive, goal-driven, human adversaries. So let’s learn from the fields that have been dealing with them for centuries."

November 24, 2016

G's Reading List for Nov.24, 2016

I read a lot - at least I try to find time to.  I have to...just like all my peers in this industry of information security.  My focus is in the threat intelligence and infosec/cyber attack space and that requires even more reading.  Thankfully there are a lot of smart people in this space with interesting insights, and my plan is to start highlighting these interesting articles, books, etc. in this blog more frequently.  In some cases I may make some "pithy" comment about the article to give you an idea what it's about and/or my thoughts on it.

I don't have some catchy name to call these posts so for now I'll call them "G's Reading List."  Pretty inventive...huh?! Not.

My hope is that you'll find these readings as interesting as I find them.  Feel free to share your thoughts on them as well in the comment section.  Also, I encourage you to share any interesting readings you've found related to my posts and if you let me know it's okay to share with others I will put it on this blog with full attribution (let me know if you don't want attribution).

Okay let's get this party started...here are two great posts by MalwareJake...

Source: MalwareJake

Source: MalwareJake
Wow, this is just embarrassing. C'mon, OpSec 101 people!



May 24, 2014

In the category of 'This is News?'

Two recent news stories invoked a 'this is new news?' reaction from me.  More like 'this is OLD news.'

The one article is about Russians perpetrating cyber-espionage against American companies and the other is about online cyber-gangs hacking online companies.  The victim of the latter news story is eBay (link here to story).  Those of us in the information security industry who investigate compromises/breaches and track attackers are not surprised by any of this.  We've seen Chinese and Russian attackers going after American companies' systems, applications, data, etc. for many, many years.

And it's not getting any better...they aren't letting up and neither are we.  Keep fighting the good fight!

References:
FBI threatens to go after Russian hackers
http://rt.com/usa/161132-fbi-russian-hackers-china/

eBay hacking: online gangs are after you
http://www.telegraph.co.uk/technology/internet-security/10849689/eBay-hacking-online-gangs-are-after-you.html

January 27, 2013

Cyber Warfare and the Mutually-Assured Destruction of Cyberspace



I frequently read the writings of Lenny Zeltser; he's a smart guy who always has something interesting to say.  He posted a short entry on his blog in July of 2012 stating his theory of how countries will use the principle of mutually-assured destruction to deter each other from a major world war in cyberspace.
Worth a read, check it out here:
http://blog.zeltser.com/post/27846821868/mutually-assured-destruction-in-cyberspace

July 5, 2011

World Economic Forum Global Risks 2011 Report (Jan 2011)


This past January 2011, the WEF released a report which detailed what they see as the global risks in 2011 (http://riskreport.weforum.org/). The report is called Global Risks 2011 Sixth Edition: An Initiative of the Risk Response Network
(http://riskreport.weforum.org/global-risks-2011.pdf).

It's an interesting read especially for those of us who deal with risk regularly in our profession. They identified two cross-cutting global risks, focused on 3 risk clusters, and noted 5 risks to watch.

The two cross-cutting global risks are Economic Disparity and Global Governance Failures. They note that these influence many other global risks and are a result of globalization. Quote from the report:

"Globalization has generated sustained economic growth for a generation. It has shrunk and reshaped the world, making it far more interconnected and interdependent. But the benefits of globalization seem unevenly spread – a minority is seen to have harvested a disproportionate amount of the fruits. Although growth of the new champions is rebalancing economic power between countries, there is evidence that economic disparity within countries is growing."

The 3 risk clusters they focus on are the "macroeconomic imbalances" nexus, the "illegal economy" nexus, and the "water-food-energy" nexus.

Illegal Economy Nexus:
This nexus examines state fragility, illicit trade, organized crime, and corruption. Quote from the report:

"A networked world, governance failures and economic disparity create opportunities for such illegal activities to flourish. In 2009, the value of illicit trade around the globe was estimated at US $1.3 trillion and growing. These risks, while creating huge costs for legitimate economic activities, also weaken states, threatening development opportunities, undermining the rule of law and keeping countries trapped in cycles of poverty and instability.
International cooperation – both on the supply side and on the demand side – is urgently needed."


For those of us who are constantly fighting cyber criminals it's nice to see a validation of what we've been saying: that it's growing rapidly, that it threatens our economies, and that we are lacking the legal tools (policies, cooperation between countries) to help with deterrence and prosecution.

Speaking of cyber security, it's identified as one of the 5 risks to watch. Interestingly, survey respondents assessed these risks with low levels of confidence, while experts consider they may have severe, unexpected or under-appreciated consequences. The specific text in the report was:

"Cyber-security issues ranging from the growing prevalence of cyber theft to the little-understood possibility of all-out cyber warfare."

They note 4 distinct global risk-related activities as standouts:
* Cyber theft
* Cyber espionage
* Cyber war
* Cyber terrorism

I'm particularly concerned with cyber theft. From the report:

"Cyber theft has become a growing industry with a long tail, particularly in countries where economic disparity has recently been combined with access to global communication technologies. Actors in this field range from entrepreneurial individuals to shell corporations built with the hope of economic gains offset by acceptable risks. Interestingly, some assessments indicate that cyber thieves experience a substantially lower feeling of guilt than is apparent in other criminal activities."

They spell out the potential for disruption causing a large impact:

"The pervasiveness of the Internet and importance of related technologies to everyday life and business means that should a major disruption occur, it is likely to have high impact globally."

I agree wholeheartedly!

I recommend checking out the report (link below). It's an interesting read.
http://riskreport.weforum.org/global-risks-2011.pdf

Main site:
http://riskreport.weforum.org/

June 18, 2009

Various interesting news and posts


The Web's most dangerous keywords to search for
http://blogs.zdnet.com/security/?p=3457
I've long known that some 75% of all screensavers found on the Internet via Google search contain malware, but thought that some of these words were interesting: free games, work from home, iphone, barack obama. Something else interesting is the finding that when searching for lyrics keywords or phrases with the word 'free' in them, one of four sites contains malicious code. Talk about blackhat SEO.

Building an Automated Behavioral Malware Analysis Environment using Open Source Software by Jim Clausing
http://www.sans.org/reading_room/whitepapers/tools/building_an_automated_behavioral_malware_analysis_environment_using_open_source_software_33129
Looks very promising. On my reading list.

Ex-DOS and Microsoft Exec Heading Up DHS Cyber Post
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133855
Earlier this month Secretary Napolitano of the U.S. Department of Homeland Security named Philip Reitinger as Director of the National Cyber Security Center in DHS. This is a newly formed office in DHS. Previously Philip had held positions in DOD Cyber Crime Center and was leading the Trustworthy Computing initiative at Microsoft. Philip replaces Rod Beckstrom who vacated the post earlier this year citing lack of funding and internal support. I wish Philip all the best and hope he's able to get what he needs to get things done there.

May 11, 2009

New information security bill to replace FISMA

There's yet another cyber security bill introduced in the US Senate; this one is called the 2009 U.S. Information and Communications Enhancement Act. While the others affect both government and private industry, this one aims to strengthen information security within government offices.

It's an update to FISMA, which has long been criticized for not requiring agencies to demonstrate compliance. This bill focuses more on measuring actual security rather than on report writing, which is FISMA's focus. It requires the Commerce Department to establish standards for securing government systems. It takes information security management away from the DOD and NSA and limits DHS' role to incident response and the defenses provided by US-CERT. I'm not sure I agree with that, as there are some talented folks at DHS and US-CERT.

You can read the whole bill here http://www.govexec.com/nextgov/042809/ICE_Bill.pdf

April 7, 2009

New Cybersecurity Bill Gives Commerce Dept and President Obama Cyber and Internet Authority


On April 1, 2009 a bill, a.k.a. the "Cybersecurity Act of 2009", to ensure the free flow of commerce within the United States was introduced in the US Senate. (See PDF draft here) It's important that our nation gets working on this critical issue now, so I reviewed the working draft and thought I'd summarize it and note some interesting passages.

Summary points...
- Cybersecurity oversight of government networks, the Internet, and cybersecurity research would fall under the Secretary of Commerce;
- Roles and responsibilities involve other agencies such as ODNI, NIST, FCC, and NSF;
- Three years of funding, then after a review/evaluation a potential for continued funding;
- Establishes state and regional cybersecurity centers, tasking them with securing small- and medium-sized businesses;
- Requires providing security for the FCC's national broadband initiative;
- Establishes a public-private sector clearinghouse for vulnerability information;
- Calls for a study of the feasibility of cybersecurity insurance;
- Taps NIST as the standards body for all cybersecurity related standards;
- Provides the President with the power to disconnect the Internet in a cybersecurity emergency or in the interest of national security.

Various interesting passages...

Section 3 - Cybersecurity Advisory Panel.
DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
...
REPORTS.—The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
I have a problem with that frequency; at a minimum it needs to be twice a year.

Section 4 - Real-time Cybersecurity Dashboard.
The Secretary of Commerce shall— (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, realtime cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce; and (2) implement the plan within 1 year after the date of enactment of this Act.
Wow, is this ever aggressive for this large of an undertaking.

Section 5 - State and Regional Cybersecurity Enhancement Program.
The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.
...
The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States...
What do they mean by "enhance"? To what extent will these new regional centers assist SMBs with their security?
ACTIVITIES.—The [Regional Cybersecurity] Centers shall—
(1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies...
Where's NIST? Are they going to be folded into this new center? Ah, later in the document, in section 6, NIST is mentioned...

Section 6 - NIST standards development and compliance.
National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks...
Doesn't NIST already do this? Maybe this is giving them teeth - which is a great thing.
The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks.
This will touch the private sector in a very big way, since something like 75% of all of the critical infrastructure is run by that sector.
...[NIST] shall be responsible for United States representation in all international standards development related to cybersecurity...
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

(e) FCC National Broadband Plan...shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks...
So what exactly does that mean? Maybe requiring firewalls and other controls, which would help mitigate some of the network worms.
FCC NATIONAL BROADBAND PLAN.—In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
Section 9 - Secure domain name addressing system.
...develop a strategy to implement a secure domain name addressing system.
Section 10 - Promoting cybersecurity awareness.
...develop and implement a national cybersecurity awareness campaign...
Good good.

Section 11 - Federal cybersecurity research and development.
(b) Secure Coding Research...
(c) Assessment of Secure Coding Education in Colleges and Universities
Interesting.

Section 14 - Public-private clearinghouse.
...The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to the Federal government and private sector owned critical infrastructure information systems and networks.
Section 15 - Cybersecurity risk management report.

In section 15 they talk about conducting a feasibility study of creating a market for cybersecurity risk management, including civil liability and insurance.

Section 18 - Cybersecurity responsibilities and authority.

This is the section that has several people concerned and upset. It essentially provides for the President to declare a cybersecurity emergency and shut down the Internet. There's also a provision which allows him to disconnect any system or network in the interest of national security. This authority extends to Internet connections into Federal offices as well as any US critical infrastructure information system or network. This is intriguing because a majority of the infrastructure defined as "critical" by the US Government is owned and operated by the private sector. This bill would grant the President the power to shut down private sector systems and networks.

This section also requires mapping of Federal systems and networks. Good idea; I wonder how long it will take, though.

Section 30 - Joint intelligence threat assessment.

This section requires the Director of National Intelligence and the Secretary of Commerce to submit to Congress an annual assessment on cybersecurity threats.


What's interesting in all this is that neither DHS nor NSA is mentioned in this bill. Just recently the Director of National Intelligence testified in front of Congress that the NSA should be in charge of cybersecurity. And a few weeks ago the director of DHS's NCSD resigned over concerns about the move of cybersecurity from DHS to under the NSA.

What will happen to all the initiatives currently underway by DHS and NSA? Will they be folded into this new organization, or directed by this organization yet still reside in their respective agencies? What about DOD's cybersecurity efforts?

All I want is for them to get it right organization-wise and start working to address the country's cybersecurity shortcomings - ASAP.

March 15, 2009

Message to US Adversaries: You Have Plenty of Time to Launch Cyber Attack

This is basically what the US government is telegraphing to those who want to attack our infrastructures. This conclusion of mine was for the most part confirmed today when I read the ThreatChaos post about the National Cybersecurity Center director (Rod Beckstrom) resigning, after only a year in office and little accomplished - not due to his lack of trying, I might add.

Read his resignation letter, which is posted here. It's very telling of the issues in the agency. His two main complaints and reasons for leaving are power fights with the NSA (i.e., no power or authority to do the job he was given) and lack of funding. It sounds like this new center was doomed from the start.

He said he had only 3 people on his staff and 5 weeks of funding. What? No wonder he couldn't get much completed. This office's mission was to address the lack of cyber security within the US Federal government, and it's expected to accomplish this with 3 people and no funding?

The other main issue has to do with fighting with the NSA over the program. The NCSC is in DHS yet the NSA wants this role and according to Beckstrom's letter some in DHS were putting up roadblocks in his way. To make matters more difficult the Director of National Intelligence is putting his support behind the NSA.

Now another year has gone by and cyber security is still not a priority for the US Federal government and the mess still exists. Many Federal agencies are doing cyber security work that overlaps with each other and a central coordinating agency still does not exist.

One idea I'm hearing is the creation of a new armed forces branch to be in charge of cyber security, and I think that's a great idea. A decision needs to be made soon and we need to get moving with improving our nation's cyber security from both a defensive and an offensive standpoint. Our adversaries aren't waiting; they continue to attack and breach our defenses.

There is one piece of good news, however: on February 9th, 2009 President Obama issued a directive to conduct an immediate cyber security review of all plans, programs, and activities underway throughout the government dedicated to cyber security. They have 60 days to complete it. Press release here. I'm glad they are trying, but I'm not holding my breath that decisions will be made soon (i.e., within weeks) after this review is completed, and it's entirely possible we'll still be waiting by the next election cycle this November.

My plea to the policy makers in the US Federal government: stop advertising our confusion and uncertainty, make the decisions that need to be made, execute on those decisions, and start showing our adversaries we are serious about cyber security before it's too late. Oh and by the way, there are plenty of good people in the private industry that are willing to help you.