Tuesday, 10 February 2015

20% of Security Operations are Woefully Unprepared for Attacks

Given that the cost of data breaches has increased 96% since 2011, it’s time that security operations moved out of IT and took direction from upper management. That’s especially true given that a disturbing majority of them are immature and underprepared for the current threat landscape.

That’s the assessment from HP, whose 2015 State of Security Operations report found that almost 70% of security operations centers (SOCs) and cyber-defense organizations achieve only "minimum ad-hoc threat detection and response capabilities.” In other words: enterprises around the world are grossly unprepared to defend against even the most basic of cyber-attacks.

“The size, scope and severity of cyber-attacks now requires the attention and direction of upper management,” the report said. “It has become a boardroom issue that requires thoughtful planning and implementation, aligning with business objectives and risk tolerances.”

Considering that threats are evolving faster than solutions, the C-suite should act quickly, HP said, laying out several steps to success. First, companies should treat cyber-security as a strategic component of the business framework, at the same level as finance, marketing and operations. Second, executives need to personally understand how breaches are likely to occur, including the rudimentary methods used to insert malicious code into an organization’s network. And finally, they should actively explore and use leading-edge technologies and tools to achieve strategic security goals rather than relying only on traditional defenses.

HP found in its report that 20% of cyber-defense organizations are not providing minimum security monitoring capabilities to their organizations. Additionally, 66% of security operations centers (SOCs) and cyber-defense organizations were found to achieve only minimum ad-hoc threat detection and response capabilities. Further, 87% of them operate at sub-optimal maturity and capability levels.

“The assessments have shown some interesting trends,” HP noted. “Organizations are willing to seek capital for ‘do-it-all’ technology that is flexible and can perform advanced tasks; [but they] often neglect to seek operational budgets to staff the proper resources or to develop the needed processes, resulting in solution deployments that don’t provide the expected value.”

This has caused organizations to accept immature capabilities that address only simple issues but do not allow them to achieve strategic business goals, minimize risk or secure their environments.

On the plus side, major breaches and industry-wide vulnerabilities such as Heartbleed and Shellshock have significantly increased organizations' willingness to share threat intelligence and interim fixes. Visible breaches have also exposed C-level executives and boards to the financial and brand impact on organizations; through media coverage and internal evaluations, executives are now asking what organizational recovery requires, why a security operations program that provides situational awareness matters, and why security organizations need to report continuously on business risk and incident activity.

“Security operations maturity and capabilities go beyond a technology investment,” HP noted. “The continuation of highly publicized breaches and the effect on the entirety of a business and consumers demands ever more effective and efficient cyber defense organizations. These organizations must continually mature in all operations categories including people, process, technology and business.”

UK still lazy about mobile security

Intel survey finds that most UK adults aren't concerned with security issues on their mobile.
Nearly two-thirds of UK adults do not read the terms and conditions when downloading mobile apps, according to new research by Intel Security.
The results, released to mark Safer Internet Day, also saw 67 percent of respondents admitting that they were unaware of what personal information they might be giving away.
41 percent cited a lack of time as the main reason for not reading the small print, while 20 percent said they didn't care because they wanted the app regardless. Additionally, 20 percent said they trusted app stores.
Meanwhile, 57 percent believed it was not their responsibility to protect their own devices.
"It should come as no surprise that cybercriminals are turning their attention to mobile given that the same precautions we take on our PC or in the real world don't always seem to apply in our mobile lives," said Intel Security's VP of Consumer, Nick Viney.
"To combat this risk, we must take back control and practise basic security measures to ensure we're not unknowingly handing over our most valuable and personal information to cybercriminals. Safer Internet Day should serve as an annual reminder to take stock of our digital lives, and to make sure we're practising good cyber hygiene," added Viney.

WhatsSpy – Trace the moves of a WhatsApp user

WhatsSpy Public is a web-oriented application that tracks every move of whoever you choose to follow. It is set up as a proof of concept that WhatsApp is broken in terms of privacy. Once you’ve set up this application you can track any WhatsApp user you want to follow. While it is running it keeps track of the following activities:
  • Online/Offline status (even with privacy options set to “nobody”)
  • Profile pictures
  • Privacy settings
  • Status messages
I made this project for you to realise how broken the privacy options actually are. It just started out as experimenting with WhatsApp to build a bot, but I was stunned when I realised someone could abuse this “online” feature of WhatsApp to track anyone. I could just say in a blog article (like I tried, but it got marked as spam) that the privacy options are broken, but you wouldn’t realise the impact it actually has.

Shortlist requirements:
  • Secondary WhatsApp account (a phone number that doesn’t already use WhatsApp)
  • Rooted Android phone OR jailbroken iPhone OR PHP knowledge
  • Server/RPi that runs 24/7
  • Nginx or Apache with PHP and PDO (php5-pgsql installed); you can’t host this on a simple shared webhost, you need a shell (bash)
  • PostgreSQL
WhatsSpy Public requires a secondary WhatsApp account. Once the tracker is started, you will no longer be able to receive any WhatsApp messages for this phone number. You can either try to register a phone number not already used with WhatsApp using the script mentioned in the original project, or just buy a 5 euro SIM card and use that phone number for the tracker.
For the tracker to work you need a secret, which is retrieved from either your phone or the register script mentioned above. In the case of phone registration you need a jailbroken iPhone or rooted Android device in order to retrieve the secret.
  • Jailbroken iPhone users can retrieve the secret using the project’s script.
  • Rooted Android phones can use the project’s APK to retrieve the secret.
In order to retrieve the secret you need to follow these steps:
  • Insert your (new) secondary SIM card in your phone and boot it up.
  • Re-install WhatsApp on your phone and activate it using the new phone number.
  • Use either the APK (Android) or the script (iPhone) to retrieve the WhatsApp secret. Write this secret down; it is required later.
  • Insert your normal SIM card and re-install WhatsApp for normal use.

Facebook can identify your face from any image with Deep Face

The Facebook project known as DeepFace can identify you in any picture of you. The DeepFace AI system is now powerful enough to spot users in the 400 million photos uploaded to the social network every single day. Facebook is claiming good intentions with the DeepFace program. Facebook claims that instead of tagging users in embarrassing and incriminating photos without their permission, users will be able to first see the photos they are appearing in and then have the choice to blur out their faces. The DeepFace program works for strangers’ pictures as well as ones from friends, but users can only see the identities of people they already know.
But with good or bad intentions, Facebook holds all the cards and will still be able to identify you in any picture and hold on to that very valuable personal data. Additionally, other entities who are researching similar technology specifically the government and private companies such as Google may very well have access to this data as well.
The technology behind DeepFace is actually very intriguing. With the ability to read facial features across a variety of lighting conditions and angles, the way human eyes can, DeepFace uses an algorithmic technique called “deep learning”. By drawing on patterns in existing image data, the program learns to recognize pixel patterns in new faces and becomes more accurate at identifying people. The model improves as it is trained, and is able to analyze faces in terms of eyes, mouths and ears rather than raw pixels, then use that representation to guess when the same face shows up in vastly different kinds of pictures.

Anonymous takes down dozens of "terrorist" social media accounts in #OpISIS

Anonymous hacktivists, in conjunction with RedCult, have ramped up efforts to disrupt ISIS by zeroing in on social media accounts allegedly used by the terrorist group for recruitment and propaganda purposes.
Against a backdrop of increased military action by allied forces against ISIS, hackers flying the Anonymous flag have unveiled a new operation - dubbed #OpISIS - which aims to take down websites and email accounts, as well as expose Islamic militants, according to a message recently posted on PasteBin.
Greetings citizens of the world, we are Anonymous,
Operation ISIS Continues:
First we need to clarify a few things.
We Are: Muslims, Christians, Jews...
We Are hackers, crackers, hacktivists, phishers, agents, spies, or just the guy from next door.
We Are students, administrators, workers, clerks, unemployed, rich, poor, We are young, or old, gay or straight.
We wear smart clothes or rugs, we are hedonists, ascetics, joy riders or activists.
We come from all races, countries, religions, and ethnicity.
We Are Anonymous.
In the statement and an accompanying two minute video, an Anonymous spokesperson explains how the group sees ISIS as a virus that it says it intends to cure.
Part of the treatment appears to be the takedown of Facebook and Twitter accounts. The document on PasteBin lists a total of 90 Twitter accounts which the group says it has taken offline due to their affiliation with ISIS.
It also says it's keeping twelve Facebook accounts under continuing surveillance after they were found to have been "keeping contact with the terrorists (ISIS) in Syria & Iraq".
In a similar offensive last month, Anonymous launched #OpCharlieHebdo in response to the terrorist attacks in Paris, claiming responsibility for the downing of dozens of "Jihad sites".

Fearing an FBI raid, researcher publishes 10 million passwords/usernames

Dan Goodin, Ars Technica
A security consultant has published 10 million passwords along with their corresponding usernames in a move he characterized as both necessary and legally risky given a legal landscape he said increasingly threatens the free flow of hacking-related information.
Most of the existing corpus of passwords exposed in hack attacks is stripped of usernames, preventing researchers from studying the possible relationship between the two fields. Mark Burnett, a well-known security consultant who has developed a specialty collecting and researching passwords leaked online, said his sole motivation for releasing the data was to advance what's already known about the way people choose passcodes. At the same time, he said he was worried the list might land him in legal hot water given the recent five-year sentence handed to former Anonymous activist and writer Barrett Brown, in part based on links to hacked authentication data he posted in Internet chat channels.
"I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment," he wrote in a post published Monday night on his blog. "I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me."
Last March, federal prosecutors dropped criminal charges related to links Brown left in two Internet relay chat channels that were frequented by members of the Anonymous hacker collective. The links led to authentication data taken during the December 2011 hack on Strategic Forecasting by members of Anonymous. Before dropping the charge, prosecutors said the links amounted to the transfer of stolen information. Even though the charge was dropped, however, prosecutors still raised the linking to support their argument Brown deserved a long prison sentence.
In Monday night's post, Burnett also pointed to changes the Obama administration is proposing to federal anti-hacking statutes. Many security professionals have said the revised law would outlaw the publication of links to public password dumps even if the person posting the link had no intent to defraud. If the people sharing the information have any reason to believe someone might use it to gain unauthorized computer access, critics have argued, they would be subject to stiff legal penalties under the Computer Fraud and Abuse Act.
Burnett wrote:
But recent events have made me question the prudence of releasing this information, even for research purposes. The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers. Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to.
In 2011 and 2012 news stories about Anonymous, Wikileaks, LulzSec, and other groups were daily increasing and the FBI was looking more and more incompetent to the public. With these groups becoming more bold and boastful and pressure on the FBI building, it wasn’t too surprising to see Brown arrested. He was close to Anonymous and was in fact their spokesman. The FBI took advantage of him linking to a data dump to initiate charges of identity theft and trafficking of authentication features. Most of us expected that those charges would be dropped and some were, although they still influenced his sentence.
At Brown’s sentencing, Judge Lindsay was quoted as saying “What took place is not going to chill any 1st Amendment expression by Journalists.” But he was so wrong. Brown’s arrest and prosecution had a substantial chilling effect on journalism. Some journalists have simply stopped reporting on hacks from fear of retribution and others who still do are forced to employ extraordinary measures to protect themselves from prosecution.
Which brings me back to these ten million passwords.

Why the FBI Shouldn’t Arrest Me

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.
Including usernames alongside passwords could help advance what's known about passwords in important ways. Researchers, for instance, could use the data to determine how often users include all or part of their usernames in their passwords. Besides citing the benefit to researchers, Burnett also defended the move by noting that most of the leaked passwords were "dead," meaning they had been changed already, and that all of the data was already available online.
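One way to measure the username-reuse question raised above, as an added example that is not part of Burnett's release or the Ars Technica article: the rows are constructed (no real credentials), and the parser's assumption that the dump holds one "username<TAB>password" or "username:password" pair per line is mine, not a documented property of the data. It counts pairs where the password contains the whole username, or shares a run of at least four characters with it, case-insensitively.

```python
"""Measure how often a password reuses its username, over constructed data.

Added example for the research question raised above; this is not Burnett's
code and the rows below are constructed, not taken from the released dump.
The dump format (one "username<TAB>password" or "username:password" per
line) is an assumption for the parser.
"""
from collections import Counter

MIN_OVERLAP = 4  # shortest shared run of characters that counts as reuse

# Constructed sample rows (not real credentials).
SAMPLE_LINES = """\
alice1984\talice1984
bob_smith\tSmith2014!
carol.w\tpassword1
dave77\tletmein
erin.kelly\tkelly123
frank\t123456
grace_h\thopper!
hank\tHank
ivy.chen\tsunshine
jrodriguez:rodriguez99
"""


def parse_dump(text):
    """Return (username, password) pairs, splitting each line on the first tab
    (preferred) or colon. Passwords may themselves contain ':' so only the
    first separator splits. Blank and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sep = "\t" if "\t" in line else ":"
        if sep not in line:
            continue
        user, pw = line.split(sep, 1)
        pairs.append((user, pw))
    return pairs


def longest_common_run(a, b):
    """Length of the longest substring common to a and b (classic DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def classify(username, password):
    """'whole' if the full username appears in the password, 'partial' if at
    least MIN_OVERLAP consecutive characters are shared, else 'none'.
    The comparison is case-insensitive."""
    u, p = username.lower(), password.lower()
    if u and u in p:
        return "whole"
    if longest_common_run(u, p) >= MIN_OVERLAP:
        return "partial"
    return "none"


def overlap_report(pairs):
    """Counts per class plus the fraction of passwords showing any reuse."""
    counts = Counter(classify(u, p) for u, p in pairs)
    total = len(pairs)
    reused = counts["whole"] + counts["partial"]
    return {
        "total": total,
        "whole": counts["whole"],
        "partial": counts["partial"],
        "none": counts["none"],
        "reuse_rate": reused / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in overlap_report(parse_dump(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

On the constructed rows, half of the passwords reuse some part of the username (two contain it whole, three share a run of four or more characters). The substring threshold is a judgement call: a lower MIN_OVERLAP inflates the partial count with coincidental matches like "ar" or "ss", a higher one misses short surnames, so a real study should report results across several thresholds rather than one.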
As password dumps go, 10 million is a large number, but it's still small compared to the seminal 2009 hack of gaming website RockYou, which leaked 32 million passcodes, 14.3 million of which were unique. Last year, The New York Times reported that Russian criminals amassed a database of more than one billion passwords gathered from more than 420,000 websites. As Burnett noted, what sets this latest dump apart is that it was made by a security professional with the goal of advancing the public understanding of password choices. Equally noteworthy will be the reaction it receives from prosecutors.

White House to set up new early warning cyber-threat center

The new cyberthreat center will help build intelligence amid cyberattacks (Image: NSA)
The U.S. government is to set up a new agency to monitor cyber-threats and share intelligence.
In a speech Tuesday, assistant to the president for homeland security and counterterrorism Lisa Monaco announced the new division would be a new intelligence-based center that will "connect the dots" between incoming cyber-threats so that various government agencies can be aware, and prepare.

Ahead of the State of the Union last month, the president proposed legislation that would force companies to disclose hacks and breaches within 30 days.
"Cyber-threats to our national security and economic security are increasing in their frequency and sophistication," Monaco said. "No-one, it seems, is immune, from healthcare companies and universities to technology companies."
She warned that nation states and non-state hackers are constantly "seeking to steal, to spy, to manipulate, and to destroy data."
President Obama made cyber-threat and intelligence sharing a key priority in his State of the Union address last month, in which he promised better cybersecurity in the wake of high-profile hacks against Sony Pictures, and most recently health insurance provider Anthem.
A number of federal agencies, including the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Dept. of Homeland Security (DHS), all have divisions focusing on cybersecurity.
The Obama administration wants the newly formed Cyber Threat Intelligence Integration Center (CTIIC) to link those federal divisions together in order to create a "seamless intelligence flow," according to an official speaking to Reuters on Tuesday.
"There's so many different pieces of intelligence coming in, you've got to collaborate and put it together," said CrowdStrike president Shawn Henry on CBS This Morning.
The new agency, which will begin with about 50 staff and a budget of $35 million, aims to learn from the intelligence failings that led to the September 11 terrorist attacks in New York, officials said.
"We need to sync up our intelligence with our operations, and respond quickly against threats to our citizens and companies," said Monaco.
The center will "have to work in lock-step with the private sector," she said. "The federal government won't leave the private sector to fend for itself. Partnership is a precondition of success."
That means "daily collaboration" to identify threats in order to stave off attacks. As an example, she said the U.S. government will pass threat information to private sector companies as soon as it becomes available, in an effort to prevent attacks from happening.
But Monaco confirmed CTIIC will "not collect intelligence."
The center will sit under the Director of National Intelligence, James Clapper.