Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

https://www.youtube.com/watch?v=vFV2GxBZ7D0

From the description:

Recording of the first live stream reverse engineering a new ransomware family. Lots of lessons learned for the next time 🙂

I haven’t made it through the entire video (almost four hours) but it is very impressive!

Speaking of impressive, check out the Emisoft blog for more of same.

Enjoy!

Data Breach Digest (Verizon)

From the report:

The Situation Room

Data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations or malicious software. As can be expected, data breach response activities—investigation, containment, eradication, notification, and recovery—are proportionately complex.

These response activities, and the lingering post-breach aftereffects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications and other Incident Response (IR) stakeholders. Each of these stakeholders brings a slightly different perspective to the breach response effort.

Last year, thousands of IR and cybersecurity professionals delved into the inaugural “Data Breach Digest—Scenarios from the Field” (aka “the RISK Team
Ride-Along Edition”) to get a first-hand look into the inner workings of data breaches from an investigative response point of view (PoV).

Continued research into our recent caseload still supports our initial inklings that just over a dozen or so prevalent scenarios occur at any given time. Carrying forward from last year, we have come to realize that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but are more about the situations in which the victim organizations and their IR stakeholders find themselves. This gives each scenario a distinct personality … a unique persona, per se.

This year, for the “Data Breach Digest—Perspective is Reality” (aka “the IR Stakeholder Edition”), we took a slightly different approach in bringing these scenarios to life. Each scenario narrative—again, based on real-world data breach response activities—is told from a different stakeholder PoV. As such, the PoV covers their critical decision pivot points, split-second actions taken, and crucial lessons learned from cases investigated by us – the Verizon RISK Team.
… (emphasis in original)

The “scenario” table mapping caught my eye:

The Scenari-cature names signal an amusing and engaging report awaits!

A must read!

To make up for missing this last year, here’s a link to 2016 Data Breach Digest.

Two-thirds of US companies would pay to avoid public shaming scandals after a breach by Razvan Muresan

From the post:

Some 66% of companies would pay an average of $124k to avoid public shaming scandals following a security breach, according to a Bitdefender survey of 250 IT decision makers in the United States in companies with more than 1,000 PCs.

Some 14 percent would pay more than $500k, confirming that negative media headlines could have substantial financial consequences. In a recent case, officials from Verizon, which agreed to buy Yahoo’s core properties for $4.83 billion in July, told reporters that the company has “a reasonable basis” to suspect that the Yahoo security breach, one of the largest ever, could have a meaningful financial impact on the deal, according to multiple reports.
…

The ransomware report I was reading earlier said that 29% discounts off of original ransom demands are common and the trade tends to the low end, several hundred dollars.

Perhaps Barrons or the Wall Street Journal needs to find its way onto your reading list.

EFF Dice-Generated Passphrases

From the post:

Create strong passphrases with EFF’s new random number generators! This page includes information about passwords, different wordlists, and EFF’s suggested method for passphrase generation. Use the directions below with EFF’s random number generator member gift or your own set of dice.
…

Ah, EFF random number generator member gift. 😉

Or you can order five Bicycle dice from Amazon. (Search for dice while you are there. I had no idea there were so many distinct dice sets.)

It’s mentioned but not emphasized that many sites don’t allow passphrases. Which forces you to fall back onto passwords. A password manager enables you to use different, strong passwords for every account.

Password managers should always be protected by strong passphrases. Keys to the kingdom as it were.

big-list-of-naughty-strings by Max Woolf.

From the webpage:

The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

You won’t see any of these strings on the Tonight Show with Jimmy Fallon. 😉

They are “naughty” when used as user-input data.

For those searching for a starting point for legal liability, failure to test and/or document testing against this data set would be a good place to start.

Have you tested against the big-list-of-naughty-strings?

Kaspersky Lab reports in Fileless attacks against enterprise networks the discovery of malware that hides in memory to avoid detection.

It’s summary:

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.

…

Kaspersky reports 140 enterprises in 40 countries have been affected by the malware:

The reported focus has been on banking/financial targets, which implies to me that political targets are not preparing for this type of attack.

If you are going to “play in the street,” an American expression meaning to go in harm’s way, be sure to read the attribution section carefully and repeatedly. Your skills aren’t useful to anyone if you are in prison.

Now’s Probably The Time To Consider One Of These Burner Phones by Paul Sarconi.

From the post:

WE’RE LIVING IN a new era of political unpredictability. Who knows what race, religious group, or professional sector will be scrutinized tomorrow? If you’re concerned that your devices will be targeted for confiscation and search, heed caution now. Start carrying a burner phone—a handset you can wipe clean and destroy without much thought. We’ve rounded up some good options.

One note: The point of using a burner is to avoid leaving a trace of your phone activity. Our list of recommended phones (and one app!) comes with links to online retailers so you can read more about the devices, but if you’re trying to stay private, you should buy both the phone and a pre-paid data allotment with cash. Most of these handsets (and the prepaid cards) are available at big-box stores here and abroad.
… (emphasis in original)

If your privacy matters, burner phones are in your present and future.

Quite recently I was creating an account at a hacker site that required, required mind you, a cellphone number for authentication.

That’s crazy. Why would I want to label myself with my cellphone number in a hacker forum? Not today, not tomorrow, not any day.

So, Paul’s list comes at an opportune time.

A word of caution about the Burner App.

It’s true you can delete the Burner App temporary phone number from your phone but Burner App maintains a copy of that number with your account. In case you want to “reactivate” the number.

Trusting a third party is a poor opening move in learning to protect your privacy.

Buy a debit card for cash and use a fake identity with Burner App.

Security Design: Stop Trying to Fix the User by Bruce Schneier.

From the post:

Every few years, a researcher replicates a security study by littering USB sticks around an organization’s grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as “teachable moments” for others. “If only everyone was more security aware and had more security training,” they say, “the Internet would be a much safer place.”

Enough of that. The problem isn’t the users: it’s that we’ve designed our computer systems’ security so badly that we demand the user do all of these counterintuitive things. Why can’t users choose easy-to-remember passwords? Why can’t they click on links in emails with wild abandon? Why can’t they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we’ve thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This “either/or” thinking results in systems that are neither usable nor secure.
…

Non-reliance on users is a good first step.

An even better second step would create financial incentives for Bruce’s first step.

Financial incentives similar to those in products liability cases, where a “reasonable care” standard evolves over time. No product has to be perfect, but there are expectations of how not bad a product must be.

Liability not only for the producer of the software but also enterprises using that software, when third-parties are hurt by data breaches.

Claims about the complexity of software are true, but can you honestly say that software is more complex than drug interactions across an unknown population? Yet, we have products liability standards for those cases.

Without financial incentives, substantial financial incentives, such as with products liability, cybersecurity experts (Bruce excepted) will still be trying to “fix the user” a decade from now.

The romantic quest to capture and punish those guilty of cybercrime, hasn’t worked so well. One collection of cybercrime statistics pointed out that detected cybercrime incidents increased by 38% in the last year.

Tell me, do you know of any statistics showing a 38% increase in the arrest and prosecution of cybercriminals in the last year? No? That’s what I thought.

With estimated cybercrime prevention spending at $80 billion this year and an estimated cybercrime cost of $2 trillion by 2019, you don’t seem to be getting very much return on your investment.

We know that fixing users doesn’t work and capturing cybercriminals is a dicey proposition.

Both of those issues can be addressed by establishing incentives for more secure software. (Legal liability takes legislative misjudgment out of the loop, enabling the organic growth of software liability principles.)

Phone-Hacking Firm Cellebrite Got Hacked; 900GB of Data Stolen by Swati Khandelwal.

From the post:

Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker.

But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products.

Instead, attackers are looking for possible opportunities to sell the access to Cellebrite system and data on a few selected IRC chat rooms, the hacker told Joseph Cox, contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data.
…

I can understand the hacker’s desire to make money and if unlike TheShadowBrokers, who are still pricing themselves out of a sale (approximately $8,230,000), the price is a reasonable one, crowd-funding might be a useful approach to purchasing the tools for public release.

I can’t afford to bid on the tools as an individual, but would contribute to a crowd-funded effort to secure a public release of the tools.

Why? The more hacking tools that are available, the less secure governments become.

People become less secure as well but governments are a far greater threat to people than cyber-criminals will ever be.

Cyber-criminals want your money, governments want your freedom.

To be fair, Kevin Beaumont notes in his retweet:

Where to begin… (There’s a similar number of No SQL databases with no passwords).

There are “weird machines” and cutting edge hacks but what separates you from a successful hacker is making the effort.

Are you going to be a successful hacker in 2017?

Smile! You’re on a stolen iPhone’s candid camera! by Lisa Vaas.

Lisa tells the story of Anthony van der Meer and his creation of a honeypot phone in order to create a film about who would steal a cellphone?

The phone was rigged to allow Van der Meer to spy on the thief and quite to my surprise, Lisa raises the question of whether it is “ethical” to spy on the thief?

How very curious. Thieves have privacy rights?

Van der Meer’s case it possible the original thief simply sold the phone but even if you credit that tale, would you buy a phone at below market value on the street? And not suspect there was something odd about the transaction?

In any event, I do appreciate Lisa’s story because it points to a great technique for piercing government security. After all, what government staffer would not appreciate finding a quite new and unlocked iPhone 7?

Of course they want to use their phones to access their government email, networks, etc.

😉

Better penetration efforts everywhere are already using this technique but just in case it has not occurred to you, enjoy!

Don’t get your hopes up too high. Places that are somewhat serious about security, DOE (read nuclear sites), CIA, etc., prohibit cellphones altogether on premises.

That leaves hundreds of thousands of other government sites and facilities open, not to mention the users themselves.

Data breach exposed locations of oil-industry explosives, handler credentials by Dell Cameron.

From the post:

A misconfigured storage device discovered by a security researcher in October left exposed thousands of internal files belonging to an explosives-handling company. [The original story is dated 01/12/2016, so this post is almost a year out of date.]

The files, which have since been secured, reportedly included details about facilities in three U.S. states where explosives are stored.

The leaky file repository belonged to Allied-Horizontal Wireline Services (AHWS), a leading wireline company with more than 400 employees and 70 wireline units throughout the United States. (“Wireline” is an industry term that refers to cabling technology used at oil and gas wells.) The company is licensed by the federal government to store and use explosives to complete an oil-drilling process known as “perforation.”

Chris Vickery, a lead security researcher at MacKeeper who notably discovered several misconfigured voter databases this year, found the breach in early October. After verifying the device’s owner, Vickery reached out to an AHWS executive, who quickly moved to secure the company’s data.
…

Data breach stories are so common that out-dated ones are especially of little interest.

Except, that this date breach story illustrates the problem of data leakage.

From the tone of the post, you are thinking evil-doers need to find companies that use explosives, hack their systems, blackmail their staffs, etc. All of which is serious stuff, not to mention a lot of effort.

But an unknown ATF official leaks the information that makes all that work unnecessary:

…
There are no federal laws prohibiting Allied-Horizontal Wireline Services from disclosing the location of its explosives, an ATF official said. “Licensees storing explosive materials must notify the authority having jurisdiction for fire safety in the locality where the explosive materials are stored.”
…

Where are explosives are stored? (United States only) Check with your local fire safety authority.

Thanks ATF!