Monthly Archives: February 2018

Improving Security without Destroying Careers – Overcoming the Blame Game

I was sitting in an awesome class being held at @BSidesHSV, and it got me thinking.

The class, entitled “Fundamentals of Routing and Switching for Blue and Red Teams” and put on by Paul Coggin, was a deep dive into layer two and layer three configurations and the ways they can be compromised. The content was outstanding, and Paul did a great job communicating a very difficult topic.

Throughout the class, Paul relayed many stories of compromises and attacks (all done in a completely generic manner, of course), and I couldn’t help but put myself in the shoes of the poor sap that made the choices leading to the compromise or unexpected result. I thought to myself this could easily be me in a different scenario. In spite of my knowledge and experience, I feel like we are all just one “screw up” away from the unemployment line.

I have over 20 years’ experience in a multitude of technologies and consider myself to have advanced skills in many areas. That said, I am not deluded. Today’s class served to remind me that no matter how much real-world experience I have, there is always something I can learn and something that I don’t know. And it’s that one thing that I don’t know and don’t implement that could be a career-limiting move.

Mulling over those thoughts, I realized that this just should not be. Unfortunately, the world does operate this way. Why? I think it comes down to this: a moral society is always looking for justice for the moral wrongs committed within it.

This is what makes civilized societies stable, safe and orderly. Unfortunately, we have generally adopted that same “justice at all costs” mindset in the infosec world when poor security practices lead to compromise or outages, forgetting that those getting the blame haven’t committed any moral sin against society.

The scenario goes like this:

  1. Big Boy Company, Inc. experiences a data breach
  2. CEO of Big Boy Company does damage control then blames CISO
  3. CISO denies fault while seeking an underling to blame
  4. Eventually, CISO names Employee X as the lynchpin
  5. Employee X loses their job, their reputation and possibly career
  6. In the background, CEO, CISO and rest dump stock before story breaks

All this happens because everyone wants “justice” and a simple answer as to why this terrible thing happened. The problem is that technical shortcomings, unless blatantly malicious, neither equate to nor align with the moral crimes against society for which we seek justice in a criminal court. Yet the public and the organization want somebody on whom to hang all the blame.

This fallacy is preventing us as a profession from moving forward and solidly improving security practices. Why? Unless the person getting canned (blamed) is completely incompetent (in which case, why were they in that position in the first place?), removing them means you just removed the most experienced and well-versed employee you had at that level.

In case you haven’t noticed, there is a shortage of qualified and educated infosec workers. Now your organization has to find a replacement, train them and get them up to speed.

In the meantime, don’t you think you just greatly increased the likelihood of another attack since you just let the world know you took out your star? Malicious actors read the news, fully expect the upheaval and will take advantage.

While the poor employee who lost their job and reputation fights to retain their career, the C-level people share kudos among themselves, celebrating their “resolution” and the perceived increase in security posture from removing the “problem employee.” They keep their jobs and comfortable careers. After the smoke clears, life returns to normal, until the next breach, that is!

I submit this is not how things should be. I keep going back to Kevin Mitnick and The Art of Exploitation written almost 15 years ago. We are still making the same mistakes today. What the heck is wrong with us?

So, how should we be approaching things? Businesses need to adopt a mindset that accepts the fact that tech employees need to spend about 25 percent or more of their work hours in training: learning new skills, reinforcing existing skills and keeping up with the latest trends in security and technology.

Next, employers need to listen to what these employees learn and adopt those things that will enhance their business security posture.

Training develops awareness. Awareness requires communication followed by management acceptance and action. Any breakdown in this chain leads to trouble.

Unfortunately, businesses today expect workers to “learn on their own time” (for those who can, check out the free Cybrary). They might reimburse the employee for their costs. Some even go as far as to provide access to things like Pluralsight, Skillsoft or other training platforms. That is a step in the right direction, but one that overlooks two components: time and accountability.

Full-time employees have 2,080 hours per work year. Most are overworked, have too many expectations placed upon them, and are spending the bulk of their time responding to reactionary problems rather than proactively learning and fine-tuning their organizational security. And they are doing this knowing that they are one “screw up” away from walking the street.

Employees also don’t have clear expectations communicated to them. They are often not held accountable for their own self-improvement. Lack of sufficient time and accountability lead to less-than-stellar improvement in skills.

This is a travesty. Management needs to change their perception and implement policies that give their employees confidence and the freedom to fail without fear of being thrown under the bus. Managers are coaches, and their job is to develop talent. Build a time and dollar budget for every employee and provide them with the tools they need to better serve the organization. These investments will always be far less costly than any breach.

Management should protect their employees, take responsibility when bad things happen and implement positive policy change to increase security. Happy, fulfilled and growing employees are the best security investment you could ever make!



via:   tripwire

Google launches a lightweight ‘Gmail Go’ app for Android

Google has made a notable addition to its line of “Go” edition apps – the lightweight apps designed primarily for emerging markets – with the launch of Gmail Go. The app, like others in the Go line, takes up less storage space on users’ smartphones and makes better use of mobile data compared with the regular version of Gmail.

The app also offers standard Gmail features like multiple account support, conversation view, attachments, and push notifications for new messages. It also prioritizes messages from friends and family first, while categorizing promotional and social emails in separate tabs, as Gmail does.

But like other Go apps, Gmail Go doesn’t consume as much storage space on the device.

In fact, according to numerous reports, Gmail Go clocked in at a 9.51 MB download, and takes up roughly 25 MB of space on a device, compared with Gmail’s 20.66 MB download, and 47 MB storage space.

Google has not made a formal announcement about Gmail Go’s launch, but several sites have spotted its availability on the Google Play store this week. We’ve asked Google for more information about the app’s feature set, and what exactly Go does to reduce the burden on low-end smartphones. The company declined to comment.


Some early adopters have pointed out that scrolling on Gmail Go is a much more choppy experience than on the standard Gmail. It also syncs fewer days of emails and attachments to use less bandwidth.

But overall, there are not many noticeable differences between Gmail and Gmail Go, in terms of feature set.

That’s not always the case with the Go-branded apps. YouTube Go, for example, has several unique features, like the ability to download videos for offline viewing and to share videos with friends nearby. In Gmail Go’s case, however, the app has only been designed to meet the size and memory requirements of Android Go.

But we have learned why Google didn’t announce Gmail Go: the app is not going to be available to all users. Instead, Gmail Go will only be available to install from the Play Store, and for update purposes, on devices that already have Gmail Go pre-installed. For now, that means only Android O Go edition devices will have the ability to use the app.

If those users prefer, they can choose to install the regular Gmail app, too, and use both side-by-side.

Gmail Go is joining a growing list of Go edition apps, including YouTube Go, Files Go, Google Go, Google Maps Go and Google Assistant Go.


via:  techcrunch

Twitch launches always-on chat rooms for channels

Game streaming site Twitch is debuting an always-on chat room feature it’s simply calling “Rooms.” The addition was first announced at its developer event TwitchCon back in October, and was expected to launch before year-end. That timing shifted a bit, but the feature went live on Thursday across both web and mobile for Twitch users worldwide.

Rooms are custom chat spaces that are available from the channel page itself and can be set up by anyone on their own account. They’re found in the header of the Stream Chat on the creator’s channel, which is where Rooms are both created and joined.


Starting now, channel owners have the option to create a “Room” for a specific group of users – like their channels’ subscribers, moderators, followers, or others with a shared interest, like spoilers, for example. That latter use case represents a topic that would make sense to hide from the publicly accessible main group chat.


But Rooms can also be used by groups who may have otherwise dominated the main Stream Chat with unrelated messages, memes, or private jokes, or for any other topic of the creators’ choosing, whether related to gaming or not. More importantly, they allow the channel’s community to stay connected and chat even when the creator isn’t streaming.

At launch, creators can only host 3 Rooms, Twitch says.

To start a Room, the creator clicks the new “Rooms” menu in the Stream Chat, followed by “Create a Room.” They then give the Room a name and assign chat permissions. Moderators and Subscribers are set categories, so they’re automatically added to any Subscriber or Moderator Room. But if the Room is set to be open to Everyone, the viewer can choose to opt into it if they want to participate.

Moderator chats are always private but creators can choose to allow all viewers to preview their Subscriber chat Room, even if they can’t participate. This setting is available upon Room creation, via a toggle switch.

The launch follows other changes on Twitch in recent days, including new features to highlight a channel’s top fans and a notable update to Twitch’s community policies to crack down on hate speech, harassment and sexual content. Rooms could potentially help with those goals to some extent, since they allow people to move their back-and-forth messages out of the main chat into a sub-chat where their posts are less visible, or even invisible, to the general viewing audience. That doesn’t mean Twitch will tolerate hateful content in the sub-chats, but it could help by hiding posts that might otherwise have been misinterpreted by casual viewers who didn’t understand the context.

Twitch says the feature was something that was designed based on requests from the community, and will continue to be iterated on throughout the year.

Rooms will be rolling out starting the 15th.



via:  techcrunch

New iOS Bug Crashes Apple Devices, Blocks Access to Apps and iMessages

A new bug in certain versions of Apple’s operating system can cause iPhones, Macs and even Apple Watches to crash, blocking access to iMessages and other popular apps.

As reported by Italian blog Mobile World, the bug affects devices running iOS 11 when a character from the Indian language Telugu is received or simply typed in a text field.

“If the character is displayed within an application (WhatsApp, Twitter, etc.), the app in question will crash and will continue to close each time you try to start it,” warned Giuseppe Trippodi of Mobile World.

Other third-party apps, including Facebook Messenger, Gmail and Outlook for iOS, also become disabled when a message containing the symbol is received.

“The situation gets worse if someone sends you the symbol and iOS tries to show it in a notification. In this case, the entire [iOS] Springboard will be blocked,” said Trippodi.

According to Mobile World, the bug was also successfully reproduced on the latest versions of watchOS and macOS, immediately crashing apps like Messages, Safari, Notes and the App Store.

Fortunately, the beta version of iOS 11.3 already appears to resolve the issue.

The flaw was reported to Apple earlier this week but the tech giant has yet to respond in a statement.

Tom Warren, Feb 15, 2018, 6:00 AM: “Another iOS bug is crashing iPhones and disabling access to iMessage …”

This isn’t the first time Apple users have been inconvenienced by a major software bug. In 2016, a similar bug caused iOS devices to freeze when attempting to play a specific video in Safari.

More recently, just a few weeks ago, another bug in iOS 11 forced devices to restart repeatedly after 12:15 am. The bug was triggered by third-party apps using recurring local notifications, such as reminders.



via:  tripwire

What Are You Doing to Keep Your AWS S3 Data Private?

Leaky AWS S3 buckets have been spilling confidential information onto the public internet for years, and now anonymous hackers have created a search engine to make finding those exposed secrets even easier.

New on the scene is “BuckHacker.” The name is a portmanteau, stemming from the fact that it allows the hacking of “buckets,” which is the name for containers of data within Amazon Web Services Simple Storage Service (S3).

It is a tool designed to allow easy searching of information publicly available in AWS S3. It’s like a Google search just for S3, where up to seven percent of S3 buckets contain public data, according to recent research.

Although previous tools and techniques have been published for finding accidental S3 exposures, BuckHacker is notable for making the process simple, which leads us to our titular question: what are you doing today to keep the confidential data stored in your AWS S3 account private?

If you don’t have a firm answer to the question, there’s a good chance you could find yourself in the headlines as another data dump is discovered.

AWS S3 access control configuration is incredibly complex, and accidental public exposure is all too easy to allow. Every change to access control lists (ACLs) or the bucket policy can cause previously private data to become public. We went into deep detail on the complex nature of S3 access control in a previous post on preventing AWS storage breaches.

The perfect storm is created when configuration complexity is met with tools like BuckHacker, which make it easy for even non-technical attackers to find the leaks in your buckets.

What should you be doing about it? At a minimum, you must review all of the ACLs and bucket policies that affect access to your S3 storage, and keep reviewing them on a continual basis, since any change to either can alter what is exposed.

Use the principle of least privilege and do not over-grant access. A common mistake is granting access to the “Authenticated Users” group, which is effectively public: it covers every AWS account in the world, not just those in your own organization.

You should also continuously check for the public notification icon within the S3 dashboard, as this notification can alert you to an accidental exposure.

However, be warned. Although the AWS S3 dashboard performs an analysis of the access control mechanisms and will attempt to display a notification if your S3 buckets and objects are public, our testing has shown that the S3 public access notification is not always accurate.
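Because the console’s public notification cannot be relied on, it is worth doing the ACL and bucket-policy review yourself. The following Python is an added example, not code from the Tripwire post or any Tripwire product: it inspects the same JSON shapes that boto3’s get_bucket_acl() and get_bucket_policy() return, flagging grants to the AllUsers and AuthenticatedUsers groups and Allow statements with a wildcard principal. The sample ACL, policy, bucket name and VPC endpoint ID are constructed for illustration.

```python
"""Offline review of an S3 bucket's ACL and bucket policy for public access.

Added example, not code from the original post.  The input shapes match what
boto3's get_bucket_acl() and json.loads(get_bucket_policy()['Policy']) return,
but every value below is constructed sample data.
"""
import json

# The two ACL grantee groups that mean "the world".  AuthenticatedUsers is
# every AWS account in existence, not just the accounts in your organisation.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def acl_public_grants(acl):
    """Return [(who, permission)] for every ACL grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy):
    """Return [(sid, kind, actions)] for Allow statements with a wildcard principal.

    kind is "public" when nothing narrows the principal and "conditional" when
    a Condition block is present (e.g. aws:SourceVpce or aws:PrincipalOrgID).
    Conditional statements still need a human look: a condition can be tight,
    or it can be as good as no condition at all.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal JSON here
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        kind = "conditional" if st.get("Condition") else "public"
        findings.append((st.get("Sid", "<no Sid>"), kind, actions))
    return findings


def assess_bucket(acl, policy=None):
    """Combine both checks.  'public' is True only for unconditional exposure."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy) if policy else []
    public = bool(acl_findings) or any(k == "public" for _, k, _ in policy_findings)
    return {"acl": acl_findings, "policy": policy_findings, "public": public}


# --- constructed sample data (placeholder IDs and names) ---------------------
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}

CLEAN_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    # the "authenticated users" mistake described in the text
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}

LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "OpenRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}
  ]
}""")

if __name__ == "__main__":
    for name, acl, pol in [("clean", CLEAN_ACL, None), ("leaky", LEAKY_ACL, LEAKY_POLICY)]:
        print(name, json.dumps(assess_bucket(acl, pol), indent=2))
```

The static check is deliberately conservative: it reports conditional wildcard statements separately rather than calling them safe, and it does not model object-level ACLs, which can expose individual objects in a bucket whose bucket-level settings look clean. The definitive test remains the one the post describes, an unauthenticated HTTP request against each object.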

A tool like the Tripwire Enterprise Cloud Management Assessor can be used to automatically assess your AWS S3 buckets and objects to determine if they are exposed for anonymous access and even report on objects that have become newly exposed as might happen with an accidental access policy change.

The Cloud Management Assessor will scan each of the buckets and objects you have stored in Amazon S3 to retrieve metadata, file contents, policy and access control information. It will also monitor each of these gathered values for changes.

For a definitive test, the Cloud Management Assessor can even perform HTTP requests against each object in your S3 account to ensure you have complete knowledge of what is exposed and what isn’t.

We are unlikely to stop seeing AWS S3 data leaks anytime soon, especially with ever greater cloud adoption and tools like BuckHacker to exploit misconfigurations. AWS S3 access control is complex, and you must continuously evaluate the exposure of your private data in order to avoid becoming BuckHacked.


via:  tripwire

New Microsoft dashboard shows PCs at risk from Meltdown-Spectre

  • Microsoft has updated its Windows Analytics service to give IT pros an overview of how well protected their IT estate is against the Spectre and Meltdown security vulnerabilities.
  • A dashboard details which firmware, operating system, and AV compatibility updates are installed, disabled or need to be put in place.

Mitigating the Meltdown and Spectre security vulnerabilities has turned into a major headache for IT admins.

New patches to offset the risk from these flaws have introduced problems of their own, causing computers to slow down, reboot randomly or stop booting altogether, which in turn has resulted in fresh updates to disable the earlier problematic fixes.

The difficulty is that the Meltdown and Spectre security vulnerabilities are potentially too serious for any IT admin to ignore. Meltdown and Spectre are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone, allowing hackers to read sensitive information, such as passwords, from memory.

To help IT pros navigate the minefield of working out which Meltdown and Spectre patches they should and shouldn’t install on Windows machines, Microsoft has updated its Windows Analytics service.

The updated Windows Analytics dashboard, shown below, will break down which Meltdown and Spectre patches have been installed across an IT estate, in a Windows group or on an individual machine. The overview details which firmware, operating system and AV compatibility updates are installed, disabled or need to be put in place.


The Windows Analytics service dashboard.

Image: Microsoft


The service is available on Education, Enterprise and Pro editions of supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10, and requires an Azure Active Directory account to set up.

Microsoft also announced it has rolled the latest operating system and firmware updates to mitigate against Spectre and Meltdown-related attacks into its February Patch Tuesday update.

While Microsoft released an out-of-band update earlier this month to disable Intel’s buggy Spectre-related firmware update, this emergency patch is not included in the February bundle.

The fixes in the Patch Tuesday update will be automatically installed on most Windows PCs but will need to be manually enabled on Windows servers.

Intel has also updated its guidance on which systems are safe to apply its microcode updates to mitigate variant 2 of the Spectre vulnerability, broadening its advice to cover older Intel processors.



via:  techrepublic

Who Is Responsible for Your Cloud Security?

The cloud is a tremendous convenience for enterprises. Running a data center is expensive – doing so not only requires buying a lot of servers, cable and networking appliances but also electricity, labor costs, cooling and physical space.

Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud and Google’s Cloud Platform give businesses the benefits of having a data center without the expensive overhead and related hassles. Imagine how much more expensive it would be to launch a Software as a Service (SaaS) product if establishing the backend had to be done without the help of third-party cloud services?

Cloud services and the internet offer tremendous cost savings, efficiency and functionality. Unfortunately, putting your data on the internet exposes it to greater cybersecurity risks. It’s certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attack.

But when Amazon or Google owns the infrastructure and your enterprise owns the data, who is responsible for keeping your cloud services secure?


The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:

  • People
  • Information
  • Applications
  • Infrastructure

A cloud provider, such as Azure or AWS, typically provides infrastructure as a service (IaaS) and platform as a service (PaaS). The infrastructure is the physical components: computers, networks and networking appliances. The platform is all of that plus middleware components, such as databases. If the application you’re running is yours, the SaaS layer is your responsibility.


Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model.

Here’s what they say on the official AWS policy site:

AWS responsibility ‘Security of the Cloud’- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility ‘Security in the Cloud’– Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

So, in a nutshell, AWS will make sure that only authorized parties have physical access to their data centers. AWS will keep the pertinent network security appliances running, such as IPS devices, IDS devices and firewalls. They also monitor logs for security alerts and address any related issues of the security of the network itself.

If there’s a vulnerability in your code (which doesn’t belong to Amazon) and a cyber attacker exploits it, that’s on you.

AWS will let you know if there’s a security incident and will address the infrastructure related issues for you. Software-related compliance and incident matters are your responsibility as the customer who owns the product which is running in AWS’ cloud. Access management pertaining to your application is up to you to protect.


You’re responsible for the security of your software in the cloud, but you don’t have to do it alone. Securing your applications is a lot of work; it’s a 24/7 job!

You should consider deploying a third-party cloud security solution. Configuration management, vulnerability management and log management can be better handled with the help of a company that has specific expertise with these security services. Don’t try this at home, kids!

I also strongly recommend that you download Tripwire’s free whitepaper on Securing AWS Cloud Management Configurations, especially if you’re considering AWS as your cloud provider.


via:  tripwire

Best Practices in Healthcare Information Security

Some of the most common phrases that come out of information security professionals’ mouths include: “Well, that did not work” and “The project fell apart, and I don’t know what I could have done better.”

The pain of not knowing what security best practices your team can/should implement can cost the company time and money. It could also end up affecting the customer and making the business liable for damages that take years to pay off.

When it comes to healthcare information security, there are tons of ways of doing business. No matter what you implement, some of the results just do not come out the way you expected. So, the question is as follows: “What are the top best practices in healthcare information security?”


Technical Perspective:

Train, train and train some more. Ensuring your staff is up-to-date on the latest threats out there is a great way to make everyone “eyes and ears” for the company. Empower them with information security education to let them know they have skin in the game, as well.

Domain Access:

Not everyone needs domain access. It does not matter if a person has a high title or several initials after their name; that doesn’t mean they should have domain access. Furthermore, handing those keys to the king or queen is an even worse idea: it only makes the target on their back bigger.


If the company allows BYOD, then ensure that some sort of MDM solution is in place that containerizes the session when an employee accesses PHI and/or any PII. One thing to watch for in the MDM space is developer mode: if it is left enabled on a device, it can render the controls provided by the MDM tool null and void, so make sure the MDM disables it.


Do not only do “security” by checkboxes. Make sure all AV installations actually work, are up-to-date, and contain the correct configurations.

Change management and tracking are needed:

It does not matter how small or big the company is, change management is needed, even if it lives in an Excel spreadsheet. The smaller the business, the more it needs that record to figure out where to roll back to. For bigger companies, one would hope there is enough tracking, monitoring, and enough checks and balances in place that change management is effectively integrated and fully adopted.


Remove All Ego:

Time and time again, there are experts in the industry that think they know it all. But at the end of the day, you are going to have to work with others and play nice. So remove your ego, get that chip off your shoulder, and provide value to the project, organization and/or job duty.

Security Domains Are There for a Reason:

No matter how you label them or name them, security domains are there for a reason – adhere to them. Respect and understand it as a baseline minimum. You might not have to like it, but it is there for a reason.

Be as Transparent as You Can Be:

Granted, there are some areas of information security where you cannot disclose information. However, if everyone knows what everyone is doing and how they are doing it, the business can move along a lot faster and smoother. In recent projects, I have seen staff members hoarding information in the belief that it would mean job security. That is the wrong approach. Allow your team and/or business to know the status of a project and/or the business; doing so will sow the seeds of trust and respect.

Small or Big, Know your Medical Regulations, Rules and Laws:

Know your line of business, and furthermore, know the law that your line of business is going to be held to. The law is the law, so know it and the regulations, rules and guidelines.

When adopting some of these recommendations, please take into consideration your business and your business needs.


via:  tripwire

New PoS Malware Exfiltrates Credit Card Details via DNS Server

Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server.

According to security firm Forcepoint, the malware – dubbed “UDPoS” – is unusual in that it generates a large amount of UDP-based DNS traffic to exfiltrate magnetic stripe payment card details.

“Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications; however, DNS is still often treated differently, providing a golden opportunity to leak data,” explained Forcepoint in a detailed blog post.

Security researchers noted that, as of this writing, detection rates for the malware are still very low for the monitor component, citing that “visibility is always an issue with non-traditional malware.”

“Samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems,” the researchers added.
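The visibility gap Forcepoint describes can be narrowed on the network side, where DNS from a PoS terminal is observable even if nothing runs on the terminal itself. The following Python is an added example, not code from Forcepoint or from the malware: it reads resolver query log lines, groups them by source host and registered domain, and flags groups that look like a tunnel (many queries, nearly all unique, long subdomain payloads, high entropy). The log format, hosts and domains are constructed for the example; this page does not describe UDPoS’s actual query layout, so the sample only reproduces the property the text names, a burst of UDP DNS queries carrying data in subdomain labels.

```python
"""Heuristic detection of DNS-tunnelled exfiltration from resolver query logs.

Added example, not code from Forcepoint or from the malware.  The log lines,
hosts and domains are constructed; only the traffic shape the article
describes (many UDP DNS queries carrying data in subdomain labels) is modelled.
"""
import hashlib
import math
import re
from collections import defaultdict

# Constructed log format: "<epoch> <src_ip> <proto> <qtype> <qname>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(UDP|TCP)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s; hex/base32/base64 payloads score near the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name (simplified; ignores public-suffix rules)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, proto, qtype, qname = m.groups()
    qname = qname.rstrip(".").lower()
    zone = registered_domain(qname)
    payload = qname[: -len(zone)].rstrip(".")   # everything left of the zone
    return {"ts": int(ts), "src": src, "proto": proto, "qtype": qtype,
            "qname": qname, "zone": zone, "payload": payload}


def score_flows(lines, min_queries=20, min_unique_ratio=0.9,
                min_avg_payload_len=30, min_entropy=3.5):
    """Group queries by (src, zone) and return the groups that look like tunnels.

    All four thresholds must be met: many queries, almost all unique (the data
    changes every query), long subdomain payloads, and high entropy.  Ordinary
    CDN/API lookups fail on uniqueness or payload length.  The UDP share is
    reported for context because the article singles out UDP-based DNS.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["zone"])].append(rec)

    alerts = []
    for (src, zone), recs in groups.items():
        payloads = [r["payload"] for r in recs]
        n = len(recs)
        unique_ratio = len(set(payloads)) / n
        avg_len = sum(len(p) for p in payloads) / n
        ent = shannon_entropy("".join(payloads))
        udp_share = sum(r["proto"] == "UDP" for r in recs) / n
        if (n >= min_queries and unique_ratio >= min_unique_ratio
                and avg_len >= min_avg_payload_len and ent >= min_entropy):
            alerts.append({"src": src, "zone": zone, "queries": n,
                           "unique_ratio": round(unique_ratio, 2),
                           "avg_payload_len": round(avg_len, 1),
                           "entropy": round(ent, 2), "udp_share": round(udp_share, 2)})
    return alerts


def sample_log():
    """Constructed resolver log: one normal host and one exfiltrating PoS host."""
    lines = []
    # Normal traffic: a few repeated names, short labels, low entropy.
    for i in range(30):
        lines.append(f"{1518700000 + i} 10.0.5.20 UDP A www.example-shop.invalid")
        lines.append(f"{1518700000 + i} 10.0.5.20 UDP A api.example-shop.invalid")
    # Exfil traffic: 40 queries, each carrying a different hex blob standing in
    # for encoded card data, all sent to one attacker-controlled zone.
    for i in range(40):
        blob = hashlib.sha256(f"track2-chunk-{i}".encode()).hexdigest()[:32]
        lines.append(f"{1518700100 + i} 10.0.7.41 UDP A {blob[:16]}.{blob[16:]}.c2-example.invalid")
    return lines


if __name__ == "__main__":
    for alert in score_flows(sample_log()):
        print(alert)
```

The thresholds are starting points, not tuned values; in production they belong in a per-zone allowlist and a baseline built from the environment’s own DNS history, and the registered-domain split should use a public-suffix list rather than the last two labels.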

Luke Somerville, head of special investigations at Forcepoint, told Dark Reading that the company has found no evidence showing UDPoS is currently being leveraged by cybercriminals.

Nonetheless, when analyzing the threat, one of the command and control servers communicating with the malware was active and responsive, which may suggest that the authors were at least prepared to deploy it in the wild, said Forcepoint.

LogMeIn issued an alert this week, warning users of the phishing scam:

This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.

As always, users are advised to follow standard best practices to safeguard their accounts against phishing and social engineering, such as using two-factor authentication, setting strong passwords and remaining vigilant of suspicious activity.


via:  tripwire

Amazon said to launch delivery service to compete with UPS and FedEx

Amazon is gearing up to compete directly with UPS and FedEx, according to a new Wall Street Journal report. The so-called “Shipping with Amazon” program will be an end-to-end shipping solution, with pickups from businesses and shipments made to consumers, per the report.

The timeframe for rollout is soon, too: Amazon is said to be readying the service for its first launch in LA in the “coming weeks,” starting, not surprisingly, with companies that sell stuff via its website. After its initial launch in LA, Amazon will look to expand it out to other cities, possibly as soon as later this year, the WSJ says.

Of course it makes sense that Amazon would extend its service to third-party merchants working on its ecommerce platform, but the report goes further, saying Amazon would eventually like to offer shipping services to basically any other business, too – with the goal of undercutting both UPS and FedEx on rates.

This should not be surprising to anyone following Amazon’s moves on the logistics front – the retail giant has its own fleet of cargo jets, its own warehouses, its own last-mile contract couriers and can even act as an ocean shipping agent, just like both FedEx and UPS. It’s been reported for a while now that Amazon would eventually compete directly with its longstanding delivery partners.

Neither UPS nor FedEx seem to be especially taken aback by this, based on their non-comment comments in the WSJ report. For now, at least, Amazon will still definitely have to rely on its shipping partners to make things work.


via:  techcrunch