Monthly Archives: April 2018

ISO/IEC 27001 and Why It Matters for Your Business

ISO/IEC 27001 is a standard for information security management systems (ISMS) created by the International Organization for Standardization and the International Electrotechnical Commission, both independent, non-governmental organizations. ISO/IEC 27001 is part of the broader ISO/IEC 27000 family, a set of standards designed to “[help] organizations keep information assets secure.”

As we’ll discuss below, the 27001 specification is incredibly important for businesses. From internally auditing your security posture to externally receiving certifications, the specific points within ISO/IEC 27001 should play an active role in managing your business’ data and information security.

What is ISO/IEC 27001?

ISO/IEC 27001 provides standards for enterprises, governments and other organizations to use and maintain their information security management systems. As the ISO defines it, an ISMS is a systematic approach to securing sensitive company information. This can be anything from financial data to intellectual property to employee details to third-party information. And although it has the word ‘system’ in it, an ISMS isn’t constrained to just technology. People and processes are an equally important part of securing information your business uses day-in and day-out.

Because ISO is a non-governmental organization that writes general compliance principles, not instructions for implementing them, it has no authority of its own to enforce “violations” of its standards. That said, many institutions that do have legal or regulatory authority rely on it for guidance, which is why it has been called the “umbrella” for ISMS policies.

WHO CARES?

If your business wants to comply with a specific set of industry standards, it’s highly likely that ISO/IEC 27001 plays a role, or at least offers similar high-level guidance. This is the case with everything from J-SOX in Japan to the Data Protection Directive (DPD) in Europe (soon to be replaced by the GDPR) to the Payment Card Industry Data Security Standard (PCI DSS) that applies to anyone handling card payments. Many regulations that already apply to your organization can be satisfied more easily by following the ISO/IEC 27001 guidelines.

You can also be certified directly against the standard: an accredited certification body audits your business’s ISMS and issues the certificate. Not only does this improve your brand image with clients, it also makes you stand out from (or catch up with) your competitors. A certificate can help attract technical staff and give other organizations a reason to partner with you. If others can trust how you manage and secure your information, that’s a huge benefit for your business, and ISO/IEC 27001 strengthens such trust.

(In the event none of that is convincing, check these statistics: by the end of 2016, well over 1.6 million ISO/IEC certificates were recorded worldwide – over 33,000 of them specifically for ISO/IEC 27001.)

WHAT EXACTLY DOES ISO/IEC 27001 SAY?

ISO/IEC 27001 uses a top-down, risk-based approach to information security management systems. One of its strongest features is that it’s not technology-specific – it doesn’t matter which devices or operating systems your business is running; you can still apply the standard’s principles.

As already mentioned, the standard outlines high-level planning and processes. For instance, clause 6 deals with planning, which includes information security risk assessments and general security objectives; clause 8 deals with operation, including the execution of security goals and the regular testing of those goals (i.e. setting and evaluating benchmarks); and clause 9 focuses entirely on performance evaluation, including monitoring, analysis, internal audits, and management reviews.

The standard’s Annex A then goes into more detail on particular security controls, from information transfer procedures to clock synchronization to password management. This detail is designed to help businesses plan out their security policies in a checklist-oriented fashion.

For instance, an access control policy written to satisfy the standard’s access control requirements typically has the following structure:

  1. Introduction
  2. Policy Statement
  3. Roles and Responsibilities
  4. Information/Systems Access
  5. User Registration/De-Registration
  6. Secure Log-On Requirements
  7. Physical Access Controls

As numerous security experts have pointed out, ISO/IEC 27001 compliance is important for everyone from IT staff all the way to CEOs. Businesses can use the standards to establish high-level security policies that then cascade down the organization, turning into more detailed procedures at each level (e.g. translating from policy goals into operational tasks into technical rules).

NEXT STEPS?

Much like many regulatory guidelines, ISO/IEC 27001 isn’t exactly light reading. The documentation is long, detailed, and complex. It should be clear at this point, though, that such compliance is incredibly important.

You should turn to an ISO/IEC 27001 expert to audit your organization and lay out the steps to compliance; filling existing gaps is especially important. It’s possible to do this yourself, but it will likely take significantly more time and money than the alternative. Once you are compliant, invest resources in getting certified and staying certified. If there’s one thing we know for certain in cybersecurity, it’s that stagnancy is death, so constantly reassessing policies and procedures to strengthen the ISMS is essential.
via:  tripwire

In re Zappos: The 9th Circuit Recognizes Data Breach Harm

In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm.  The case arises out of a breach where hackers stole personal data on 24 million+ individuals.  Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not.  The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.

Standing is a requirement in federal court: plaintiffs must allege that they have suffered an “injury in fact,” an injury that is concrete, particularized, and actual or imminent.  If plaintiffs lack standing, their case is dismissed and can’t proceed.  For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm.  The key precedent is Clapper v. Amnesty International USA, 568 U.S. 398 (2013).  In that case, the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance and concluded that they were merely speculating about possible future harm.

Early on, most courts rejected standing in data breach cases.  A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  There, the court held that an increased future risk of harm could be sufficient to establish standing.

Then along came Clapper, adding ammunition to the courts rejecting standing.  Courts found no standing in cases brought by plaintiffs with a theory that a breach resulted in an increased risk of future harm.

But in the past few years, some courts have begun to embrace the theory that an increased risk of future harm is a sufficient injury to satisfy the standing requirement.  In Zappos, the defendants argued that Clapper rejected the theory in Krottner, and thus that Krottner should no longer be viable.  The 9th Circuit, however, held that Clapper didn’t reject the risk-of-future-injury theory entirely, only where there wasn’t a “substantial risk that the harm will occur.”

The Zappos court concluded that in the Zappos breach, there was such a substantial risk.  The court reasoned that the “information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used ‘the same or a similar password.’”

Now, there’s a major circuit split on the issue of whether the increased risk of future harm can be sufficient for standing.  Here’s a chart of some of the cases in the split over the past few years:

[Chart: Standing for Data Breach Harm]

For those of you who are interested in the issue of data breach harm, I recently published an article about it:

Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018)

Here’s a post that summarizes the article:

via:  teachprivacy

Cloud vs. On-Premises: Understanding the Security Differences

More and more organizations are now entrusting their IT resources and processing to the cloud. This trend is likely to grow in the coming years. To illustrate, Gartner predicts that cloud data centers will process 92 percent of workloads by 2020. Cloud workloads are expected to increase 3.2 times in that same span of time, Cisco forecasts.

With migration on their minds, many organizations are waking up to the security challenges of hosting their data in the cloud. Some might be struggling to identify who is responsible for what under the shared responsibility model with their chosen cloud service provider (CSP). Others might be looking at the 2017 OneLogin breach and worrying about falling victim to an incident that compromises their cloud-based data, not to mention the other threats that jeopardize cloud security.

These concerns are all valid. But while cloud security does have its challenges, it’s not impossible to figure out.

Australian web security expert Troy Hunt recommends that organizations begin by not thinking about cloud security in binary terms. He suggests treating aspects of the cloud as “differently secure” rather than as “secure” or not, and the same goes for securing the cloud versus securing physical hardware and datacenters.

“On the one hand, you may hand over physical control, but on the other hand, you’re almost certainly doing so to an organization better-equipped to manage computing environments than your own,” Hunt observes. “Then there are concerns around the increased attack surface of putting services in the cloud, but there’s great things that can be done with virtualized networks and access to features that were previously cost-prohibitive for many organizations (WAFs, HSMs, etc.). So think of the cloud as ‘different’ and make the most of those hybrid scenarios where you can gradually move assets across in a fashion that suits your own organization’s comfort level.”

The cloud is certainly different from on-premises resources, so it makes sense that security would be different, too. It follows that organizations must sometimes rethink how they’re currently doing things with respect to implementing security in the cloud.

Adrian Sanabria, Director of Threatcare, says companies can’t just “lift and shift” to Amazon Web Services (AWS) or Microsoft Azure without inviting a very expensive disappointment. Instead they must pay attention to the differences and use them. For Sanabria, one of the most important differences in the cloud is the management plane:

“Since everything in the cloud is virtualized, it’s possible to access almost everything through a console. Failing to secure everything from the console’s perspective is a common (and BIG) mistake. Understanding access controls for your AWS S3 buckets is a big example of this. Just try Googling “exposed S3 bucket” to see what I mean.”
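The following Python code is an added example, not from the original article or from Sanabria, of the check his remark implies: the two places an S3 bucket can be opened to the world through the console or API are the bucket policy and the bucket ACL. The policy documents and ACL grants below are constructed samples shaped like the JSON that `aws s3api get-bucket-policy` and `get-bucket-acl` return; the bucket name, account ID and role name are placeholders.

```python
import json

# Well-known ACL grantee URIs that make a bucket readable by anyone, or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True if a policy statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def public_policy_findings(policy: dict) -> list:
    """One finding per Allow statement with a wildcard principal. Statements that
    narrow the wildcard with a Condition are flagged for review, not as public."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # e.g. aws:SourceIp or aws:SourceVpce may still be too broad, so a human should look.
            findings.append("REVIEW: wildcard principal restricted by Condition: "
                            + json.dumps(stmt["Condition"], sort_keys=True))
            continue
        actions = ", ".join(as_list(stmt.get("Action", [])))
        findings.append(f"PUBLIC: {actions} allowed to any principal on {stmt.get('Resource')}")
    return findings


def public_acl_findings(grants: list) -> list:
    """One finding per ACL grant to one of the public groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"PUBLIC: ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEE_URIS[uri]}")
    return findings


def audit_bucket(policy: dict, grants: list) -> list:
    """Combine policy and ACL findings; an empty list means no public access was found."""
    return public_policy_findings(policy) + public_acl_findings(grants)


# Constructed sample: the weak configuration that "exposed S3 bucket" searches turn up.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
OPEN_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]

# Constructed sample: the corrected configuration, limited to one role in the account (placeholder ARN).
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
LOCKED_GRANTS = [OPEN_GRANTS[0]]

if __name__ == "__main__":
    for name, pol, acl in (("open", OPEN_POLICY, OPEN_GRANTS), ("locked", LOCKED_POLICY, LOCKED_GRANTS)):
        print(name, audit_bucket(pol, acl) or ["no public access found"])
```

Run it against the real documents by loading the JSON returned by `get-bucket-policy` and the `Grants` array from `get-bucket-acl`; the S3 Block Public Access account setting is the control that stops these misconfigurations from taking effect in the first place, but the check above is what tells you which buckets would be exposed if it were switched off.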

Consoles aren’t the only factor that separates the cloud from physical hardware. Craig Young, a security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), says the ways in which organizations can choose to process data in the cloud also stand out:

“Cloud service providers allow customers to build complex private network environments suitable for processing even the most sensitive data. The confidentiality of this data rests on security controls unlike those commonly used on-premise, and a slight mistake can ultimately expose this sensitive data to the public Internet. Network administrators need to keep a close eye on the external view of all IP space allocated for their cloud. Vulnerability scanners like Tripwire IP360 make it easy to recognize exposed services and close them up before attackers can exploit them.”

Understanding how cloud security differs from datacenter security is crucial for organizations, not only to migrate to the cloud but also to implement security controls correctly once the move is complete.

via:  tripwire

Amazon rolls out remote access to its FreeTime parental controls


Amazon is making it easier for parents to manage their child’s device usage from their own phone, tablet, or PC with an update to the Parent Dashboard in Amazon FreeTime. Since its launch in 2012, Amazon’s FreeTime Unlimited has been one of the better implementations of combining kid-friendly content with customizable profiles and parental controls. Today, parents can monitor and manage kids’ screen time, time limits, daily educational goals, device activity, and more while allowing children to access family-friendly content like books, videos, apps and games.

Last year, Amazon introduced a Parent Dashboard as another means of helping parents monitor screen time as well as have conversations with kids about what they’re doing on their devices. For example, if the child was reading a particular book, the dashboard might prompt parents with questions they could ask about the book’s content. The dashboard also provided a summary of the child’s daily device use, including what books were read, videos watched, apps or games played, and websites visited, and for how long.

According to a research study Amazon commissioned with Kelton Global Research, the company found that 97 percent of parents monitor or manage their kids’ use of tablets and smartphones, but 75 percent don’t want to hover over kids when they’re using their devices.

On Thursday, Amazon addressed this with an update that lets parents configure the parental control settings remotely from the online Parent Dashboard, managing the child’s device from a phone, tablet or computer.

The controls are the same as those available through the child’s device itself. Parents can set a device bedtime, daily goals and time limits, adjust their smart filter, and enable the web browser remotely. They can also remotely add new books, videos, apps and games to their child’s FreeTime profile, and lock or unlock the device for a set period of time.

The addition comes following last year’s launch of FreeTime on Android, and Google’s own entry into the parental control software space with the public launch of Family Link last fall. Apple also this year made vague promises about improving its existing parental controls in the future, in response to pressure from two Apple shareholder groups, Jana Partners LLC and the California State Teachers’ Retirement System.

With the increased activity in the parental control market, Amazon’s FreeTime may lose some of its competitive advantages. Amazon also needed to catch up to the remote control capabilities provided with Google’s Family Link.

There are those who argue that parental controls that do things like limit kids’ activity on apps and games or turn off access to the internet are enablers of lazy parenting, where devices instead of people are setting the rules. But few parents use parental controls in that fashion. Rather, they establish house rules then use software to remind children the rules exist and to enforce them.

The updated FreeTime Parent Dashboard is available via a mobile-optimized website at parents.amazon.com.

via:  techcrunch

Panera Bread’s Website Reportedly Leaked Millions of Customer Records

The personal information of millions of Panera Bread customers was reportedly left exposed online for at least eight months.

According to reports, the popular US bakery-café chain, which operates over 2,100 locations, was first alerted to the data leak back in August 2017.

As reported by security journalist Brian Krebs, researcher Dylan Houlihan contacted the company and was told it was “working on a resolution.” However, the issue remained unfixed.

The leaked records – exposed in plain text – appeared to belong to customers who had signed up for an account to place an order online at panerabread.com.

The data included customer names, email addresses, physical addresses, dates of birth and loyalty card numbers, as well as the last four digits of credit card numbers.

Panera Bread acknowledged the breach on Monday, telling Fox Business that 10,000 customer records were impacted.

The St. Louis-based company released the following statement:

“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Meanwhile, Krebs claims Panera’s remediation continued to leave the data exposed for some time afterward.

“The vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appear to exceed 37 million,” wrote Krebs.

Tim Erlin, VP of product management and strategy at Tripwire, adds that the incident serves as a reminder that “security is often as much about response as prevention.”

“Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during,” said Erlin.

via:  tripwire

Walmart is reportedly in early-stage acquisition talks with Humana

Walmart has begun discussing a possible acquisition of health insurer Humana, The Wall Street Journal first reported Thursday citing people familiar with the matter. Reuters also reported the companies are discussing a partnership, but that a full acquisition is also possible.

Shares of Humana soared as much as 13 percent in after-hours trade on Thursday. Walmart shares edged slightly lower in extended trade.

The newspaper said that details of the potential deal were not immediately clear and that it’s possible one may not materialize.

Walmart said in a statement to CNBC that it doesn’t comment on rumors and speculation. Humana did not immediately respond to CNBC’s request for comment.

As of their Thursday close, Humana had a market value of about $37 billion, according to FactSet. Shares of the insurer have surged 30 percent in the past year, while Walmart shares have jumped more than 25 percent.

The news comes amid a rush of deal chatter as insurers are under pressure to lower medical care costs.

In December, CVS Health announced a $69 billion deal to buy insurer Aetna. That deal would combine CVS pharmacies, pharmacy benefit manager platform and Aetna’s insurance business.

Online retail giant Amazon has pledged to partner with J.P. Morgan and Berkshire Hathaway to tackle rising employee health-benefit costs. CNBC has also reported that Amazon has participated in exploratory talks with generic-drug makers.

via:  cnbc

U.S. Department of Defense Kicks Off Fifth Bug Bounty Challenge With HackerOne

The DoD Invites Hackers to Test Enterprise System Security Used for Global Operations.

HackerOne, the leading hacker-powered security platform, today announced the fifth U.S. Department of Defense bug bounty program. The program opened registration on April 1, 2018, scheduled to conclude on April 29, 2018, and will focus on a Department of Defense (DoD) enterprise system relied on by millions of employees for global operations.


“The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at Defense Manpower Data Center. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”

To be eligible to participate in the bug bounty challenge, members of the public must be United States taxpayers, or citizens of or eligible to work in the United Kingdom, Canada, Australia or New Zealand. U.S. government active military members and contractor personnel are also eligible to participate but not eligible for financial rewards. See full eligibility requirements and register here.

“Millions of government employees and contractors use and rely upon key enterprise systems every day,” said Reina Staley, Chief of Staff at Defense Digital Service. “Any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission. These bug bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”

Since the Hack the Pentagon program kicked off in 2016, over 3,000 vulnerabilities have been resolved in government systems. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions. The second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers. Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000, and Hack the Pentagon in May 2016 resulted in 138 valid vulnerabilities resolved and tens of thousands paid to ethical hackers for their efforts. Hack the Air Force 2.0 demonstrates continued momentum of the Hack the Pentagon program beyond just its first year, as well as a hardened attack surface.

“The most security mature organizations look to others for help,” said Alex Rice, co-founder and CTO at HackerOne. “The Department of Defense continues to innovate with each bug bounty challenge, and the latest challenge is no exception. We’re excited to bring a fresh, mission-critical asset to the hacker community with the goal of protecting the sensitive government data it contains.”

via:  businesswire

Best Certifications to Become Professional Penetration Tester

Professional penetration testing, also called ethical hacking, is one of the most exciting IT jobs a person can have. You are paid to keep up with the latest technology and get to “break in” to computers without the risk of being arrested. There is little downside: as long as you do a competent job, the person who hired you will be happy with the result. If you manage to break into their assets, they get the chance to close the gaps before malicious actors discover them. If you fail to break in, it means either that the system is well secured or that your skills were not up to the task.

Most professional penetration testers become “pen testers” in one of two ways: they either pick up hacking skills on their own or they take formal training classes. Below we discuss some of the best-known certification courses for learning penetration testing and landing a job in the field.

Certification isn’t strictly necessary to learn a new skill, but earning one demonstrates to potential employers that you have absorbed enough of a curriculum to pass a knowledge test on the material. Moreover, some employers prefer or require particular certifications for particular positions.

First, let’s talk about the difference between a penetration tester and a vulnerability assessor.

There’s a lot of confusion about the difference between penetration testers and vulnerability assessors.

Penetration tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.

Vulnerability assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply needs help identifying and prioritizing them.

In simple terms, vulnerability assessors are list-oriented and pen testers are goal-oriented.

Now for those certifications.

Certified Ethical Hacker

The EC-Council’s Certified Ethical Hacker (CEH) is effectively the oldest and most widely known penetration testing course. The official course, which can be taken online or with a live in-person instructor, covers 18 subject domains including traditional hacking topics as well as modules on malware, wireless, cloud and mobile platforms. The full remote course costs $1,850 and includes six months of access to the online Cyber Range iLab, which lets students practice more than 100 hacking labs. For comparison, CBT Nuggets offers CEH training for $80 per month, which includes many other exam preparation courses.


SANS GPEN

The SysAdmin, Audit, Network and Security (SANS) Institute is a highly regarded training organization, and anything it teaches, along with its certifications, is well respected by IT security practitioners. SANS offers several pen testing courses and certifications, but its baseline GIAC Penetration Tester (GPEN) is one of the most popular.

The official course for the GPEN, SEC560: Network Penetration Testing and Ethical Hacking, can be taken online for $5,910 or live in person for $6,260. The GPEN exam costs $1,699 per attempt. It has 115 questions, a three-hour time limit, and requires a score of 74 percent to pass. No particular training is required for any GIAC exam. The GPEN is backed by GIAC’s general code of ethics, which GIAC takes seriously, as attested by its running count of exam passers who have been disqualified for violating the code.

Offensive Security Certified Professional (OSCP)

The Offensive Security Certified Professional (OSCP) certification has been around for a little more than 10 years and has earned a strong reputation for toughness, with an extremely hands-on learning structure and exam. The official online, self-paced $800 training course is called Penetration Testing with Kali Linux and includes 30 days of lab access. Because it is based on Kali Linux (the successor to pen testers’ favorite Linux distribution, BackTrack), participants need a basic understanding of how to use Linux, bash shells and scripts.

CREST

Internationally, the pen test courses and exams of CREST, a not-for-profit information assurance accreditation and certification body, are recognized in many countries, including the United Kingdom and Australia and across Europe and Asia. CREST’s mission is to train and certify quality pen testers. All CREST-approved exams have been reviewed and approved by the UK’s Government Communications Headquarters (GCHQ), which is analogous to the United States’ NSA.

CREST’s basic pen testing exam is known as the CREST Registered Tester (CRT), and there are exams for web and infrastructure pen testers. Exams and fees vary by country; in Australia, for instance, the CRT exam costs $1,000. CREST candidates must review and acknowledge the CREST Code of Conduct. The Offensive Security OSCP certification can be used toward obtaining the CRT.

People sitting in a non-certification class are often checking email, surfing the web and not paying attention. People sitting in certification classes are usually paying attention, listening and asking questions. Employers know the difference, so a candidate with a certification tends to get priority over one without. Moreover, in ethical hacking and cybersecurity, employers always look for skilled candidates who know how to perform effectively.

via:  academy.ehacking

Alphabet’s Outline lets you build your own VPN

The easiest way to control your own VPN server.

Alphabet’s cybersecurity division Jigsaw released an interesting new project called Outline. If I simplify things quite a lot, it lets anyone create and run a VPN server on DigitalOcean, and then grant your team access to this server.

I played a bit with Outline and it’s an interesting product. There are two components, a managing app and a client. Let’s start with the manager.

Right now, the manager is available on Windows and Linux, with a macOS version coming soon. It’s an Electron app so it feels like using a web app. By default, Outline recommends that you use DigitalOcean, a well-known cloud hosting provider.

You can also install the Outline server on another host you control, but that’s not really the point of Outline. Outline is about making it as easy as possible to run your own server; otherwise you’d already be using Algo VPN or Streisand.

If you choose DigitalOcean, the app opens a web view and asks you to enter your login, password and one-time password. After that, you need to let Outline use the DigitalOcean API. And that’s all you need to do during the initial setup process.

Now let’s create a VPN server. Outline automatically chooses the cheapest droplet on DigitalOcean, which costs $5 per month for 1TB of transfer data (somehow, Outline says you get 500GB). DigitalOcean currently has data centers in 8 different cities — Amsterdam, Singapore, Bangalore, Frankfurt, London, San Francisco, Toronto and New York.

After selecting a city, the managing app automatically downloads a Docker image and creates a server on DigitalOcean based on this Docker image. Software on the server will be automatically updated every hour. Your DigitalOcean server will also automatically perform security updates for the operating system and reboot the server if necessary.

Now let’s go back to the computer you’re currently using. You can now control your VPN server from the managing app. By default, Outline only generates one key for you. But you can add more users and invite your coworkers to use your server.

You can use the managing app to create more servers, delete a server or delete users if they don’t need access to your server anymore. The app also tells you how much bandwidth each user has used.

The invite page is just a static webpage hosted on Amazon S3 with two things. First, the page invites you to download the Outline client on your phone or computer. Second, the key is in the URL. Your browser displays the key when you load the page.

That’s why you shouldn’t invite your friends using an unencrypted method — don’t use Facebook, don’t use emails. Remember that the key will also be stored in your browser history.
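To make concrete why the invitation link is sensitive, here is an added example that is not Outline’s or Jigsaw’s code. Outline access keys are Shadowsocks `ss://` URIs; the parser below handles the current SIP002 layout (base64 of `method:password`, then host and port in the clear) and the older all-base64 layout, and then derives the master key the way Shadowsocks does (OpenSSL’s EVP_BytesToKey with MD5 and no salt). Everything needed to use the server is in the URI, so anything that records the URL (chat history, mail, browser history, the invite page’s web-server logs) records the credential. The sample keys, server addresses and passwords are constructed; the exact URL layout of the Outline invite page is not reproduced.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

# Master key sizes (bytes) of the AEAD ciphers Shadowsocks clients commonly accept.
KEY_SIZES = {"chacha20-ietf-poly1305": 32, "aes-256-gcm": 32, "aes-128-gcm": 16}


def b64decode_loose(s: str) -> bytes:
    """Decode URL-safe or standard base64, with or without '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_access_key(key: str) -> dict:
    """Split an ss:// access key (SIP002 or legacy form) into its parts.

    Both forms carry the cipher method and the password inside the URI itself.
    """
    if not key.startswith("ss://"):
        raise ValueError("not an ss:// key")
    body = key[len("ss://"):]
    tag = None
    if "#" in body:
        body, tag = body.split("#", 1)
        tag = unquote(tag)
    if "@" in body:
        # SIP002: only method:password is base64; host, port and plugin are in the clear.
        userinfo, hostpart = body.split("@", 1)
        method, password = b64decode_loose(userinfo).decode("utf-8").split(":", 1)
        parts = urlsplit("ss://" + hostpart)
        host, port = parts.hostname, parts.port
        query = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
        plugin = unquote(query["plugin"]) if "plugin" in query else None
    else:
        # Legacy: the whole "method:password@host:port" string is base64.
        decoded = b64decode_loose(body).decode("utf-8")
        cred, hostpart = decoded.rsplit("@", 1)
        method, password = cred.split(":", 1)
        host, port_s = hostpart.rsplit(":", 1)
        port, plugin = int(port_s), None
    return {"method": method, "password": password, "host": host, "port": port,
            "plugin": plugin, "tag": tag}


def evp_bytes_to_key(password: str, key_len: int) -> bytes:
    """EVP_BytesToKey with MD5, no salt, one iteration: D1 = MD5(pw), Di = MD5(Di-1 || pw),
    concatenated and truncated to key_len. This is how Shadowsocks turns the password
    into the master key, so the password in the URI *is* the key."""
    data = password.encode("utf-8")
    chain, prev = b"", b""
    while len(chain) < key_len:
        prev = hashlib.md5(prev + data).digest()
        chain += prev
    return chain[:key_len]


def master_key(parsed: dict) -> bytes:
    return evp_bytes_to_key(parsed["password"], KEY_SIZES[parsed["method"]])


def redacted(parsed: dict) -> str:
    """A form safe to paste into a ticket or log: server identity without the secret."""
    return (f"{parsed['method']}@{parsed['host']}:{parsed['port']} "
            f"(password: {len(parsed['password'])} chars, hidden)")


# Constructed sample keys (not real servers). SIP002 form with a URL-encoded tag:
SAMPLE_KEY = ("ss://" + base64.urlsafe_b64encode(b"chacha20-ietf-poly1305:correct-horse").decode().rstrip("=")
              + "@198.51.100.7:8388#Team%20server")
# Legacy form, everything base64:
LEGACY_SAMPLE_KEY = "ss://" + base64.b64encode(b"aes-256-gcm:pw@example.net:443").decode()

if __name__ == "__main__":
    for k in (SAMPLE_KEY, LEGACY_SAMPLE_KEY):
        p = parse_access_key(k)
        print(redacted(p), "master key:", master_key(p).hex())
```

Use `redacted()` when you have to refer to a server in writing; the raw key belongs only in the client.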

But connecting to the VPN server is as easy as installing an app and clicking on an invitation link. It’s a great experience for non-tech-savvy users.

Let’s talk about the client for a minute. The app that you use to connect to the VPN server is currently available on Windows, Android and Chrome OS. Jigsaw is working on macOS and iOS clients. It features a single screen that lets you connect and disconnect from a server — quite straightforward.

Outline isn’t a VPN

Under the hood, Outline relies on the Shadowsocks protocol. And if you’re familiar with VPN protocols, Shadowsocks is nothing like OpenVPN, IPSec or WireGuard. In fact, Shadowsocks isn’t a VPN protocol at all.

Shadowsocks is an open-source project to create an encrypted socks5 proxy to redirect internet traffic. This is a bit technical, but a VPN is like an encrypted tunnel between your device and a server. All your network traffic goes through this tunnel and the VPN server (not your phone or computer) is the device talking to the internet.

It’s great because you know for sure that your ISP and other users on your WiFi network can’t look at your traffic (except if there are DNS leaks). You can also pretend you’re in another country.

But it’s also awful because anybody who has access to your VPN server can see your internet traffic. That’s why you should never rely on a VPN company, even if they promise that they respect your privacy. They’ll analyze your browsing habits, sell them to advertisers, inject their own ads on non-secure pages or steal your identity. And you can’t know for sure if you can trust them.

Traditional VPN protocols can also be blocked because they use specific ports and they look like VPN traffic if authorities and ISPs use deep packet inspection. That’s why countries can block VPNs altogether.

And yet, a SOCKS5 proxy looks like normal internet traffic. Shadowsocks takes advantage of that, combining the low profile of a proxy with traffic encryption. It's supposed to work great in China for instance.

But you can’t guarantee that all internet traffic goes through a proxy server — it depends on each app. A proxy adds a level of granularity that can be convenient but also a security issue. For instance, the Outline client doesn’t redirect all your Windows traffic to the Outline server right now.

So Outline can be the perfect tool if you want to access censored websites with your web browser. But you won’t disappear from the network with an Outline connection.

Trusting Google

It’s hard to forget that Outline is a Jigsaw project. People working on this project are paid by Alphabet, Google’s parent company. In other words, it’s hard to trust a Google project when it comes to privacy.

But Jigsaw really wants you to trust them with this one. Outline is an open-source project. This way, experts can have a look at the code to see if there’s anything shady. The service has also been audited by a third-party security firm.

Jigsaw collects crash logs with non-identifiable data. They also collect all server IPs but can’t access those servers — I’m not sure why Jigsaw wants to see all IPs. You can also opt in to share more usage data.

Your Outline servers don’t keep any log of your internet traffic. So even if the NSA has a warrant to access an Outline server, it’ll only find out how much bandwidth each user has used with this server. But there’s no way to connect the dots and find out who’s behind this Outline server.

The biggest risk might be DigitalOcean. You have to enter your name, email and credit card to create a DigitalOcean account. Authorities could just ask DigitalOcean to find out who’s paying for your Outline server and get back to you.

Security vs. accessibility

Outline isn’t the most secure (sort of) VPN out there. It’s always better to build your own hardware server, connect it to the internet using a connection that you don’t pay for under your own name and install the VPN software yourself.

But nobody is going to do that.

Privacy is always a balance between security and accessibility. The most secure tools out there are also the most difficult tools to use.

Many projects are now trying to make security more accessible. And it’s a breath of fresh air. Algo VPN lets you build your own IPSec VPN server with just a few command lines. Streisand also lets you build a server with all sorts of protocols with little technical knowledge.

These are great projects and I would recommend looking at them if you want to build your own VPN. But Outline goes one step further. You don’t need to type a single command line to create a Shadowsocks server.

Jigsaw says it’s the perfect tool for news organizations. And it’s true that most journalists know how to install an app. It’s not as scary as adding a VPN certificate. I would say it’s a great way to access censored websites if you live in China or another country with restrictions, even if you’re not a journalist.

You have to evaluate your level of risk and choose the technical solution that is right for you. If you’re not doing anything illegal and you just want to access blocked websites, you can make some concessions.

And one thing is for sure: Outline is much better than any free or commercial VPN service out there.


via: techcrunch

Kaspersky Open Sources Internal Distributed YARA Scanner

Kaspersky Lab has released the source code of an internally-developed distributed YARA scanner as a way of giving back to the infosec community.

Originally developed by VirusTotal software engineer Victor Alvarez, YARA is a tool that allows researchers to analyze and detect malware by creating rules that describe threats based on textual or binary patterns.

Kaspersky Lab has developed its own version of the YARA tool. Named KLara, the Python-based application relies on a distributed architecture to allow researchers to quickly scan large collections of malware samples.

Looking for potential threats in the wild requires a significant amount of resources, which can be provided by cloud systems. Using a distributed architecture, KLara allows researchers to efficiently scan one or more YARA rules over large data collections – Kaspersky says it can scan 10Tb of files in roughly 30 minutes.

“The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms,” Kaspersky explained.

KLara provides a web-based interface where users can submit jobs, check their status, and view results. Results can also be sent to a specified email address.

The tool also provides an API that can be used to submit new jobs, get job results and details, and retrieve the matched MD5 hashes.
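To make the dispatcher/worker model and the "matched MD5 hashes" result described above concrete, here is an added illustration (not KLara's own code and not a real YARA engine): a dispatcher shards a constructed in-memory sample collection across worker threads, each worker applies a constructed rule set of textual and binary patterns in the spirit of YARA, and the dispatcher merges the MD5s of matching samples per rule. Rule names, patterns and sample contents are all made up for the example.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Constructed rule set in the spirit of YARA: each rule has a name and a list of
# textual or binary patterns; a rule matches when ALL of its patterns are present.
RULES = {
    "suspicious_downloader": [b"URLDownloadToFile", b"WinExec"],
    "pe_header_probe": [bytes.fromhex("4d5a"), b"This program cannot be run in DOS mode"],
}

# Constructed sample collection (name -> bytes); stands in for files on disk.
SAMPLES = {
    "a.bin": b"MZ\x90\x00This program cannot be run in DOS mode. URLDownloadToFile WinExec",
    "b.bin": b"hello world",
    "c.bin": b"URLDownloadToFile only",
    "d.bin": bytes.fromhex("4d5a") + b"This program cannot be run in DOS mode",
}


def scan_sample(name, data, rules):
    """Worker task: apply every rule to one sample; return (md5, [matched rule names])."""
    md5 = hashlib.md5(data).hexdigest()  # MD5 used as a sample identifier, as KLara reports it
    hits = [rule for rule, patterns in rules.items() if all(p in data for p in patterns)]
    return md5, hits


def dispatch(samples, rules, workers=2):
    """Dispatcher: hand each sample to a worker and merge matched MD5s per rule."""
    results = {rule: set() for rule in rules}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(scan_sample, n, d, rules) for n, d in samples.items()]
        for fut in futures:
            md5, hits = fut.result()
            for rule in hits:
                results[rule].add(md5)
    return results


if __name__ == "__main__":
    for rule, md5s in dispatch(SAMPLES, RULES).items():
        print(rule, sorted(md5s))
```

In a real deployment the workers would run on separate machines over a shared sample store; the thread pool here only stands in for that distribution.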

Kaspersky Lab has relied on YARA in many of its investigations, but one of the most notable cases involved the 2015 Hacking Team breach. The security firm wrote a YARA rule based on information from the leaked Hacking Team files, and several months later it led to the discovery of a Silverlight zero-day vulnerability.

The KLara source code is available on GitHub under a GNU General Public License v3.0. Kaspersky says it welcomes contributions to the project.

This is not the first time Kaspersky has made available the source code of one of its internal tools. Last year, it released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations.


via: securityweek