THE FULL STORY OF THE 2011 RSA HACK CAN FINALLY BE TOLD – Wired
May 18 2021
This isn't the first time we've heard of a SNAFU like this, where virtual wires got crossed inside a video surveillance company's own back end, causing customers not only to lose track of their own video cameras but also to gain access to someone else's.
In one case, three years ago, a user of a cloud video service offered by a UK company called Swann received a video notification that showed surveillance footage from the kitchen…
…just not the kitchen in the user's own house.
Amusingly, if that is the right word, the victim in this incident just happened to be a BBC staffer, relaxing at the weekend, who was gifted an ideal story to write up in the upcoming week.
In that incident, the camera vendor blamed human error, with two cameras accidentally set up with a 'unique identifier' that wasn't unique at all, leaving the system unable to decide which camera belonged to which account.
Although the vendor dismissed it as a 'one off', the BBC tracked down an even more amusing (though no less worrying) occurrence of the same problem in which a user received a surveillance video of a property that looked like a pub.
With a few days of search engine wrangling, that user managed to identify the pub online, only to find out that it was, by fluke, just 5 miles away.
So he went there and took a picture of himself in the beer garden, via the pub landlord's webcam, but using his own online account:
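The root cause above was a device identifier that was supposed to be unique but was not, so the back end could not tell two cameras apart. The following is an added example (not code from Swann or from the original post) of the two controls that prevent that class of mix-up: identifiers drawn from a CSPRNG, and a registry that fails closed when an identifier is already bound to a different account instead of silently overwriting the binding. The class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CameraRegistry:
    """Maps each camera identifier to the single account that owns it (hypothetical)."""
    owners: dict = field(default_factory=dict)

    @staticmethod
    def new_identifier() -> str:
        # 128 random bits from the OS CSPRNG: a collision is practically impossible,
        # unlike a short serial number or a label typed in by an installer.
        return secrets.token_hex(16)

    def register(self, camera_id: str, account: str) -> str:
        """Bind camera_id to account; refuse if it is already bound elsewhere.

        Overwriting (or keeping both bindings) is what lets footage reach the wrong
        household, so a duplicate identifier is treated as a hard error to investigate.
        """
        existing = self.owners.get(camera_id)
        if existing is not None and existing != account:
            raise ValueError(f"identifier {camera_id} is already bound to another account")
        self.owners[camera_id] = account
        return camera_id

    def notify(self, camera_id: str) -> str:
        """Return the one account that should receive notifications from camera_id."""
        return self.owners[camera_id]


if __name__ == "__main__":
    registry = CameraRegistry()
    cam = registry.register(CameraRegistry.new_identifier(), "alice")  # constructed data
    print("notify ->", registry.notify(cam))
    try:
        registry.register(cam, "bob")  # second account, same identifier: rejected
    except ValueError as exc:
        print("rejected:", exc)
```

Re-registering a camera under the same account is allowed (idempotent), which covers the legitimate case of a device being set up again by its owner.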
Dark World – A Guide to the Global Surveillance Industry
Mar 16 2021
AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service.
Cybercriminals have also made great strides in using AI and ML for fraud.
"Today, fraud can happen without stealing someone else's identity because fraudsters can create 'synthetic identities' with fake, personally identifiable information (PII)," explained Rick Song, co-founder and CEO of Persona, in an email interview. And fraudsters are leveraging new tricks, using the latest technologies, that allow them to slip past security systems and do things like open accounts where they rack up untraceable debt, steal Bitcoin holdings without detection, or simply redirect authentic purchases to a new address.
Some increasingly popular fraud tricks using AI and ML include:
"With this pace of evolution, companies are left at risk of holding the bag: they are not only losing money directly through things like loans and fees they can't recoup and any restitution to impacted customers, but they're also losing trust and credibility. Fraud costs the global economy over $5 trillion every year, but the reputational costs are hard to quantify," said Song.
Mar 05 2021
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.
Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.
Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.
Mitigations
Feb 18 2021
RIPE NCC announced that it had suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.
The RIPE NCC is a not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE community supporting the Internet through technical coordination.
It has over 20,000 members from over 75 countries who act as Local Internet Registries (LIRs) and assign blocks of IP addresses to other organizations in their own country.
The organization mitigated the attack, and its investigation confirmed that no SSO accounts have been compromised.
"Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate 'credential-stuffing' attack, which caused some downtime," reads a statement published by the organization.
"We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised."
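The ATT&CK detection guidance above (collect authentication logs for external remote services and look for unusual access windows) and the RIPE NCC credential-stuffing incident both come down to the same analysis of gateway authentication logs. The script below is an added example, not RIPE NCC's or MITRE's code: it parses a constructed, made-up log format, flags successful logins outside business hours, flags source addresses that fail against many distinct accounts inside a short window (the credential-stuffing signature), and lists the accounts that then succeeded from a flagged source, which are the ones to triage first. Field names, thresholds and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a made-up gateway format (not real RIPE NCC or VPN logs).
SAMPLE_LOG = """\
2021-02-13T09:15:02Z src=198.51.100.7 user=alice svc=vpn result=success
2021-02-13T22:41:10Z src=198.51.100.7 user=alice svc=vpn result=success
2021-02-14T02:03:11Z src=203.0.113.9 user=alice svc=sso result=failure
2021-02-14T02:03:12Z src=203.0.113.9 user=bob svc=sso result=failure
2021-02-14T02:03:12Z src=203.0.113.9 user=carol svc=sso result=failure
2021-02-14T02:03:13Z src=203.0.113.9 user=dave svc=sso result=failure
2021-02-14T02:03:14Z src=203.0.113.9 user=erin svc=sso result=failure
2021-02-14T02:03:15Z src=203.0.113.9 user=frank svc=sso result=success
2021-02-14T10:30:00Z src=192.0.2.44 user=bob svc=winrm result=failure
2021-02-14T10:30:30Z src=192.0.2.44 user=bob svc=winrm result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) svc=(?P<svc>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def off_hours_successes(events, start_hour=8, end_hour=18):
    """Successful remote-service logins outside the business window (UTC, assumed)."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events
            if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)]


def stuffing_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Sources whose failures span >= min_users distinct accounts within `window`.

    Many usernames from one source in a short time is the credential-stuffing
    pattern; one username failing repeatedly is ordinary brute force or a typo.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            per_src[e["src"]].append(e)
    flagged = {}
    for src, fails in per_src.items():
        fails.sort(key=lambda e: e["ts"])
        seen = Counter()          # distinct users inside the sliding window
        lo = 0
        for e in fails:
            seen[e["user"]] += 1
            while e["ts"] - fails[lo]["ts"] > window:   # drop events that aged out
                old = fails[lo]["user"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


def successes_after_stuffing(events, flagged):
    """Accounts that logged in successfully from a flagged source: triage these first."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["src"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("off-hours:", off_hours_successes(evs))
    flagged = stuffing_sources(evs)
    print("stuffing sources:", flagged)
    print("possibly compromised:", successes_after_stuffing(evs, flagged))
```

Real gateways log in their own formats and time zones, so `LINE_RE`, the business window and the thresholds are the parts to adapt; the sliding-window logic is independent of the format.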
Aug 28 2020
A former Cisco employee pleaded guilty to accessing the company's cloud infrastructure in 2018, five months after resigning, to deploy code that led to the shutdown of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines.
According to a plea agreement filed on July 30, 2020, 30-year-old Sudhish Kasaba Ramesh accessed Cisco's cloud infrastructure hosted on Amazon Web Services without permission on September 24, 2018; he had resigned from the company in April 2018.
Source: Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs
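The control that fails in an incident like this is offboarding: credentials that should have been revoked on the last working day remain usable months later. As an added example (not Cisco's code, and not real account data), the script below reconciles a constructed HR termination list against a constructed CSV in the style of an IAM credential report and reports any departed user whose console password or access keys are still enabled, or which were used after the departure date. The column subset and the `TERMINATED` feed are assumptions; a real report has more columns and may use other placeholder values.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential-report style CSV (subset of columns); not real Cisco or AWS data.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,N/A,true,2018-09-20T11:00:00+00:00,false,N/A
jdoe,arn:aws:iam::123456789012:user/jdoe,true,2018-09-24T05:12:00+00:00,true,2018-09-24T05:20:00+00:00,false,N/A
asmith,arn:aws:iam::123456789012:user/asmith,true,2018-09-23T16:00:00+00:00,false,N/A,false,N/A
"""

# Constructed HR feed: user name -> last working day (ISO date).
TERMINATED = {"jdoe": "2018-04-30"}


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    """Credential reports use placeholders for 'never'; treat them as None."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def orphaned_credentials(report, terminated):
    """Findings (user, issue) for terminated users with live or post-departure credentials."""
    findings = []
    for row in report:
        user = row["user"]
        if user not in terminated:
            continue
        left = datetime.fromisoformat(terminated[user]).replace(tzinfo=timezone.utc)
        if row["password_enabled"] == "true":
            findings.append((user, "console password still enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                findings.append((user, f"access key {n} still active"))
            used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if used and used > left:
                findings.append((user, f"access key {n} used after departure on {used.date()}"))
        used = _parse_ts(row["password_last_used"])
        if used and used > left:
            findings.append((user, f"console login after departure on {used.date()}"))
    return findings


if __name__ == "__main__":
    for user, issue in orphaned_credentials(parse_report(CREDENTIAL_REPORT), TERMINATED):
        print(f"{user}: {issue}")
```

Run this on a schedule against the HR feed, not only at termination time: the "used after departure" findings are the ones that turn an access-hygiene gap into an incident to investigate.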
Jun 14 2020
Amazon, IBM and now Microsoft have banned the sale of facial recognition technology to police departments and are calling for federal laws to regulate its use.
Source: Tech firms suspend use of ‘biased’ facial recognition technology
Why Cities Are Banning Facial Recognition Technology | WIRED
httpv://www.youtube.com/watch?v=sYftT5YgwVI
Facial-recognition technology: safe or scary?
httpv://www.youtube.com/watch?v=-yvxbi5GMnA
ARTIFICIAL INTELLIGENCE Dangers to Humanity: AI, U.S., China, Big Tech, Facial Recognition, Drones, Smart Phones, IoT, 5G, Robotics, Cybernetics, & Bio-Digital Social Programming
Sep 26 2019
User vs Security
The average person's take on security controls: they have real jobs to do, and security isn't one of them. So keep 'usability vs bypassing the security control' in mind when designing a new control. Please feel free to share your opinion on this.
Funny business meeting illustrating how hard it is for an (infosec) engineer to fit into the corporate world!
httpv://www.youtube.com/watch?v=BKorP55Aqvg
parkour vs security chase
httpv://www.youtube.com/watch?v=Hnv5OOpr4ug
Aug 23 2018
Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone, even if they're outside your company firewall, with a simple link via email or straight from Box.
Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit files while always having the latest file version on hand.
Preview Files Without Download. With Box, you can view 120+ types of files, including Word, Excel, PDF, AI, EPS, PSD, photos and more, without downloading a single file.
Easily Share Your Workspace. Right click any folder to share instantly or open on box.com and invite your team to view, edit and upload files, turning folders into collaborative workspaces.
Never Lose Files. A stolen laptop or hard drive crash doesn't mean you lose your files. Safely store all of your work documents and projects in Box Drive.
Discover how Box can solve simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention.
Jul 27 2017
Password managers such as LastPass offer a simple service: they will store all your annoying passwords (and help you generate new ones if needed) and then give them out to whatever service you're logging into through the use of browser add-ons and apps. They're much like the password tools already built into your browser itself: the ones that ask you if you want to save your password for this site so you don't have to enter it again. Password managers, however, were built for this specific purpose and include a suite of tools that let you access the same library of passwords across your devices. This cache of passwords is, of course, protected by a super-password of its own, which you obviously need to choose carefully.
With a password manager, on the other hand, it's trivial to make all your passwords unique. You don't need to memorize passwords, so each one can be an impossible-to-memorize, 30-character mix of letters, digits and symbols that would be hard to type by hand. When you have to change them, no problem. LastPass even has a feature that will auto-change your passwords for supported sites. In the worst case, if passwords are somehow exposed, your most crucial accounts should be protected by two-factor authentication.
While the risks of password managers are outweighed by the ease with which LastPass lets you make your passwords strong and unique, they do have their downsides. The LastPass app is available on virtually every device, but you will have to install it on new gadgets before logging in to other things. This also makes logging into your accounts on someone else's device a strange and potentially risky proposition.
Inevitably, you'll stumble across a device that isn't supported, and then you're spending five minutes typing your incomprehensible Amazon password into a Kindle manually while looking back at your phone for reference all the while. (It pays to keep a handful of the crucial passwords strong, but still something you can memorize.) And for the full suite of features any password manager offers, you're going to have to shell out a little bit of cash. It's worth it for the convenience and peace of mind.
Everybody should install and use a password manager. Without one, you'll find yourself using simple-minded passwords, or memorizing one strong password and using it over and over. Password manager prices range from nothing at all to $40 or more. At $12 per year, LastPass 4.0 Premium is on the low side for a commercial password manager price-wise, but on the high side feature-wise. The current version's online console has gotten a welcome face-lift, along with a number of useful new features.
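Two of the claims above are worth seeing in code: that a manager can hand every site a unique, random 30-character password, and that the whole cache then hangs on one master password that must be chosen carefully. The block below is an added example and not LastPass's code or design. It generates per-site passwords from the OS CSPRNG, computes their guessing entropy, and derives a vault key from a master password with PBKDF2-HMAC-SHA256, storing only a salt and an HMAC verifier. Python's standard library has no AES, so the example stops at key derivation and unlock verification and does not encrypt stored entries; the iteration count and the `b"vault-unlock"` label are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation): the kind of alphabet a
# manager-generated password draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=30, alphabet=ALPHABET):
    """One uniformly random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords_for(sites, length=30):
    """A distinct random password per site, so one breach cannot be replayed elsewhere."""
    return {site: generate_password(length) for site in sites}


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def new_vault(master_password, iterations=600_000):
    """Derive the vault key from the master password; keep only the salt and a verifier.

    The slow KDF is what makes offline guessing against a stolen vault expensive,
    which is exactly why the master password itself has to be strong.
    """
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    verifier = hmac.new(key, b"vault-unlock", "sha256").digest()   # label is an assumption
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault, master_password):
    """True only if master_password re-derives the stored verifier (constant-time compare)."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), vault["salt"],
                              vault["iterations"], dklen=32)
    candidate = hmac.new(key, b"vault-unlock", "sha256").digest()
    return hmac.compare_digest(candidate, vault["verifier"])


if __name__ == "__main__":
    vault = new_vault("correct horse battery staple")          # constructed master password
    print("unlock with right master:", unlock(vault, "correct horse battery staple"))
    print("unlock with wrong master:", unlock(vault, "password123"))
    for site, pw in unique_passwords_for(["amazon", "bank", "email"]).items():
        print(f"{site}: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

A 30-character password over this alphabet carries roughly 197 bits of entropy, far beyond what any online or offline guessing can reach; the weak point is therefore the master password and the device the vault is unlocked on, which is the trade-off the paragraphs above describe.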
“LastPass also supports a range of multi-factor authentication options for protecting your vault, including app-based authenticators like Symantec VIP and Google Authenticator, hardware tokens like YubiKey, and fingerprint readers. And its $12-a-year subscription is a steal when other password manager services charge as much as $35 for a single user.”
Jan 14 2014
Authentication and access control play a critical role in web application security. All authentication and access control events should be logged, including but not limited to successes and failures. If only successful events are logged, someone may brute-force passwords without being detected or noticed. Conversely, if only failures are logged, a legitimate or valid user may misuse, corrupt, harm or simply abuse the system without any detection. All other authentication and access control related events (such as account lockout) are also important and must be logged.
Logs should include the resources involved in the web application (IP address, URL, user name, HTTP method, protocol version, etc.) and document the reason why access was denied for a failed event. Some applications provide much better logs than others. Generally, log entries should contain the user ID, timestamp, source IP, a description of the event, the error code and the priority.
All error conditions should be logged, including simple things such as SQL query errors, which can help to detect SQL injection attacks. Some errors related to the availability of the application are important as an early sign to trigger the BCP. Availability is one of the main pillars of information security, so it should be logged and monitored. Logged error conditions should include, but not be limited to, failed queries, file-not-found and cannot-open errors, unexpected state, connection failures and timeouts.
Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations' needs for log management: ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.
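As an added example (not code from the original post), here is a small structured logger that applies the guidance above: successes, failures and lockouts all go to one stream, each record carries the user ID, timestamp, source IP, description, error code and priority named in the text plus the resource involved, and application error conditions such as a failed SQL query are written alongside them. A checker confirms no required field is missing. The logger name, field names and the constructed sample events are assumptions.

```python
import io
import json
import logging
from datetime import datetime, timezone

# Fields every authentication / access-control record must carry (from the guidance above).
REQUIRED = ("user_id", "timestamp", "source_ip", "description", "error_code", "priority")


class JsonFormatter(logging.Formatter):
    """One JSON object per line, so a SIEM can read fields without regexes."""

    def format(self, record):
        payload = {
            "timestamp": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "priority": record.levelname,
            "description": record.getMessage(),
        }
        payload.update(getattr(record, "fields", {}))
        return json.dumps(payload, sort_keys=True)


def build_logger(stream, name="webapp.security"):
    logger = logging.getLogger(name)
    logger.handlers.clear()          # idempotent for repeated calls in one process
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def log_auth_event(logger, *, user_id, source_ip, url, method, outcome, reason="", error_code=0):
    """Log successes AND failures (and lockouts), with the resource and the denial reason."""
    level = logging.INFO if outcome == "success" else logging.WARNING
    fields = {"user_id": user_id, "source_ip": source_ip, "url": url,
              "http_method": method, "outcome": outcome, "reason": reason,
              "error_code": error_code}
    logger.log(level, f"authentication {outcome}", extra={"fields": fields})


def log_error_condition(logger, *, user_id, source_ip, kind, detail, error_code):
    """Application error conditions (failed query, timeout, ...) go to the same stream."""
    fields = {"user_id": user_id, "source_ip": source_ip, "kind": kind,
              "detail": detail, "error_code": error_code}
    logger.log(logging.ERROR, f"error condition: {kind}", extra={"fields": fields})


def missing_required_fields(json_line):
    """Names from REQUIRED absent from a record; an empty list means the record is complete."""
    record = json.loads(json_line)
    return [name for name in REQUIRED if name not in record]


def load_records(lines):
    return [json.loads(line) for line in lines]


def demo():
    """Constructed events (not real traffic); returns the emitted JSON lines."""
    buf = io.StringIO()
    logger = build_logger(buf)
    log_auth_event(logger, user_id="alice", source_ip="203.0.113.5", url="/login",
                   method="POST", outcome="success")
    log_auth_event(logger, user_id="alice", source_ip="198.51.100.9", url="/login",
                   method="POST", outcome="failure", reason="bad password", error_code=401)
    log_auth_event(logger, user_id="alice", source_ip="198.51.100.9", url="/login",
                   method="POST", outcome="lockout", reason="5 failures in 2 minutes",
                   error_code=423)
    log_error_condition(logger, user_id="alice", source_ip="198.51.100.9", kind="failed query",
                        detail="unterminated quoted string at or near \"'\"", error_code=500)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because every record has the same shape, the brute-force case from the text (many failures, then a lockout, from one source) becomes a simple count over `outcome` and `source_ip` rather than a parsing exercise.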
Mar 28 2013
By Liberman Software @ Identity Week
If you're a fan of old war movies, and especially if you're a child of the Cold War, then you no doubt recall watching scenes where, prior to launching a nuclear missile, two operators turn their launch keys simultaneously in order to initiate the launch. The military refers to this security process as "The Two Person Concept" or "The Two Man Rule". Sometimes the phrase "Double Safekeeping" is used.
The concept is that double safekeeping is an effective control mechanism for ensuring the highest levels of security during critical operations. That's because the process requires two or more authorized personnel to be involved before sensitive resources or information can be accessed.
So it's only logical to assume that if double safekeeping can prevent something as crucial as the accidental or malicious launch of nuclear weapons by a single person, then the practice can be extended into other realms of security.
And that's exactly what my company did recently within the field of privileged account management. Our flagship privileged identity management product, Enterprise Random Password Manager™ (ERPM), now includes a version of double safekeeping that controls privileged passwords.
ERPM is a security product that automatically discovers, secures, tracks and audits privileged accounts across multiple operating systems. It continuously changes privileged passwords, and helps prevent unauthorized users and programs from being able to access an organization's most sensitive data.
Now, with its new double safekeeping feature, ERPM can release different password segments to different authorized IT personnel. It breaks up privileged account passwords into different parts, and each part is assigned to an authorized user, in a fully audited manner.
For example, an IT manager may have one segment of the password, and a systems administrator may have the other segment. Together both people have the entire password, and the ability to access the corresponding privileged account. Separately, neither one can use the powerful account to anonymously change configuration settings, extract confidential data or install programs on their own.
And while this may be the first time you're hearing about such a capability, I'm betting it won't be the last. Some regulatory compliance mandates, like BASEL II, are now requiring organizations to store sensitive information, including passwords, in multiple parts so that one person can't maintain key secrets individually.
This whole thing reminds me of an old saying that goes something like: "If one man can single-handedly save the ship, then it stands to reason that the same man can also single-handedly sink the ship." Take precautions.
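How a password is "broken up into parts" decides whether the two-person control actually holds. The block below is an added example, not Lieberman Software's ERPM implementation (the post does not say how ERPM splits passwords): it contrasts a naive substring split, where each holder already knows half the characters, with a 2-of-2 XOR split, where each share alone is uniformly random and reveals nothing, and wraps the shares in a small object that releases each share to exactly one named holder while keeping an audit trail. Holder names and the sample password are constructed.

```python
import secrets
from datetime import datetime, timezone


def split_secret(secret: bytes):
    """2-of-2 XOR split: share_a is random, share_b = secret XOR share_a.

    Each share on its own is uniformly random, so a single holder learns
    nothing about the password; both shares are needed to reconstruct it.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def naive_split(password: str):
    """Cutting the string in half: what 'splitting a password' must NOT mean.

    Each holder then knows half the characters outright and only has to guess
    the rest, so the control is far weaker than it looks.
    """
    half = len(password) // 2
    return password[:half], password[half:]


class SplitPassword:
    """Holds two shares, releases each to exactly one named holder, and audits every release."""

    def __init__(self, password: str, holders):
        if len(holders) != 2:
            raise ValueError("exactly two holders are required")
        self.shares = dict(zip(holders, split_secret(password.encode())))
        self.audit = []

    def release(self, holder: str) -> bytes:
        if holder not in self.shares:
            raise PermissionError(f"{holder} is not an authorized share holder")
        self.audit.append((datetime.now(timezone.utc).isoformat(), holder, "share released"))
        return self.shares[holder]

    @staticmethod
    def reconstruct(share_a: bytes, share_b: bytes) -> str:
        return combine(share_a, share_b).decode()


if __name__ == "__main__":
    sp = SplitPassword("Tr0ub4dor&3-long-example", ["it_manager", "sysadmin"])  # constructed
    a = sp.release("it_manager")
    b = sp.release("sysadmin")
    print("reconstructed:", SplitPassword.reconstruct(a, b))
    print("audit trail:", sp.audit)
    print("naive halves leak:", naive_split("Tr0ub4dor&3-long-example"))
```

The XOR scheme generalises to any number of holders who must all be present (k-of-k); a quorum where only some of the holders are needed (k-of-n) requires Shamir secret sharing, which is longer than fits here.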
Nov 08 2011
CESG Approved USB Stick
CESG is the UK Government’s National Technical Authority for Information Assurance
Over 1 million SafeSticks are now in use in the NHS helping to keep patient data and other confidential data secure! Buy your SafeStick today!
SafeStick is a secure USB stick with AES 256 bit hardware encryption and is FIPS 197 certified.
SafeStick includes brute force attack lockdown protection. This means that should the password to your SafeStick be entered incorrectly a number of times, the SafeStick is disabled or the data on it wiped.
The antivirus and anti-malware software available for SafeStick (at an extra cost) prevents any nefarious software from spreading on your SafeStick. With one in four virus or malware attacks now spread by USB sticks, this is an essential control to have in place.
Key Features and Benefits:
SafeStick is a fully manageable enterprise solution when used in partnership with SafeConsole (available at an extra cost). SafeConsole allows you to kill a stick if it has gone missing. It also enables you to enforce group policies, allowing you to enforce such policies as allowing certain file types to be put on the drive whilst denying others. You can also reset passwords using SafeConsole.
SafeStick is tough, durable, waterproof, heat resistant, crush proof. It can take anything you can throw at it.
SafeStick is compatible with Windows 7, Vista, XP, 2000, 2003, 2008, Mac OS X, Linux and Citrix in an ultra small form factor and can be used as either a standalone or an enterprise solution.
Simply plug in a SafeStick and within minutes you can be up and running. All you need do is set a password and any data placed on the SafeStick is encrypted.
Jun 29 2011
“Security measures that just force the bad guys to change tactics and targets are a waste of money,” said Bruce Schneier, “It would be better to put that money into investigations and intelligence.”
The security boss of Amsterdam’s Schiphol Airport is calling for an end to endless investment in new technology to improve airline security.
Marijn Ornstein said: “If you look at all the recent terrorist incidents, the bombs were detected because of human intelligence not because of screening … If even a fraction of what is spent on screening was invested in the intelligence services we would take a real step toward making air travel safer and more pleasant.”
"TSA Is NOT Security, It's A JOKE!" Isaac Yeffet
http://www.youtube.com/watch?v=s7pICJ0i6Jc
Dec 29 2008
The purpose of network access control is to protect and safeguard assets attached to the network from the threat of unauthorized users gaining access to the organization's assets.
Network Access Control (NAC) authenticates users to make sure they are authorized to log in and are following the policies and procedures for login before being authorized to use organization assets. Some of the threats to assets are insider fraud, identity theft and botnet infestation, where a botnet can be utilized as a launching pad for attacks on other organizations.
Various laws and regulations have been introduced across industries to protect organizational data. An organization can be held liable if it does not practice due diligence or provide adequate protection for its assets. Before putting a policy in place to protect these assets, it helps to know the specific threats to your environment. Today's threats come from well-organized criminals who take advantage of unprotected assets, and most cyber crimes are now international crimes.
Even though most countries have cyber crime laws today, the legal system varies from country to country, which slows cooperation between them. Technology is changing fast, but the legal system is not changing fast enough to tackle new cyber crimes. We do not yet have comprehensive international laws covering cyber crime under which these criminals could be prosecuted; most cyber crimes are conducted from a country whose law enforcement agencies either do not have the time and training to pursue these crimes vigorously or do not have jurisdiction in the country where the crime is committed. Sometimes law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time agencies in various countries are helpless because the criminals are outside their jurisdiction. In some cases these criminals use state-of-the-art tools to cover their tracks.
Some considerations for tackling NAC: adapt the ISO 27002 domain 11, sub-category 11.4 (Network Access Control) controls into a policy suitable for your organization.
1. Create a network access control policy: policy on use of network services
2. User authentication for internal and external connections
3. Enforce access control policy
3a. Up-to-date signature file (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to date patches
3c. Equipment identification in network
3d. Backup access control logs remotely and review regularly
3e. Multihomed firewall installed which segregates networks
3f. Harden system configuration
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly to redefine policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008
"In Forrester's 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft's NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base."
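The numbered considerations above (authenticate the user, identify the equipment, check signatures and patches, enforce the policy, log the decision) are what a NAC enforcement point evaluates for each endpoint. The block below is an added example and not any vendor's NAC product: a posture record, a policy with thresholds, an evaluator that returns allow, quarantine (remediation network) or deny with the reasons, and a one-line access-control log record for the remote backup the list calls for. The field names, thresholds and the constructed endpoints are assumptions; real agents report far more attributes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    """What the NAC agent or gateway learned about an endpoint before admission (assumed fields)."""
    mac: str
    user: str
    authenticated: bool            # 2.  user authentication succeeded
    known_device: bool             # 3c. equipment identified (e.g. inventory match)
    av_signature_date: date        # 3a. signature freshness
    missing_critical_patches: int  # 3b. patch state
    firewall_enabled: bool         # 3f. one hardening check of many


@dataclass
class NacPolicy:
    max_signature_age_days: int = 3
    max_missing_patches: int = 0
    require_known_device: bool = True


def evaluate(p: Posture, policy: NacPolicy, today: date):
    """Return (decision, reasons): 'allow', 'quarantine' (remediation VLAN) or 'deny'."""
    if not p.authenticated:
        return "deny", ["user not authenticated"]
    if policy.require_known_device and not p.known_device:
        return "deny", [f"unknown device {p.mac}"]
    reasons = []
    age = (today - p.av_signature_date).days
    if age > policy.max_signature_age_days:
        reasons.append(f"AV signatures {age} days old")
    if p.missing_critical_patches > policy.max_missing_patches:
        reasons.append(f"{p.missing_critical_patches} critical patches missing")
    if not p.firewall_enabled:
        reasons.append("host firewall disabled")
    # Posture failures get a remediation network, not the production network.
    return ("allow", []) if not reasons else ("quarantine", reasons)


def access_log_line(p: Posture, decision: str, reasons, today: date) -> str:
    """Record for the remotely backed-up, regularly reviewed access-control log (3d)."""
    return (f"{today.isoformat()} mac={p.mac} user={p.user} decision={decision} "
            f"reasons={';'.join(reasons) or '-'}")


def sample_decisions(today=date(2008, 12, 29), policy=NacPolicy()):
    """Constructed endpoints (not real inventory); returns {user: (decision, reasons)}."""
    endpoints = [
        Posture("00:11:22:33:44:55", "alice", True, True, date(2008, 12, 28), 0, True),
        Posture("00:11:22:33:44:56", "bob", True, True, date(2008, 12, 1), 2, True),
        Posture("de:ad:be:ef:00:01", "carol", True, False, date(2008, 12, 29), 0, True),
        Posture("00:11:22:33:44:57", "dave", False, True, date(2008, 12, 29), 0, False),
    ]
    return {p.user: evaluate(p, policy, today) for p in endpoints}


if __name__ == "__main__":
    today = date(2008, 12, 29)
    for user, (decision, reasons) in sample_decisions(today).items():
        print(user, decision, reasons)
```

Keeping the policy in a separate `NacPolicy` object is what makes step 4 (reassess posture and redefine policies) a configuration change rather than a code change.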
Nortel Secure Network Access and Microsoft NAP integration
httpv://www.youtube.com/watch?v=rqu88yx4FGc