Listen to the latest updates, developments, and insights into the world of cybersecurity. Learn how to protect yourself against the ever-evolving threat of cybercrime from leading talk radio shows and premium podcasts.
Remote work devices are being used to watch porn by over 51% of employees
"Microsoft yesterday offered more details on how the Solorigate threat actors worked and why their infiltration of their targets was as quietly effective as it proved to be. It had, for example, been unclear how the handover from the Sunburst DLL backdoor to the Cobalt Strike loader was accomplished, and Microsoft details how the threat actor obscured that handover as they accomplished it. Redmond's assessment of the Solorigate crew is that they are, quote, "skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," unquote: accomplished in operational security and adept at minimizing their footprint. In looking at the Solorigate operation, Microsoft identified six techniques the Solorigate operators used to escape detection. They're worth reviewing.

First, they took care to avoid putting up the same indicators for each compromised host. Every Cobalt Strike DLL implant was designed to be unique to each affected machine. Among the tells the threat actors scrupulously avoided reusing were folder name, file name, export function names, C2 domain and IP, HTTP requests, timestamp, file metadata, configuration, and child process launched. They also varied such non-executable items as WMI persistence filter name, WMI filter query, passwords used for 7-Zip archives, and names of output log files. That took a lot of effort, and a whole lot more effort than the typical threat group finds it worth expending.

Second, the Solorigate actors took care to camouflage themselves to blend into targets' environments. The tools and binaries they used were named and put in folders that appeared to belong on the affected machine; they mimicked existing legitimate files and programs that they found in the victim's environment.

Third, before they ran their hands-on-keyboard activity, which would raise the risk of detection, the threat actors disabled event logging using auditpol. They re-enabled logging once they were finished. Similarly, they installed special firewall rules before they ran unavoidably noisy network reconnaissance. The rules were designed to minimize outgoing packets for certain protocols. Once the reconnaissance was complete, they systematically removed those firewall rules.

It's also noteworthy, Microsoft says, that the Solorigate operators executed lateral movement only after careful preparation. They began by enumerating any remote processes and services running on target hosts, and they moved laterally across the network only after they disabled security services that might detect them.

Finally, Microsoft believes they timestomped various artifacts, altered their timestamps, that is, and also used professional wiping procedures and tools with a view to complicating the defenders' problem of finding and eliminating the DLL implants from the affected systems. So whoever they were, and the smart money is still on Russian intelligence services, the Solorigate threat actors showed rare patience, sophistication, and attention to detail, far beyond what organized crime normally attempts.

SecurityWeek describes research by The Media Trust into a cross-platform malvertising campaign, LuckyBoy, that's afflicting users of iOS, Android, and Xbox systems. It checks for blockers, test environments, and debuggers before it runs. Once it does execute, LuckyBoy uses a tracking pixel to redirect victims to malicious sites like phishing pages or bogus software updates. The campaign, which surfaced last week, appears to be in its early testing phases. It's another instance of malware using relatively complicated means of hiding itself. It's not as complex as what the Solorigate operators used, but even criminals try to stay undetected.

Proofpoint has found a business email compromise campaign that uses Google Forms to bypass keyword-based email content filters. The researchers see the campaign as a hybrid, combining social engineering with exploitation of the scale and legitimacy of Google services. The messages themselves are relatively primitive, with the poor idiomatic control so often found in criminal communications, but Proofpoint suspects they'll find takers. Note that the researchers think the BEC effort represents an email reconnaissance campaign to enable target selection for undetermined follow-on threat activity.

The increase in remote work during the pandemic has of course greatly increased most organizations' attack surface. Yes, yes, we know, this is old news, but bear with us, or rather bear with Wandera, whose 2021 Cloud Security Report has some interesting findings on the extent to which the criminal underworld has embraced the opportunities remote work affords. Your remote work, not theirs. Oh, and remote workers could behave better too. Wandera says that accessing what they primly call inappropriate content, and we leave it as an exercise for the listener what counts as inappropriate content, has at least doubled since the onset of the pandemic. Did you know that websites in the adult, gambling, extreme, and illegal content categories are more likely to leak data than nice sites? Well, they are, you know. Avoid the near occasion of compromise.
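The auditpol and firewall-rule bracketing described in the Solorigate segment above shows up in endpoint telemetry as matched pairs of commands on the same host: a disable followed by an enable, an add rule followed by a delete rule, with the noisy work in between. The Python below is an added example, not code from Microsoft, the podcast, or any vendor. It runs that pairing logic over a handful of constructed process-creation events (hostnames, timestamps and command lines are made up for the example) and assumes the events come from an EDR- or Sysmon-style process-creation feed, which `auditpol /set` does not silence, rather than from the native Windows audit log that it turns off.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, ISO-8601 timestamp, command line).
# Made up for this example; not real telemetry from any incident.
SAMPLE_EVENTS = [
    ("WS01", "2021-01-20T09:58:10", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("WS01", "2021-01-20T10:00:00", 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'),
    ("WS01", "2021-01-20T10:00:15", 'netsh advfirewall firewall add rule name="UpdateSvc" dir=out action=block protocol=udp remoteport=137'),
    ("WS01", "2021-01-20T10:01:02", "nltest.exe /dclist:corp"),
    ("WS01", "2021-01-20T10:01:40", "net.exe view /domain"),
    ("WS01", "2021-01-20T10:05:30", 'netsh advfirewall firewall delete rule name="UpdateSvc"'),
    ("WS01", "2021-01-20T10:06:00", 'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'),
    ("WS02", "2021-01-20T11:00:00", "auditpol.exe /get /category:*"),  # read-only query, benign
    ("WS02", "2021-01-20T11:30:00", 'netsh advfirewall firewall add rule name="Backup" dir=in action=allow protocol=tcp localport=10000'),
]

# Command-line signatures. Order matters: a command gets the label of the first match.
PATTERNS = {
    "auditpol_disable": re.compile(r"\bauditpol(?:\.exe)?\b.*\s/set\b.*:disable\b", re.I),
    "auditpol_enable":  re.compile(r"\bauditpol(?:\.exe)?\b.*\s/set\b.*:enable\b", re.I),
    "fw_add":    re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b", re.I),
    "fw_delete": re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+delete\s+rule\b", re.I),
}
RULE_NAME = re.compile(r'\bname="?([^"\s]+)"?', re.I)


def classify(cmdline):
    """Return the signature label for a command line, or None if nothing matched."""
    for label, pattern in PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None


def detect(events, max_gap=timedelta(hours=2)):
    """Pair up disable/enable and add/delete commands per host.

    Returns a dict with three lists:
      logging_gaps      - auditpol disabled then re-enabled within max_gap, with every
                          command the host ran in between (the hands-on-keyboard window)
      firewall_brackets - a firewall rule added and later deleted by the same name
      dangling          - a disable or add with no matching enable or delete
    """
    by_host = defaultdict(list)
    for host, ts, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), cmd))

    findings = {"logging_gaps": [], "firewall_brackets": [], "dangling": []}
    for host, evs in by_host.items():
        evs.sort()
        open_audit = None   # (time, index) of the last unmatched auditpol disable
        open_rules = {}     # rule name -> (time, index) of an unmatched add
        for idx, (t, cmd) in enumerate(evs):
            label = classify(cmd)
            if label == "auditpol_disable":
                open_audit = (t, idx)
            elif label == "auditpol_enable" and open_audit is not None:
                t0, i0 = open_audit
                if t - t0 <= max_gap:
                    findings["logging_gaps"].append({
                        "host": host, "start": t0, "end": t,
                        "commands_while_unlogged": [c for _, c in evs[i0 + 1:idx]],
                    })
                open_audit = None
            elif label in ("fw_add", "fw_delete"):
                m = RULE_NAME.search(cmd)
                if not m:
                    continue
                name = m.group(1)
                if label == "fw_add":
                    open_rules[name] = (t, idx)
                elif name in open_rules:
                    t0, _ = open_rules.pop(name)
                    findings["firewall_brackets"].append(
                        {"host": host, "rule": name, "start": t0, "end": t})
        if open_audit is not None:
            findings["dangling"].append(
                {"host": host, "type": "auditpol_disabled_not_reenabled", "time": open_audit[0]})
        for name, (t0, _) in open_rules.items():
            findings["dangling"].append(
                {"host": host, "type": "firewall_rule_left_in_place", "rule": name, "time": t0})
    return findings


if __name__ == "__main__":
    for kind, items in detect(SAMPLE_EVENTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data WS01 yields one logging gap containing the four commands run while auditing was off (the firewall add, the two reconnaissance commands, and the firewall delete) and one bracketed firewall rule; WS02 only shows a rule that was added and never removed, which is worth a look on its own. Pairing by host and by rule name is what separates this from a plain "auditpol was run" alert, which fires on every administrator who tunes audit policy.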
CrowdStrike Co-Founder Dmitri Alperovitch Discusses the SolarWinds Hack
"Dmitri, why don't we just jump right into it. We would love your kind of analysis of what has happened. There's been a lot of controversy. There seems to be consensus that the hack is the work of the Russians, a country that, at least, you're quite familiar with in terms of its tactics relative to this. Maybe just sort of set the lay of the land, if you would.

Yeah, absolutely. So I think it's important to understand that while this is a grave situation, and certainly will likely be highly detrimental to our national security in the short and medium term, this is not an act of war. This is not a digital Pearl Harbor, as some politicians have been talking about this in the last few weeks. The important thing to understand is that, from what it looks like right now, and we have new information on what this operation has been, at least over the last year, this is traditional espionage. The targets have primarily been government agencies, with some technology companies wrapped into it, but primarily focused on theft of secrets that are, as you can imagine, of high priority to Russian intelligence, if it proves to be them, as is most likely the case right now. So this was an audacious operation, incredibly well executed, very, very patient, but at the end of the day the goal was theft of data, not destruction. The goal was not the leaking of that information publicly. There's a small chance we may still see that, and then we'd have to reevaluate our assessment. But for now, at least, it looks like exactly the sort of thing that the US government, the US intelligence community, would be proud to have executed against our own adversaries. Now, from a supply chain perspective, we do now understand that we have a major threat vector that most organizations have not been focused on, which is their IT providers, like SolarWinds, like resellers that sell their Microsoft cloud offerings, which can be compromised without really having any way to control for that risk, at least on the front end of the intrusion cycle.

Are you at this point confident that it is indeed the Russians?

So the interesting thing about this particular intrusion is that the private sector really does not have attribution here, unlike virtually every other operation we have seen over the last ten years, where many in the private sector, including my former company CrowdStrike, were very good at attributing attacks, many of them very quickly. This one, because the tradecraft was so new and unique, never before seen, there's really nothing to tie back to any previous operations we have seen to really give us a good understanding of who the adversary may be. So all the attribution so far has come from government officials, and obviously intelligence agencies are very good at attributing attacks based on a variety of different sources and methods that go well beyond just technical measures. So for now, at least, we have to wait to see what the evidence is going to come out with regards to this. We may very well see it in the future. The Justice Department has been establishing a very good precedent, I think, for indicting foreign intelligence operatives on a regular basis for various acts that they've done against this country.

For private sector companies, what would you advise chief information officers, chief information security officers, others who are involved in at least trying to grapple with the consequences to their organizations and ensuring that the damage is limited to the extent that they can?

I think this really underscores the topic that you've talked about on a number of occasions, which is that every organization out there needs to start with an assumption that the adversary is already inside. This particular case underscores just how futile it is to try to build walls around the perimeter of your network, because someone somewhere is going to get through, through a new mechanism that you haven't even thought of or can't control for. So it could be a supply chain attack next time. It could be a zero-day vulnerability. It could be a known vulnerability that you haven't patched against, or it could be an insider. The number of methods that they can get in are numerous, and if you're trying to chase your tail trying to close down each one, you're always going to fail, because there's always going to be one more thing that you haven't accounted for that's out there that you may not have even thought of. And the reality is that if you start with the assumption that a capable adversary will get inside, and you hunt for their activities within the network, that's when you can get an advantage, where if you detect them quickly and eject them before they do any damage, you can prevent any damage from being done. And if you look at how they executed this particular attack, whether they came in through the SolarWinds vulnerability or they came in through the reseller that was selling Office 365 and Azure licenses to their customers, at the end of the day, once they moved past that initial vector, they started doing traditional things: trying to maintain persistence, trying to kill security products, moving laterally, and so on. And that's where you had the opportunity to detect them. In fact, some organizations were able to detect them and eject them before they had any impact to the company.
"Yossi, where could I find your face now, other than, well... That's a good question. Probably everywhere. Yossi Naar is a security engineer of two decades and one of the founders of Cybereason. You can definitely find him on Facebook, you can find him on LinkedIn, in several newspapers, online publications, physical publications probably too. Yossi isn't a public figure, but he's been around the block enough that if you manage to spell his name right on Google, you'll find plenty of pictures of his face. Some of you out there are in the same predicament. Some of you, due to your career or because you're proficient with social media, will have many more pictures online than Yossi does. But even for a cybersecurity audience, I can't imagine many of you out there having no pictures out on the web these days. It requires diligence and effort to be that private. Is it possible that I might find your image in places where you don't yet realize it is? I'd be surprised. Is it possible that you, listener, have images available that you're not aware of? You might not realize what's out there in the database of the gym you used to go to, or the office building you used to work at, or on your old MySpace account. The other day Nate Nelson, our senior producer, ran his and my face through a face search engine to test it out. I found, shoot, around twenty-something, with this kind of poised haircut and an earring, and then there was one shot which was labeled adult content, which I can only assume was because your old sideburns were so dang sexy. Yeah, that was my Asimov period. But hey, it's nice to know that I have an alternative career in the adult industry in case this podcast thing never gets off the ground. I don't know, Ran, there's a reason they put you on radio instead of TV. The fact that there are pictures of me I don't remember in places I didn't expect doesn't surprise me much, and that's important for our story today.

This episode is about a problem that arises when we have too many faces in too many places, because, like any data, your face isn't something to be carelessly tossed around. There's value to it, a market for it. When I tell people about Family Sounds, the audio documentaries we create for families who wish to preserve an important piece of family history, a lot of them ask me if those family histories are really interesting to listen to. After all, we're talking about our parents and grandparents, not some famous movie stars or scientists.
Cyber Security News Round-Up January 19th 2021
"The threat actors who stole COVID-19 vaccine documents appear to have altered them before releasing them online. The European Medicines Agency says the material stolen, EMA says, included internal confidential email correspondence dating from November relating to evaluation processes for COVID-19 vaccines. Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines. Emails about the vaccine development process were altered to give the appearance that this process was less credible than it might otherwise have been believed to be, and EMA stands by the effectiveness and credibility of its reviews. The corrupted, altered data thus appear to have been emails about vaccine development and not data collected in the course of the development or evaluation of vaccines.

Symantec reports another discovery in the Solorigate threat actors' armament: Raindrop, a backdoor used to drop Cobalt Strike. Raindrop bears some similarities to Teardrop, malware earlier identified as having been delivered by the Sunburst backdoor. Both load Cobalt Strike Beacon, but Raindrop uses a custom packer. Raindrop also appears to be used to propagate across networks and may have been used selectively against high-interest targets.

Various sources are warning against seven vulnerabilities in dnsmasq, the widely used DNS forwarding client for Unix-based operating systems. Vulnerable systems could be susceptible to DNS cache poisoning. The seven vulnerabilities are being collectively tracked as DNSpooq. JSOF has a page up devoted to DNSpooq, and users of affected systems are advised to apply patches as they become available.

On Friday the US FBI renewed and updated a December warning about an Iranian campaign, Enemies of the People, intended to exacerbate US domestic mistrust and division by, quote, "threatening the lives of US federal, state, and private sector officials using direct email and text messaging," end quote. The operation also involves menacing doxing. The Bureau's warning says, quote, "The Iranian cyber actors have sought to intimidate some of the officials with direct threats, including an image of an apparent text communication between the EOTP actors and an unidentified individual in the United States purportedly supporting the operation. Individuals in the United States intent on disrupting the peaceful transition of power potentially may be inspired by and act upon these influence efforts to harass, harm, threaten, or attack individuals specifically identified," end quote. Enemies of the People represents an extreme form of this tendency in influence operations.

CyberScoop reports seeing a US intelligence assessment that claims Russian and Chinese services are using the Capitol Hill riot as an occasion for propaganda and disinformation. Those two nations' styles have been consistent with that on display in past campaigns. Russian disinformation has been negative and disruptive, concentrating on producing red-meat conspiracy theories about the Capitol Hill riot. Chinese disinformation has been characteristically positive, that is, not positive in the sense of nice or optimistic, but positive in the sense of persuading its international audience of a particular position, more accurately two positions. First, the United States is a power in decline. And second, this is what happens when you tolerate democratic demonstrations: you get anarchy, which is why, in Beijing's line, it's a good thing they cracked down on Hong Kong.

At the end of last week the FBI also issued a private industry notification warning of increased rates of phishing aimed at theft of corporate remote access credentials with a view to furthering privilege escalation. A common gambit is an invitation to log into a bogus VPN page. BleepingComputer observes that this is the second such alert the FBI has issued since the onset of the pandemic. The FBI sees this particular warning as calling out a new style of criminal activity, quote, "Cyber criminals are trying to obtain all employees' credentials, not just individuals who would likely have more access based on their corporate position," the alert says. Once they have some initial access, even relatively lowly access, it's then the criminals' task to work their way into other, more sensitive precincts of the organization's network.

And finally, the FBI is investigating whether a Pennsylvania woman, identified as Riley June Williams, stole a laptop or a hard drive from US Speaker Nancy Pelosi's office during the Capitol Hill riots with the intent of selling it to Russian intelligence services. The Washington Post says the suspect has now turned herself in and been arrested. Politico, which broke the story over the weekend, calls the charges bizarre, by which they mean startling, not inherently implausible. The FBI says it was tipped off by a source identified only as a former romantic partner of the suspect. The ex-boyfriend, as the New York Times describes the tipster, said that Ms. Williams intended to sell the computer device to a friend in Russia, who then planned to sell the device to the SVR, Russia's foreign intelligence service. The transfer of the device to the Russian middleman seems to have fallen through for unclear reasons, if indeed there was any actual plan to do so, and Ms. Williams is believed to have retained the laptop in her possession. Investigation is continuing. The laptop Speaker Pelosi's staff reported stolen is said to have been used only for presentations, but it's unclear what, if anything, Ms. Williams may have taken and what, if anything, she hoped to turn over to the SVR.
Artificial Intelligence and Digital Transformation at Rolls-Royce
"Welcome to the Cyber Security Weekly Podcast. I'm Jane Lo, podcasting from Singapore today, and today we are very privileged to have Dr. Bicky Bhangu, who is the President of South East Asia, Pacific and South Korea at Rolls-Royce, to join us in the podcast. He will be sharing with us the work in digital transformation and the recent AI breakthrough in ethics and trustworthiness at Rolls-Royce. Thank you, Dr. Bhangu, for joining us in the podcast today.

Delighted to be here.

For many of our listeners, Dr. Bhangu, the Rolls-Royce name has a long-lasting romance and history going back to the first car built more than one hundred years ago, but the motor car business was separated out some time ago, in 1973 I believe, and Rolls-Royce is now in the business of pioneering the power that matters. So tell us more about the journey and the business that Rolls-Royce is in today, and your role as the President of South East Asia, Pacific and South Korea at Rolls-Royce.

Well, Rolls-Royce has been rooted in engineering since we were established in 1884, and this expertise has evolved the business to become one of the world's leading industrial technology companies that we are today. As the President for the region covering South East Asia, Pacific and South Korea, I'm responsible for the regional strategy, our external relations, and governance of all our operations across the three businesses that we have. Civil Aerospace is one of them: a manufacturer of aero engines for large commercial aircraft, regional jets and business aviation, and we have decades of engineering expertise to take us through life, with through-life service and support solutions for customers. In Defence, we're a market-leading provider of aero engines for military transport and patrol aircraft, including combat and helicopter applications. And in Power Systems, we're a leading provider of high-speed reciprocating engines, providing complete propulsion systems and distributed energy solutions. So you can say that we have a diverse portfolio that includes civil, defence and power systems, and it is because of this that our activities have tremendous impact on the world today and tomorrow. We have always pursued clean, safe and competitive solutions, and we believe our technology will be fundamental in helping society transition to the low-carbon future. And we're not going to do this on our own. We're going to do this in partnerships, and global partnerships, to collaborate and co-create solutions. And with the regional hub that we have here in Singapore, we've developed collaborations with government agencies and academia like A*STAR and NTU and NUS to pursue advanced research and technology in data, smart manufacturing and electrical systems.

You touched on engines that power many other products across the Rolls-Royce businesses, and I believe including aircraft, of course, and I imagine that you have been collecting and analyzing the performance data of your engines for that case. In fact, I see from one of your Rolls-Royce presentations that you have been collecting data for some seventy trillion data points across twenty-six dimensions on your engines. So I think our listeners will be interested to know how you have been harnessing that power of data to make sense of this information and turn it into insight and action, and I believe in many ways this is supplying the data to machine learning throughout the life cycle of the engine, from the initial stage of design to manufacturing to maintenance, repair and overhaul.

That's right. So we've been applying data analytics for more than thirty years and using AI with our real-time engine health monitoring system, a service which we launched back in 1999, and our AI capabilities are deeply embedded into products and services, so they aren't visible and not widely known. Now we're able to monitor six thousand to eight thousand flights every day, which is equivalent to monitoring three thousand engines in the sky at any one time. So we have multiple sensors on board that continuously relay information, and we're able to analyze five million data parameters from our engines every day, and we use that to provide insights to our engineers for future development and services that we provide for our customers. But it's not just about the engine and the behavior of our engines. Current work includes applying AI, with a dedicated team that we have inside Rolls-Royce called R2 Data Labs, to improve the risk management in supply chains, predict market demand, improve the efficiency of our operations, and, more recently, in the Power Systems part of the business, we've been applying AI on microgrids, making our industrial power technology more reliable and sustainable. And in the future we see AI will continue to evolve and play a bigger role, especially as we see increasing use of cloud-based services, which will be governed by a data ethics framework, and this becomes really essential. Today more than two hundred projects are starting to apply more and more of this framework.
Technology and Human Stories Intersect at the International Spy Museum
"I think my story, really, the story that led me to the International Spy Museum, I think it really begins on 9/11. So on the day of 9/11 I was in the Royal Air Force, in photographic intelligence, you know, and a friend came and said, you have to see what's happening. I was kind of irritated. I thought it was going to be some banal thing on TV or something, but we had the US news running all the time, and the North Tower had been struck, and we watched the TV and the South Tower was struck. So I guess it just really, really brought home to me that I felt like an actor in a play who didn't understand what the plot was. So I guess in one way or another ever since then I've been trying to work out what the plot was. So ultimately that led me to leave the Royal Air Force in 2005 and go back to school, and really since then, so the past fifteen years, I've been bouncing around between academia, libraries and museums. And I'm very pleased and thrilled to be now at the International Spy Museum.

And so what sort of course of study prepares you for what you're doing today?

Yes, that's a good question. I think the first thing that I thought to myself was, okay, so if I want to understand the plot, what's the best way to do so? That led me to international relations and modern history. So those are the two subjects that I really picked up and ran with, and I guess I tried to just read as broadly as I had as a kid, just to try to get a better sense of my own place in historical time and on my journey. I think one of the things that I found really fascinating was, it was still developing while I was in the military, the role that computing and cyber plays in the modern world. So that's sort of the thrust of my path, I guess: international relations and history, to directly answer your question.

And so what was the direct path that brought you to the Spy Museum itself?

So I had been living up in New York, spent a couple of years at the 9/11 Museum in New York, was back in the UK for a bit, and then came to DC again for a fellowship at the Library of Congress, and it was from there that the job came available at Spy, and I just seemed to check all the boxes. So I threw my hat in the ring, and after around seven different interviews I'm thankful and glad that they took me on, and I am here.

Well, for those who may not be familiar with the International Spy Museum, can you give us a little bit of the background and the mission of the museum itself?

Yeah, so the background of the museum: it started around twenty years ago. Recently, in 2019, we moved to a brand new building on L'Enfant Plaza, down near the river here in DC. We tripled our exhibition space. We have around 9,000 objects, I believe, and we basically try to educate an international audience on the world of intelligence and espionage. There are a number of different ways we do it: through our exhibits, people can come in and go through our exhibition space; through the artifacts, obviously, which are the key, people get to see some of the things that they may recognize from popular culture or from reading the news; and also through our podcast and our programs.
Cyber Security Headlines 15th January 2021
"Hackers waltzed past MFA used by CISA on cloud accounts. Multi-factor authentication is one of the strongest security protocols we have, but it's not infallible. On Wednesday the US Cybersecurity and Infrastructure Security Agency revealed that malicious actors bypassed MFA to get into its cloud service accounts. CISA said that the threat actors had tried multiple times to breach its systems by various tactics, including phishing, brute force login attempts, and possibly a pass-the-cookie attack, which involves the theft of authentication cookies from browsers and related processes. That's how the attackers were able to hijack an authenticated session: by using stolen session cookies to access CISA's online services.

Social media convulses after Capitol attack. A widespread shakeup is underway. Facebook's yanking posts of flyers promoting events leading up to Biden's inauguration as terrorism and cyber experts help the platform to ferret out images calling for harm. The walkie-talkie app Zello, which hasn't proactively moderated content, has deleted over two thousand militia-related channels after finding it was used by insurrectionists. And Parler, the social media app favored by Trump supporters, may never come back, having been scraped off the app stores, kicked out by Slack, and cut by Amazon, CEO John Matze told Reuters. Parler filed charges on Wednesday asking for Amazon to be forced to restore its service.

Google fixes bug that delayed COVID contact tracing apps. The API bug affected contact tracing apps worldwide, delaying notifications sent to Android users. The apps are built on top of the Exposure Notification System, an API that Google released jointly with Apple to help health services develop contact tracing apps. It looks like the problem only manifested on Android devices, not on iOS. The API lets developers create contact tracing tools that protect privacy by relying on Bluetooth to exchange anonymous keys between smartphones, an easy way to warn users if they've been in contact with someone who later tested positive.

Apple yanks feature that lets apps bypass macOS firewalls and VPNs. Apple has removed the content filter exclusion list from macOS 11.2 beta 2, also known as Big Sur. The controversial feature had allowed fifty-three of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps that users themselves had installed for their own protection. The list included some of Apple's biggest apps, such as the App Store, Maps, and iCloud. Security researchers had discovered the problem this past October and had called it a security nightmare waiting to happen.
Hackers have leaked the COVID-19 vaccine data they stole in a cyberattack
"Hackers leaked stolen Pfizer COVID-19 vaccine data online. The European Medicines Agency, EMA, today revealed that some of the Pfizer/BioNTech COVID-19 vaccine data stolen from its servers in December was leaked online. EMA is a decentralized agency responsible for reviewing and approving COVID-19 vaccines, as well as for evaluating, monitoring, and supervising any new medicines introduced to the European Union. On December 31st there were media reports of threat actors leaking what they claimed was the stolen EMA data on several hacker forums. EMA also said that the European medicines regulatory network is fully functional and COVID-19 evaluation and approval timelines are not affected by the incident.

Social media's big, terrible week. Facebook staff are being warned to avoid wearing company-branded apparel for their safety. House Democrats are planning to look into the role of social media as a source of disinformation relating to events preceding and including the January 6th riot. German Chancellor Angela Merkel, as well as a minister for the government of France, have publicly objected to the ban on President Trump's accounts, and alternative private chat apps such as Signal and Telegram are now topping app store downloads for the first time. GoFundMe has banned Trump rally travel fundraisers. Although not appearing strictly cybersecurity issues, these stories all have a great deal to do with privacy, and they also have to do with security, as the media in question have been outed as a means to incite groups to do malicious things.

Parler archived due to, quote, mind-numbing mistake. As we reported here yesterday, a hacker succeeded in archiving 99.9 percent of Parler's contents before it went offline. Analysis of what made this possible shows that Parler lacked the most basic security measures to prevent scraping, and even ordered its posts by number in the site's URLs, which helped in programmatically downloading its millions of posts. Kenneth White, a security engineer for MongoDB, refers to this as an insecure direct object reference. Parler also did not use any sort of rate limiting to cut off anyone accessing too many posts too quickly, making it easy for the hacker to write a script to download everything in the order that they were posted. White calls this, quote, mind-numbing, like a Computer Science 101 bad homework assignment.

Sunspot malware used to insert backdoor into SolarWinds supply chain attack. CrowdStrike has shared details about another piece of the SolarWinds Orion puzzle. A piece of malware named Sunspot was used to inject the previously analyzed Sunburst backdoor into the Orion product without being detected. CrowdStrike revealed that the hackers deployed Sunspot on SolarWinds systems. Sunspot is designed to check every second for the presence of processes associated with the compilation of the Orion product on the compromised system. If such a process is detected, Sunspot replaces a single source code file to include the Sunburst backdoor.
SolarWinds Orion Breach Investigations Continue
"Recall. It was late on a saturday night. Prior to the holidays. I forget the exact date of course when our c. Ceo actually flagged a story in the analyst channel for us asking. Hey we need to note on this and that time at the time it was a was the initial news story around the breach of the commerce department. And i forget the actual federal organization but something to do with transportation if i recall and at the time we drafted something up very quickly on the weekend which is rather odd to some extent so we knew it was probably significant. We had no idea that it was going to explode into into what it did and of course this had to have happened right before the holidays. Yeah we'll take us through. I mean in terms of what we know. Now where do we stand right now. Can you give us a little bit of the background of what happened in and where we stand. Yeah sure so. For those who aren't aware solar winds is a large us based software company that develops enterprise grade software to help its customers manage their networks and manage it infrastructure all their endpoints etc In particular the they create a product called orion so salt solar winds o. Rien i'm in that. That's the piece of software here that was really affected so solar winds in particular has about three hundred thousand customers which is pretty significant at thirty three thousand of which were notified in december by the company of the incident but they've actually said that at less than eighteen thousand were actually affected in some capacity by it. And that's you know that's still a huge figure. There's a lot we can go into kind of the scope of later what that breakdown looks like but the the high the high level is that attackers were able to to access to solar winds steal the code signing certificate and then make militias and unauthorized updates to a dynamic link library file otherwise known as the dl within the solar winds orion product. 
Starting back really, actually, in October 2019, but the first malicious update is believed to have been pushed in March 2020. And that allowed them to backdoor, basically they opened a backdoor into organizations that were customers of Orion, if that makes sense. So this is a third-party compromise, a software supply chain compromise, affecting these other organizations. And so that initial backdoor has been called at least two different things by various research groups or companies: one, Sunburst, and I think Microsoft calls it Solorigate. What is the intended functionality of SolarWinds Orion? If you were running this, what were you doing? So, I mean, it helps you manage, it helps manage IT infrastructure, be able to see what's installed on certain points, be able to see who's talking to whom, et cetera. It's kind of, it's an enterprise-level management suite that generally people in IT would use to make sure that everything is running smoothly and things can talk to one another, et cetera. But there are different modules of things, my understanding, that you can purchase that do various things, but it's fundamentally not something like your end user would use. It's something that's very specific; it would probably be used by the infrastructure team for a company, IT or security to some extent, but by the nature of what it does would be able to access many things. Yes, actually, and if they use SolarWinds on their network, it would have had visibility into essentially everything, and that's the concern here. So what do we know in terms of how they were able to get in and do the things they did to SolarWinds software? Good question. We don't really know. Unfortunately we don't have a lot of information on how they actually breached SolarWinds and got access.
I mean, if you take a step back, the first big breach, aside from the aforementioned government breaches that I mentioned, was FireEye dropping their notification that they had been compromised, the red team tools installed, right? But at the time it hadn't even been linked to SolarWinds yet, and it took a little bit of time for them to even determine that the way they were compromised was via the SolarWinds Orion package. But we still don't have any insight into how they actually got initial access into SolarWinds, the company, to be able to do this to begin with. Traditionally APT groups have utilized common techniques like social engineering, spearphishing for example, or email to deliver malware, privileged credentials to move laterally or to elevate their own privileges, et cetera, within target networks. But they also use other things, like watering holes for example, which tend to be a little bit less targeted. Malicious insiders is something that I think we need to consider here, and, ironically enough here, third-party compromise is also a possibility. We just don't know.
Breaking Into Secure Buildings
"Hacking large organizations. Banks governments isn't usually easy but there are ways to do it. You could fish the right employees then escalate privileges. You could find a zero day in particular software program used by the organization or you don't even have to start in cyberspace physical breaches stolen. Machines tampered with machines insider access hacking buildings themselves aren't the most widespread security threat out there but the exist. According to verizon report from twenty twenty physical actions are the six most common way that data breaches occur. And they're effective to think about it like this. Would you rather have to remotely hack into a laptop or just. Swipe it off a desk. Physical security isn't something we talk about much but we're going to today. Hi levy welcome to malicious life in collaboration with siberian and this episode. We're going to learn how to break into secure buildings or prevent others from doing it. T- my name is se aka freaky clown. I'm the co founder and co ceo of a cybersecurity company cooks agenda based in the uk. We work globally. Say genta is not like other cyber security companies and fz isn't like other hackers. His specialty is cyber physical security breaking into buildings red teaming for corporations banks and governments. But you know in real life that makes his workflow a bit. Different like for example. The first step in most major breaches is reconnaissance exploring an organization's digital infrastructure and their employees to find where they're most exposed. Fcc's reckon involves actually going somewhere and probably bringing some binoculars. Is it like the movies where you're just sitting there in your car sitting with a newspaper. That kid is sometimes more mind-numbingly boring than that. Sometimes it gets brady cold. I remember once Reconnaissance in a very calm sightsee much about on the building. I had to look at and i climbed over this. Barb wire fence it like in the morning. 
And I climbed through this, like, a thorn bush, got really shredded by it, I was bleeding, and had a ski mask on. I had night vision goggles, and I had to sit in this ditch, covered, this is close enough, and the ditch was half full of muddy water, and it just started to snow, and I was really cold and wet, bleeding, and I had to sit there for like three or four hours whilst I watched this in order to gain some intel before I went back to my hotel room. After the recon phase, hackers usually send a phishing email or text to the victim containing a malicious link or PDF. After his recon, FC does something much more simple. In fact, he doesn't even need to be a hacker for this part. So I never start with the digital, because the digital is actually harder than the physical, and this sounds absolutely crazy, but it's genuinely true. It is much easier to walk into a bank or any secure building than it is to digitally break in. Just walking in the front door? Oh, you'd actually be really, really shocked at how easy it is. I remember, years and years ago, I was on site for a physical test, and there were a couple of members of our company that were there, and one of them said to me, like, I'd like to learn how to do the stuff you do. Is it easy? Just walk in? And he goes, what do I do? Right, well, you're not really authorized to do this, but I'll show you how easy it is, right? So I'm like, come with me. We walked to the front of the building. I look through the front windows, right, and you can see how this is set up, right? So the setup is, there's a couple of these electronic barriers, so someone goes up, swipes a card, the barriers pop open, and they walk through. Okay, so all we have to do is follow someone through. The way these barriers work is they work with a small beam that goes across, right, so if a large person with a suitcase is going through, it doesn't shut the doors on the suitcase. So imagine you're as close as physically possible to the person in front of you
that's legitimately allowed to go in, and if you get close enough, it's going to count as one person. Now, all we have to do is make them feel, humans are really bad at being awkward, and they want to get away from that situation as quickly as possible. So the more awkward you make it for that person, then the less likely they are to confront you, and the more likely you are to succeed. So it's like, it's drizzling a little bit. All you have to do is run to the front door, run through the front door, and basically run into the back of someone who is just going through that gate. It's that easy? Yeah, it's really that easy. So anyway, he ran up to the front door, ran through the doors, and picked a person at random who was just swiping the card, ran into the back of them, and he basically said, oh, really sorry, it's busy, trying to get through really quickly. And he runs into them, they go through, and they are feeling awkward because they just got run into. Everyone's kind of like, oh my god, I'm sorry. And then they just let him go through.
Microsoft SolarWinds Breach, Slack Outage, Assange Denied Extradition, Singapore Police Use Contact Tracing Data
"Microsoft source code accessed by solarmax attackers as part of its ongoing investigation into the solar wind supply chain attack. Microsoft discovered it systems were infiltrated beyond just the presence of militia code with the attackers able to view source code in a number of repositories while able to view the code. The attackers did not gain permission to modify any code or systems. The company said it did not see any production systems or customer data access or found any indication. It systems were used to attack. Other organizations slack suffers a massive outage. Looks like slack head a case of the mondays because the team messaging service was down for several hours on january. Fourth uses began reporting issues around ten am eastern with slack. Managing the issues on its support page around ten fourteen. Am saying the issues connecting to the service and messaging but classifying it as a full blown outage around eleven. Twenty am by one pm slack. Support advise that users should be able to reconnect with degraded performance but that counter integrations and email notifications for. Dm's we're still having issues. Slack did not specify the reason for the outage. uk judge denies assange extradition to the us. The judge ruled that wikileaks founder. Julian assange cannot be extradited to the united states to face trial on charges for violating the espionage act. the judge ruled that extradition would be unjust and oppressive. Setting assange is mental. Health would put them at extreme risk of suicide if extradited to the us the judge rejected assange s defence however that the charges weren't attack on press freedom and politically motivated saying the. Us brought the case in good faith in two thousand nineteen asandra charged with seventeen counts of violating the espionage act resulting from the publication of documents provided by former us army intelligence analyst chelsea manning. 
Singapore police can use contact tracing data in criminal investigations. Singapore's Minister of State for Home Affairs Desmond Tan confirmed that law enforcement can use data from the country's TraceTogether contact tracing app and wearable token as part of the country's Criminal Procedure Code. When the app and token were introduced, the government said data would never be accessed unless there was a positive test, insisting the token was not a tracking device and that all data would be encrypted for twenty-five days before being automatically deleted. Tan also said that misuse of contact tracing data by unauthorized users was still subject to fines and up to two years in jail.
AI Enables Predictability and Better Business
"Call myself a data geek. I before anything else. So i started in the world of data analytics just coming out of college some a longtime ibm Grew up in the world of data and analytics comes naturally. I think to me. I probably think in models I spent a bunch of time building out. A variety of businesses like data privacy. It'd immigration at ibm. I did crossover end. Spend time building out. Api management in the cloud the initial journey that clients took to the cloud and the middleware required behind it and at every step of these areas both on the data during the end the cloud journey there was this constant of security underlying it. And it's always been kind of their But just a few years ago. I jumped head on into a full security role with my current role of leading products for the ibm security brand. I think it really helps having that background and cloud and data coming into this role given what's happening in the security world right now but if you if you asked me to define myself into words ever i'm just gonna call myself a data geek fair enough fair enough but what sort of Transitions and evolutions. Have you seen within. Ibm itself in the time. That you've been there to be honest as a with by data hat on. Which is where i tend to Go to for questions like this and its impact right now on security. There's been on journey of going from reactive to proactive. In every sense of the word rate we in the world of data over the years You did analytics. And you found out behaviors and you found out patterns after something had happened and it's nearly been an evolution over the last couple of decades. Where nearly everything. We do. His gotten to a proactive. Predictive kind of behavioral pattern now. It's not always great but it's greed in a lot of different areas where that predictive ability allows us to do better business it allows us to better client service that allows us to do of a whole host of interactions better. 
So when I look at clients moving to the cloud and IBM helping them on that journey, so much of it is being better prepared, better planned, better, more structured, and more ready for that transformation, and a lot of that actually very often comes down to going from being reactive to being proactive and predictive in nature. And I love the fact that it's coming to security. I mean, we will always have to do a bunch of defense; that's just par for the course with security. But the more predictive we get, the more we can understand the environment, we can pinpoint that defense that is required while being very predictive. So for me, personally, just as a data geek, I want the world to be more predictive than reactive. And it's a great journey that I think it has gone through, the market's gone through as well, and it's not security specific. It might have even happened in other areas of the business before security, but I'm really glad security is on that precipice of doing all of that now. And what role does artificial intelligence play in that ability to be predictive? AI helps us get there. I know a lot of people will tie AI to being predictive. I think what AI does is, it's its ability to analyze a large scale of information in short durations of time and look for patterns which would be very hard for human beings to do, and those patterns allow us to then start building more advanced models and AI, and beyond that, allow us to go down that predictive journey. So the speed and accuracy of finding these patterns, needle-in-the-haystack kind of things in some cases, allow us to be able to get to a predictive nature. It would be very hard to do without the power of AI to be on that journey.
IBM COVID-19 Vaccine Cold Chain, CellHawk Surveillance Tool, CISA Releases Malware Detection Tool, and Macros Used in Cyber Attack
"Defending the covid nineteen vaccine supply chain in an editorial ibm's global league for threat intelligence. Nick rosman makes the case that this supply chains should be treated on the same level as the electrical grid or air. Traffic control arguing. It's now part of national critical infrastructure. He points out that pharmaceutical companies medical manufacturers and component suppliers in vaccine clinical trials have already been subject to attacks with the fishing campaign. Starting suppliers of cold storage need to transport the vaccines the largest supply chain of suppliers. Distributors storage facilities and packers provides a number of vectors to impede the vaccine's ultimate distribution for rosman the key to defending the supply chain is collective action and a coordinated strategy with an organized approach to threaten intelligence sharing cellular aggregation tool detailed in police reports. The tool is called sell hawk from hawk analytics and is often used by law enforcement. So hawk collects information provided by cell providers at the maps of people's locations movements and relationships claiming to be able to process a years worth of cellular data in about twenty minutes. This can allow police departments take information from so-called tower dumps that lists all phones connect to a given tower and create spreadsheets attract connected phones without a warrant so can correlate this with gps and other data generated by smartphones to show how a person moved and use their phone over time with the ability to do things like continuously monitor specific phones and send alerts to law enforcement when someone moves out of gio fence daria ceasar releases a malware detection. Tool for azure and microsoft. Three sixty five. The powershell based tool called. Spiro is designed for incident responders to look for unusual potentially malicious activity. The tool was developed by ceases. 
Cloud forensics team and checks the unified as m three sixty five audit log for indicators of compromise lists azure ad domains and checks as your service principles and their microsoft graft permissions to discover potential. Malicious activity sparrow a response to a rash of recent authentication based attacks seen in multiple sectors macro based mail where uses git hub and imager in attacks. Were docs are a common attack vector for cyber attacks. No need for me to tell you that. Researchers arc birger details about a new technique however that uses macro in a word file to download a power shell script from getup then initiates the download of a benign image file from the image hosting service imager the pixel values from that image then used by the power shell script in calculating the next age payload ultimately decoding cobalt strikes script on windows systems after publishing their findings. The researchers found that the domain associated with the c. to server the script attempts to reach is no longer available
January 25, 2021
"And restricting access to devices based on white listed ip addresses intel probes reports of quarterly earnings. Hack intel corporation said on thursday that it was investigating reports that an info graphic in its quarterly earnings statement had been the object of unauthorized access by an unknown actor before publication. The company released a statement that said quote once we became aware of these reports. We made the decision to issue our earnings announcement a brief time. Before the originally scheduled release time and quote this measure was taken to prevent individuals who might have gained access to the stolen info graphic from illegally using the information obtained in advance for an unfair advantage on the market tesla. Fires new software engineer for allegedly stealing python scripts tesla fired and sued the engineer for trade secret theft and breach of contract after discovering that he had allegedly copied thousands of files to his personal dropbox account just days after being hired a complaint filed on friday in us district court in san jose. California claims that. Al ix cutoff transferred warp drive files from tesla's secure internal network to his dropbox account. That tesla has no access or visibility to catalog said he was unaware of the lawsuit and insisted that the transfer was a mistake. The result of dropbox automatically copying python files. He installed as part of his on boarding process and now our sponsor new security brings you the first of the top five
Trickbot may be down, but can we count it out? [Research Saturday]
"A kind of came especially over the last year or two is very much focused as a lawyer. And a lotta means you know trick. Bought itself isn't bad on its own. But it's what comes next which is can be really really bad and the offering is behind trick. Border experts triaging their infections. They have no problem compromising huge visible organizations worldwide probably millions outside low millions and looking through those infections to find interesting whether you're an organization where a government department whether you're a bank And either doing follow up intrusion activity themselves or providing it to other third parties whether they be nation states cybercriminals etc. So we've been tracking trick bought for a number of years now from the technical side. We seen we did some research into an interesting of totally skeptical of it. There was some public claims. That trick bought systems that were compromised with trick ball being sold to the north koreans and like i said totally skeptical of that when we started looking at it and by the end we will i. Yes this is definitely there and so he put out some public blog on on. That seems pretty clear that in a small number of cases where some financial institutions have been hats they've had those accesses provided or sold to the north koreans who've been done follow up activity and so yeah kind of lead on from that and we saw initial take down where look like somebody was trying to tell all the trick board infected systems kind of cut off the connection between them and the cybercriminals militias infrastructure. And we worked with. Brian krebs on it because it was quite a technical story and brian's very good at understanding the technical aspects asaba crime and by some working with brian. And you know he's story published in reference to us that a number of other mainstream media washington post new york times Reached out off the folks. We knew who said that. 
you know, these folks told us that action was Cyber Command. And then we've been told that it was an independent action, around the same time, leading up to the elections, an independent legal action by Microsoft to take down the infrastructure. And so yeah, we have started to look at the alleged Cyber Command action, and then it kind of linked in and fell in with Microsoft's action, and everybody was asking the same question, which was, what's happening to TrickBot, right? Right. Yeah, well, before we dig into some of the details that you all have outlined here when it comes to what Cyber Command allegedly did, and also Microsoft, can you give us some insights on TrickBot itself? I mean, how is it operationally? What's their order of operations? Do they go out and get their hooks in people's systems and then go offer that up for sale? Do they say, you know, hey, we have these types of systems available and for a price we'll give you access to them? Or do they take a custom order from someone who says, you know, we'd really like to have access to these kinds of systems, can you go out and provide that? Any insights on how they go about it? Yeah, I think it's probably all of the above, what you described. This is a professionally run managed service, cybercrime as a service. And I'm sure there are members of the group that are doing intrusions and ransoming organizations. They're probably buying access into organizations from the underground, so the cybercriminal underground; people call it the deep and dark web, although I hate that term.
But they're probably doing that, they're probably buying installs from other cybercriminals, installs being, there's other groups which are just focused on getting initial infections on systems and then selling them, like, do you want a thousand compromised systems from the US, or from Western Europe, from the Netherlands for example, and just selling bulk installs of compromised systems like that. And they do what you just said, selling off access to different people, custom or otherwise. So yeah, it is a very long-standing operation, very, very, very well resourced, probably no different from where we're a well-resourced intelligence vendor and they're the opposition, and there's no doubt they're well resourced as well. Yeah, can you give us some idea of what's going on behind the scenes in terms of the scale of the infrastructure when TrickBot was up and running, before, you know, folks came in and tried to interfere with them? How large were they? And what were the types of systems they had, what was going on with their command and control servers, that sort of thing? As a whole, the focus up until the takedown seemed to be mostly ransoming organizations, so small and mid-size organizations that they have initial access to, and they do it themselves, or they provide it to a third party, a third-party group of cybercriminals, who would then look to move within a compromised network, within a compromised organization, almost always to try and get the domain controller, so that's the system which controls all the other systems, because if they have access to that, they can push out an update which then installs ransomware on all the systems. So that was kind of the objective. From an infrastructure perspective, they used a lot of what we think is routers, so there was a company, MikroTik, I think is how you pronounce them, MikroTik, hacked MikroTik routers. You can
basically, there was a vulnerability; it's been patched for quite a while, but a lot of people's routers all over the world have not been patched, and they'd basically be scanning and exploiting them, and they use that as their initial point. It very much made Microsoft's job very difficult in taking down the infrastructure, because it was all over the world; they had these routers which act as the first layer where compromised systems connect to, in places like Brazil, Indonesia, Colombia, and then former Soviet Union countries, very dispersed and a lot of them. So that made things difficult with the Microsoft takedown. Sure. Well, let's walk through the takedown, starting with the one that folks seemed to think came from US Cyber Command. I mean, that began back towards the end of September. What exactly did they reach out and do? Sure. Each TrickBot infection has a configuration, and the configuration says, connect to these places, this is the way you connect to receive commands. So compromised systems receive commands from the bad guys; those commands typically come from those compromised MikroTik routers, which forward to the real bad guys' servers. So that was happening, and we saw an update pushed that had the IP address 127.0.0.1, which is the loopback IP address. So the objective was really to push this update to all the infected systems, so the infected systems try to connect to themselves only. So effectively, you can cut the head off the snake by going after the server, or you can go after all the snakes at the bottom, the infected systems. And that's what the objective was. So for a period of time, every TrickBot-infected system that had been turned on and connected to the command and control center received an update which cut that connection. So that was the alleged, alleged to be
US Cyber Command's action, and they did it a couple of times over a couple of week period as well. And in the first instance the bad guys had the configuration back pretty quickly, and the second one I think was about twenty-four hours, where it took for them to
Implications of Solorigate's circumspection. RBNZ cleans data sources. Gamarue in student laptops. Dodgy apps. Ransom DDoS surges. Securing the President's Peloton.
"Funding for this cyber wire. Podcast is made possible in part by taint him at him. They know that. In a distributed world both business operations and agencies missions increasingly begin at the endpoint provides unified endpoint management and security for the most demanding. It environments their approach decentralizes data collection aggregation and distribution down to the end point delivering transformational scale speed and reliability across your distributed workforce. Learn why the department of defense and half of the fortune one hundred trust neom at ten. Am dot com twice. It's may be an indicator once it's nothing at all to the machines. The reserve bank of new zealand works to clean up. Its data sources. Were me student. Laptops daily food diary is a glutton for your data ransom de dos kayla. barlow examines. How we handle this information in our run books in response plans our guest. Ron gula from gulag tech adventures shares his thoughts on proper public cyber response to the solar winds attack. And should we worry about that. White house peleton
January 22, 2021
"Technologist claims to have distinguished about forty thousand faces spotted in nine hundred videos. They've put together a collection of unique identifiers for what the system interprets as a particular individual which video from the capital riot they appeared in timestamps and the location where the video was taken. Their data sat doesn't attempt to match individuals to their identities that's good given how error-prone facial recognition technology is for example. One glitch involved supposedly recognizing andrew cuomo space from t-shirt. The technologist has shared their findings with the f. b. i. e. u. privacy watchdogs go after employers who spy on workers. Workers surveillance is reportedly spiking in the us and europe as employers.
The Year's Best Stories on Security Now
"Hello everybody, it's... I don't know how Steve does this mustache thing. We're giving Steve the week off. You know, he takes no time off. The man works his butt off, not only with his products, SpinRite, and all the research and stuff he does for his website, grc.com, but he spends, you know, hours putting together the Security Now show every week, and the funny thing about Steve is he never wants to take a day off. He never wants to miss a show, so I've tied him up and put him in a closet so he can't be here today, because the guy needs a week off, and we're gonna take some of the best moments from the year 2020, starting with the story of, and this was a bad one, Clearview and their face recognition technology. So last week we talked about the Clearview AI company, who were doing the facial recognition and scraping the web for three billion faceprints and made them available to six hundred police departments so they could identify people within seconds. Since then Clearview has increased their collection of cease and desist letters, which are just not exactly what they were hoping to be collecting from major US social media players. The first one they received was from Twitter a couple of weeks ago, when Twitter told Clearview to stop collecting its data and to delete whatever it had. In addition, Facebook has similarly demanded that Clearview stop scraping photos because that action violates Facebook's policies, and now Google and YouTube are also both telling Clearview to stop violating their policies against data scraping. Clearview's take on this is defiance. The CEO, Hoan Ton-That, was interviewed last Wednesday on a morning news show. He said to trust him; he said the technology is only to be used by law enforcement and only to identify potential criminals. Ton-That claims that the results, which is not encouraging, are ninety-nine point six percent accurate. I guess, though, you wouldn't wanna miss... I want a false positive rather than misidentify you as a bad guy. So I guess accuracy is a better thing, and he also claimed that it's his right to collect public photos to feed into his facial recognition archive. He said there's also a First Amendment right to public information, so "the way we have built our system is to only take publicly available information and index it that way," and, by the way, there was a recent Supreme Court decision, or was it the Supreme Court, maybe the Ninth Circuit Court, having to do with scraping of LinkedIn, where they ruled, yup, you can't stop scraping if it's public information. Y'all can't stop it. In fact, I mentioned that here. So we know from last week, when we talked about this, that in Illinois at least, with their BIPA, the Biometric Information Privacy Act, you know, it's illegal there. And YouTube's statement read, quote, "YouTube's terms of service explicitly forbid collecting data that can be used to identify a person. Clearview has publicly admitted to doing exactly that, and in response we sent them a cease and desist letter." As for Facebook, Facebook said last Tuesday that it has demanded that Clearview stop scraping photos because the action violates its policies. Facebook said, "We have serious concerns with Clearview's practices, which is why we've requested information as part of our ongoing review. How they respond will determine the next steps we take," which I'm sure Facebook intended to sort of sound ominous. And Ton-That defended Clearview as being a Google-like search engine. He said Google can pull information from all different websites; if it's public and it can be inside Google's search engine, it can be in ours as well. Google disagreed, saying that Clearview isn't at all like their search engine. Google said there's a big difference between what we do and the way you're shanghaiing everyone's face images without their consent. Most websites want to be included in Google Search, and we give webmasters control over what information from their site is included in our search results.
SolarWinds hackers breached US Treasury officials’ email accounts
"Attackers staged a dry run at SolarWinds in October 2019. Yahoo News's sources say the operators of the attack conducted a test of the campaign five months before the supply chain attack began in earnest. This test sent files without backdoors through signed updates to Orion, seemingly to test that they would actually be delivered and detected, and an updated FAQ by SolarWinds indicates that this was the first modification to its updates it was aware of. In related news, an analysis by the Wall Street Journal, Farsight Security and RiskIQ identified twenty-four organizations that installed SolarWinds' Orion platform with malicious backdoors installed, including Cisco, Intel, Nvidia, VMware, Belkin, Kent State University, the California Department of State Hospitals and Deloitte. NSO Group spyware reportedly used against journalists: a new report from security researchers at Citizen Lab at the University of Toronto details how government operatives used the Pegasus spyware from NSO Group to attack the phones of thirty-six journalists, producers and executives at Al Jazeera, as well as a journalist at Al Araby TV in London. The attack was carried out using the zero-click KISMET exploit chain and iMessage, which worked against phones running iOS 13.5.1 or earlier. Apple said it patched the vulnerabilities, seemingly with iOS 14. CIA agents exposed with stolen data: a new report in Foreign Policy looks at the impact of data stolen by state-backed groups and other APTs. Around 2013 the CIA began to notice that undercover operatives in Africa and Europe began to be rapidly identified by Chinese operatives. This marked a period where the US intelligence community noted a general professionalization of China's intelligence operations, building infrastructure to process the data they were already collecting, both officially and illicitly, as well as a general rooting out of corruption that previously had led to deep penetration into the Chinese government. In the early 2000s China began tracking flights and passenger lists; it also went after biometric data at airports, like at Bangkok. This information was correlated with data gathered in an attack at the Office of Personnel Management in 2012, which leaked personal data from twenty-one point five million people. That data could be analyzed to figure out who was a US agent; pair that information with travel data and you could figure out who from China those agents met with, and, with the background data, indicate who might be approached about becoming an asset. Europol and the European Commission launch a new decryption platform. This platform was launched in collaboration with the European Commission's Joint Research Centre, designed to aid authorities in decrypting information that is obtained lawfully in criminal investigations, and is managed by Europol's European Cybercrime Centre. Functionally, this platform will use in-house expertise with both software and hardware tools to provide effective assistance to national member state investigations. National police forces from member states can now send lawfully obtained evidence to Europol for decryption.
Threat Hunting Offsets the Technology Gaps
"Where I got my start, I would say, taking it back to my military and law enforcement days, so physical security, of course, close protection details. So I've been in the space probably since seventeen, in some form or fashion of security. I transitioned into cyberspace actually in early 2000, working at Class. I was part of the first development team launching the Windows 2000 IKE server, L2TP VPN server. I was there at the, fortunate I guess you could call it, experience with Bill Gates, launching that in February of 2000 at the Sony Center. It was the first appliance-based VPN service powered by Windows. And then, working for Class at that time, I also helped build out the first cloud-based VPN, your cloud firewall service, powered by, at the time it was Nortel cosign, so that dates me a little bit. And then building out what was the first MPLS environment, building out using 2547, would universe, building out the virtual router types, and so in security for a long time, transitioned into more of a layer seven environment, layer four, like, you know, with Level 3, and building out an MSSP practice inside a service provider, we launched DDoS, real, so, as part of the 2014 NTP attack, using Yola rod wears, a way to combat the 2014 biggest DDoS attack at that time. Building out also various types of security environments, from secure email to secure access tunneling. So, in building out the first threat intelligence as a service, taking intelligence and curating that intelligence and turning it back and enriching that and empowering it into people's SIEMs, the client SIEM. So I've been in the space for quite some time and done everything from being on the keyboard to developing and strategizing and bringing to market some of the most robust and, I would say, sophisticated security services that exist today and are still active today.

When you look back on some of those earlier days, you know, thinking back to something like the launch of, like you're saying, Windows 2000, I mean, can you give us some insights as to the evolution that you've experienced, the growth in the sophistication and capabilities of these tools?

I mean, when you think about the evolution of this, it's mind-boggling to see how we have evolved so much, from the tunneling-type activities to more cloud-based SaaS environments. No longer are we required to actually launch a client on your device when we're using software as a way to connect, using, for example, SSL. Recently, about a year and a half ago, I built out an appliance-based service that allows us to run your SSL connections, using OpenVPN, to a source gateway and then out to the cloud, and basically all in a zero-touch provisioning, so to say. So to evolve from having someone manually help you set up your tunnels, establish tunnels, you know, establish pre-shared keys and connections, to these major... to automatically enabling that, it's just crazy to see how we've evolved, and it's actually quite, you know, exciting to see where we're going to go because of COVID-19, right. COVID-19 has taught us so much that the next evolution of cybersecurity, and, you know, this would be called a borderless environment, is going to drive us to more cloud around monitoring the compliance, configuration changes, things that we did not do in the past that we're going to be obligated to do in the future.

Yeah, I mean, that's a really interesting point, how we... I mean, I suppose it could be looked at as an upside, this push, this, you know, we're pushing this outside of our comfort zones into new areas.

Well, I mean, you have to. Nail henrik conference on... cybersecurity has never been comfort, right; it's always been complex, it's always been hard to, let's just call it like it is, one, to communicate to people, two, to help you understand the value of it, and three, and I think the foremost, is actually enabling it, right, because too often what I've learned over my years is, to people it's still a compelling event, meaning that unless something happens to me I don't worry about it, and it's so much like law enforcement; it's a lot around activities, you know. Let's just take a home environment: if the house around the street got broken into, prior to that happening you didn't do anything, but now that it got close to home, what are you going to do? You're going to either go get a big dog, you're gonna put cameras up, you can put an alarm system in. The problem we have today is that we're reactive versus proactive, and cybersecurity has been that way for the last, I would say, ten years, if not fifteen years, very reactive, and we're still reactive today, even though we're being pushed outside of our comfort zone. I mean, think about COVID-19; it was reactive, right. We had to move quickly to accommodate a remote workforce, bauer coming back and doing, trying to figure out what holes I opened to enable that from that reactive aspect. So it's a very interesting, you know, bell curve that I see that goes on, where we're going up and down, up and down, and it's hard to keep out in front, it really is.
What can the US do to prevent cyberattacks?
"What can the US do to prevent further cyber attacks? In light of the high-profile cyberattacks performed by the Russian Foreign Intelligence Service and other state-backed actors, Alex Stamos published an op-ed in the Washington Post on how the US should defend against them going forward. He called on the US to create a cybersecurity equivalent of the National Transportation Safety Board to track, investigate and issue recommendations on cyber-attacks, and further calls for a federal data-breach law that would require disclosure of breaches instead of state-based laws. He further calls for putting defensive cybersecurity on the same level as intelligence gathering and offensive operations, with the creation of being a good start but noting that it lacks the size and technical competence of offensive operations. The third measure would be to appoint individuals with practical defensive cybersecurity experience to key roles in the Biden administration.
Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts
"I'm gonna tell you about a chap called Sudhish Kasaba Ramesh, and he was working at Cisco, which of course is the giant technology firm, working there from midway through 2016 up until April 2018, when he departed the company. Okay, so he spent, how many years, say he was there for almost two years. So, fully months after he left the company's employment, he decided to log into their systems, specifically some Cisco systems which were hosted on an Amazon AWS server, one of those cloud buckets, those blobs of computer which'll do all kinds of clever things up there in the cloud. Do we know where he is, in America? Always in the States, or somewhere else? Yes, yes. But he is no longer under their employ, so he's no longer working with them, but this is only months after he left. Let me just repeat that: this was five months after he... so he was able to do it. Not just he thought about it, he actually did it, he logged in. Has it never happened to you that a client has left the gates open after you're no longer working for them anymore? I'm sure they have. I'm sure, correct answer, because you've never checked, because that would be a bad thing. It would be, yes. I, exactly. I'm sure there have been companies I've worked for who haven't changed the credentials. And you're working for technology and security firms? Well, in some cases, yes. So I'm just saying, I'm just saying I'm not surprised. That's when I was working down Kentucky Fried Chicken to earn some extra bob. It wasn't, yeah, well, okay, but this was Cisco. You're right, so Cisco is a big dog. Okay, so five months after this guy's finished employment he manages to log in. Yeah, he logs in; someone forgot to do something. I wonder, just having a nose, you think, or no? He's not just nosing around. Is he just curious to see if the company's still doing well in his absence? He's not doing that. I wonder how Cisco's doing without me. No, no, I miss... I have, yeah. Yeah, we've all done it. That's why. I wonder how bad they're doing, no, I've left up, shit... grew up to something else, you're saying. Yes. So Sudhish Ramesh, he logs in to this AWS server and deletes four hundred fifty-six virtual machines. Oh boy. Which were being used by Cisco to power its WebEx video conferencing service. Oh, for God's... he's trying to bring it to its knees through its WebEx. As though WebEx doesn't bring the entire world to its knees on a regular basis whenever you use it. You must have... video chat, yeah, the video conferences. You must have used it. Have you guys used WebEx video? Yes, pre-pandemic. Oh yes, it's been usurped by things like Zoom. Zoom really has sort of caught everyone's imagination now, hasn't it, but WebEx was... it's still worsley going strong, and it's used by some organizations. It's the more corporate one. So as a consequence of Ramesh deleting all these virtual machines, as a result of this over sixteen thousand WebEx Teams accounts were shut down for up to two weeks. Imagine the impact on productivity. That's right, productivity must have gone through the roof. Yes, well, we can't have a meeting. Oh darn, we'll have to do some work instead, or send an email. You're on mute, and having all those kind of... can you hear me? Austria, on my last call, Jesus, everyone over there so they can hear you over the line. This is the way. So I'm just doing... next to somebody who did exactly that on the national conference call, five a.m., called into the office, shouts loud as that, two countries, anyway. And so sixteen thousand accounts were shut down for up to two weeks. Cisco spent roughly one point four million dollars restoring the damage, paying people to restore the... restore them. Don't you have to just press, go back to, you know, Control-Z? It should drag it out of the trash. They would have backups, surely. We would think so, wouldn't you? And they also had to pay over one million dollars to customers in refunds, 'cause they're hosting all these WebExes for other companies. People would have had contracts and they would have had to say, oh, terribly sorry, you haven't been able to use it for two weeks. We can't hold webinars that people were not able to host, yeah. Not just internal inside your company, but one would have been given to customers. My God, the product marketing manager is going insane thinking, like, from the marketing team, like, oh, there goes the calendar. We've got a problem, we've got to change the landing pages. Real to reel... who's at fault? The guy that did it. Yeah, ultimately him. Yeah, yeah. I mean, it's like leaving your car unlocked, right, so if I left my car unlocked and then someone stole something from inside my car, which has happened to me, whose fault is it, right? Ultimately the person who stole the thing from my car, because it is parked in my drive, but they're opportunists, and you'd say, well, lock your doors, dumb ass. Yes, so Cisco should have locked the doors. Ramesh had the kind of, I'm guessing, pretty high-level privileges to do that much damage that easily. I mean, nobody locked... is the countdown nine, a little bit. I mean, jeez, five months later. I mean, I can understand if it was the day after he left, but five months later. My guess is that when Sudhish Ramesh left employment at the company they may well have revoked his access to Active Directory and his ability to log into his email or something like that, but I wonder whether access to the AWS server was something which was available to many people in the IT team. Maybe they were sharing credentials, shared credentials. Yep, and I think that's probably what was happening, and it's hard to work out, if you do share credentials inside an IT team, who might know those login credentials, and it's a pain to change them because that's gonna affect lots of other people and lots of other services. Well, not if you use a really good password manager. Well, that simplifies a lot, right, because you can change it at the admin level for everybody. Yeah, I suppose so, if you also have services which might be logging into these systems, and maybe it's grabbing the password for everything. The real mistake here is sharing passwords, right. There are teams of people where the password will be known to a variety of people, and they'll log in, they'll be doing administration and all kinds of different maintenance and other work on a particular system, and the thing is that they don't have individual passwords, so you can't just revoke a person's password. Straight advice: do we share passwords? Possibly, shared. Yes, we share passwords to run this podcast, don't we? Yes. You're not Cisco though. I know we're not Cisco, but I'm saying we know better and we do it, because the workaround to do it any other way is too complicated, like just ridiculously complicated. Can I show you... if one of us were to leave Smashing Security to set up a podcast about, I don't know, Piccoli predicament, something, in fact took off and weren't interested in Smashing Security any more, then I would change the passwords, or whoever remained would change the passwords of those accounts, so that you, or whoever had left, would no longer be able to access them, really. Does this mean you're joining our podcast now? Is that what I'm understanding? It sounds like it to me. So there's clearly someone in the IT of Cisco, they should have changed the login credentials, right, just like you would expect when people leave a company to hand in their badge or give in any keys which they have to lock doors, but shared credentials, bad, bad, bad idea, especially for something that business-critical, like the keys to the kingdom. I mean, it's one thing to say, you know, here's the marketing login for, I don't know, something really unimportant, but your admin credentials for your entire WebEx product. So Cisco called Sudhish when they figured out what happened and said, look, we obviously dismissed you in a bad way, and offered him a nice severance package and a hug, we'll throw in a donut, to get to the bottom of exactly what his beef was with Cisco. What made him do this some months later? It's not really an act of passion, is it. He was still doing... Sudhish, it takes five months to stir. Be angry with the company, but you're not angry necessarily with its customers and you're not probably angry with most of your former colleagues, so remain professional, don't take it out on them. Because what if you are, though? What if you do hate all your folks? Is it justified in this case? Reminded me a little of the case of Terry Childs. Do you remember Terry Childs? Childs was a former network administrator for the City of San Francisco back ten or fifteen years ago, if I remember his name right. Well, yes, he infamously locked up the city's entire network for days in 2008, reset all the admin passwords so that only he knew them, and he refused to reveal them to anybody, and the excuse he gave, and, you know, he was arrested and things, and a week and a half, nothing was happening, because, no, I'm not gonna tell you the password, you can't. And he claimed he wasn't going to tell the bosses or the managers the passwords because he was concerned that they would indiscriminately share those credentials with third-party contractors, and so he didn't like that people were being careless with passwords. He was like, so, you see, the vault, you cannot break it. And ultimately, oh my God, to me, the Mayor of San Francisco had to personally go and chat with him. He was the only trustworthy person. That doesn't sound just like a typical, quote, rogue employee. I think there's some mental stuff going on there, because that's a, baby or something, that goes beyond. Anyway, Sudhish Ramesh, he pleaded guilty, and the chap has now been sentenced to twenty-four months in the clink and to pay a fifteen thousand dollar fine as well, and because he was here on a visa as well, I suspect he may find it difficult to stay, in case.
Adrozek: Widespread Malware Campaign Seeks To Silently Inject Ads Into Search Results, Affects Multiple Browsers
"The Microsoft 365 Defender research team posted a blog titled "Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers." They named this thing, I don't know why, Adrozek, "ad" as in advertising, A-D-R-O-Z-E-K. Adrozek really rolls off the tongue. So one of the things that makes this malware noteworthy is that it is widely cross-family and multi-browser. It affects Edge, Chrome, Yandex and Firefox uniformly, and although its most prominent feature is unwanted ad injection, it not only injects ads; the malware also exfiltrates any of the browser's stored credentials that it may have access to. That's, you know, when you tell your browser, rather than your password manager, that you want it to save things. Unfortunately, if you're, you know, up in the browser's business, you can figure out what credentials it saved, because in order for it to send them they cannot be encrypted. So, you know, that's a problem, so of course that could cause, you know, exporting your credentials could cause significantly more harm than some unwanted ads injected into search results. I saw pictures of it, and yeah, it shows you what you would normally see would be Google results on a Google search, and instead, like, the whole first page is these bogus ads stuck in, tied to keywords. So, you know, it's trying to get, you know, ad payment benefits. Microsoft said, "We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert unauthorized ads into web pages, often on top of legitimate ads from search engines. The intended effect is for users searching for certain keywords to inadvertently click on these malware-inserted ads, which lead to affiliate pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliate pages." Cybercriminals abusing affiliate programs is not new, Microsoft wrote; browser modifiers are some of the oldest types of threats. In fact, remember, it was that adware, adware thing which, that I found in my browser, one of those old BHOs, remember, browser helper objects, that caused me to write the first anti-spyware, 'cause it was spyware that had gotten in unannounced and unasked for. Anyway, Microsoft said, "However, the fact this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated. In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks." So anyway, it was surprisingly sophisticated. It disables browser updates to prevent its configuration modifications from being reversed, and even establishes a Windows service to gain persistence over the long term, so that if you did something that tried to get rid of it, the service would keep running and then put itself back. So it's a serious issue. Microsoft was tracking this thing's compromise of more than thirty thousand PCs per day. So the good news is, I'm sure that Microsoft's security people became aware of these threats, and shortly thereafter so did the Windows Defender protection suite. So it might be a good idea, for some peace of mind, to just ask Defender to perform a full scan of your various Windows systems from time to time, and, you know, that takes some time. There's no way around that; you know, as the author of SpinRite, I'm all too aware that actually reading everything on your system will take some time. I just thought, while I was putting the show together, I would do that, so I started up a full scan on my Win 10 machine, and it says, go ahead, use your machine while it scans in the background. But I did notice that it aggressively throttles its scanning not to interfere with your use of the computer in the foreground, so it's probably better to choose a time when you're about to be away from your machine and fire it up at that point. So when it was all done, while I was assembling the notes, I noted that it took ninety minutes and it scanned five million seven hundred ninety-seven thousand eight hundred ninety-nine files. It always blows me away when I see that, Leo. After the scan was finished I just stared at that number. I remembered fondly, and this takes us back to our older days, I remember when our hard drives had seven files on them. Now the number of files has seven digits. Amazing, you know. I do miss those days. Yeah.
Google Play Core Library Problems
"Play Core Library problems. Google provides Android app developers with a component called the Google Play Core Library. The Android developer docs describe this component library by saying, "The Play Core Library is your app's runtime interface with the Google Play Store. Some of the things you can do with Play Core include the following: download additional language resources, manage delivery of feature modules, manage delivery of asset packs, trigger in-app updates, and request in-app reviews." So, you know, it's an API, essentially an interface to the online Google Play Store that allows apps to interact with various Play services from within the app itself. You know, so you could dynamically load additional code, additional levels of a game as needed, maybe pull locale-specific resources, and of course interact with the review mechanisms, and since this is the officially sanctioned and recommended way to do this, many popular, I would argue well-designed, Android apps utilize this library. Those include Google's own Chrome, Facebook, the Android Facebook app, the Instagram app, WhatsApp, Snapchat, Booking, and even the Edge browser. Facebook and Instagram alone account for five billion and one billion downloads respectively. So just imagine the total number of Android apps worldwide that have historically incorporated this library at Google's behest. It's the right way to do it. If your app has some need to interact with the Google Play Store after it's been downloaded and installed, this is the officially sanctioned way to do it. Okay, so the problem is a quite serious bug was discovered inside this very widespread common app library, and because the library is linked into Android apps to become part of them, this isn't something that Google can fix with an Android update, you know, even for those Android smartphones that would be receiving updates. So what's the bug? I quote the company with the oxymoronic name, Oversecured, since this was their discovery. They explained, "The Google Play Core Library is a popular library for Android that allows updates to various parts of an app to be delivered at runtime without the participation of the user via the Google API. It can also be used to reduce the size of the main APK file by loading resources optimized for a particular device and settings: localization, image dimensions, processor architecture, dynamic modules." That's really cool, instead of storing dozens of different possible versions. They said, "The vulnerability we discovered made it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them. An attacker who had a malware app installed on the victim's device could steal users' login details, passwords and financial details, and read their mail." So again, a well-meaning, high-volume app installed on an Apple smartphone, I mean, sorry, Android, on an Android device, it's got this library. The library has a bug that allows any other app on the phone to utilize the bug to cause that well-meaning app to download whatever the bad guys want. So essentially it allows any malicious app to penetrate Android's critical inter-app sandbox, which exists solely for the purpose of isolating apps from each other, to prevent them from access to each other's stuff. And although Google knew about this earlier this year and immediately patched the vulnerability back on April 6th of 2020, apparently not all developers received the memo. Check Point Research took a look at this just last week and explained what it means. They said, "When we combine popular applications that utilize the Google Play Core Library and the local code execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application. The possibilities are limited only by our creativity." They said, "Here are just a few examples: inject code into banking applications to grab credentials, and at the same time have SMS permissions to steal the two-factor authentication codes; inject code into enterprise applications to gain access to corporate resources; inject code into social media applications to spy on the victim and use location access to track the device; inject code into instant messaging apps to grab all messages and possibly send messages on the victim's behalf." Anyway, we get the point. It's bad, and in their proof-of-concept demonstration Check Point used a malicious app to steal a login authentication cookie from an older version of Chrome which was built using the original library. Once in possession of the cookie, of course, now you can do session hijacking, right. The attacker was unable to gain unauthorized access to a victim's Dropbox account. So as I noted earlier, the library was updated back in April, eight months ago, but last week Check Point identified fourteen apps, having combined downloads of nearly eight hundred and fifty million, that are still vulnerable today, eight months later. Within a few hours of their publishing their report, the developers of some of the named apps had released updates that fix the vulnerability. It only took them eight months, public shaming and some outcry.
Delaware County Pays $500,000 Ransom After Outages
"Ransomware news, a few things. Delaware County, Pennsylvania, has paid a half-million-dollar ransom after their systems were hit by the DoppelPaymer ransomware last weekend. And because, being Pennsylvania, that's on a lot of our politically focused people's radar, because it was one of the loudly and hotly contested states in the US's recent presidential election, so of course the first question anyone has is whether the ransomware attack, which was recent, may have had any effect upon the state's election networks. So Delaware County was quick to state that the Bureau of Elections and the county's emergency services department, neither of those were affected. They're on a different network than the one that was hacked. Sources said that the county is in the process of paying this half-million-dollar ransom since it's insured for such attacks, so they figure, hey, what the heck, let's pay the ransom, get the key and get our systems back up. We're hearing more about DoppelPaymer, and so I think this is one that we're gonna be talking about, much as we've been talking about, you know, Sodinokibi and REvil and so forth. It was derived from its predecessor, BitPaymer, and it shares a large body of its code. DoppelPaymer has been improved to add multi-threaded encryption, because of course what you want in your whole-server encryption is speed. So anyway, it's faster now. And in an odd twist, the DoppelPaymer gang apparently advised Delaware County to change all their passwords and also modify their Windows domain configuration to include safeguards from the use of the Mimikatz program. Now it's not clear what those safeguards would be, maybe, like, explicitly look for Mimikatz. Mimikatz, we've talked about it from time to time. It's an open source tool that's been around for about six years, since 2014. It's commonly used by ransomware gangs to harvest Windows domain credentials when they get into a compromised network. So it's one of those, you know, lateral movement tools. It doesn't qualify as living off the land because it's typically not present on systems, so the ransomware needs to download a copy in order to use it, but it is on GitHub, and its author six years ago explained that he wrote it as a way to learn C and experiment with locating and extracting Windows credentials from the RAM of running systems. So yeah, it's very much like that Active Directory tool we were talking about a few weeks ago. It wasn't ever really written to be used for malicious purposes, but boy is it handy for those, you know; it extracts things, it finds them and extracts them out of RAM, and DoppelPaymer is... this gang are using Mimikatz.