chicksdaddy writes: "Our understanding of threats improves with each day. The tools we use to secure our systems have also improved over time – antivirus software, firewalls, application firewalls, intrusion detection, data leak prevention, and so on. And yet, when we look at the data, there’s not much evidence that better understanding and better tools are leading to better security. Why?
How about 'bad reporting?' In a conversation with The Security Ledger, Grier, the founder of Grier Forensics, said that, despite a wealth of security data, the security industry’s approach to analyzing it is immature. A respected forensics expert who presented a technique on using stochastic forensics to spot insider data theft at the 2012 Black Hat Briefings, Grier's latest project is developing a notion he calls “security paintings:” a way to distill disparate security metrics into easy-to-digest information.
He says classical data reports often fall into the same traps. “High level data is interesting, but low-level data is credible,” Grier said. “We need both, but we don't seem to be able to reconcile the two.” At a minimum, reports should draw the reader’s attention to the information that’s the most important to them. Humans have evolved to look for anomalies in their environment and to focus on them, but reports often fail to identify patterns in the data or flag anomalies, he said.
One problem may be that it's the developers, themselves, who design reports, rather than the users who are the audience. “The developers--the people who are the most familiar with the tables and data and database schema--are developing the reports. They develop reports based on what they’re thinking about. Their perspective is ‘I’m a developer. I’m storing the data in this table. Let me show this table to you!’ They’re not thinking about it from the perspective of a security professional which is ‘I want to know X. What is the best way for me to present it to you?’"
Good security reports should be like "bouquets," Grier said — taking low level events (the flowers) and assembling them into mid- and then high level groupings that are easy on the eyes. If nothing else, reports should do the job of making data understandable and easy to act on. “The whole point of a report is to get a human involved,” he said. “One of the basic observations I made is that, for any kind of security control, if it's obvious enough for a computer to make a decision about it, you don’t need a report,” Grier said."
chicksdaddy writes: "Mobile phone use may be a more accurate identifier of individuals than even their own fingerprints, according to research published on the web site of the scientific journal Nature. Scientists at MIT and the Université catholique de Louvain in Belgium analyzed 15 months of mobility data for 1.5 million individuals who used the same mobile carrier. Their analysis, “Unique in the Crowd: the privacy bounds of human mobility,” showed that data from just four randomly chosen “spatio-temporal points” (for example, mobile device pings to carrier antennas) was enough to uniquely identify 95% of the individuals, based on their pattern of movement. Even with just two randomly chosen points, the researchers say they could uniquely characterize around half of the 1.5 million mobile phone users. The research has profound implications for privacy, suggesting that the use of mobile devices makes it impossible to remain anonymous – even without the use of tracking software.
For their research, they studied anonymized carrier data from a “significant and representative part of the population of a small European country.” In the study, the researchers used sample data collected between April 2006 and June 2007. Each time a user interacted with their mobile phone operator network by initiating or receiving a call or a text message, the location of the connecting antenna was recorded, providing both a spatial and temporal data point. “We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy,” the researchers write. “Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern.”"
chicksdaddy writes: "The U.S. military relies heavily on distributed, wireless networks to communicate in combat zones. Now DARPA is looking for ideas on how to keep bad actors off these networks, ITWorld.com reports. In a post on its blog on Monday, DARPA — the U.S. military's advanced research group — said that it was seeking proposals for new technologies to "help make wireless networks more resilient to unforeseen scenarios and malicious compromise." The "Wireless Network Defense program" is intended to develop new protocols that enable military wireless networks to "remain operational despite inadvertent misconfigurations or malicious compromise of individual nodes."
DARPA says that its goal is larger than just securing individual nodes, or the communications between them. Instead, the organization envisions something like the reputation system used by credit card companies to spot fraudulent transactions, according to Dr. Wayne Phoel, a DARPA program manager. "We need to change how we control wireless networks by developing a network-based solution for current and future systems that acknowledges there will be bad nodes and enables the network to operate around them," Phoel said."
chicksdaddy writes: "So-called “watering hole” attacks that exploit legitimate web sites and use them as honey pots to lure the intended victims are all the rage among sophisticated attackers. But the Internet still has its dark alleys and bad neighborhoods. And they’re still the source of a lot of malicious activity – especially in connection to run-of-the-mill crimes like spam and phishing attacks.
That’s the conclusion of research done by students at the University of Twente’s Centre for Telematics and Information Technology (CTIT), which studied 42,000 Internet Service Providers (ISPs) and found that just 20 (.05%) were responsible for nearly half of the IP addresses linked to spam e-mail.
The study said that these “bad neighborhoods” were the source of the lion’s share of the spam. In many cases, the ISPs themselves appeared dedicated – in large part – to propagating malicious traffic. In one case, 62% of the IP addresses at one ISP were related to spamming activity, the study found."
chicksdaddy writes: "Another day, another watering hole attack on the Beltway intelligentsia. This time it's the web page of The National Journal, a magazine that caters to the politicians and policy makers inside Washington D.C. According to a blog post by Anup Ghosh at the security firm Invincea, The National Journal’s Web site was serving up attacks to visitors of the site on Tuesday. The discovery was surprising, as the magazine acknowledged an earlier compromise on February 28th and said that it had since secured its site.
Invincea’s analysis showed that the site had been compromised and an iFrame based redirect to a web site that hosted the Fiesta/NeoSploit exploit pack was discovered. That kit attacked visitors with exploits for two known Java vulnerabilities: CVE-2012-0507 and CVE-2012-1723. For visitors with more recent versions of Java that protect against exploits of those holes, a separate redirect was included to an exploit kit that used Java object serialization to break the security controls of Java 7, Update 11, Ghosh wrote. He said the attack is similar to other recent watering hole attacks, including a January incident in which hackers compromised the web site of The Council on Foreign Relations. The Security Ledger has the whole story."
chicksdaddy writes: "So much for privacy settings. In a paper published in the Proceedings of the National Academy of Sciences (PNAS), researchers from Cambridge University and Microsoft Research demonstrated that it is possible to use knowledge of an individual user’s “Likes” on Facebook to “automatically and accurately predict a range of highly sensitive personal attributes including: your age and gender, sexual orientation, ethnicity, religious and political views." The list of reliably guessable information goes on to include other less quantifiable characteristics like your personality traits, intelligence, happiness, your preference (or not) for addictive substances and whether your parents split up, according to a report by The Security Ledger.
For their study, the researchers surveyed over 58,000 volunteers who provided their Facebook Likes, demographic profiles, and the results of several psychometric tests. The researchers then performed a regression analysis on the Likes and other data to predict details about the individual users. Turns out: the model works quite well. Researchers found they were able to correctly discriminate between homosexual and heterosexual men in 88% of cases, and discern the profiles of African Americans and Caucasian Americans in 95% of cases. Political affiliation was also reliably predicted: researchers could discern between Democrat and Republican in 85% of cases, the report found.
The report makes for good reading – even if it does tend to reinforce some cultural stereotypes. For example, researchers concluded that “the best predictors of high intelligence include ‘Thunderstorms,’ ‘The Colbert Report,’ ‘Science,’ and ‘Curly Fries,’ whereas low intelligence was indicated by ‘Sephora,’ ‘I Love Being A Mom,’ ‘Harley Davidson,’ and ‘Lady Antebellum.’” Wait – Curly Fries??"
chicksdaddy writes: "Phone scams are a numbers game. Most people hang up in your ear. Of those who actually answer, only a small fraction are gullible enough to fall for your scam. So what you really don't want to do is to waste time on the line with somebody who's an IRL (in real life) expert on the topic that's the subject of your scam.
Alas, that's exactly the situation that "David" found himself in when he randomly dialed Joe Faulhaber, a technician in Microsoft Corp.'s Malware Protection Center (MMPC). Faulhaber described the encounter in a blog post last week (http://blogs.technet.com/b/mmpc/archive/2013/03/06/when-fake-malware-phones.aspx), "When fake malware phones," IT World reports. It's a good read if only to understand how scammers are playing on consumers' lack of technical sophistication to fool them into buying useless or ineffective products and services."
chicksdaddy writes: "There's more information on the hacks that compromised Twitter, Facebook, Apple and Microsoft. According to a story by The Security Ledger, the attacks were part of a wide-ranging operation that relied on many “watering hole” web sites that attracted employees from prominent firms across the U.S. The assailants responsible for the cyber attacks used at least two mobile application development sites as watering holes in addition to the one web site that has been disclosed: iPhoneDevSDK.com. Still other watering hole web sites used in the attack weren’t specific to mobile application developers – or even to software development. Still, they served almost identical attacks to employees of a wide range of target firms, across industries, including prominent auto manufacturers, U.S. government agencies and even a leading candy maker, according to sources with knowledge of the operation."
chicksdaddy writes: "With $3.14159 million in prize money at stake, Google's Chrome OS has withstood attempts to hack it in the company's semi-annual Pwnium contest in Vancouver, a Google spokeswoman told The Security Ledger. Google's Pwnium Contest had no takers for prizes totaling $3.14159 million. In a statement Thursday, Google spokeswoman Jessica Kositz said that the company did not receive any winning entries during the day-long contest, but that the company is evaluating work that may qualify for a partial prize.
Admittedly: Google didn't make the job easy. Chrome's native security features pose a considerable challenge to hackers under normal circumstances. Then, on Monday, Google released an update fixing 10 vulnerabilities in Chrome — five of them rated "High." Any of those might have contributed to a hack that would warrant a six figure payout under Pwnium's rules. Instead, Google paid between $1,000 and $2,000 for each vulnerability to the researcher responsible for disclosing it to the company."
chicksdaddy writes: "Threatpost has the story of the extreme — even hair-raising — lengths that Facebook's incident response team has gone to in order to prepare the company's staff to be hacked. Among the methods described at the CanSecWest Conference: "Operation Loopback" in 2012, which was designed to mimic an APT-style attack from China and used what appears to be an internally developed exploit for an internally discovered 0day.
From the Threatpost article: "McGeehan and his team this time identified a likely attacker--China--and decided to impersonate its tactics. For this one, they recruited an internal engineer as an accomplice. They wanted to get a backdoor into Facebook's production code, so they sent a spear-phishing email containing exploit code for a live zero-day vulnerability to the engineer. He dutifully clicked the link and his machine was promptly compromised. (McGeehan would not identify which product the vulnerability affected, nor how the Facebook team came into possession of it, but said that they disclosed it to the affected vendor before the Loopback exercise and used it before the patch was publicly available.)" Ouch!"
chicksdaddy writes: "The security firm Bit9 released a more detailed analysis of the hack of its corporate network, which it said was part of a larger operation that was aimed at firms in a “very narrow market space” and intended to gather information from the firms. The analysis, posted on Monday on Bit9's blog, is the most detailed to date of a hack that was first reported on February 8 by the blog Krebsonsecurity.com, but that began in July, 2012. In the analysis, Bit9 Chief Technology Officer Harry Sverdlove said 32 separate malware files and malicious scripts were whitelisted in the hack. Bit9 declined to name the three customers affected by the breach, or the industry segment that was targeted, but denied that it was a government agency or a provider of critical infrastructure such as energy, utilities or banking. The small list of targets — just three — and the fact that one malware program was communicating with a system involved in a recent "sinkholing operation" raises the specter that the hack of Bit9 may have played a part in the recent attacks on Facebook, Twitter and Apple, though Bit9 declined to name the firms or the market they serve."
chicksdaddy writes: "There’s been a lot of light and heat in the last week when it comes to the U.S. government and cyber security. But a just-released report from the Government Accountability Office (GAO) makes clear that, in the big scheme of things, the Executive Order is just window dressing on the mess that is the Federal Government’s handling of cyber security. The report, GAO-13-187 (PDF), is a round-up and updating of previous reports that studied aspects of federal cyber security as they affect a wide range of federal agencies. The GAO’s conclusion? Uncle Sam has made negligible progress towards improving the security of its information systems, and has little to show in key areas such as responding to cyber incidents, promoting R&D on cyber security tools and technology and educating its workforce about cybersecurity. Nor is the federal government better prepared to respond to cyber attacks, despite a 782% increase in them in the last six years. In short, Uncle Sam needs a plan, GAO found."
chicksdaddy writes: "OK – the good news is that the dead aren’t rising from their graves and the Zombie Apocalypse hasn’t begun (yet). The bad news: a phony EAS (Emergency Alerting System) warning about just such a cataclysm earlier this week may have been the result of a hack of what one security researcher says are known vulnerabilities in the hardware and software that is used to distribute emergency broadcasts to the public in the U.S.
The warning from Mike Davis, a Principal Research Scientist at the firm IOActive, comes just days after unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims of the hoax: WBKP and WNMU in Marquette, Michigan; KNME/KNDM in Albuquerque, New Mexico; and KRTV in Great Falls, Montana.
Davis says that he discovered and reported a number of critical vulnerabilities in a key component of the EAS system: multi-function hardware known as a CAP EAS or ENDEC device. Davis said he and a colleague downloaded and analyzed firmware for the dominant manufacturer of so-called CAP-EAS devices and found that the software was rife with critical, easily exploitable security vulnerabilities, including embedded passwords and remotely exploitable software vulnerabilities. Davis declined to name the vendor whose software he analyzed, but said he reported the issues to the Department of Homeland Security’s ICS-CERT. The hack of the devices used to broadcast the zombie warning sounds similar to the kinds of holes he just reported, he said."
chicksdaddy writes: "Application 'whitelisting' offers an alternative to signature based malware protection. Rather than trying to spot the bad guys, the thinking goes, just identify a list of approved (whitelisted) applications, then block everything else. But what happens when the whitelist, itself, becomes compromised? That’s the scenario that’s playing out with customers of whitelisting firm Bit9, which acknowledged a breach of its corporate network that allowed unknown assailants to gain control of an application code signing server. (https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/) The incident began with compromises of machines on Bit9's network that were not running Bit9's software — something that Bit9 encourages its own customers not to do. The company's acknowledgement came after Bit9 was contacted regarding the breach by Brian Krebs of Krebsonsecurity.com, which broke the news Friday. (http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/)"
chicksdaddy writes: "NOTE — I'm resubmitting this to correct the description. In the previous submission I flipped the positive/negative correlation of wealth to cyber security — saying the exact opposite of what I wanted to! Apologies!
"To paraphrase a quote attributed to F. Scott Fitzgerald: ‘Rich countries aren’t like everyone else. They have less malware.’ That’s the conclusion of a special Security Intelligence Report from Microsoft, anyway. The special supplement, released on Wednesday, investigated the links between rates of computer infections and a range of national characteristics including the relative wealth of a nation, observance of the rule of law and the rate of software piracy. The conclusion: cyber security (by Microsoft’s definition: low rates of malware infection) correlated _positively_ with many characteristics of wealthy nations – high Gross Income Per Capita, higher broadband penetration and investment in R&D and high rates of literacy. It correlated _negatively_ with characteristics common in poorer nations – like demographic instability, political instability and lower levels of education.""