The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
👉 Click This or I'll Sue. (Hint: Don't.)
In This Issue:
- The spy who socially engineered me
- Click this or I'll sue
- This isn't ARPANET anymore—you can't just trust everyone
- Making a hash of it
The Spy Who Socially Engineered Me
The Spycraft Revolution. A lengthy but fascinating look at how technology helps and hinders espionage. While you might not have ambitions to join the intelligence world, as the article states, "Anyone responsible for a company’s cybersecurity now has to think like a counterintelligence officer. To protect a firm’s sensitive information, he or she must identify the most gullible and careless members of the organization and fire them or give them better training."
Read this, possibly with a stiff drink at hand to mitigate dismay. This article contains an overwhelming amount of material about how to think like a spy (or a hacker), but bear in mind that both spies and hackers want to accomplish their aims efficiently and economically. They will go for the easiest targets first. These are often people.
While it may be tempting to fire the "gullible and careless," there's no guarantee their replacement will be any better. 97% of Americans Can’t Ace a Basic Security Test. So remedial education is probably your best option. You could start with the article below.
Click This or I'll Sue. (Hint: Don't.)
Malefactors keep phishing because phishing works. Some phishers rely entirely on accuracy by volume. Others, like any successful entrepreneur, get a leg up on the competition through careful instrumentation, monitoring, and data analysis. Legal Threats Make Powerful Phishing Lures is a fantastic look into a well-crafted phishing scam that seems to be the result of focusing exclusively on what works best.
Spread this article around. It's a quick read, and as many people as possible in your organization should know about this evolution of phishing.
This Isn't ARPANET Anymore—You Can't Just Trust Everyone
Ever notice how every time someone creates an approach to technology that's based on trust, it all goes to hell? Alphabet's Chronicle Explores Code-Signing Abuse in the Wild is an incredible exploration of exactly this problem, and looks at how malware writers are managing to do bad things by using malware that they've managed to get digitally signed.
Some related pieces on the interesting topic of trust in technology are The 3 Cybersecurity Rules of Trust and What You Need to Know About Zero Trust Security.
Where possible, don't implement—or at the very least, don't exclusively rely upon—technologies that depend on trust to operate. Never trust anyone, or anything. Instrument everything. Log everything. Audit everything. And make sure your backups and disaster recovery plans are both working. In its purest form, this is an impossible goal, but the achievable aim is to presume both that compromise is inevitable, and that literally anything can be compromised, from your operating system to your printer. If you don't have plans for how to deal with a compromise of every piece of technology—and every person—in your organization, now's the time. And where possible, automate and test your incident response. Don't wait for an actual compromise before trying out half-baked plans.
Making a Hash of It
G Suite'n'sour: Google Resets Passwords after Storing Some Unhashed Creds for Months, Years. You'll probably hear about this story, if you haven't already. If you're like your Countermeasure authors, your first response might be snarky. After all, who doesn't store passwords in plain text these days? All the cool social media giants are doing it.
While the news is sadly not that shocking, this particular article gives a useful explanation about the difference between “encryption” and “encryption + hashing.”
If you have developers who write applications that must store passwords, consider trapping them in a room with this article and not letting them out until they can recite it. Backward.
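As an added illustration (not code from the newsletter or the linked article): a minimal salted PBKDF2 password store beside an audit that flags entries kept in plain or malformed form, the kind of check that would surface the unhashed records the story describes. The record format, function names and work factor are assumptions.

```python
import hashlib
import hmac
import os

# Encryption is reversible by design: whoever holds the key reads the password
# back. A salted, slow one-way hash is not, which is the property that matters
# once the credential store itself is exposed. Work factor is an assumption.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(record: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return None
    try:
        iterations = int(parts[1])
        salt, digest = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or len(salt) < 8 or len(digest) != 32:
        return None
    return iterations, salt, digest


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None:
        return False  # plain text or a malformed record never counts as a match
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def find_unhashed(store: dict) -> list:
    """Audit {username: stored_value}; return users whose entry is not a hash record."""
    return sorted(user for user, value in store.items() if _parse_record(value) is None)


# Constructed sample store (not real data); low iteration count keeps the demo quick.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple", iterations=1000),
    "bob": "hunter2",                        # plain text: the failure in the story
    "carol": "pbkdf2_sha256$1000$nothex$00",  # malformed record, also flagged
}

if __name__ == "__main__":
    print("entries needing remediation:", find_unhashed(SAMPLE_STORE))
```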
This Week's Sequels
Further developments and analysis about last week's big infosec stories.
- Amnesty Sues Maker of Pegasus, the Spyware Let in by WhatsApp Zero Day
- WhatsApp Zero-Day Exploited in Targeted Spyware Attacks
Intel CPU Vulnerability
- Intel ZombieLoad Side-Channel Attack: 10 Takeaways
- Fending off Zombieload Attacks Will Crush Your Performance
- Behind the Naming of ZombieLoad and Other Intel Spectre-Like Flaws
Threads of the Week
This week we have two threads. Both are a little bit on the "someone was wrong on the internet" side of things, but ... people actually were wrong on the internet, and the education dished out is worthwhile.
Telegram is _never_ the solution. Friends don't let friends use Telegram. This'll be a thread! – Evan Sultanik (@ESultanik)
This take is common but inaccurate. Understandably so, but still important to correct. Usually the primary culprit where a known vuln is exploited is delays in applying patches. Not the culprit here. It was a breakdown in the data exfiltration prevention/detection that did it. – Katie Moussouris (@k8em0)
Tweet of the Week
PATCH. WINDOWS. NOW.
ATTN virtual I/O MMU users – a serious issue has been discovered in some updates to Windows 10, Windows Server, and Windows Server 2019 LTSC editions. @Plankers with details. - @VMwarevSphere
The Tweet links to Virtualization-Based Security Issues with Windows 1903/19H1 Releases
Podcast of the Week
This episode includes cybercriminals scamming each other: 129: Too Long; Didn't Listen
- The password news landed a few days after this was released: Don’t Have Your Account Hijacked. Secure Your Online Accounts with More Than a Password, Says Google. Suppress additional snark long enough to follow the advice.
- Fingerprinting iPhones with the Built-in Gyroscope. This generated a fair amount of buzz. Apple has patched the vulnerability, but for nerdy details of how the exploit worked, check out the original research: Sensor Calibration Fingerprinting for Smartphones.
- WannaCry-Infested Laptop Starts at $1.13M in Art Auction. Malware is … art?
- Firms, Stop Sending out Automated Emails That Look Suspicious As Hell! Yes, please. Don't make detecting phishing harder than it already is.
- Cybersecurity Jobs: These Skills Are Most in Demand and Have the Best Pay
- Millions of Instagram Influencers Had Their Private Contact Data Scraped and Exposed
- Consumer IoT Devices Are Compromising Enterprise Networks
- Hackers Take Over IoT Devices to ‘Click’ on Ads
- The Plane, It's 'Splained,' Falls Mainly Without the Brain: We Chat to Boffins Who've Found a Way to Disrupt Landings Using Off-the-Shelf Radio Kit