February 23, 2019

In This Issue:

• Password Managers Are Doo-Doo, But We Still Need Them

• Yes, Governments May Want Your Network

• To Prevent Social Engineering, Practice Social Nurturing

• A Worrying Spread of DNS Hijacking

Password Managers Are Doo-Doo, But We Still Need Them

Password managers are essential. No matter how much you yell at people, none of us can possibly remember different passwords for every service we use, especially if we have to meet password complexity requirements that are, to put it mildly, non-optimal for humans.  

 

Unfortunately, password managers are kind of crap, as a recent spate of articles shows:

• Severe vulnerabilities uncovered in popular password managers  
• Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative  

In related news: 

• Apple sued because two-factor authentication… oh, I give up  

• The man suing Apple over two-factor authentication has ‘previous’  

To summarize:?.
 

Countermeasure:

Make password managers mandatory, but also ensure that the ones in use are vetted by IT security teams, and that there’s a regular update mechanism to ensure that none of them get out of date. They’re absolutely critical to defense. The databases of the password managers need to be regularly backed up, but there are a lot of security concerns around cloud-based password managers. Defining policy around password managers is not something that can be put off.

Read More >

Yes, Governments May Want Your Network

There are four superpowers in the world: the U.S., the European Union, Russia, and China. Different groups have their own criteria to differentiate between "world power" and "superpower," but these four countries either have enough things that go boom to convincingly threaten smaller powers, enough economic power to plunge entire continents into deep recessions, or both. 

 

India is arguably a fifth superpower, and the Africa Union is trying hard. The geopolitical reality of the world is changing, and the alliances between these powers are very much in flux. Russia invaded Ukraine, and the world managed to avoid a hot war between world powers, but this is only the first flexing of muscles in this century's game of powers and principalities. 

 

The Venezuela mess risks devolving into a proxy war, and in general, international relations are a hot mess. This all impacts information security because, while we've managed to keep the shooting between powers down to some minor proxy war skirmishes in Syria lately, all of them are absolutely tearing up the Internet in search of better clubs with which to brain one another. 

 

Here are just a few of this week's stories related to this:

• With elections weeks away, someone “sophisticated” hacked Australia’s politicians  
• Australian prime minister blames 'state level' baddies for Oz parliament breach  
• Missile Sabotage by Covert Means  
• Singapore arms up on cyberdefence experts, opens cyberdefence school  
• Microsoft reveals new APT28 cyber-attacks against European political entities  
• Cyber espionage warning: The most advanced hacking groups are getting more ambitious  

It's been said before, but needs to be said again: it's time to stop thinking that your network isn't a target for state actors. It may well be that there's nothing on your network that they particularly care about, but when world powers are looking for a place to park their digital weaponry, and from which they can launch attacks, your network is as good as any.  

If the cold war between the powers suddenly turns hot, cyberwar will enter a new phase, and it’s safe to say very few organizations are ready for it.

Countermeasure:

We've been told for years that it's irrational to build state actors into our threat models, because it's statistically unlikely that we will be the target of one. This is changing. You need to have a plan for what to do if you’re compromised by a state actor. State actors have resources other malicious actors simply don't have. Your plan may have to be "break glass and pull cables,” but no matter what your plan is, you need to start planning one now.

Read More >

To Prevent Social Engineering, Practice Social Nurturing

"A person is smart. People are dumb, panicky dangerous animals and you know it. Fifteen hundred years ago everybody knew the Earth was the center of the universe. Five hundred years ago, everybody knew the Earth was flat, and fifteen minutes ago, you knew that humans were alone on this planet. Imagine what you'll know tomorrow." -- Agent Kay, Men in Black. 

 

Write about information security enough and you become tired of restating the point about how easily people are manipulated. NATO has recently reiterated this in spectacular fashion: NATO Group Catfished Soldiers to Prove a Point About Privacy.  

 

What's important to note here is not yet another instance of "people are easily socially engineered," but rather that we are most easily socially engineered when we’re looking for social connection. Even the most well trained, risk-aware person lets their guard down in the search for acceptance and validation. The need to be part of a group is written into our very DNA. 

 

We are pack animals, and without finding a place in a tribe, we deteriorate. This is a very real, very serious threat to information security. It's also one that most organizations – indeed most western nations – are culturally ill-equipped to handle. 

 

The only viable counter to the need for connection among employees is to ensure that they have it. This requires serious culture changes for most organizations. Ruling through fear, burning employees out like spent candles, and attempting to "motivate" employees through anxiety by using performance evaluation methods like stack ranking all lead to disconnected, disaffected employees.  

 

Fostering a sense of inclusion is something at which militaries excel. NATO's catfishing experiment demonstrates that more is needed than just esprit de corps if people are to feel socially satisfied enough to be mindful about things like privacy. 
 

Countermeasure:

Take care of the mental health of your employees. Hire experts. Talk to your people. Find out how to keep them engaged and included, and make awareness and mindfulness about privacy and information security a part of the social structure you foster. Individuals whose social needs are nurtured are less likely to give up information than those who are desperately in need of  coffee, friends, and a really good hug.

Read More >

A Worrying Spread of DNS Hijacking

There is no summary to be had here, pithy or otherwise. A Deep Dive on the Recent Widespread DNS Hijacking Attacks may be one of the most important pieces of information security writing that will come out all year.

Countermeasure:

Do not stop go, do not collect $200: read Brian Krebs's breakdown of the recent DNS hijacking mess immediately. it's time to take a look at Project Furnace, and see whether or not this can bring some of the unruly newtech platforms in use by *Ops teams to heel.

Read More >

Time To Take Responsibility

“For the foreseeable future, the burden lies on each individual – each consumer, each employee, each company owner, each senior exec, each board director — to stay informed and to practice wise security and privacy habits.” – Byron Acohido 

• MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility 
• Security Leaders Are Fallible, Too

This Week in Phishing

This shouldn't be able to be a regular segment of this newsletter. But it is. And that is sad.

• The Anatomy of a Lazy Phish  
• NoRelationship phishing attack dances around Microsoft Office 365 email filters  
• Teams has finally arrived, phishing emails are pretending to be a teams message (badly) 
• Hackers Found Phishing for Facebook Credentials

Thread of the Week

This thread is a nice glass of cold water for those who don't have a complete understanding of the statistical likelihood of various types of attacks.
 
"0hday/Zeroday/0-day exploits should be the least of your worry. Adversaries mostly wont be using them" – Daniel Cuthber

Tweet of the Week

 
Hot takes on the Splunk/Russia thing. 

 

Breaking: InfoSec SEIM vendor @splunk ends all business relationships with organizations in Russia - @SwiftOnSecurity  

The tweet links to: Shifting Priorities in our Global Strategy, with a related article being Revealed: Numbers show extent of security fears about security biz Kaspersky Lab.

Podcast of the Week

 

Wondering why there's a sudden hate on for two-factor authentication (2FA) going through the Internets? This is a good start to understanding the debate that everyone seems to be having:

• 115: Love, Nests, and is 2FA destroying the world?  
• The Cyberlaw Podcast: Executive Orders and Alien Abductions

Quote of the Week

Sadly, we're also the animal that uses operating systems which don't give us control of our own updates, from vendors who also don't invest in QA. 

 

Humans are the stupidest animal capable of fabricating semiconductors. - @SwiftOnSecurity

Quick Links

• Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs  

• Google in hot water after not revealing it had hidden a secret microphone in home alarm product 

• Users alarmed by undisclosed microphone in Nest Security System 

• EA opts Origin users out of “real-name sharing” after complaints  

• Designing Welcome Mats to Invite User Privacy 

• Powerful Permissions, Wimpy Warnings: Installing a Root Certificate Should be Scary  

• Nasty code-execution bug in WinRAR threatened millions of users for 14 years  

• WinRAR versions released in the last 19 years impacted by severe security flaw  

• Hard-to-detect credential-theft malware has infected 1,200 and is still going  

• DrainerBot infected apps play invisible videos to drain your data 

Stool of the Week

High-tech toilet seat monitors your heart as you sit on the can