Cyber Warnings E-Magazine – June 2017 Edition Copyright © Cyber Defense Magazine, All rights reserved worldwide

CONTENTS

From the Editor’s Desk ...... 4
Not Ocean’s 14 ...... 5
An Alan Turing-Inspired Solution to the Cybersecurity Labor Shortage ...... 8
WHY BIOMETRICS IS A SECURITY ESSENTIAL…AND SO IS DISABLING IT ASAP ...... 12
5 Keys to Protecting your Company’s Online Finances ...... 16
Don’t be an Easy Target ...... 18
The CIO discuss information security leadership ...... 22
WannaCry/? Secure your Enterprise Using Blockchain-Enabled Cybersecurity ...... 24
The challenges of interference within modern industrial systems ...... 26
Hacking: Cheaper than a Nando's chicken ...... 30
Don’t Become Another Data Breach Statistic ...... 42
The Internet of Things ...... 45
Is Your Company’s Data Being Sold on the Dark Web? ...... 51
Five tips for educating your employees on cyber security ...... 53
Yet Another Case for Viable Back-Ups and Testing ...... 57
WannaCry ‘Remedies’: The Second Wave of Attacks ...... 59
The Risks (and Prevention) of Crime-as-a-Service in Healthcare ...... 63
Part III: Current and Future IoT Threats ...... 66
Post-Quantum Information Security ...... 71
The intelligent control systems and their perspectives ...... 76
Reducing the attack surface: how to empower your staff while keeping your network secure ...... 80
How context-aware security adds layers of protection to single sign-on services ...... 82
5 ways small businesses can be affected by a cyber security breach ...... 86
Lazarus: Data Leakage With Cryptographic System ...... 95
Legal Steps of Action to Take If Your Privacy Has Been Compromised by the State ...... 97
Trump’s Cybersecurity Executive Order: A Promising Start to Securing Digital Infrastructure...But Don’t Forget What’s Beyond the ...... 101
State Cybersecurity Regulation: Another Patchwork Approach? ...... 104
NK is the new Iraq? ...... 109
NSA Spying Concerns? Learn Counterveillance ...... 114
Top Twenty INFOSEC Open Sources ...... 117
National Information Security Group Offers FREE Techtips ...... 118
Job Opportunities ...... 119
Free Monthly Cyber Warnings Via Email ...... 119
Cyber Warnings Newsflash for June 2017 ...... 122

CYBER WARNINGS

Published monthly by Cyber Defense Magazine and distributed electronically via opt-in Email, HTML, PDF and Online Flipbook formats.

PRESIDENT
Stevin Miliefsky [email protected]

EDITOR
Pierluigi Paganini, CEH [email protected]

ADVERTISING
Jessica Quinn [email protected]

KEY WRITERS AND CONTRIBUTORS
Charles Parker, II
Xuyen Bowles
Doug Ramos
Dixie Somers
Michael Ryan
Myles Suer
Narayan Neelakantan
Milica D. Djekic
Jonathan Stock
Lee David Painter
Daniel Jetton
Jerald (Trip) Nine
Asher de Metz
Fernando Cuervo
Kurt Long
Ryan Orsi
Hunter Bannister
Pascal Bergeot
François Amigorena
Rodrigo Ruiz
Rogério Winter
Hannah Elias (Lou) Manousos
Jami Mills Vibbert

Interested in writing for us: [email protected]

CONTACT US:
Cyber Defense Magazine
Toll Free: +1-800-518-5248
Fax: +1-702-703-5505
SKYPE: cyber.defense
Magazine: http://www.cyberdefensemagazine.com

Copyright (C) 2017, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC, 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected]

Executive Producer: Gary S. Miliefsky, CISSP®


From the Editor’s Desk

Dear Readers,

Here at Cyber Defense Magazine, we are all about continuing to focus on best practices and solutions for you. Cyber Warnings monthly e-magazine covers hot INFOSEC topics with some of the best advice from industry experts.

In 2017, we should focus on best practices in logging, encryption of data at rest and in transit, and system hardening through vulnerability remediation.

Our future depends upon the cyber security skills of teens and college students entering our field.

Let’s continue to share a wealth of information with each other to stay one step ahead of the next cyber threat.

To our faithful readers, Enjoy

Pierluigi Paganini, Editor-in-Chief, [email protected]


Not Ocean’s 14

Casinos are also an e-Target

by Charles Parker, II

Casinos are no different from an accounting firm, hospital, or manufacturer in at least one sense when cybersecurity is the common thread: these entities hold data that people want to steal. That data is then sold, or otherwise leveraged by the thieves to generate revenue. One industry that has not been researched at length is the casinos.

These businesses tend to focus more on physical security, as the workers handle large amounts of cash, chips, and playing cards. Granted, this is exceptionally important.

Without a robust physical security program in place, the physical items of value would simply walk out the door. Physical theft is a risk that is entirely appropriate to secure against as much as possible. As part of the overall security program, however, data security also needs to be addressed and implemented.

Although the risk of physical theft is present, the data security risk is ever present. The attacker does not have to be physically on site to steal money or sabotage the system; the attack may be carried out from virtually anywhere in the world with an adequate internet connection.

Attack

Casinos are just as likely as other entities to be the victim of a breach. This was the case with the Grey Eagle Casino in Calgary when its employee data was compromised.

The entry point for the attack was a computer in the Human Resources office that had been compromised. The stolen data consisted of confidential letters and files containing dozens of employees’ names and personal information.

To prove the compromise, the attacker posted data online from approximately 12 documents, affecting over 12 employees. Although the entry point was a Human Resources computer, the method used by the attacker was phishing: either a phishing email with a malicious link, or the user ended up logging into a malicious website.

Although this compromise was embarrassing enough, it could have been much worse. The incident was isolated to one system. In theory, it would not have been much of a stretch for the attackers to branch out and infect other computers or servers on the network. Other data could have been harvested, and the casino could also have been the victim of widespread ransomware.


Remediation

This was a serious attack with serious consequences. To work towards preventing a recurrence, the casino may implement employee training sessions. These would need to be regular and applicable; if videos were used, they should not be the same bland ones shown for the last ten years.

This attack made it rather apparent that the email system’s security was out of date or simply not functioning well. The filter for phishing, spam and similar messages should flag and quarantine them. To further reduce the opportunity for this to happen again, internal phishing campaigns should also be run.

With these in place, users will increase their awareness at least a bit, which in certain instances is all that is needed. This may be accomplished with training, videos, and other methods. The business may also send emails with written training and a questionnaire at the end to verify the material was read and understood.

Attacks will come from many sources throughout the globe. If attackers know there is a vulnerability, the business will have a rather large bull’s-eye on it and attacks will only increase.

Resources

Globalnews.ca. (2017, January 27). Security experts call Grey Eagle Casino security breach wake up call. Retrieved from https://reportca.net/2017/01/security-experts-call-grey-eagle-casino-security-breach-a-wakeup-call/

Sosiak, M. (2017, January 25). Grey Eagle Casino employees’ information leaked in major privacy breach. Retrieved from http://www.newslocker.com/en-au/region/casino/grey-eagle-casino-employee-information-leaked-in-major-privacy-breach-globalnewsca/view/

Tighe, T. (2017, January 26). Security experts call Grey Eagle Casino security breach a wake-up call. Retrieved from http://globalnews.ca/news/3208546/security-experts-call-grey-eagle-casino-security-breach-a-wake-up-call/

About The Author

Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is currently completing a PhD (Information Assurance and Security) in the dissertation stage at Capella University. CP is also an adjunct faculty member at Thomas Edison State University. CP’s interests include cryptography, SCADA, and NFC.

He has presented at regional InfoSec conferences. Charles Parker, II may be reached at [email protected] and InfoSecPirate (Twitter).


An Alan Turing-Inspired Solution to the Cybersecurity Labor Shortage

As the global pool of malicious cyberattackers grows in strength and innovation — finding new, unheard of ways to breach our systems — the pool of professionals with the skills to outsmart them continues to shrink. If your company has ever tried to recruit an IT professional with cybersecurity experience, you know the skills gap is real. More than 80% of IT organizations face a shortage of employees with specialized cybersecurity knowledge.

This labor shortage is one organizations can’t afford to ignore — no matter your industry, it’s all too easy (and far too likely) for you to become the target of a cyber threat. Criminal attacks have hit companies in all business areas, from manufacturing to retail, and everything in between. The wearisome search for skilled reinforcements to work against these attacks has left the IT industry uneasy, but we haven’t unturned every stone yet.

There’s a bright, uniquely talented, yet underemployed group of people who may have just the right skill set to fulfill our cybersecurity labor shortage. They have the intelligence, competence, and technical expertise to thrive in the IT industry; all they need is the opportunity to put their talents to work.

Who are these talented workers? Individuals with autism.

While people with autism have traditionally been overlooked in the labor market, tech companies have begun to take notice of the impressive contributions they can make. It appears that some traits associated with autism, such as a propensity for numbers, the ability to , and meticulous attention to detail, are all qualities that are a great asset to a programmer or anyone who works with large data sets.

Microsoft, Hewlett-Packard, and software giant SAP have all instituted pilot programs to hire people with autism for IT positions. Others, including IBM and Dell, are laying the groundwork for similar programs, according to the Harvard Business Review. There’s also the nonPareil Institute, a Texas school and software company devoted to teaching coding to young adults with autism.

The results look promising. If your company hasn’t previously considered tapping into the pool of people with autism spectrum disorder (ASD) — especially in the world of cybersecurity — here’s why you should.

Neurodiversity at Work in IT

Consider one of the heroes of modern computing: Alan Turing. The British mathematician and logician is famous for his contributions to cracking the code of the Enigma machine during World War II, which allowed the Allies to intercept the Germans’ coded messages. Some historians believe his work shortened the war in Europe by two to four years.


If that accomplishment wasn’t enough, Turing is also considered the father of theoretical computer science and artificial intelligence — and it’s widely believed that he had autism.

While Turing was not diagnosed during his lifetime, experts such as Kevin Pelphrey, the director of the Autism and Neurodevelopmental Disorders Institute at George Washington Institute, point out that Turing’s “mathematical genius and social inelegance” suggest he may have been on the autism spectrum.

“[Turing’s] story illustrates how society benefits when it gives a voice to those who think different. Until he came along, no one perceived the need for a computer; they simply needed to crack the code. It took a different kind of mind to come up with that unexpected, profoundly consequential solution,” Pelphrey remarked in Wired.

Turing’s autistic brain may have been the key that allowed him to think far differently from his coworkers — so far outside of the norm that he came up with a computing device no one had imagined. This is the sort of inventive mindset we need in cybersecurity today, at a time when cyberattacks are advancing faster than we can invent new methods of prevention.

Neurodiversity Considerations

Slowly, perceptions of people with autism are beginning to change. In the 1990s, sociologist Judy Singer introduced a new term to describe conditions including autism, dyslexia, and ADHD: neurodiversity. It was meant to change the discourse around disorders like autism. And the recent spate of ASD-oriented hiring programs suggests it’s working.

This is not to say all people with autism will be able to (or will even want to) work comfortably in an office environment. Roughly one-third of people with autism also have an intellectual disability, and some find even brief social interactions to be too overwhelming and disruptive. For others, though, minor adjustments from employers — like allowing them to converse via typing (or text-to-speech software) — can help them feel at ease, and work productively in a professional role.

Many people with autism have average or above-average intelligence; the fact that their minds work differently than most can be a strength for companies that want to think differently. Employers seeking innovation already recognize the benefits of having diverse employees, and those on the spectrum are no different.

A 2016 study by Australia’s Curtin University of 59 companies found that employees on the autism spectrum performed at above-average levels in the categories of work ethic, attention to detail, and overall work quality. On productivity, ASD and non-ASD employees were the same.

The study also found no added cost associated with hiring workers on the spectrum.

“Employees with ASD were also found to have a positive impact on the workplace in terms of the creative and different skills they brought to the organization and by increasing awareness of autism amongst employees,” said Dr. Delia Hendrie, the lead researcher on the study.


Cybersecurity may be an area particularly geared toward people on the spectrum. At a British cybersecurity conference in March, a presentation on neurodiversity in the industry suggested that individuals with autism may make excellent pen testers and SOC analysts. Meanwhile, a guide to incorporating people with autism into the industry notes the following traits associated with autism that are an asset to the cybersecurity industry:

● Strong memory of facts
● Methodical thought process
● Skilled in pattern recognition
● Attention to detail
● Strong problem-solving skills

For obvious reasons, skills like these can be a phenomenal asset for someone who scans lines of code, meticulously analyzes data, or performs any number of other cybersecurity tasks.

Creating a Welcoming Workplace for People with Autism

In many cases, the hiring process is stacked against people with autism, as traditional interviews emphasize social skills and communication abilities — areas in which many autistic people operate outside of traditional social norms.

This is likely a large part of why as many as 90% of American adults with autism are unemployed or underemployed. The Harvard Business Review described one such man, who needed two years to find a tech job despite having two master’s degrees with honors, this way:

He seems, well, different. He wears headphones all the time, and when people talk to him, he doesn’t look right at them. He leans over every 10 minutes or so to tighten his shoelaces; he can’t concentrate when they’re loose. When they’re tight, though, John is the department’s most productive employee.

Or there’s Aaron Winston, who has wanted to be a video game programmer since he was a child. He enrolled in college after high school, but dropped out immediately because of the social atmosphere. By age 22, though, he was employed full-time by the nonPareil Institute and had already created his own video game — all because the Institute was designed to take a chance with people like him.

For companies who speak about being committed to innovation, growth, and new ideas, it’s time to recognize a reality: if you want people who think outside the box, you must accept people who behave a bit outside the box, too.

That’s why initiatives such as the Autism at Work program at SAP include an interview process custom-designed for prospective hires who have autism. The program aims to tackle some of the biggest hurdles autistic people face when seeking jobs.

SAP didn’t stop at the hiring process. The organization has also taken steps to ensure a more welcoming work environment for people with autism once they’re hired. Through the Autism at Work program, candidates are matched with a mentor at the start of the hiring process. Once they’re hired, this mentor turns into a coach to help them make a smooth transition into their role.

It doesn’t work out every time. To assess whether applicants in its ASD program are a good fit, a Danish consulting company offers a multi-week training program that gives the company the chance to see how the applicant handles work assignments. Their program was crafted with understanding in mind: the company’s founder has a child with autism.

Building a neurodiverse workplace requires understanding that creating a welcoming workplace doesn’t fall onto those with autism. It’s the responsibility of their coworkers, peers, and managers — those without autism — to uphold an environment that fosters support, kindness, and acceptance. Part of this should involve autism awareness and sensitivity training for employees to educate them on how to make it easier for employees with autism to integrate into the workplace.

SAP’s Autism at Work program has found great success; so far, 100 people have been hired for IT positions of all kinds, including software testing, data analysis, and quality assurance. SAP has launched the program globally, from the US to India to Brazil. The program’s success challenges perceptions of what people with autism can achieve.

“The common prejudice is that people with ASD have limited skills and are difficult to work with. To the extent that’s true, it’s a measure of our failure as a society,” Pelphrey told Wired. “[W]e have clear evidence that job-focused training and support services, especially in the transition to adulthood, can make a huge difference, leading to higher levels of employment, more independence, and better quality of life.”

Employers can share in this success. Alan Turing helped to shorten a historically brutal war, in large part because of his ability to think differently. Organizations need this kind of creative and innovative thinking to advance in the IT and cybersecurity space.

If more tech companies are willing to accommodate people with high-functioning autism — by adopting inclusive hiring practices and creating welcoming environments for neurodiverse people — we may just find stronger and more innovative IT teams, better equipped to address the complexities of cybersecurity.

About the Author

With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego, CA. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security protection, from penetration testing, consultancy and training to advanced threat detection. "It's not a matter of if, it's a matter of when." Ms. Bowles finds great gratification in helping companies ensure they are safe from data breaches.


WHY BIOMETRICS IS A SECURITY ESSENTIAL…AND SO IS DISABLING IT ASAP

By Doug Ramos, Security Practice Manager, Groupware Technology

Today user identity is the number one concern when securing a corporate network. With malware and hacks being focused on stealing identities, it is the most critical point of security to lock down.

Companies are requiring stronger and more complex passwords, but is that enough? Some companies are adding two-factor authentication with the use of one-time passwords.

With the recent breach of a cloud-based identity management company, even that is not good enough.

The use of biometric authentication measures such as finger scans or iris/voice recognition may offer better security for access control in the workplace than passwords, swipe cards, door codes, PINs and other conventional workplace security implementations, since they can’t be stolen, forgotten, etc.

The cost of biometric technology has also dropped significantly to enable this category to become a very cost-effective solution.

And with advancements in accuracy, size and form, biometrics are becoming a more common means of two-factor authentication, especially as the need for a more secure form of secondary authentication is on the rise.

Two-factor authentication is the use of something else besides just a username and password to identify yourself in the workplace.

Organizations are increasingly adopting secondary authentication as a means of providing an extra level of security that has become a necessity in workplaces now more vulnerable to sophisticated data breaches.

Breaches are no longer a mere isolated technology concern. They have become a priority for all businesses to proactively prevent before they happen.

However, most business breaches do not happen because cunning cyberthieves come up with all manner of novel threats. Lost or stolen employee credentials are the most common cause of organizational data breaches.


Compromised employee credentials as a factor in breaches have indeed become a big cause of concern for organizations. Forty percent of companies in a 2015 survey say they expect a data breach resulting from employee behavior in the next 12 months.

In December 2016, Gemalto, an international digital security company which is the world’s largest manufacturer of SIM cards, released an Authentication and Identity Management Index based on a survey of 1150 IT managers from 13 countries around the world, including the US, UK, France, Germany, Japan and India.

Results of the survey showed that employee expectations around usability and mobility are affecting how enterprise companies deploy authentication and access management.

Almost 50% of the IT managers surveyed noted that they are increasing resources and spending on access management. The time to implement has sped up as well: 62% expect to implement strong authentication in two years' time, an uptick from 51% of respondents who said the same thing in the previous year’s survey.

Of the survey respondents, 94% reported they are using two-factor authentication to protect at least one application and nearly all of the respondents (96%) expect to use it at some point in the future.

Biometrics is a great form of secondary authentication. The problem occurs when an employee leaves the company. For biometric or any other authentication, there are several repositories in which an end user’s credentials might be left active.

The majority of companies still do not have any method of detecting, enforcing or cancelling a user’s biometric authentication. Today most companies still manually disable accounts. This is not only an ineffective time waster but leaves a business vulnerable to major security risks.

It can take weeks for a user to be removed, and during that time they can still access confidential information. To avoid errors that could result from manual offboarding procedures, I suggest automating the process.

In my case when I left a big tech company, my email access and badge access stopped that same day but my VPN access to internal servers was still enabled. My user credential was still able to access internal resources.

It took the company two weeks to completely shut me out. Companies need to deploy a solution that automates the process of onboarding and offboarding users quickly and efficiently and that can integrate with all internal resources like AD, LDAP or other identity stores.

User accounts and credentials need to be disabled all at the same time. This will minimize security breaches from ex-employees and from lost or stolen credentials.


Value partners have a depth of experience and knowledge about secondary authentication security solutions such as biometrics and the best ways of access management in onboarding and offboarding scenarios.

Resellers listen to their customers, so that they can quickly understand which solutions are the most appropriate for their unique needs. They are ideally positioned to support businesses and offer sound advice.

There is a plethora of solutions out there that alleviate the angst of manual onboarding and offboarding. These solutions all onboard devices and can disable accounts instantly when needed from all the different identity locations. Additionally, with the advent of compliance standards, it is necessary for businesses in many industries to audit and evaluate their user access processes regularly to meet regulations.

Companies that do not do away with error-prone manual procedures are not acting in the best interests of their own organization.

Automated processes that disable accounts instantly will not only alleviate the security risks of former employees still able to access company information, they also alleviate the possibility of organizations inadvertently falling short of compliance regulations.

Identity management is a rapidly growing field in the age of security and data breaches—with secondary authentication becoming a necessity and secondary technologies like biometrics becoming more cost feasible and common.

With the identity management category soaring in relevance, the identity and access management market must grow with it. Organizations need to adopt efficient automated processes to relieve the stress of slow, manual and complex access management, which can still leave organizations using secondary authentication open to security risks when users are not offboarded instantly.

About the Author

Doug Ramos is Security Practice Manager at Groupware Technology, where he is growing and expanding the company’s security business by evaluating and adding the latest security solutions that will offer the best protection for Groupware Technology customers. He has over 20 years of experience in the technology industry in security and networks. Doug started his career at Lucent and became one of its first VoIP specialists, building out voice networks in eight different countries. He has also worked at Cisco in its wireless and security divisions and as Manager of Cisco Enterprise Networking for CANCOM-HPM Networks. Prior to joining Groupware Technology, he was Director of Wireless Product Marketing at Fortinet.


5 Keys to Protecting your Company’s Online Finances

Companies with an online presence globally are facing the growing problem of cybercrime. As a company owner, you are not only responsible for detecting online fraud, but also paying the related costs.

According to Forbes, every dollar of fraudulent transactions costs your business upwards of $2.

These costs can grow rapidly because online businesses are susceptible to a wider range of cyber-attacks, including salami attacks, credit card fraud, and identity theft.

You can take actionable steps to protect your company’s finances by following the pointers below.

1. Have a Dedicated Computer for Your Banking Needs

Only access your company’s finances on a single computer for all transactions between you and your customers.

Ideally, this dedicated computer should not be used for other online activity such as checking mail, accessing social media, and general surfing.

Using it for those activities exposes the computer to vulnerabilities. It’s also advisable to steer clear of mobile banking if you can.

2. Segregate Your Accounts and Keep your Credit Cards Safe

Your personal banking account and company account should be kept as segregated accounts. In the case of an attack, it helps if all your eggs are not in one basket, which means you won’t lose all your money.

Separate accounts also make it easier to keep track of your business expenses and file tax returns.

Don’t share your credit card number with companies or individuals whom you’re not familiar with until you can build a certain level of trust.

3. Get Professional Protection

Have you considered hiring someone with a master’s degree in information security? If you haven’t, it’s about time you did.

At a master’s level, your employees are more comfortable with all matters of information security, and you’ll manage to stay ahead of the fraudsters.

These employees will also be more valuable, and they will have leadership and managerial skills that are not taught in most undergraduate programs.

4. Extensive Background Checks on New Employees

Employees are your first line of defense in the case of a cyber-attack but also the most vulnerable point of entry.

A basic background search when hiring new employees can help you to notice any red flags in the candidates you are considering.

It’s especially important to do this for those employees who’ll be handling your company’s cash or accessing sensitive financial information.

5. Educate your Employees

Security technology has come a long way and is always changing, but regular training sessions are a good way to keep your employees updated on the most current cyber threat prevention measures.

Enforce this training by implementing policies and strict guidelines for all employees to adhere to.

Local business development centers are a good place to source fresh ideas on what to include in your training sessions.

Online consumer behavior and fraud schemes keep evolving. As a forward-thinking company, this means you should use modern defenses to prevent fraudulent attacks, which helps to keep your business afloat.

About the Author

Dixie Somers is a freelance writer and blogger for business, home, and family niches. Dixie lives in Phoenix, Arizona, and is the proud mother of three beautiful girls and wife to a wonderful husband.


Don’t be an Easy Target

7 Ways to Keep Your Server Secure by Michael Ryan, CEO, South River Technologies

Keeping corporate servers safe is a constant concern for IT professionals. Typically, the first step in Secure File Transfer server security is choosing a secure protocol such as FTP/S or SFTP. Sometimes, that’s not possible, so what other security measures can you take?

The most important thing to focus on is to not be an easy target. Guaranteeing that you’ll never be hacked isn’t likely, but you can make your Secure File Transfer server a much less attractive target. Here are 7 ways to do this:

Control Unauthorized Server Access

It may seem obvious, but your first line of defense against attacks is controlling server access. Keeping non-authenticated users or programs from accessing your servers is an important factor in ensuring that your confidential information stays as secure as possible.

1. Anti-hacking (password guessing) features on your SFTP server should be enabled. Your server should have settings for how many invalid password attempts can be made before the user (or program) is locked out. Ideally, this should be set at about 3, but no higher than 5. This makes the time between attempts much longer and reduces the likelihood of password guessing.

2. Disable anonymous access – or use it with extreme caution. Many FTP servers actually ship with a user named “anonymous.” If you use anonymous access, make sure that this user is locked into their home directory and has read-only privileges. Even if you do this, logging in as anonymous may let a user determine which port you use for FTP and which version of the server software you are running.

They can easily do research to determine if any security vulnerabilities exist in the software version you are running. The best practice, if you need to offer downloads through anonymous access, is to put those files on a dedicated SFTP server that sits outside your DMZ.

3. Anti-hammering features should also be enabled. This helps to prevent Denial of Service (DoS) attacks. A DoS attack is a way of making a server unavailable to its users by using a program to saturate the target server with communication requests. This makes the server so busy that it cannot process the legitimate file transfer requests.


Your SFTP Server should have settings for the maximum number of requests per second that the server will allow. The minimum setting should be about 40 connections per second. If you have very high traffic to your server, you may want to set this number a bit higher, so that you don’t lock out legitimate traffic. Setting it lower will make it more secure, but increases the risk of blocking actual user requests. It’s important to carefully consider this balance, and to look at your server log files to determine normal usage ranges.
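As an added example (not from the article or any vendor's product), the Python script below applies the two thresholds just described, a lockout after MAX_FAILED_LOGINS invalid passwords and a cap of MAX_CONN_PER_SECOND connections from one address, to constructed log lines, and also reports the peak rate seen so the cap can be compared against normal usage; the log format is invented for the example.

```python
"""Lockout and anti-hammering checks over constructed SFTP log lines.

Added example, not from the article. The log format below is invented;
real servers use their own formats and apply these limits internally.
"""
from collections import defaultdict
from datetime import datetime

MAX_FAILED_LOGINS = 3     # article: about 3, never higher than 5
MAX_CONN_PER_SECOND = 40  # article: about 40 as the minimum setting

# Constructed sample log, one event per line: "<timestamp> <event> <user>@<ip>"
SAMPLE_LOG = (
    "2017-06-01T09:00:00 CONNECT alice@10.0.0.5\n"
    "2017-06-01T09:00:00 LOGIN_FAIL alice@10.0.0.5\n"
    "2017-06-01T09:00:01 LOGIN_FAIL alice@10.0.0.5\n"
    "2017-06-01T09:00:02 LOGIN_OK alice@10.0.0.5\n"      # two misses, then success
    "2017-06-01T09:00:10 CONNECT bob@203.0.113.9\n"
    "2017-06-01T09:00:10 LOGIN_FAIL bob@203.0.113.9\n"
    "2017-06-01T09:00:11 LOGIN_FAIL bob@203.0.113.9\n"
    "2017-06-01T09:00:12 LOGIN_FAIL bob@203.0.113.9\n"   # third miss: lockout
    "2017-06-01T09:00:13 LOGIN_FAIL bob@203.0.113.9\n"
    # 45 connects from one address within the same second: hammering
    + "2017-06-01T09:01:00 CONNECT anonymous@198.51.100.7\n" * 45
)


def parse_line(line):
    """Split one log line into (timestamp, event, user, ip)."""
    ts, event, who = line.split()
    user, ip = who.rsplit("@", 1)
    return datetime.fromisoformat(ts), event, user, ip


def find_lockouts(lines, threshold=MAX_FAILED_LOGINS):
    """Map each user who reaches `threshold` consecutive failed logins
    to the time of the failure that triggered the lockout."""
    consecutive_failures = defaultdict(int)
    locked = {}
    for line in lines:
        ts, event, user, _ip = parse_line(line)
        if event == "LOGIN_OK":
            consecutive_failures[user] = 0      # a success resets the counter
        elif event == "LOGIN_FAIL":
            consecutive_failures[user] += 1
            if consecutive_failures[user] >= threshold and user not in locked:
                locked[user] = ts
    return locked


def connections_per_second(lines):
    """Count CONNECT events per (ip, second)."""
    counts = defaultdict(int)
    for line in lines:
        ts, event, _user, ip = parse_line(line)
        if event == "CONNECT":
            counts[(ip, ts.isoformat(timespec="seconds"))] += 1
    return counts


def find_hammering(lines, limit=MAX_CONN_PER_SECOND):
    """Return {(ip, second): count} for sources that exceed the cap."""
    return {k: n for k, n in connections_per_second(lines).items() if n > limit}


def peak_rate(lines):
    """Highest connections-per-second seen in the log; run it over real
    history to check that the cap sits above normal usage."""
    counts = connections_per_second(lines)
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("locked out:", find_lockouts(lines))
    print("hammering:", find_hammering(lines))
    print("peak rate:", peak_rate(lines))
```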

Users are the Weakest Link

Regardless of the measures you take to secure your server, you are at the mercy of your users. Users want their passwords to be simple to type and easy to remember. Users like words, especially words that mean something to them – a pet’s name or a child’s name, for example. And users often use the exact passwords on a multitude of sites and services.

4. Two-factor authentication should be an option. As mentioned previously, hacking passwords is one of the most common ways that unauthorized users gain access to systems. In addition to password policies, one method of drastically reducing the likelihood of password guessing is to implement an additional level of authentication. There are many ways that two-factor authentication can be implemented. A common way of doing this is with a token, such as a Safenet or RSA token. The token displays a numeric string which changes at short intervals. The user is required to enter the displayed numbers. The numeric string is then validated against a remote server or satellite. If it matches, the user progresses to the next level of authentication, which is entering their password.

5. Intelligent password policies should be implemented. While your system may be secure from hacking, if a password on another system is hacked, there’s a good chance that password will work in many places. Your server should allow the administrator to enforce policies on password length and what type of characters must be used. Requiring a password to include both upper and lower-case letters, at least 1 number and at least 1 special character will add exponentially to the number of possibilities for what the password can be. And a minimum length of 8 characters also makes the password much more difficult to guess.

Don’t Fall Victim to Your Software

As easy as it is to keep your software up to date, this is one place where many companies cut corners. Ensuring that you are running the best and latest versions of your software is key to staying cyber safe.

6. Keep your server and your operating system up to date. If you have good SFTP server software and it’s working well for you, there is often a temptation to leave it alone. However, new security threats are born every day, and server software companies are working constantly to keep ahead of these threats. Running out-of-date software means that you may be subjecting your server (and your network) to security threats that can easily be avoided with a simple software update. Similarly, the operating system should also be kept up to date. Apply service packs and other updates regularly so that vulnerabilities at the Operating System level are less likely.

7. Don’t use freeware. Most companies that sell Secure File Transfer servers or Managed File Transfer servers will tell you not to use freeware – and rightly so. They have a vested interest in encouraging customers to buy these products. But there are legitimate reasons that you should avoid freeware:

• Development environments may not be secure. This increases the risk of malware in free downloads.

• Developers can make FTP or SFTP work without strictly adhering to the IETF specifications for protocols. This may leave some functions unimplemented.

• Choose a company that has an interest in your success. If your SFTP server encounters problems, how important is it for the company to get you working again? How concerned are they about your protection and staying current with the newest security standards?

Even though it’s an insecure protocol, using FTP is often a technical requirement – perhaps for connecting with partners or legacy systems, or because it’s easy and cost effective for distributing files. Use secure protocols if you have the option to do so.

FTP is more frequently used today than you might expect. Use these tips to make sure that your server is as secure as possible.

About the Author

Michael Ryan is the CEO of South River Technologies (SRT), a global provider of cybersecurity solutions targeting organizations in need of secure enterprise collaboration for their distributed workforce. Mr. Ryan has over 20 years of experience in cybersecurity, initially designing frame-relay encryption networks to secure banking transactions in Europe. He serves on the board of the Cyber Association of Maryland and is a previous president of the Chesapeake Regional Technology Council. Michael can be reached on Twitter @SRTCEO and at the SRT website: http://www.southrivertech.com/.


CIOs discuss information security leadership

Recently, I got to ask members of the CIOChat about their CISO colleagues. To be fair, this was an above-board and positive discussion, and their guidance should be helpful to all CISOs, especially those wanting to build more effective relationships with their business counterparts.

CISO Communication Skills

Ed Featherston, Vice President for Cloud Technology Partners, started this discussion. Ed said communication skills are a must-have for today’s CISOs. He said that effective CISOs must have the ability to explain cost/risk/benefit in business terms to get buy-in and support. Chris Petersen, an IT consultant, agreed with Ed and asserted that all C-suite personnel should be effective and transparent communicators. Josh Wright, Chief Technical Architect for PwC, said, however, that we have to educate CISOs.

They need to understand that “not knowing how the sausage is made doesn't make people dumb, it makes them vulnerable to bad decisions”. EG Nadhan, Chief Technical Strategist at RedHat, agreed with Josh by saying that security experts are notoriously bad at talking to normal people.

At the RSA Conference, Seth Meyers, the comedian, even made a joke about this problem by saying it must feel good being at conference where everyone actually knows what you are talking about.

Steven diFilipo, CIO for the Institution for Transformational Learning, didn’t disagree with the sentiment of Seth Meyers. diFilipo said “a CISO that communicates risk in a manner that does not matter to others will not have their burden for long”. Peter Salvitti, CTO for Boston College, extended diFilipo’s thought by saying there is no such thing ever as "over-communicating" risk, compliance, and governance.

CISO effectiveness is tied to their creativity in communication. Steven Fox, Senior Cybersecurity Officer for the US Department of Treasury, added that most of his customers see opportunity where his team sees risk. Featherston confirmed Fox’s thinking by saying “security balance/tradeoffs is like walking a tightrope over a tank of hungry sharks”. CISOs need to get business people to understand the risk of falling.

For this reason, Featherston says a hallmark characteristic of a competent CISO is the ability to clearly and effectively communicate complex security ideas.

Become more like a business-facing CIO

Melissa Woo, CIO of Stony Brook University, said here that good CISOs should have the same traits as a good CIO. Promotion opportunity? These include being a communicator, being strategic, etc. Sharon Plitt, CIO of Binghamton University, added that CISOs and CIOs must be able to communicate risk to business partners and be able to help with identifying and managing risk.


In sum, she said that everyone in IT today needs to be a bit of a business person or they risk becoming irrelevant. Business knowledge is essential. Pascal Viginer, CIO of Orange, said here it is better to have a security-oriented CISO with strong business acumen. Josh Olson, Chief Information Officer for Michigan Tech University, agreed and went further, saying he believes the CIO and CISO should be able to swap roles on demand. Woo said she did not find Josh’s thought controversial because the skill sets are so similar. Nadhan had a somewhat different opinion here. He said if the CIO is a business person, then the CISO should be a security business person.

The CISO drives policy & governance and manages compliance and risk based upon strategic business initiatives. diFilipo agreed and said that a CISO should understand how to deliver on business needs. For this reason, he said that security is a component of service/product delivery. At this point, Jeffrey Pomerantz added that his research at Educause shows CISOs spend a lot of time on supporting institutional strategy.

Parting remarks

So there you have it, CISOs should be more like a CIO. In other words, they should be a business leader. If you are looking for more ideas on being an effective CISO, I have put together a brief on the CISO function with data. Here is a link to that brief.

Further Reading

Enlightened CISOs set the bar higher

Twitter: @MylesSuer

About the Author

Mr. Suer is the Director for Solutions and Industry Marketing at Protegrity Corporation. Mr. Suer is focused upon solutions for key audiences including CIOs, CFOs, Chief Enterprise Architects, and Chief Data Officers and the application of Protegrity to industries. He is also the facilitator for the #CIOChat and a Contributor to CIO.com. Prior to Protegrity, Mr. Suer was the Chief Platform Evangelist at Informatica. Much of Mr. Suer’s experience is as a BI practitioner. At HP and Peregrine, Mr. Suer led a product management team applying analytics and big data technology to the company’s IT management products.

Mr. Suer has also been a thought leader for numerous industry standards. For COBIT, Mr. Suer has written extensively. Most recently, he published in ISACA News “Extending COBIT 5 Data Security Guidance”. Mr. Suer led new product initiatives at start-ups and large companies. Mr. Suer has also been a software industry analyst. Mr. Suer holds a Master of Science degree from UC Irvine and a second Master’s in Business Administration in Strategic Planning from the University of Southern California.


WannaCry/Ransomware? Secure your Enterprise Using Blockchain-Enabled Cybersecurity by Narayan Neelakantan, Co-Founder and CEO, Block Armour

Ransomware has fueled a new wave of cybercrime against organizations. While ransomware targets both enterprises as well as individuals, the former offers a far higher level of profitability. With every passing day, attackers are launching more phishing campaigns, engineering new exploit kits and releasing new variants of ransomware to target organizations and hold their data ransom.

A successful ransomware attack can not only cause businesses financial damage due to the ransom payout, but also cause significant economic losses due to business disruption caused by locking out vital information, and subsequently, due to the negative impact on reputation leading to a loss of customers in the aftermath of an attack.

The recent rampage of WannaCry succeeded in taking ransomware out of the domain of cybersecurity and raising widespread awareness about cybercrime and how it affects not just organizations, but also individual users.

While its perpetrators only managed to collect around $100,000 in ransom, it succeeded in causing nearly $8 billion of economic losses to businesses in almost 200 countries, and has now come to be known as the world’s largest cyberattack.

As more enterprises undergo digital transformation, the value of data continues to increase. While automation enables faster and more scalable operations, digital data becomes even more critical to an enterprise’s functioning.

Existing cybersecurity solutions like strong firewalls and antivirus programs could not keep WannaCry from infecting enterprise networks and systems, which went on to successfully lock out users from their data and demand ransom in Bitcoins. The need of the hour is for solutions that offer a new and evolved approach in guarding against more sophisticated cyberthreats.

Blockchain could offer a future-ready mechanism for enterprises to protect their networks and critical infrastructure from emerging cyberthreats like ransomware. The WannaCry ransomware attack exploited a dated, unpatched vulnerability in Microsoft Windows to infect its users.

Over 67% of the systems infected by WannaCry ran on Windows 7 – a significantly older, but still commonly used OS. This attack illustrates how easy it is for cybercriminals to take advantage of legacy hardware, ineffective IT policies and disconnected interactions between IT and business functions within an organization.

The advantage of enabling blockchain-based cybersecurity is that even if data is accessed by legacy hardware, the decentralized nature of its data storage prevents organizations from having a single point of failure, which can be targeted and attacked.

Without sensitive data being collected and maintained at a single physical location, cybercriminals would be unable to lock and hold data ransom.

In addition, blockchain offers organizations the ability to store critical data in an encrypted format, across records that are immutable and tamper-proof. Data stored in a blockchain undergoes sequential hashing to generate a unique fingerprint.

Blocks of transactions taking place within the system are linked by these hashes to ensure data integrity.

Any attempt to access or alter data stored in a blockchain is indelibly recorded, allowing organizations not only to restrict access by unauthorized users from outside their networks, but also to reduce the risk of insider threats.
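The linked-hash integrity property described in the last three paragraphs, as an added example that is not from the article or from Block Armour: a minimal hash chain of constructed access events, with a check that recomputes every link and reports the first record that no longer matches.

```python
"""A minimal hash chain: each record carries the hash of the previous
record, so altering any stored record invalidates every link after it.

Added example, not from the article or from Block Armour. The record
contents are constructed access-control events.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64


def record_hash(prev_hash, index, payload):
    """Fingerprint of one record; it covers the record's position and the
    previous hash, which is what links the records into a chain."""
    material = json.dumps(
        {"prev": prev_hash, "index": index, "payload": payload}, sort_keys=True
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def append_record(chain, payload):
    """Append `payload` as the next record, linked to the last one."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {"index": len(chain), "prev": prev_hash, "payload": payload}
    record["hash"] = record_hash(prev_hash, record["index"], payload)
    chain.append(record)
    return record


def first_broken_link(chain):
    """Recompute every hash; return the index of the first record that
    fails, or -1 if the whole chain is intact."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        if record["index"] != i or record["prev"] != prev_hash:
            return i
        if record["hash"] != record_hash(prev_hash, i, record["payload"]):
            return i
        prev_hash = record["hash"]
    return -1


def build_sample_chain():
    """Constructed sample: three identity and access events."""
    chain = []
    append_record(chain, {"event": "grant", "user": "alice", "share": "/finance"})
    append_record(chain, {"event": "read", "user": "alice", "file": "/finance/q2.xlsx"})
    append_record(chain, {"event": "revoke", "user": "alice", "share": "/finance"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(first_broken_link(chain))            # -1: intact
    chain[1]["payload"]["user"] = "mallory"    # alter a stored record
    print(first_broken_link(chain))            # 1: that record no longer matches its hash
```

The chain detects an alteration after the fact; preventing the alteration is the job of the access controls the article goes on to discuss.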

In addition to allowing critical data to be managed in a decentralized manner, blockchain allows for improved provisioning of digital identity and access management services. A blockchain-enabled cybersecurity solution will allow organizations to enforce tighter access controls and prevent mishandling of data by unauthorized users.

When access to sensitive data gets controlled more effectively, the threat of ransomware correspondingly becomes more controlled and manageable.

While blockchain originally emerged as a completely secure mechanism to ensure Bitcoin transactions and has made a considerable impact in the fintech space, rising sophistication and frequency of cyberthreats requires a brand-new focus on this technology from a cybersecurity perspective.

Blockchain can empower organizations by giving them the ability to enforce improved identity and access management to keep cybercriminals at bay.

About The Author

Narayan Neelakantan is the Co-Founder and CEO of Block Armour – an India-based startup working on providing next-gen enterprise cybersecurity, powered by blockchain technology. With over 16 years of experience in the field of Cybersecurity, IT Governance, Risk & Compliance and IT Infrastructure, Narayan is an innovative thought leader responsible for strategizing, implementing and maturing Risk Management & Cyber Security. He was previously the CISO and Head – IT Risk & Compliance with India’s National Stock Exchange (NSE) – Technology. Narayan can be reached online at [email protected], https://twitter.com/BlockArmour and at our company website http://www.blockarmour.com/


The challenges of interference within modern industrial systems

By Milica D. Djekic

The new industrial revolution, known as the fourth generation of industrial systems, brings a completely new approach to industrial assets. It confronts us with more sophisticated and more complex solutions that demand a certain level of skill. As is well known, this technology is cyber-based; in other words, it relies on new advances such as computers, the web and mobile devices.

Many of the industrial plants built for these purposes will have designers who believe that choosing wireless solutions reduces the amount of wiring in their infrastructure and consequently the cost of that wiring.

People so often think of wireless technologies as convenient, but very few realize that they bring a certain amount of risk regarding interference, along with health concerns linked to the fairly high level of electromagnetic radiation present in the room.

New-generation industrial systems are starting to become part of our reality, though only a very small percentage of industrial assets are already equipped with the emerging technology. The main reason industry giants invest in a new technology is that such an investment can bring a good amount of profit once it is put to use. It is well known from economics that investment in new technologies can increase productivity and effectiveness in the working process and consequently boost a factory’s income.

That is the crucial reason industrial giants decide to put more money, time and effort into developing and running new-generation assets. In doing so, they follow the cost-effective solution suggested by today’s knowledge and the experience present within the expert community.

Many designers recommend wireless technologies as something much cheaper than wired solutions. Following this approach, many technical and financial experts get their projects approved precisely because they rely on wireless systems, which are seen as having a certain advantage over wired ones.

We would agree that handling all that wiring is sometimes complicated, and, as is known, the concepts of wireless transmission of both information and power are well researched, so it is logical that engineers cope well with those results.


On the other hand, we would ask a simple question: do these new-generation factories suffer some sort of business discontinuity because of systematic failures, or for less obvious reasons? The capacities of these production systems are huge, and it is obvious how large the economic losses could be if a factory suffered frequent stoppages in its production. The cause could indeed be a systematic mistake, but quite commonly the reasons are more bizarre.

The engineers and technicians working in such high-tech factories may believe that they suffer these flaws because the technology is still new and many aspects of its design remain unexplored. Here we would point to a more obvious physical phenomenon: interference. Some researchers have done great studies of these challenges at busy places such as airports. They indicate that a signal can be amplified, damped or deformed depending on the kind of interference you are dealing with.

Just imagine constructive interference that amplifies your signal so greatly that the receiver dealing with it simply burns out because of such a strong electromagnetic wave. The receiver picks up that strong signal, which induces a current it cannot handle. As a consequence, the entire receiving part can be damaged.

As is known, industrial systems deal with plenty of sensors, controllers and actuators. You would agree it would not be convenient at all if some of those subsystems simply burned out because of excessive voltage. We would therefore appeal to system designers to pay attention to good calibration as well as reliable fusing elements that protect those segments from damage. It can also happen that the interference is destructive, meaning the entire signal is damped.

In that case nothing happens; in other words, the production system receives no signal at all. This is identified as a stoppage in production, and the technical service spends time trying to discover what really happened, which also affects business continuity.

Finally, receiving a shifted or deformed signal corrupts the information arriving at its destination and causes flaws in the entire operation.

Through the following series of illustrations we demonstrate how constructive, destructive and in-between interference appear in practice. The illustrations provided here were drawn using the GRAPH mathematical tool, and their purpose is to show, through simple periodic functions such as sine and cosine, how it works in theory.

We would stress that cases from practice are much more complicated and need detailed mathematical analysis to be understood. Let us start with the constructive interference given in Figure 1.


Figure 1. The constructive interference

As shown above, this sort of interference involves two basic signals, shown in blue and red, which are in phase with each other. The sum of these two signals gives the pink signal, showing that the final result is strongly amplified. The second example shows what happens when the total signal is cancelled by destructive interference between signals that are out of phase with each other. The illustration is provided in Figure 2.

Figure 2. The destructive interference


Finally, we demonstrate what in-between interference looks like in theory and how the resulting signal can be shifted or deformed. The illustration is given in Figure 3.

Figure 3. The in-between interference
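The three figures are the sum of two sinusoids of equal amplitude $A$ and frequency $\omega$ that differ only by a phase $\varphi$; the following derivation is added here and is not part of the article. With the sum-to-product identity,

$$
s_1(t) = A\sin(\omega t), \qquad s_2(t) = A\sin(\omega t + \varphi)
$$

$$
s_1(t) + s_2(t) = 2A\cos\!\left(\frac{\varphi}{2}\right)\sin\!\left(\omega t + \frac{\varphi}{2}\right)
$$

so the resulting signal keeps the frequency $\omega$, has amplitude $2A\cos(\varphi/2)$ and is shifted by $\varphi/2$:

$$
\varphi = 0:\quad s_1 + s_2 = 2A\sin(\omega t) \qquad \text{(Figure 1, amplitude doubled)}
$$

$$
\varphi = \pi:\quad s_1 + s_2 = 0 \qquad \text{(Figure 2, the signals cancel)}
$$

$$
\varphi = \tfrac{\pi}{2},\; s_2 = A\cos(\omega t):\quad s_1 + s_2 = \sqrt{2}\,A\sin\!\left(\omega t + \tfrac{\pi}{4}\right) \qquad \text{(Figure 3, shifted and rescaled)}
$$

A receiver calibrated for amplitude $A$ must therefore tolerate up to $2A$ in the constructive case, and a zero reading in the destructive case is indistinguishable from a dead link without further analysis.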

To conclude this effort, we would suggest that interference could be a huge issue in the industrial systems of tomorrow, so we would advise researchers, engineers and scientists to take a closer look at this challenge. We are aware that the ultra-modern factories of today deal with high-technology solutions such as robots, autonomous machines, intelligent sensors and much more. Also, the new tendency is for the transmission of information and energy to be wireless, so we would recommend that interference, as well as health requirements, find their place in future investigations. We strongly believe that research bodies will find it in their interest to run such projects, because they can make global business more competitive and profitable.

About The Author

Since Milica Djekic graduated from the Department of Control Engineering at the University of Belgrade, Serbia, she’s been an engineer with a passion for cryptography, cyber security, and wireless systems. Milica is a researcher from Subotica, Serbia. She also serves as a Reviewer at the Journal of Computer Sciences and Applications.

She writes for American and Asia-Pacific security magazines. She is a volunteer with the American Corner of Subotica as well as a lecturer with the local engineering society.

Hacking: Cheaper than a Nando's chicken, by Jonathan Stock, Cyber Security Recruitment Consultant, IntaPeople.

Now don’t get me wrong, hacking can be expensive, individuals or groups can sit in-front of 200 computer screens with all of the latest technology working at the same time. Picture Kevin Smith in Die Hard 4 or Gene Hackman (no pun intended) in Enemy of the State. But there’s another side of hacking that I’ve recently read about which I wanted to shed some light on.

Recently a USB device called PoisonTap has been introduced to the hacking market. With a cost of $5 it allows users to simply plug it into a computer, leave it for 1 minute, remove it, and then the user has access to online accounts and routers. Now that’s pretty simple; I’m not a technical genius but I’m pretty sure even I could do that (not that I plan to or have any need to!), so if it was to fall into the wrong hands, or be planted into an infrastructure, the consequences would be quick and painful. There’s also a new DDoS attack called ‘BlackNurse’ which allows hackers to take down routers and servers from a single laptop. Like with the majority of cyber-attacks, you need a decent skillset to pull it off, but if you can use a laptop to create DDoS attacks with that sort of power then all you really need is a laptop (available at most retail stores!), which is pretty cheap to set up.

Now we go to the big bad dark web or -Network. For those who don’t know about the dark web, it’s a seedy underworld of pretty much anything you want. Most of it isn’t nice, most of it is quite criminal in nature, and it would be like looking into Voldemort’s soul. What I didn’t know about this network is that you can hire hackers pretty cheaply and they will target companies or individuals on your behalf. Again, another cheap way of hacking.

With the way that the world is changing, more and more cybercriminals are emerging. With this, you get cheaper versions of hacking, and there are going to be more and more of these types of threats emerging over time. Think about how simple it would be to get a bucket load of PoisonTap devices, and with the lack of cyber security education within some companies, imagine how easy it would be to get these into a computer. Of the USB sticks dropped on a university campus, 48% were plugged into a computer; if a similar result was achieved with PoisonTap then there would be quite a few companies up the proverbial creek without a paddle.

About The Author

My Name is Jonathan Stock and I am a cybersecurity recruitment consultant working for IntaPeople. In addition to sourcing candidates for various cybersecurity companies, I am also a contributor to several cybersecurity online magazines, a member of the UK Cyber Security Cluster and an event coordinator.

Jonathan can be reached online at [email protected], @JonathanStock86 and at our company website http://www.intapeople.com

Daniel can be reached online at ([email protected]). For more information on OBXtek, please visit their website at https://www.obxtek.com/aboutus


Don’t Become Another Data Breach Statistic

7 tips from a security expert to implement now by Lee David Painter, CEO, Hypersocket Software

Hardly a week goes by without a new data breach grabbing the headlines. Already this year, data breaches at mobile phone network Three, Wonga and Sports Direct have come to light. Not to mention the ransomware attack on the NHS and other organisations.

It’s tempting to believe that all attacks and breaches are the result of shady hackers operating from halfway around the world – and that large organisations are always the targets.

However, in many cases the cause of a data breach is much closer to home: poor password security, software vulnerabilities, simple human error, and abuse of access and privileges are as often to blame as malicious outsiders. And there’s growing evidence that smaller businesses are being impacted too.

Network security specialist Hypersocket Software counts organisations such as Cisco, Xerox and Huawei among its customers.

As more and more organisations look to tackle their everyday security challenges, we offer seven steps to help smaller businesses avoid becoming a data breach statistic.

1. Introduce IAM - Stolen credentials are a prime entry point to systems for hackers. Investing in fairly simple Identity and Access Management (IAM) technology means a business can be sure that, regardless of how its network and data are being accessed, they are being accessed securely.

2. Use multi-factor authentication - One of the best practices for securing data is extending security around applications by using multi-factor authentication.

That means to gain access to a system a user is authenticated by providing information on something they know and something they have.

So, the first authentication challenge might be to provide a piece of personal information, such as their favourite football team or favourite colour (something they know). The second challenge could be a time-limited token sent to their mobile with a reactivation code (something they have).

Multi-factor authentication should particularly be used for granting access to privileged users.

3. Limit employee access to systems - The fact that someone has established his or her identity as an employee should not result in unfettered access to all your systems.

It’s important to work on the principle of least privilege to ensure employees only have access to the services they really need for their role.

For example, an assistant in the admin team does not need administrative privileges on IT systems; a member of the sales team does not need access to sensitive financial information.

4. Use a Password Manager - One element that can be lacking particularly in smaller businesses is security from the end user’s perspective in the form of a password policy and password management.

Passwords are now so commonplace that people can become complacent with their use. Repeated, simple and obvious passwords can open the door for hackers.

Ensure employees follow these five insider hacks for creating stronger passwords, and use a Password Manager.

This allows users to store, manage and access all the systems they need with one password, enabling companies to make their password requirements stronger, longer and trickier for hackers to uncover.

5. Don’t forget Self-service - Password Self-service solutions allow end users to manage their own accounts and systems access without needing to call the IT helpdesk.

So users can reset or unlock their password using multi-factor authentication. This means security can be enhanced as organisations can enforce a strong password policy.

6. Don’t worry about the cost – Free versions of security software will serve smaller businesses’ needs and offer outstanding levels of protection at the same time. Many of the solutions mentioned above – including Access Manager, Password Manager and Self-service – can be downloaded free of charge, quickly and easily.

Visit websites such as Softonic, Hypersocket or Download to compare what’s available from different software companies and find a product that best suits your needs.


7. Create a security aware culture - Best practice in network, systems and data security needs to be enshrined in a strong and well communicated security policy.

It should be embedded with a company’s culture, rigorously monitored and taken seriously at every level – from the top down.

Lee Painter comments: “Data breaches might appear to be getting more frequent and the hackers more sophisticated. The reality for smaller organisations, however, is that most data breaches are low level in their complexity.

That’s not to say they can’t have a damaging effect, but following these steps and employing security best practices throughout the business will go a long way to reducing the chances of a breach.”

About The Author

Lee David Painter is CEO of Hypersocket Software. Lee is a software developer turned entrepreneur who specialises in network security solutions.

In 2002 he set up his first business, 3SP Ltd, and created a suite of open source and commercial security applications. These included SSH APIs for Java and .NET and SSL-Explorer, one of the first open source, browser-based SSL Virtual Private Networks.

During this time he also established SSHTOOLS. Beginning life as an open source project in 2002, SSHTOOLS now provides vital SSH components to enterprise businesses. 3SP Ltd was acquired by Barracuda Networks in 2008 and Lee continued to establish SSHTOOLS and then moved on to set up two new businesses:

Nervepoint Technologies and Hypersocket Software. Each business focuses on creating more secure IT environments by providing tools and software to tackle the IT security challenges that organisations face every day. Nervepoint Technologies offers password management solutions and counts organisations such as CISCO, Symantec and Xerox amongst its clients, while Hypersocket Software provides enterprise and professional level network security and remote access management software.

Lee can be reached at [email protected], https://twitter.com/hypersocket and at our company website http://www.hypersocket.com/


The Internet of Things

Exchanging Convenience for Security by Daniel Jetton, VP Cyber Services, OBXtek, Inc.

Prologue

Picture this scenario. Recently, I purchased a smart grill, which automatically starts and heats up via an app I can set on my phone. Additionally, it senses when my food is at the correct temperature for retrieval. One day I receive a text message from someone calling himself “Xtrakt0R79”. Xtrakt0R79 texts me that he has hacked my grill and has fired it up to 500 degrees. The gauge is rapidly approaching the danger zone. I quickly hit another app on my phone, connecting to the Wi-Fi camera on my back patio. I can clearly see the hot grill with heat waves dispersing in the air above it. The hacker is asking for $75 transferred via bitcoin or crypto-currency to keep from superheating the unit and possibly starting a fire on my patio. I have 20 minutes to comply and 30 minutes to complete the funds transfer. What do I do? I should have secured these apps and devices better. Was there a default password I should have changed? Can the hacker access other smart technology in my house? From where will the next ransom request come?

Introduction

The term “Internet of Things (IoT)” is used to describe the increasingly networked machine-to-machine/network-to-network communications that are built on cloud computing and various sensors. The IoT exists in an instantaneous, virtual and mobile environment. The term IoT is sometimes used synonymously with “smart” hardware, describing how the hardware reacts to and sometimes anticipates our needs (like turning on the lights or otherwise reacting to voice commands). These smart devices are not equipped with artificial intelligence, but use sensors and commands that automate tasks we humans no longer have the time or the inclination to do (Burrus, 2017). The three major drivers of this IoT technology are decreased computing and storage costs, pervasive cheap and tiny sensors, and ubiquitous connectivity (Jontz, 2017). Objects like smart thermostats learn your household habits to adjust temperatures that keep you most comfortable when home and save money when you are not. Smart lights may go off when they sense no movement or have reached a programmed time. They may also turn off when you press a button on your phone or use a voice command. Between you and the smart device exists a network and internet cloud that decipher and transmit the data from sender to receiver.

The cleverest part of the Internet of Things is not necessarily that you can tell devices to do things, but that devices can tell you things. A moisture detector can alert you to a flooding basement via your phone. Smart cement can detect warps, cracks and stress fractures on bridges and roads and automatically notify authorities to prevent a calamity. Similar sensors on your car can detect ice on a sloped road and automatically slow your vehicle (Burrus, 2017). In traffic, anyone with the Waze application on their smartphone or tablet can use the GPS and algorithm (and network of users) to determine the fastest way home.

Trade off

In 2016 the IoT market generated $1.39 billion, with a forecast of generating $74.53 billion by 2025. Largely due to global distribution and growing internet availability, the demand for connected devices will increase while the cost of sensors, sensor technologies, and high-speed internet will decrease. The only thing slowing the growth will be a shortage of IoT expertise and trained workers, along with a lack of universally accepted standards and protocols (Inkwood, 2017). Polling 5000 enterprises globally, an AT&T Cybersecurity Insights Report found that 85% of enterprises are either currently using or planning to adopt IoT hardware, yet only 10% are confident they can secure these devices (Meola, 2016).

Always On: Part of the Collective

Virtually every household item has the potential to become connected to the internet in the next few years. Turning a “dumb” device into a smart one will be financially inconsequential as processors become a commodity. This could result in a flood of smart devices that have little to no value to the consumer. These smart devices would instead be produced as a way to harvest data, analytics and information for the manufacturer. Data is a much sought-after commodity that can be used by the manufacturer or resold on the marketplace. Mikko Hypponen, chief research officer at F-Secure, foresees kitchen appliances collecting data to monitor repairs and broadcast their location. Location data can help marketing and sales by focusing advertising (unbeknownst to the owner). With upcoming 5G wireless service, these devices may not even need a home Wi-Fi network to communicate worldwide. Just as computer-controlled vehicles are commonplace in the automobile market, soon you likely won’t be able to purchase a device without IoT connectivity. Darren Thomson, CTO & Vice President of Technology Services at Symantec, agrees that companies are asking if they can produce IoT devices instead of if they should. Businesses across the globe are racing to digitize what they do and connect what they have in order to collect data from what they have to sell. Further, patches and updates work for items that can be completely shut down and rebooted, but cars, buildings, pipelines, power plants and cities have little or no downtime.

The danger of using these IoT items is that we become used to them and forget they are always on, always collecting data (Palmer, 2017). The emergence of the data economy will further promote use of connected devices and the data they produce. This emergence will give big companies like Amazon, Apple, Facebook and Microsoft distinct advantages and power. Algorithms can be implemented to predict when hardware needs servicing, when a person is at risk for a disease, or is ready to buy a product.

Access to this data also gives an advantage over rivals and startups. By tracking “big data”, large companies will be able to know new trending products and services as they happen, giving them the opportunity to copy or purchase an upstart before it becomes a threat (Economist, 2017). As data of the 21st century becomes what oil was in the 20th century, companies will be staking their claims and digging deep in hopes of hitting some of that valuable data.


The Threats

Threats to IoT, from hackers to malware, are myriad. A newly discovered malware called BrickerBot, currently in the wild, specifically targets IoT devices that run open-source Linux. BrickerBot takes advantage of users who did not change the default username and password printed on the IoT device prior to shipping. While other malware may look to add a device to its collective of bots, BrickerBot looks to kill the device outright. As opposed to the common distributed denial of service (DDoS) attack, BrickerBot delivers a permanent denial of service (PDoS) attack which renders the device useless. While this vulnerability is common, it is easily prevented and remedied by changing the default username and password and turning off any Telnet remote access (Coppock, 2017).

The cellphone, the most ubiquitously connected device today, has its own share of security issues. Pew Research found that 28% of owners do not lock their cell phone screen at all, 40% of owners only update their devices when it is convenient, and 14% admit to never updating the software (Williams, 2017). Personal phones are connected at all times and contain personal correspondence, photos, banking and contact information; however, a large percentage of the population can’t be bothered to secure them. Perhaps in the future, government regulation will mandate protections for cell phones in the same way mandates were implemented for the automobile (Palmer, 2017). Safety belts weren’t always standard or legally required, and air bags are a fairly recent innovation. People lived longer in spite of themselves.

A Secure Way Forward

Security company ForeScout produced an IoT Enterprise Risk Report authored by ethical hacker Samy Kamkar. The report reflects badly on IoT product vendors that often use rudimentary security and old firmware – an invitation to backdoor exploits and IoT DDoS attacks (Palmer, 2016). So, what are we to do in order to secure our IoT world? There are some enterprising individuals and companies that see this niche and offer options. Forbes offers up the six most popular technologies for future IoT security, with examples of each (Press, 2017):

1) IoT Network Security – intrusion detection and firewalls;

2) IoT Authentication – static/dynamic passwords, two-factor authentication and digital certificates;

3) IoT Public Key Infrastructure (PKI) – digital certificates, cryptographic keys and life-cycle capabilities;

4) IoT Encryption – at rest and in transit, with full encryption key life-cycle management;

5) REST-based Application Programming Interface (API) security – authorization and authentication of data from device to back end, and integrity through bona fide communication channels;

6) IoT Security Analytics – aggregation, monitoring and normalization of data from IoT devices, adding machine learning, anomaly detection and predictive modeling in the future.

IoT as Security

Another solution for the security of IoT is IoT itself. In other words, the same techniques that allow inspection, management and optimization of the immense amount of information that currently crosses networks can be used to repair a hack or breach. Tools can be developed to compare network activity against a baseline while continuously monitoring and logging. Full situational awareness is especially vital for critical systems as opposed to a common household platform (OT vs. smart home), but both can be used for the same purpose. The future for household IoT adopters may be breach alerts sent to their smartphones and automatic hack countermeasures deployed upon discovery.

Just as the internet was developed as a government application and then transitioned to the public, this IoT solution can also be deployed in this manner. Current Defense Department initiatives include the ability to identify and react to network changes. The Defense Advanced Research Projects Agency (DARPA) is working to develop self-healing networks. Currently, finding bugs is considered “artisanal”, requiring many hours of professional expertise. These challenges leave hackers with an advantage. Judson Walker, systems engineering director at Brocade Communications Systems, insists that IoT security solutions lie in clearly defined software and application program interface frameworks. These frameworks centralize control over IoT devices, facilitating the ability to alter sensors with minimal effort. Handling massive amounts of data has provided the push for machine learning (artificial intelligence). Algorithms are being formulated for use in networks not only to examine the information, but also to understand it and recognize unusual changes or deviations, ultimately making decisions to mitigate threats. Removing the human piece will provide a much faster reaction to events as opposed to the slow engagement (or non-engagement) of human owners. On-the-spot self-correction is the quickest way. The technology does exist, but the lack of trust is the biggest hurdle as we are turning over human decision making to algorithms (Jontz, 2017).
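As an added example (not from the article or any product it names), here is a small baseline-comparison detector in the spirit of the two paragraphs above: it learns each home device’s usual outbound volume and destinations from a constructed history, then flags intervals that exceed the volume baseline or contact a host never seen before. Device names, hostnames and byte counts are constructed.

```python
"""Baseline-and-deviation detection for home IoT traffic (added example).

Learns, per device, the usual outbound bytes per interval and the set of
remote hosts it talks to, then flags intervals that exceed the volume
baseline or contact a host never seen before. Device names, hostnames and
byte counts below are constructed; a real deployment would feed flows from
a home router's connection log or flow export.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    device: str     # local device (name or MAC)
    interval: int   # index of a fixed time bucket, e.g. five minutes
    dest: str       # remote host contacted (constructed values only)
    bytes_out: int  # bytes sent by the device in this bucket


@dataclass
class Baseline:
    mean_bytes: float
    stdev_bytes: float
    dests: Set[str]


@dataclass(frozen=True)
class Alert:
    device: str
    interval: int
    kind: str       # "unknown-device", "new-destination" or "volume"
    detail: str


def build_baseline(history: List[Flow]) -> Dict[str, Baseline]:
    """Per device: mean/stdev of bytes per interval and the known destinations."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    dests: Dict[str, Set[str]] = defaultdict(set)
    for f in history:
        totals[f.device][f.interval] += f.bytes_out
        dests[f.device].add(f.dest)
    result: Dict[str, Baseline] = {}
    for dev, buckets in totals.items():
        vals = list(buckets.values())
        result[dev] = Baseline(mean(vals), pstdev(vals), dests[dev])
    return result


def detect(baseline: Dict[str, Baseline], observed: List[Flow],
           z_threshold: float = 3.0, min_stdev: float = 1024.0) -> List[Alert]:
    """Compare observed flows against the baseline and return alerts.

    min_stdev keeps a device with nearly constant traffic from alerting on
    noise: the allowed spread is never smaller than that many bytes.
    """
    alerts: List[Alert] = []
    seen_unknown: Set[str] = set()
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in observed:
        b = baseline.get(f.device)
        if b is None:
            if f.device not in seen_unknown:   # one alert per unknown device
                seen_unknown.add(f.device)
                alerts.append(Alert(f.device, f.interval, "unknown-device",
                                    "no baseline for this device"))
            continue
        if f.dest not in b.dests:
            alerts.append(Alert(f.device, f.interval, "new-destination",
                                f"first contact with {f.dest}"))
        totals[(f.device, f.interval)] += f.bytes_out
    for (dev, iv), total in sorted(totals.items()):
        b = baseline[dev]
        limit = b.mean_bytes + z_threshold * max(b.stdev_bytes, min_stdev)
        if total > limit:
            alerts.append(Alert(dev, iv, "volume",
                                f"{total} bytes vs baseline limit {limit:.0f}"))
    return alerts


# Constructed history: a smart grill checking in with its vendor cloud and a
# patio camera streaming to its relay, one bucket per interval.
GRILL_HISTORY = [2400, 2600, 2500, 2550, 2450, 2500, 2600, 2400, 2500, 2550, 2450, 2500]
CAMERA_HISTORY = [48000, 52000, 50000, 51000, 49000, 50000]
HISTORY = (
    [Flow("grill", i, "cloud.grill-vendor.example", b) for i, b in enumerate(GRILL_HISTORY)]
    + [Flow("patio-cam", i, "relay.cam-vendor.example", b) for i, b in enumerate(CAMERA_HISTORY)]
)

# Constructed current window: the grill suddenly pushes ~900 KB to a host it
# has never contacted, the kind of change a baseline comparison should catch.
OBSERVED = [
    Flow("grill", 12, "cloud.grill-vendor.example", 2500),
    Flow("patio-cam", 12, "relay.cam-vendor.example", 50500),
    Flow("grill", 13, "cloud.grill-vendor.example", 2500),
    Flow("grill", 13, "198.51.100.23", 900000),   # documentation address, constructed
    Flow("patio-cam", 13, "relay.cam-vendor.example", 51000),
]


def run_demo() -> List[Alert]:
    return detect(build_baseline(HISTORY), OBSERVED)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.device} interval {a.interval}: {a.kind} ({a.detail})")
```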

Conclusion

The Internet of Things is a ubiquitous entity that offers untold abilities and conveniences that could not be anticipated 20 years ago. Unfortunately, the ubiquity and security concerns can leave users, including countries, cities, municipalities and individuals, vulnerable in a multitude of ways. The sheer volume of devices and the data they process and store can be used by bad actors for ill. While we are becoming more aware of the risks, we continue to plug in without taking proper care to mitigate and address those risks. Some solutions are simple (changing usernames and passwords) while others are more complex (implementing authentication and encryption). If companies insist on producing insecure IoT devices, perhaps the government may step in to regulate the security of these devices, at least until we start to take notice of the risks and take the initiative for our own security. Personal responsibility means we take it upon ourselves to do what we can to secure our personal devices while demanding companies secure theirs. Lack of action should require federal intervention to protect the public at large. We should always remember that information is power. We should never give up that power unknowingly or unwillingly.

References

Burrus, D. (2017). The Internet of Things Is Far Bigger Than Anyone Realizes. Retrieved from https://www.wired.com/insights/2014/11/the-internet-of-things-bigger/

Coppock, M. (2017). New ‘BrickerBot’ malware attack kills unsecured Internet of Things devices. Retrieved from https://uk.news.yahoo.com/brickerbot-malware-attack-kills-unsecured-204503806.html


Economist. (2017). The world’s most valuable resource is no longer oil, but data. Retrieved from http://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust--worlds-most-valuable-resource

Inkwood Research. (2017). Global Internet Of Things Market Forecast 2017-2025. Retrieved from https://www.reportbuyer.com/product/4379313/global-internet-of-things-market-forecast-2017-2025.html

Jontz, S. (2017). Cyber Network, Heal Thyself. Retrieved from http://www.afcea.org/content/?q=cyber-network-heal-thyself

Meola, A. (2016). How the Internet of Things will affect security & privacy. Retrieved from http://www.businessinsider.com/internet-of-things-security-privacy-2016-8

Palmer, D. (2016). IoT devices can be hacked in minutes, warn researchers. Retrieved from http://www.zdnet.com/article/iot-devices-can-be-hacked-in-minuteswarn-researchers/

Palmer, D. (2017). Internet of Things security: What happens when every device is smart and you don't even know it? Retrieved from http://www.zdnet.com/article/internet-of-things-security-what-happens-when-every-device-is-smart-and-you-dont-even-know-it/

Press, G. (2017). 6 Hot Internet of Things (IoT) Security Technologies. Retrieved from https://www.forbes.com/sites/gilpress/2017/03/20/6-hot-internet-of-things-iot-security-technologies/#4d72f76e1b49

Williams, B. (2017). Put a lock screen on your phone, sheeple! Retrieved from http://mashable.com/2017/03/15/phone-security-lock-screen-survey/#ODDkctwhXSqk

About the Author

Daniel Jetton MBA, MS, MA, CISSP, CAP, PMP is the Vice President of Cyber Services for OBXtek, Inc., an Award-Winning Government Cybersecurity Service Provider providing Information Technology Engineering and Support, Program Management, Software Development, Testing, and Information Security services to the Federal Government. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients.

Mr. Jetton is a former Army Medical Chief Information Officer with over 25 years of experience in cybersecurity, management, strategic planning and project management.

Daniel can be reached online at ([email protected]). You can follow Daniel on Twitter @CyberPhalanx. For more information on OBXtek, please visit their website at https://www.obxtek.com/aboutus


Is Your Company’s Data Being Sold on the Dark Web?

Learn how Comodo can help you for free if any of your information is already for sale on the Dark Web.

As companies scramble to find the best ways to protect themselves from ransomware and other types of malware and with almost daily reports of major breaches and infiltrations, public awareness of cybersecurity may be at an all-time high…and yet, there are still some very basic, and easy to correct, mistakes being made that put companies at risk for major data loss.

One major threat that has IT security personnel on high alert is known as “pony” malware. Basically a Russian password thief, this type of malware performs data exfiltration on the credentials of more than 90 applications once gaining access to a machine.

Large companies, as a whole, are typically more vulnerable to these zero-day “pony” malware attacks, simply on a percentage basis, because there are more employees accessing more sites, both personal and professional.

But enterprises are also more likely to be targeted because there is more for the black hats to gain, compared to hacking smaller organizations.

According to Ponemon Institute, in 2016, a single stolen record cost companies $158. Data breaches overall, however, set companies back approximately $4 million, on average.

Black hat hackers don’t care if they hurt your organization, as your stolen data becomes their revenue source on the Dark Web—but you should.

Imagine a free report that can allay your fears and provide you with specifics about the areas of vulnerability for your company. Well, look no further. Comodo is offering a no-cost Company Threat Analysis report specifically to enterprises, companies with 1,000+ employees.

This report shows in detail the kinds of data from companies and employees that is vulnerable to this kind of malware—and what is being sold on the Dark Web.

Enterprises in all sectors have been shocked to discover the amount of information from their organization that is currently available for sale on the Dark Web. What stands out as a vulnerability, from a brute force perspective, is the simplicity of it all.

As the Threat Analysis report has clearly shown our researchers, many of us are not very vigilant about our passwords.

It is normal for many people to use the same password for multiple devices and accounts, or to only change them slightly, by adding a “1” – very common – or a symbol, usually “!” – also very common.


Even when prompted to update or change them, many times we just move to the next number or next symbol.

Often we use the names and birthdates of our children, spouses or other family members, simply updating their age as our new number each year.

All of these password “strategies” are easily breached by brute force: simply trying the next most logical, simple password upgrade.

For example, if I have a password that is “Nancy1,” when it is time to upgrade, if I’m like a large contingent of the population, I’ll simply go with “Nancy2” or “Nancy1!.”

We have to be concerned about this not just on a personal level, but at a business level. If someone in my company is using this strategy, it not only puts their accounts at risk, it puts my business at risk.
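One defensive use of the pattern just described, as an added example (not Comodo’s report or tooling): a check a password-change handler can run to reject a new password that is merely the old one incremented or decorated. “Nancy1” is the article’s own illustration; the other sample values are constructed.

```python
"""Reject "increment the old password" changes (added example; not Comodo's
tooling). The article's examples are Nancy1 -> Nancy2 and Nancy1 -> Nancy1!,
plus the yearly age bump on a family member's name. The check can only run
at change time, when both the old and the new password are available to the
password-change handler.
"""
import re
from typing import Optional, Tuple

# stem = everything before the trailing decoration, digits = trailing run of
# digits, symbols = trailing run of punctuation ("Nancy1!" -> "Nancy", "1", "!")
_DECORATION = re.compile(r"^(?P<stem>.*?)(?P<digits>\d*)(?P<symbols>[^\w\s]*)$")


def split_decoration(password: str) -> Tuple[str, str, str]:
    """Split a password into (stem, trailing digits, trailing symbols)."""
    m = _DECORATION.match(password)
    return m.group("stem"), m.group("digits"), m.group("symbols")


def trivial_variant_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is a trivial variant of `old`, or None if it is not."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return "unchanged (case aside)"
    old_stem, old_digits, _ = split_decoration(old_l)
    new_stem, new_digits, _ = split_decoration(new_l)
    if old_stem and old_stem == new_stem:
        # Same word, only the trailing digits/symbols moved: Nancy1 -> Nancy2,
        # Liam2016 -> Liam2017, Nancy1 -> Nancy1!
        if old_digits != new_digits:
            if old_digits and new_digits and int(new_digits) == int(old_digits) + 1:
                return "trailing number incremented"
            return "trailing number changed"
        return "trailing symbols changed"
    if new_l.startswith(old_l):
        return "old password with characters appended"
    if old_l.startswith(new_l):
        return "old password with characters removed"
    if len(old_stem) >= 4 and old_stem in new_stem:
        return "old password stem reused"
    return None


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the change should be rejected as a trivial variant."""
    return trivial_variant_reason(old, new) is not None


if __name__ == "__main__":
    for old, new in [("Nancy1", "Nancy2"), ("Nancy1", "Nancy1!"),
                     ("Liam2016", "Liam2017"), ("Nancy1", "Tr0ub4dor&3")]:
        print(f"{old} -> {new}: {trivial_variant_reason(old, new)}")
```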

So what does this mean? How can you determine if your company is at risk? The best way to see what is vulnerable, to find out if there is already any information available for sale on the Dark Web, is to sign up for a Company Threat Analysis.

Comodo’s personalized reports identify if an enterprise’s information has been stolen and dive into how this data became available to cybercriminals in the first place—for example, via credentials stolen from direct network access or data breaches from third-party applications.

For each instance, the affected company gets the chance to review a sample of the leaked credential records and details on the attack processes, to help them understand what went wrong.

Find out exactly what is out there and what you need to do to take care of the problem. Visit https://threatanalysis.comodo.com/.

About the Author

Jerald (Trip) Nine oversees Comodo's Threat Intelligence Programs Division. He is responsible for managing a team that analyzes more than 300,000 crime servers globally.

He has studied threat analysis on close to 1,000 U.S. enterprises and consults many Fortune CISOs on their global security posture. Nine also studies password psychology and reverse engineers the latest credential hacking methods.


Five tips for educating your employees on cyber security

Are you watching your employees closely enough?

You may be surprised to know that your main concern when it comes to cyber security is not some external threat, but the people who surround you on a daily basis. Yes, it’s your employees that you really need to worry about, not some hackers in a garage in Idaho. That's not to say that your staff have an agenda to bring your company down (or at least, let's hope not). It's just that human error and carelessness while doing everyday tasks are the main causes of business security breaches.

Whether it's leaving their laptops and mobile devices lying around in public places, storing data in insecure locations, or failing to protect sensitive information and networks with effective passwords, there are numerous ways in which your employees can leave your business vulnerable to attack.

How can security threats be avoided?

Don't lose heart – with the right approach, the people who work for you can be transformed from your greatest weakness to your greatest strength in combating malicious cyber attacks.

The first thing you need to do is ensure that you have a rigorous IT security policy in place. This policy should be thorough enough to cover all realistic eventualities, updated regularly to take into account newly emerging threats, and contain a clear step-by-step plan for responding to any security issues that arise.

Once you've implemented this, you need to make sure your employees understand what the risks are, and the scale of impact they can have.

To put it in language they'll understand, the costs of recovering from a cyber security issue can potentially be enough to put you out of business – which means no more jobs.

Your staff may be more than willing to follow your security policy, but if it's not drummed into them on a regular basis, they will simply get caught up with all the other important things they have to keep track of to do their jobs effectively.

This means that you'll not only need to educate your staff on the risks and best practices to avoid them, but you'll need to constantly remind them of their duty to keep your company safe, and the ways in which they can do so.

To help you out, we've put together our top five tips to keep your employees up to speed on cyber security:


1: Make sure they understand how a cyber security breach could affect the business

Cyber security is no game – a breach can be invited by the most innocent of oversights, but the consequences can be devastating for your whole organization. You may suffer financial losses. Your valuable digital assets and intellectual property could be compromised. Or your customers' private data could be leaked, leading to fines and costly lawsuits. Any of these things can also lead to an irreversible loss of trust or irreparable damage to your public reputation. And all it takes is one careless act by a member of your team – leaving their laptop on a train, working with sensitive files over an open Wi-Fi network, or clicking on a link in a phishing email. They may not realize it, but by using memorable dates or family members' names in their passwords, and revealing that information on social media or other online locations, your staff can unleash a trail of evidence that allows smart hackers to place your entire business at risk.

2: Get everyone involved in cyber security

Just because someone is a manager or an IT expert, it doesn't mean that they won't make mistakes that can compromise the safety of the company. Everyone needs to be educated on cyber security – in fact, senior staff members have access to a greater range of information, which makes them more attractive to potential cyber criminals. Your technical staff may have the knowledge they need to remain secure, but they're also more likely to be targeted by savvy hackers, who will know that they have greater access rights to your systems, networks, and data. Because IT professionals know more, they can also become complacent, which is why regularly reminding them of their responsibilities is no bad idea. Remember, it only takes one person to make one mistake to put the whole company in a vulnerable position.

3: Have regular recaps on best practices for cyber security

You must make sure that training is a regular practice in your company. It's no good explaining best practices when a mistake has already been made. This means educating new staff on the risks, and also holding regular sessions where you remind workers of the ways in which they can keep the company safe and update them on any new habits that they need to bring in. You should also make resources available to your workforce in between training sessions, in the form of information packs, forums where issues can be discussed, bulletins and opportunities to speak to IT experts in the company who can remind them of their responsibilities and clarify anything that they don't understand. You can make the information you provide interesting, keeping it up to date with the latest news about cyber security breaches at other companies, and discussion about how this affected those companies to reinforce how seriously this issue needs to be taken. Another trick you can try is to introduce regular tests to ensure that the advice you're giving is being taken on board.

4: Create clear-cut rules for online activity

If your employees have strict rules for how they browse the web, send emails, or use company devices, they're more likely to follow them than if you give vague guidelines. Introducing a “safe browsing” culture can keep staff vigilant of suspicious links or email scams. Enforcing regular password changes and implementing security measures to keep data safe is useful, but remember that if you make it too difficult, staff might find workarounds that compromise the security that these measures are supposed to enhance.

For example, if they have to change their passwords too frequently they may write them down on a notepad and leave it lying around, and if they have to go through an overly complex process every time they want to access their files in the server, they may store them offline or on external storage devices, saving everything into the network at the end of each day.

5: Have a plan in place for recognizing and dealing with cyber attacks

Of course you want to have measures in place that will ensure you avoid a cyber attack, but however safely you and your staff are behaving, the unthinkable can always happen. If it does, you'll want to make sure that you have a process in place for minimizing the threat and returning to normality as quickly, painlessly, and cheaply as possible. One thing you can do to this end is to have a way for staff to alert the relevant person if they're concerned that a breach may have occurred or that something doesn't feel right.

This could be an emergency phone number that is publicized around the office. If an attack happens, you'll need to make everyone aware of it as quickly as possible, and have a procedure in place that will ensure everyone knows what they should and should not do. An internal communications plan will enable you to get information to the people who need it. It's also useful to have a PR strategy so that your people know how to respond to questions from press and stakeholders to maintain a responsible public image.

Unfortunately, we live in an age where there will always be people targeting your business, and it's vital that you protect yourselves against them in any way possible. The best way to keep your business safe is to make a commitment to educating your staff and making sure that they're aware of the security threats their activities can present, the scale of damage that can be caused by simple mistakes, and what they can do to minimize the risk.

About the Author

Asher de Metz has approximately 20 years of experience in the cyber security industry consulting to some of the world’s largest companies in all of the top vertical markets. Starting in London he has worked across Europe, the Middle East, and has spent the last 8 years in America working for Sungard Availability Services where he runs the Technical Security Practice.


Yet Another Case for Viable Back-Ups and Testing

Mistakes Happen by Charles Parker, II

InfoSec has the distinct tendency to be a very taxing and stressful field to work in, often at the most inopportune times. There are the usual deadlines, budgetary constraints, labor hour limitations, internal politics, vendors calling and/or emailing, and the inevitable compromise or successful phishing campaign at 3:50 Friday afternoon or 3:30 Tuesday morning.

Murphy’s Law has been very active in InfoSec for some time. These moving parts must be considered and scheduled to continue the forward movement, while maintaining the in-depth defensive posture against the attackers from across the globe.

This balancing act is manifested with the user multi-tasking. The human experience only has so much attention to apply to all the projects. With a greater number of projects, there is less attention to each applied. With this, all it takes is one oversight and there may be a massive time-consuming issue to resolve.

One area of operations that has become increasingly important is the back-ups. Back-ups have been a very useful and beneficial tool on many different fronts for the business and Admins, e.g. a user deletes an email or set of emails, hardware errors, users falling victim to ransomware, and other use cases.

In general, this is a prudent practice and an industry standard. The Admin never knows when the data would be needed. This protocol is simply important. Not to utilize a back-up protocol is, at the least, bordering on negligence.

With the back-up methodology, there are many factors to take into consideration, including the timing and media. Also, as important is the testing. Without a robust test periodically, there is no guarantee the back-ups are viable. Testing is not always done though.

At times, the Admin simply is too busy and accepts the output from the back-up application stating the back-up was perfectly acceptable. Although this report may provide an artifact stating all is fine, there may be an error. The dependence on this may provide the background for a significant oversight and error.

GitLab

An issue was noted recently with GitLab's back-ups. GitLab is like GitHub, except with an alternate focus of lab work. With this instance, an employee deleted a directory located on the incorrect server.

This was clearly an accident and not a case of malicious insider misfeasance. The SysAdmin was at work later in the evening, and in a fatigued state inadvertently deleted a directory on the wrong server. Within this directory was a folder holding 300GB of live production data, which was supposed to be backed up.

The SysAdmin realized the oversight when there was only 4.5 GB of data remaining. At this point the SysAdmin was thinking of the back-ups and hoping these were still working and viable.

Although this would have been a great use of the back-ups and a victory, there unfortunately were issues. This use case involved live data. The prior viable back-up had been completed six hours previously, so there was a gap. To add to the problem, GitLab utilized five back-up formats. None of these contained data or had been set up initially.

Oops.

Lessons Learned

The purpose of insurance is to protect against an event with a low chance of occurring that would have a large impact if realized. This was one of those cases. The back-ups are a form of insurance. With a catastrophic, epic failure, the business operations would simply cease or nearly so. The business would need to use paper again to do much of anything.

The users and Admins may not put a mass amount of thought into this, until the back-ups are needed. At this point, it may be an emergency to get these in place and working.

The business needs to have regular back-ups scheduled and tested regularly. Without these, the Admin is merely hoping and placing their reputation on a report.
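The point made above, that a success report from the back-up job is not evidence that the back-up can be restored, as an added example that is not from the article: a stand-alone Python routine that takes a tar backup of a directory, restores it to a scratch location and compares a SHA-256 hash of every file against the source, treating an empty archive as a failure. All paths and data are constructed samples.

```python
"""Added example: verify a backup by restoring it, not by trusting the tool's report.

Constructed sample data only; no real GitLab paths or tooling are involved.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def create_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of `source` to `archive` (paths stored relative)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def verify_backup(source: Path, archive: Path) -> dict:
    """Restore the archive to a scratch directory and compare it to the source.

    Returns a report dict; `ok` is True only when the archive exists, is not
    empty, restores without error, and every source file hashes identically.
    A success message from the backup job is deliberately *not* used as evidence.
    """
    report = {"ok": False, "reason": "", "files_checked": 0, "mismatched": [], "missing": []}
    if not archive.exists() or archive.stat().st_size == 0:
        report["reason"] = "archive missing or zero bytes"
        return report
    try:
        with tarfile.open(archive, "r:gz") as tar:
            members = [m for m in tar.getmembers() if m.isfile()]
            if not members:
                report["reason"] = "archive contains no files"
                return report
            with tempfile.TemporaryDirectory() as restore_dir:
                tar.extractall(restore_dir)  # archive we produced ourselves
                restored = file_hashes(Path(restore_dir))
    except (tarfile.TarError, OSError) as exc:
        report["reason"] = f"restore failed: {exc}"
        return report

    expected = file_hashes(source)
    report["files_checked"] = len(expected)
    for rel, digest in expected.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
    if report["missing"] or report["mismatched"]:
        report["reason"] = "restored content differs from source"
    else:
        report["ok"] = True
        report["reason"] = "restore verified"
    return report


def demo() -> tuple:
    """Build constructed sample data, take a backup, then verify a good archive
    and a zero-byte archive (the 'report says fine but nothing is there' case)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "production"
        (src / "repos").mkdir(parents=True)
        (src / "repos" / "project.git").write_bytes(b"constructed repo data\n" * 50)
        (src / "db.sql").write_text("-- constructed dump\nINSERT INTO users VALUES (1, 'a');\n")

        good = work / "backup-good.tar.gz"
        create_backup(src, good)
        good_report = verify_backup(src, good)

        empty = work / "backup-empty.tar.gz"
        empty.write_bytes(b"")  # what a misconfigured job can leave behind
        empty_report = verify_backup(src, empty)
    return good_report, empty_report


if __name__ == "__main__":
    for name, rep in zip(("good", "empty"), demo()):
        print(f"{name}: ok={rep['ok']} ({rep['reason']}, {rep['files_checked']} files)")
```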

About The Author

Charles Parker, II began coding in the 1980’s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is presently completing the PhD (Information Assurance and Security) in the dissertation stage at Capella University. CP also is an adjunct faculty at Thomas Edison State University. CP’s interests include cryptography, SCADA, and NFC.

He has presented at regional InfoSec conferences. Charles Parker, II may be reached at [email protected] and InfoSecPirate (Twitter).


WannaCry ‘Remedies’: The Second Wave of Attacks

Since May 12th, over 200,000 victims in 150 countries have been hit by a massive, international ransomware cyberattack called WannaCry.

Ransomware is a type of malware that works by seizing control of and blocking access to a computer’s files, programs, and operations.

Users are then informed that they must pay a certain amount in order to regain access to their files, with the threat of permanently losing all of their data if they choose not to pay.

In the WannaCry attack, users were given three days to make the payment before the fee increased, and seven days before the files would be lost forever. (http://blog.easysol.net/ffiec-issues-ransomware-alert/)

How did we get here?

March 14th – Microsoft released a patch for vulnerabilities in its operating system, reportedly likely to have been tipped off by the NSA. (https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html)

April 14 – , a group of hackers that emerged in August 2016, released several hacking tools that reportedly originally belonged to the NSA. They also released a message citing various political motivations for leaking the information.

May 12 – Computers around the world running older operating systems or that had not yet been updated with Microsoft’s March security patch were infected by the massive attack. Among those affected were hospitals, universities, and government agencies.

A UK cybersecurity researcher discovered a kill switch in the attack code and inadvertently hindered the spread of the malware in the United States.

However, the kill switch was unable to help systems that had already been affected, and it is likely that the hackers will send out more attacks without the kill switch included. (https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/)

May 15 – The number of victims continues to be updated as employees return to their work computers on Monday morning.

In addition, the kill switch has been turned off in the latest variant, making the previous slowing of the infection

How WannaCry remedies are only another fraud vector

The massive scope and potential financial impact of the WannaCry attack has understandably caused a lot of panic, and companies and individuals alike have been rushing to protect their devices.

However, this frenzy has opened up new damaging routes for fraud.

One of these attack routes is through mobile applications that have been found on third-party application stores.

There are various mobile applications advertising that they can be used to protect users from the WannaCry ransomware.

However, our analysts found that some of these apps contained adware meant to infect the devices they are downloaded onto.

Rather than protecting users’ devices, they are causing them harm.

The adware found is classified as Adware.mobidash, a module that attackers include in Android games and apps in order to monetize them.

This adware has the capability to load webpages with ads, show other messages in the status bar, or modify the DNS server.

The latter is quite dangerous as the real risk lies in the fact that the end user’s device is performing unwanted activity without their authorization.

To hide this dangerous behavior, the adware doesn’t start to perform its malicious activity immediately, but after a short period of time.


How to protect your business and your end users:

• Deploy the MS17-010 update issued by Microsoft on March 14. This patches the vulnerabilities being exploited by WannaCry.

• Educate employees on how to spot and report phishing.

• Deploy a DMARC policy to reduce spearphishing emails that target employees, such as those emails used to deliver ransomware like WannaCry.

Our Take

We have blogged a lot about digital trust, fake news and all sorts of tricks that criminals use to get the attention of consumers and have them click on a link.

Yet this is one area that continues to amaze us: how sophisticated the manipulation of the human factor has become.

It will only be a matter of time until we see the WannaCry malware expand further to trick end users to install a patch that allegedly prevents the new massive ransomware attack.

However, this time it will not be a patch, but a new version or variant of a financially motivated malware.

About the Author

Fernando Cuervo, Detect Monitoring Service Leader, Easy Solutions

Fernando Cuervo is an Easy Solutions engineer in charge of Detect Monitoring Service (DMS). He ensures his team is continually protecting brands from cyber fraud through the latest threat intelligence technology.

He has extensive experience in fraud detection and deactivation, network design and data transmission.

Before coming to Easy Solutions, Fernando was a Project Coordinator at RED. He speaks Spanish and English.


The Risks (and Prevention) of Crime-as-a-Service in Healthcare By Kurt Long, Founder and CEO, FairWarning

The recent study from the Brookings Institution detailing that 25 percent of hacking attempts will focus on healthcare data should serve as a critical notification for industry providers. The study found that since 2009 the health data of more than 155 million Americans has been breached, representing a massive number of records containing SSNs, addresses, and payment data.

The vehicle for a considerable number of these hacks is “cyber-crime-as-a-service”, where criminals can go online to purchase virtual tool kits to conduct malware attacks. These are packaged in a ready-to-go format, so criminals with limited technical backgrounds can carry out successful ransomware attacks. The payoff can be immense (especially compared to the low risk of being caught), with health records on sale via the “Dark Web” for upwards of $50 each.

Despite the risks, many healthcare sector companies are ill prepared to stop such breaches. With the passage of regulations such as those requiring electronic health records (EHR), there were benefits in terms of accuracy and speed of information, but firms were not ready to secure all of the newly digitized information. Combined with a lack of transparent monitoring (who is accessing what information), this leaves organizations struggling to even spot whether a breach has occurred.

Detailing the Causes

Easy monetary gain is the main cause for such breaches. Thieves that target these records do not need a getaway car, and don’t need to worry about selling a physical product at a pawnshop. They can conduct the attacks from any internet connection, with little fear of law enforcement actions.

Breaches are not always committed by hacker groups. Many of them are performed, intentionally or not, by staff members at the provider or a vendor. Perhaps a front desk agent agrees to look up the health records of a friend’s close family members, in violation of HIPAA rules. Or a vendor with expired access decides to access and sell a few hundred records for some quick cash. The problem with these smaller-scale breaches is that they often go undetected for weeks or months, and in many cases are not discovered at all. For internal staff, it’s often a case of lack of awareness and faulty training. They might not clearly understand the right and wrong ways to access data, or they might unwittingly provide access to other agents.

Another frequent source of hacks is third-party vendors working with healthcare facilities, as many of these workers are granted access but their activities aren’t often tracked. Vendors might be EHR providers, outsourced IT analysts, technicians, or labs that are all part of coordinated care. These third parties often do not have tight controls over their staff’s actions in regards to systems access, and the actual provider might have zero visibility. Another layer of complexity is added when the vendors then contract out to other vendors. Many vendor staff are not typically trained on security procedures, including password creation policies, log in/out procedures, avoiding public Wi-Fi, etc. A diagnostics consultant might leave the vendor but then discover their access credentials are still valid a year later and be tempted to offer the access to a hacking group.

The sheer size and complexity of a large multi-faceted hospital and healthcare group underscores the threat. Perhaps this group has merged with several other providers and worked with hundreds of vendors over the past 20 years. There might be hundreds of systems operated by the group that all contain patient information. During those 20 years there could easily be a hundred thousand individual users, between vendors and actual staff. Manually monitoring all of these potential access points is a massive undertaking.

Managing the Problems with Technology and Training

Mitigating the security risks requires a two-pronged “people and technology” approach. On the people front, healthcare providers need to first identify all of the known and unknown users and compile them into a centralized source that is easily managed and analyzed. Such an audit must include all past staff members and vendors, to provide a true count of potential access threats.

Staff training is essential, with providers offering mandated security awareness training. This should include specialized training for those that work directly with the most sensitive records data. Unfortunately, the current model of training is broken, and staff are not provided with clear direction on log on/off policies, password protection, and rules on distribution of records. Staff might perform seemingly innocuous actions that end up being major breaches of privacy. For example, an RN might look up the x-ray scan of their nephew to check on their broken arm, but find previously undisclosed private health information. This type of breach does not have the same ramifications as a massive cyber breach, but it should still be handled with seriousness and include additional training for the staff.

In order to handle the scale of healthcare organizations (in terms of staff and number of systems), providers must adopt dynamic learning management systems that provide automated and frequent training. Users must receive repeated messages about their part in managing data compliance, so the organization can become a security-focused culture.

The technology piece of improved security is intended to keep track of the entire user base, across staff and third-party vendors. Firms should put in place advanced monitoring tools to identify poor security patterns, spot individual user credentials being used in different locales, and to identify unapproved access. These tools will look at registration and login patterns and send automated alerts to IT and management when it spots surges in patient record access.
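An added example, not part of the article or of any FairWarning product, of two of the monitoring rules described above run over constructed audit lines: a surge in distinct patient records viewed by one user, and one credential used from two sites within a short window. The log format, field names and thresholds are assumptions.

```python
"""Added example: simple access-monitoring rules over constructed EHR audit lines.

Two of the patterns the article describes are implemented: a surge in patient
record accesses by one user, and one credential used from two locales within
too short an interval. Log format and thresholds are assumptions, not any
product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp  user  action  patient_id  site
SAMPLE_LOG = """\
2017-06-01T08:00:10 jdoe     VIEW_RECORD P1001 clinic-north
2017-06-01T08:01:05 jdoe     VIEW_RECORD P1002 clinic-north
2017-06-01T08:01:40 jdoe     VIEW_RECORD P1003 clinic-north
2017-06-01T08:02:15 jdoe     VIEW_RECORD P1004 clinic-north
2017-06-01T08:02:50 jdoe     VIEW_RECORD P1005 clinic-north
2017-06-01T08:03:20 jdoe     VIEW_RECORD P1006 clinic-north
2017-06-01T08:05:00 rn_smith VIEW_RECORD P2001 ward-3
2017-06-01T08:07:00 vendor7  LOGIN       -     lab-west
2017-06-01T08:20:00 vendor7  LOGIN       -     clinic-east
2017-06-01T09:00:00 rn_smith VIEW_RECORD P2002 ward-3
"""

SURGE_THRESHOLD = 5                   # more than 5 distinct patients ...
SURGE_WINDOW = timedelta(minutes=5)   # ... within 5 minutes is a surge
LOCALE_WINDOW = timedelta(minutes=30)  # two sites within 30 minutes is suspicious


def parse_log(text: str) -> list:
    """Turn the whitespace-separated sample format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, site = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "site": site})
    return sorted(events, key=lambda e: e["ts"])


def detect_record_surges(events, threshold=SURGE_THRESHOLD, window=SURGE_WINDOW):
    """Flag users who view more than `threshold` distinct patients inside `window`.

    A sliding window per user; one alert per user is emitted at the first
    moment the threshold is exceeded."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW_RECORD":
            per_user[e["user"]].append(e)
    for user, views in per_user.items():
        start = 0
        for end in range(len(views)):
            while views[end]["ts"] - views[start]["ts"] > window:
                start += 1
            patients = {v["patient"] for v in views[start:end + 1]}
            if len(patients) > threshold:
                alerts.append({"rule": "record_surge", "user": user,
                               "count": len(patients), "at": views[end]["ts"]})
                break
    return alerts


def detect_multi_locale(events, window=LOCALE_WINDOW):
    """Flag a credential seen at two different sites within `window`."""
    alerts = []
    last_seen = {}
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev["site"] != e["site"] and e["ts"] - prev["ts"] <= window:
            alerts.append({"rule": "multi_locale", "user": e["user"],
                           "sites": (prev["site"], e["site"]), "at": e["ts"]})
        last_seen[e["user"]] = e
    return alerts


def run_rules(text: str = SAMPLE_LOG) -> list:
    """Run both rules over the log text and return the combined alert list."""
    events = parse_log(text)
    return detect_record_surges(events) + detect_multi_locale(events)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```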

Advanced tools will map directly to HIPAA guidelines, which will help providers to successfully manage audits. Tech solutions can also be used to run predictive analytics which can help IT to spot problem staff members or entire processes which pose a risk. This allows proactive responses which could be the difference between a problem and a 10-million-record breach.

Managing and training staff is tricky within healthcare because the clinical information is necessary for the health of patients. Doctors and nurses cannot be restricted from health information, but should not have access to financial payment information. There must be a certain level of trust between the staff and IT that comes from training and smart implementation of technology.

Monitoring should go hand-in-hand with identity management, with a full access rights management process for all users that covers where they work, who they are, and the exact rights they should use in their daily work. New users should be onboarded within such a structure, where their user rights are clearly delineated before they start the job.

Moving Forward

Technology tools such as advanced user monitoring provide visibility and accountability, and when combined with training they provide organizations with a layer of breach protection. While no solution makes the organization immune to threats, the right approach can make the healthcare provider a much less appealing target and provides IT the chance to stop small breaches before they spiral out of control.

The trend of healthcare breaches continues year-over-year, with a Gartner analyst predicting every person in the country will have their health information hacked by 2024 (if not sooner). Healthcare industry organizations can limit the scope of such incidents by employing the two-pronged approach of training and technology to introduce control and visibility into data access.

About the Author

Kurt Long is the Founder and CEO of FairWarning®, whose Patient Privacy Intelligence customers represent over 8,000 healthcare facilities globally, and which protects financial services customers with over $500 Billion in assets. Prior to FairWarning®, Mr. Long founded and served as CEO of OpenNetwork Technologies, a leader in web single sign on and identity management software solutions. As CEO, Mr. Long led OpenNetwork to over 2,000% growth with customers across the United States, United Kingdom, Europe and Australia. OpenNetwork was acquired by BMC Software of Houston.

http://www.fairwarning.com/
https://www.linkedin.com/in/kurt-long-8223211/
https://twitter.com/FairWarningInc


Part III: Current and Future IoT Threats

The relationship between IoT and Wi-Fi

By Ryan Orsi, Director Product Management, WatchGuard Technologies

In parts one and two of this series, I covered the importance of understanding the anatomy of a Wi-Fi hacker and how to defend your airspace using WIPS and WIDS. For my last article of the series, I’ll cover the growing threat of Wi-Fi enabled Internet of Things (IoT) devices.

Today, most IoT devices fall into two categories: general IoT and industrial IoT (or IIoT). The first consists mostly of consumer devices like cameras, watches, thermostats, color LED light bulbs, and more. The second includes items like electric, gas and water meter devices that attach to the home or business and transmit data back to industrial systems or utilities.

As you probably know, the IoT market is growing fast. As a matter of fact, according to Bain, by 2020 IoT annual revenue will reach $470 Billion. And, McKinsey & Company estimates the annual growth rate to be about 33 percent. That’s huge growth, and it’s putting a lot of pressure on manufacturers to produce these devices quickly. As a result, most devices are Wi-Fi enabled (versus using cellular data), delivering low cost connectivity for buyers.

But remember the old saying, “You can get something fast, cheap or good. Pick two.” As IoT manufacturers race to get new products to market, they’re also overlooking (to put it kindly) the major security concerns associated with these new devices.

Which means these products are fast and cheap, but often not good from a security standpoint. Of course, these smart, connected devices make our lives and jobs more convenient, but they also present critical security challenges. The reality is, convenience and security often don’t mix. When you combine the security vulnerabilities of IoT devices and Wi-Fi, these transformative technologies begin to look a lot scarier.

Don’t believe me? Let’s dive into some IoT vulnerabilities, first by looking at the main attack vectors:

• Network Services – IoT devices are connected to the network for a reason: to provide remote access. Unfortunately, when users set up these services, security usually isn’t top-of-mind. So when a webcam is deployed, chances are it’s assigned to an open, unprotected port. Since IoT devices don’t have good security, this means a user’s network could be vulnerable.

• Man-in-the-Middle (MiTM) Attack – As mentioned in Part 1 of this series, IoT devices are not actively managed, allowing hackers to launch MiTM attacks in relative obscurity over either wired or wireless networks. Today, the majority of wireless hacks involve a MiTM attack.


• Cloud-based IoT – Most IoT devices have a cloud-based application that helps to manage the device. When these cloud services have poor security, they’re a prime target for hackers. After infiltrating the cloud service, attackers typically gain access to a plethora of user account information and devices. So essentially, access to one device is access to all devices associated with the service.

What is a real-world example of one of these attacks? In September/October of 2016, the Mirai botnet emerged. It took down Brian Krebs’ website, Netflix, Twitter and more. It exploited IP cameras, DVRs, and other common household routers by scanning open ports connected to the Internet and then trying 61 common user name and password combinations that were found in manufacturer user guides.

The process wasn’t rocket science, and once they gained access, hackers had control of these devices and used them to launch the world’s largest DDoS attack against cloud DNS host Dyn. This caused the aforementioned sites to crash. The attack came from more than 160 countries, showing just how vulnerable IoT devices are across the globe.

While Mirai was not a Wi-Fi vulnerability per se (it happened over a wired network), it did bring IoT security into the headlines once again, highlighting the fact that Wi-Fi is a major IoT attack vector for hackers.

MiTM attacks are often used to gain access to Wi-Fi networks, and once in, hackers can search for vulnerable IoT devices and plant back-door malware that will give them access to a network from anywhere in the world.

Think about the impact this can have on today’s devices. For example, telemedicine devices like home heart monitors or blood pressure sensors gather information and send them back to physicians over Wi-Fi. These little computers are just as vulnerable as DVRs and webcams. Or, what about Point of Sale (POS) systems?

More and more businesses are running payment-processing systems across a Wi-Fi connected tablet. These tablets can be compromised using MiTM attacks and malware, resulting in stolen payment card information or worse. And the list goes on with connected cars, printers, kitchen appliances, thermostats, light bulbs, industrial systems and more.

If the lack of security on the majority of these devices isn’t scary enough, imagine them all connecting to a massive, city wide public hotspot.

That’s what’s happening today and it’s called Municipal Wi-Fi. Municipal Wi-Fi is designed to allow all devices within range to connect to an open, unsecured Wi-Fi network.

Think of the local mall on a small scale, but entire cities on a large scale. For example, today, South Africa has one of the largest municipal Wi-Fi networks, which supports connections from 1.8 million unique devices.


The ability to deploy these large municipal networks is opening the door for companies like Google, Facebook and Microsoft to work with the Internet Governance Forum to create municipal networks in developing countries. It’s an initiative they’re calling “Connecting The Next Billion,” and it’s designed to offer developing nations access to Internet services and connectivity.

The IoT growth potential with these networks in place is staggering. And again, it highlights the need for IoT security.

So, how do we fix the IoT security problem? Consumers, vendors and manufacturers all need to care about securing IoT devices. Unfortunately, right now, they don't. Meaning if you join an unsecured open Wi-Fi network with your IoT device, there’s a chance you're vulnerable to an attack.

Because there is a lack of motivation to secure IoT devices, government regulations may be the fastest way to get manufacturers to prioritize security by design.

This is becoming a hot issue and we’re starting to see industry thought-leaders weigh in on the topic. For example, Bruce Schneier recently testified in Congress regarding the Mirai botnet attack. He addressed the growing need for IoT regulation, when he said:

“What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.”

While we may not see government regulations anytime in the immediate future, the industry (and external researchers) can continue to shed light on IoT security issues by exposing vulnerabilities in these products.

For example, WatchGuard’s Threat Lab recently discovered a new vulnerability in a cloud-based management portal for a security camera.

Once the issues were found, the team reported the problems to the manufacturer, which was able to quickly patch the vulnerability.

While not all manufacturers and vendors today may have the incentive to build secure IoT devices, organizations offering Wi-Fi can take matters into their own hands to help ensure consumer safety. If you’re delivering Wi-Fi to customers, employees or partners, consider these five tips:

1. Deploy a new Wireless Intrusion Prevention System (WIPS) that can easily isolate rogue APs and stop MiTM attacks in real-time. Yes, these exist (for example, check out WatchGuard’s new Wi-Fi Cloud).


2. Use Wi-Fi network segmentation to separate guest and private networks. Not only will this boost performance, but also should a hacker breach the network, segmentation can help keep the intrusion contained.

3. Use policies to segment IoT devices like web-cameras, thermostats, and others away from guest and private networks.

4. Use a Unified Threat Management (UTM) appliance to secure the traffic as it traverses each network segment.

5. If you’re not an expert in network management or security, hire a managed security service provider (MSSP) to handle the burden.

Our future is dependent on the choices we, as consumers and security professionals, make about our own security today. The reality is that vendors sell what the market buys. And, right now, most people are content buying IoT devices that lack proper security. Either the market demands better security or hackers continue to exploit vulnerabilities in IoT, costing the industry dearly.

As a company, take the necessary steps to deliver secure Wi-Fi for your customers and employees. As IoT continues to grow, having secure Wi-Fi will be vital to keeping them safe. And, as a consumer, take a stand. Tell IoT manufacturers that you want better security. If we don’t take our own security seriously, then neither will they.

About The Author

Ryan Orsi is Director of Product Management at WatchGuard, a global leader in network security, providing products and services to more than 75,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical, and consumer wearable markets. As VP Business Development in the RF industry, he led sales and business development teams worldwide to success in direct and channel environments. He holds MBA and Electrical Engineering Degrees and is a named inventor on 19 patents and applications.

Ryan can be reached online at @RyanOrsi and at our company website www.watchguard.com/wifi


Post-Quantum Information Security By Hunter Bannister, East Carolina University

As long as sensitive data exists, someone will want it, which is why that data must be readable only by authorized parties. This is accomplished with encryption, which renders the information useless to anyone without the means to decrypt it. The word “encryption” derives from the Greek kryptos, meaning hidden, and the use of encryption can be dated back thousands of years. Around 1900 BC the ancient Egyptians used hieroglyphs not normally seen to hide the meaning of a tablet.

The Spartans, around 700 BC, would write messages onto a thin leather strip while it was wrapped around a stick (imagine the leather strip wrapped around the stick like the stripes on a candy cane or barber pole). When the leather strip was received it would be wrapped around a stick of the same diameter, and the characters would line up side by side and form the message. With humanity soon entering the quantum age, the majority of our current encryption methods will become obsolete, forcing us to adapt to the computational strength of quantum computers and devise strong encryption methods for the post-quantum age.

The type of encryption we use today accomplishes the same goal as the methods used by the Egyptians and Spartans but is more complicated. There are two major types: asymmetric and symmetric encryption. Asymmetric encryption, or public-key encryption, utilizes private and public keys to encrypt and decrypt data. The public key can be distributed to anyone and is used to encrypt messages that can only be decrypted by the private key, which is supposed to be kept secret and not given out to anyone. Symmetric encryption, on the other hand, uses the same key for encryption and decryption. Because the two keys are the same, it is relatively easy to produce a strong key.

Quantum computing is not a new idea and has been tossed around quite frequently, but many people do not actually know how quantum computers work. A quantum computer operates in a vaguely similar fashion to our current computers, which use zeros and ones as bits, but instead of trying to avoid quantum mechanics it is built upon them. The basic unit of a quantum computer is the quantum bit, or qubit for short. Qubits are physical particles such as a photon, nucleus, or electron.

Quantum gates take the place of transistors in quantum computers, and these quantum gates measure the spin of the qubit by looking at the magnetic field. The two states can be either spin up or spin down, comparable to the ones and zeros of current computers. Qubits are in a state called quantum superposition, which means the qubit is simultaneously in spin up and spin down.

Another theory is called quantum entanglement, which states that the only thing we know about two qubits that are paired together is that they are opposite of each other. When one qubit is measured you know the state of its pair without measuring it. With multiple states, four coefficients are used which show the probability of the state that the configuration is in (up-up/up-down/down-up/down-down). The four coefficients are equivalent to bits in current computers, which is where the power in quantum computing comes from. In current computers two bits give you 2 bits of information; with 2 qubits you get 4 bits of information, with 3 qubits you get 8 bits of information, and this curve continues exponentially. It can be shown with the equation 2^n = X, where “n” is the number of qubits in a configuration and “X” is the number of bits you will get out of the configuration.

Quantum computers having all this power makes it extremely easy for them to go through huge amounts of data relatively quickly, whether that be simulating a quantum environment, searching a database, or, most important for information security, finding the prime factors of a number. Shor’s Algorithm answers the problem of “given a large integer ‘n’ (typically several hundred digits long), factorize ‘n’ as a product of primes” (Moorhouse). The problem with this is that common encryption such as RSA is built upon the fact that factoring a large number into two large prime factors is very difficult and time consuming for current computers. However, this is not difficult for quantum computers, as they have the capability to run complex algorithms in significantly less time.

Old methods of encryption are slowly being replaced by stronger, more modern methods that can resist the computing power of quantum computers, giving birth to a new age of post-quantum encryption. One of the new methods designed to withstand quantum computers is a hash-based public-key signature system. In this system the equation H(x) = y is utilized. “The signer starts by generating a secret x and then computes y = H(x), the signer’s secret key has 8b² bits (b=128), namely 4b independent uniform random strings, each string having 2b bits, the signer then computes the public key as H. To sign a message m the signer generates a uniform random string r, computes the bits, and reveals as a signature of m” (Bernstein). This method is more commonly known as the Lamport-Diffie one-time signature system. If a signer wants to sign more than one message they have to chain the messages together. To accomplish this the signer generates a public key to be placed at the end of a message. The next message sent is decrypted with the public key placed at the end of the previous message. This chaining process can be repeated as many times as necessary.
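The one-time signature the quotation describes, worked through as an added example (this code is not from the article or from Bernstein’s book). It instantiates H with SHA-256 and signs the 256-bit digest of the message, so the secret key is 512 random strings of 256 bits, matching the 4b strings of 2b bits with b = 128 quoted above; the sample message is constructed.

```python
import hashlib
import secrets

DIGEST_BITS = 256  # one pair of secret strings per bit of the SHA-256 digest


def H(data: bytes) -> bytes:
    """The one-way function H of the article, instantiated here with SHA-256."""
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key x: for every digest bit, two random 32-byte strings (one for a 0, one for a 1).
    Public key y = H(x): the hash of each of those strings.  256 positions x 2 strings gives
    the 512 strings of 256 bits (4b strings of 2b bits, b = 128) described in the text."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def digest_bits(message: bytes):
    """The message digest as a list of 256 bits, most significant bit first."""
    d = int.from_bytes(H(message), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, message: bytes):
    """For each digest bit, reveal the secret string that corresponds to that bit value."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Accept only if every revealed string hashes to the matching public-key entry."""
    if len(signature) != DIGEST_BITS:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(signature, digest_bits(message))))


def secret_strings_exposed(sk, messages) -> int:
    """How many of the 512 secret strings are public after signing these messages.
    One signature exposes exactly 256; a second signature of a different message exposes
    more, which is why each key pair must be used only once."""
    revealed = set()
    for m in messages:
        revealed.update(sign(sk, m))
    return len(revealed)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"transfer 10 units to account 42"  # constructed sample message
    sig = sign(sk, msg)
    print("valid signature:", verify(pk, msg, sig))
    print("altered message:", verify(pk, b"transfer 99 units to account 42", sig))
    print("secret strings exposed after one signature:", secret_strings_exposed(sk, [b"m1"]))
    print("secret strings exposed after two signatures:", secret_strings_exposed(sk, [b"m1", b"m2"]))
```

Signing a second message with the same key reveals a second secret string at every digest position where the two digests differ, which is what secret_strings_exposed counts and why the scheme is one-time; the chaining the text describes is what lets a signer go beyond a single message.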

Code-based public-key encryption built on the McEliece cryptosystem, created in 1978 by Robert McEliece, utilizes asymmetric encryption and includes both encryption of data and a signature scheme for the sender. It was the first scheme to put randomization into the process of encrypting data. Due to that randomization, this system is extremely resistant to attacks using Shor’s algorithm, making it a good candidate for the post-quantum age (McEliece). This system utilizes a public key G given by the equation G = S·G_s·P. The variable S is a random dense nonsingular matrix and P is a random permutation matrix; G_s in the equation is the private key (Wang). This system relies on a hidden Goppa code in order to be decrypted. A hidden Goppa code is an algebraic geometric linear code which is made using an algebraic curve over an infinite field. The reason it is hidden is that the public key is derived from the private key and is disguised in the encryption as a general linear code.
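To make the equation G = S·G_s·P concrete, here is a toy version of the McEliece construction, added as an example (not the article’s code and not McEliece’s). It assumes a Hamming(7,4) code in place of the Goppa code, so it corrects only a single deliberately added error and offers no real security; the point is to show how S and P disguise the structured private code G_s as a general-looking public generator G, and how the holder of the private key removes the error and the disguise.

```python
import random

# Hamming(7,4) in systematic form stands in for the private Goppa code G_s.
# Its fast syndrome decoder is the trapdoor; it corrects t = 1 error.
G_S = [[1, 0, 0, 0, 1, 1, 0],
       [0, 1, 0, 0, 1, 0, 1],
       [0, 0, 1, 0, 0, 1, 1],
       [0, 0, 0, 1, 1, 1, 1]]
H_CHECK = [[1, 1, 0, 1, 1, 0, 0],   # parity-check matrix: G_S * H_CHECK^T = 0 over GF(2)
           [1, 0, 1, 1, 0, 1, 0],
           [0, 1, 1, 1, 0, 0, 1]]
K, N, T = 4, 7, 1


def mat_mul(A, B):
    """Matrix product over GF(2): addition is XOR, multiplication is AND."""
    return [[sum(A[i][t] & B[t][j] for t in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def vec_mat(v, M):
    return mat_mul([v], M)[0]


def mat_inv(M):
    """Gauss-Jordan inverse over GF(2); returns None when M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def keygen(seed=None):
    """Public key G = S * G_s * P; private key (S, P) plus the secret decoder for G_s."""
    rng = random.Random(seed)
    while True:  # S: random dense non-singular k x k matrix
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if mat_inv(S) is not None:
            break
    perm = list(range(N))  # P: random n x n permutation matrix
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = mat_mul(mat_mul(S, G_S), P)
    return G_pub, (S, P)


def encrypt(G_pub, m, rng):
    """c = m*G + e, where e is a random error vector of weight t (the randomization)."""
    c = vec_mat(m, G_pub)
    for pos in rng.sample(range(N), T):
        c[pos] ^= 1
    return c


def hamming_decode(word):
    """Syndrome decoding: a non-zero syndrome equals the column of H at the error position."""
    s = [sum(h & w for h, w in zip(row, word)) & 1 for row in H_CHECK]
    word = word[:]
    if any(s):
        pos = next(j for j in range(N) if [H_CHECK[i][j] for i in range(3)] == s)
        word[pos] ^= 1
    return word[:K]  # systematic code: the first k bits carry the message


def decrypt(priv, c):
    """Undo the permutation, decode with the secret code, then undo S."""
    S, P = priv
    c_unpermuted = vec_mat(c, mat_inv(P))  # = m*S*G_s + e*P^-1, still a single error
    mS = hamming_decode(c_unpermuted)
    return vec_mat(mS, mat_inv(S))


def roundtrip_all(seed) -> bool:
    """Encrypt and decrypt every 4-bit message under one key pair."""
    pub, priv = keygen(seed)
    rng = random.Random(seed + 1)
    for value in range(2 ** K):
        m = [(value >> i) & 1 for i in range(K)]
        if decrypt(priv, encrypt(pub, m, rng)) != m:
            return False
    return True
```

Anyone holding only G sees a generator matrix with no visible Hamming structure and a ciphertext containing an unknown error; the private holder strips P, uses the fast decoder of G_s, and strips S, exactly the three factors of the equation.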


Given the need for new encryption, multivariate-quadratic public-key signature schemes are a great option for quantum-computer-resistant signature schemes. These types of encryption are young, and similar systems have been broken in the past, leaving only a few versions still used today. Some commonly used versions include the Enhanced Tame Triangular System (enTTS), Rainbow, and Unbalanced Oil and Vinegar (UOV). The strength of this encryption method comes from multivariate polynomials, that is, polynomials that depend on more than one variable. In the UOV scheme the variables are grouped into two separate groups and then mixed into a central polynomial.

The unbalanced aspect of this scheme refers to the relation between the two groups of variables, oil and vinegar: there are always more vinegar variables than oil variables. The Rainbow scheme is built on the UOV scheme and layers multiple polynomials developed using the UOV scheme on top of each other, each dependent on the previous layer. The next layer uses the results from the layer below it to calculate the new polynomial for that layer. Theoretically, this process can be repeated any number of times. Due to the layering, the variables can be smaller, leading to smaller public and private keys, which makes it easier to decrypt and verify on the part of the sender and receiver using the system (Czypek 8).

Quantum computers incorporate the laws of quantum mechanics into the way they operate, so it only makes sense for them to have new quantum encryption along with them. Fortunately for us, the laws of physics happen to include their own form of encryption along with quantum mechanics. The no-go theorems, each of which states that a particular situation is not physically possible, include several results: Bell’s theorem, the Kochen-Specker theorem, Gleason’s theorem, the no-teleportation theorem, the no-cloning theorem, the no-broadcast theorem, and the no-deleting theorem.

Bell’s theorem is the name for a family of results showing that a local realistic interpretation of quantum mechanics is impossible (Bell), meaning it is impossible to have an accurate definition for quantum mechanics since there is a seemingly random aspect to quantum physics. The Kochen-Specker theorem complements Bell’s by placing limits on the types of hidden variable theories used to explain the probabilistic nature of quantum mechanics. It states that it is not possible to assign values to physical observables while, at the same time, preserving the functional relations between them (Kochen).

A quantum particle cannot be observed and have a value assigned to it and still be paired with another particle through quantum entanglement. Gleason’s theorem, in summary, says that every quasi-state is already a state and that a quantum state is determined by knowing only the answers to all of the possible yes or no questions (Gleason). Together these theorems counter the hidden variable theories, which attempt to explain the randomness of quantum mechanics as a deterministic model featuring hidden states, claiming that all observables defined for a quantum system have definite values at all times.

The no-cloning, no-delete, no-teleportation, and no-broadcast theorem group explains why quantum information is so secure and how an encryption-like system arises from the nature of quantum mechanics itself. The no-cloning theorem says that it is impossible to make a copy of an unknown quantum state. A quantum system can be entangled with only one other quantum system and, since the definition of entanglement is that the only thing we know about paired qubits is that they are opposite, the paired systems are not clones. The reverse of the no-cloning theorem is the no-delete theorem, which states that given an entangled quantum state it is impossible to delete one of the copies. The no-teleportation theorem explains that a quantum state cannot be converted into classical bits, ones and zeros.

This relates to the Kochen-Specker theorem, which says it is impossible to assign values to physical observables, meaning that even with an infinite number of classical bits you could not fully describe the state of a quantum system. The no-broadcast theorem branches off the no-cloning theorem. Quantum information cannot be copied, so there cannot be more than two recipients (the two sides of the entangled system); for there to be more than two sides, the information would have to be copied in some way. Quantum mechanics having these theorems makes for a very safe and efficient type of encryption. It also makes eavesdropping easy to detect, because if a quantum state is observed then that very data changes, which would alert both sides that someone has tampered with the quantum information.

Quantum key distribution, which makes use of all the theorems above, is the only encryption system provably secure by the laws of physics. It uses quantum mechanics to produce a shared random secret key which is known only to the two parties. The randomly generated quantum key is sent through a fiber optic line as a photon. Information previously encrypted with that key is sent over the internet to the intended recipient, and the only way to decrypt that data is with the quantum key sent across the fiber line. If the information sent over the internet is copied it cannot be decrypted, because a man in the middle cannot recreate the quantum state of the private key. If the private key is observed through a man-in-the-middle attack on the fiber optic line, it changes because it was observed, and once it arrives at its intended destination the receiver of the private key can see that it was observed because the quantum state has changed. There is a physical limitation to this system: fiber optic lines for quantum key distribution have a maximum length of 60 miles. For this to work over a wide area, trusted quantum key distributors must be set up every 60 miles in a web shape.
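The detection property described above can be simulated classically. The following added example (not from the article) assumes the BB84 protocol, which the article does not name: photons are prepared in one of two bases, measuring in the wrong basis gives a random result and disturbs the state, and the two parties compare a random sample of their sifted key over the public channel to estimate the error rate. A tap on the fibre that measures and re-sends each photon raises that rate to about 25%, so an alarm threshold of 11% (the usual BB84 bound, assumed here) catches it, while an undisturbed line gives exactly zero errors.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(photon, basis, rng):
    """Measure a photon prepared as (bit, basis).  Measuring in the preparation basis returns
    the encoded bit; measuring in the other basis gives a random outcome and leaves the photon
    in the measuring basis, i.e. observation changes the state."""
    bit, prep_basis = photon
    if basis == prep_basis:
        return (bit, basis)
    return (rng.randint(0, 1), basis)


def run_qkd(n_photons, eavesdrop, seed, alarm_threshold=0.11):
    """One key-distribution round between Alice (sender) and Bob (receiver)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)                         # sent down the fibre
        if eavesdrop:                                    # tap in the middle of the line
            photon = measure(photon, rng.randint(0, 1), rng)
        bob_bits.append(measure(photon, b_basis, rng)[0])

    # Sifting: over the public channel Alice and Bob compare bases (never bits) and keep
    # only the positions where the bases agree.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in kept]
    bob_key = [bob_bits[i] for i in kept]

    # Error estimation: a random quarter of the sifted key is disclosed, compared and then
    # discarded.  An undisturbed line agrees exactly; a tap gives roughly 25% disagreement.
    sample = rng.sample(range(len(kept)), len(kept) // 4)
    mismatches = sum(alice_key[i] != bob_key[i] for i in sample)
    error_rate = mismatches / len(sample)
    disclosed = set(sample)
    final_alice = [b for i, b in enumerate(alice_key) if i not in disclosed]
    final_bob = [b for i, b in enumerate(bob_key) if i not in disclosed]
    return {
        "error_rate": error_rate,
        "alarm": error_rate > alarm_threshold,   # abort and do not use the key
        "key_bits": len(final_alice),
        "keys_match": final_alice == final_bob,
    }


if __name__ == "__main__":
    print("quiet line: ", run_qkd(4000, eavesdrop=False, seed=3))
    print("tapped line:", run_qkd(4000, eavesdrop=True, seed=3))
```

The quantity that matters operationally is the error rate on the disclosed sample: the key is only used when it stays below the threshold, and the sample bits themselves are thrown away because they were spoken aloud on the public channel.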

The quantum age is rapidly approaching, making it necessary to adapt our computers to withstand a brute force attack and pushing us away from our current factorization-based encryption toward new methods like hidden Goppa codes, random strings, and multilayered polynomial schemes. The development of current quantum computers, spearheaded by the company D-Wave, which is backed by major companies such as Google, Lockheed Martin, and NASA, has passed the “is it possible?” stage and is now moving into the “is it scalable?” stage. The largest current quantum computer is the D-Wave 2000Q, which contains 2000 qubits. Based on the equation for converting quantum bits into classical bits (2^n = X) and using 2000 for “n,” “X” is essentially an infinite number of bits. Due to this, the future of information security is progressing in the direction of quantum key distribution, as it is the only encryption scheme provably secure by the laws of physics.


Works Cited

Bell, J.S. “On the Einstein Podolsky Rosen Paradox”, Physics, 1, 195-200 (1964)

Bernstein, Daniel J. Buchmann, Johannes. “Post-Quantum Cryptography”, Springer-Verlag Berlin Heidelberg. (2009)

Gleason, A.M. “Measures on the closed subspaces of a Hilbert space”, Journal of Mathematics and Mechanics, Indiana Univ. Math. J. 6 No. 4 (1957), 885–893

Held, Carsten. “The Kochen-Specker Theorem”, The Stanford Encyclopedia of Philosophy (Fall 2016 Edition), Edward N. Zalta (ed.)

Kochen, Simon. Specker, Ernst. “The problem of hidden variables in quantum mechanics”, Journal of Mathematics and Mechanics 17, 59–87 (1967)

McEliece, R.J. “A Public-Key Cryptosystem Based On Algebraic Coding Theory”, DSN Progress Report 42-44. (1978), 144-116

Moorhouse, G. Eric. “Shor’s Algorithm for Factorizing Large Integers”, University of Wyoming (2002)

“Public Key Cryptography”, IBM Knowledge Center. Version 1.1.0.1.4

Rouse, Margaret. “Asymmetric Cryptography (Public Key Cryptography)”, Searchsecurity.techtarget.com. (2016)

Rouse, Margaret. “Encryption”, Searchsecurity.techtarget.com. (2014)

“Symmetric Cryptography”, IBM Knowledge Center. Version 1.1.0.1.4

Wang, Yongge. “Quantum Resistant Random Linear Code Based Public Key Encryption Scheme (RLCE)”, Information Theory (ISIT), 2016 IEEE International Symposium. (2016)

About The Author

My name is Hunter Bannister. I’m a student at East Carolina University in the College of Engineering and Technology. My major is information and computer technology with a concentration in security, set to graduate December of 2017. I have experience in areas of networking like Red Hat Enterprise Linux, Cisco IOS, and Microsoft server but have always been interested in quantum computers and physics. So I merged both areas of interest and discovered a lot about where information security will be headed in the future due to the development of quantum computers.

If you would like to contact me, I can be reached through email at [email protected].

The intelligent control systems and their perspectives

By Milica D. Djekic

Today’s industry deals with many intelligent and even smart mechatronic solutions. Such solutions are also used as part of smart homes, smart buildings and smart cities.

From the perspective of this research effort, we discuss the intelligent control systems that are becoming part of our everyday lives and businesses.

Would a large number of sensors and detectors make your intelligent asset more intelligent? The answer is – YES! In this article we deal with the concept of intelligent control systems and some of their perspectives, giving a deeper insight into how more intelligence can be put into a control solution.

By the psychological definition, intelligence is the ability to cope with an unknown environment in a quite advantageous way. So, could we apply such a definition to technological systems?

The answer is mostly – YES! Well, what gives intelligence to technical assets, and why is it important to build intelligent technological systems?

First, intelligent systems cope conveniently with any environment, providing you with a lot of useful data about their surroundings.

This offers you an opportunity to get a clearer picture of the important physical parameters present in that environment.

Also, if you put sensors and detectors in the feedback branch of your control system, your controller deals with a lot of accurate data and, guided by a smart control algorithm, becomes capable of making good decisions.

So, sensors, detectors and measuring devices are only part of an intelligent solution.

To get something that performs in a really advantageous manner, you need a skillful design of the entire control system.

Sensors may increase the technological IQ of your asset, but it is the smart control algorithm that makes things work to your advantage.

A good example of an intelligent control system is illustrated in Figure 1 as follows.


Figure 1. The intelligent control system

As presented in the Figure above, an intelligent control system consists of a controller, a plant and sensors. The controller is commonly hardware running a computer-generated program that handles the entire system. In control engineering, it is usual to consider the actuator part of the plant, because that subsystem manages some sort of process or activity.

Finally, in the feedback branch we have sensors that serve as data collectors. In addition, the previous Figure shows the disturbance variable, which is simply a physical parameter that distracts the plant from its operation. Here we give some examples of what the mentioned control system could cover.

For instance, the controller could be a printed circuit board or other electronics running a software solution previously transferred to its processing unit. On the other hand, the plant could be a robotic arm or pneumatic cylinder actuated by a DC motor or a pneumatic drive. These devices could suffer disturbances such as high mains voltage or unstable air pressure. So, the final destination of our plant is some mechanical, electrical or combined system that is managed to work smoothly by relying on an electronics board and an actuating device.
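As an added illustration (not from the article), the following simulation puts numbers to the controller, plant, sensor and disturbance of Figure 1: a first-order plant (think of a motor speed) hit by a step disturbance, a PI controller, and a sensor in the feedback branch whose reading may carry a constant bias. All values (gains, disturbance size, sensor bias, run length) are assumed for the example.

```python
def simulate_loop(kp, ki, setpoint=1.0, disturbance=0.5, disturb_at=10.0,
                  t_end=30.0, dt=0.01, sensor_bias=0.0):
    """Plant: dy/dt = -y + u + d (first-order lag).  Controller: PI acting on the sensor
    reading.  Sensor: reports y plus a constant bias.  Returns one (t, y, u, d) row per step."""
    y, integral, rows = 0.0, 0.0, []
    for k in range(int(t_end / dt)):
        t = k * dt
        d = disturbance if t >= disturb_at else 0.0      # step disturbance hits the plant
        measured = y + sensor_bias                        # what the feedback branch reports
        error = setpoint - measured
        integral += error * dt
        u = kp * error + ki * integral                    # controller output to the actuator
        y += dt * (-y + u + d)                            # Euler step of the plant
        rows.append((t, y, u, d))
    return rows


def steady_state_error(kp, ki, sensor_bias=0.0, setpoint=1.0):
    """Distance between the true plant output and the setpoint at the end of the run."""
    rows = simulate_loop(kp, ki, setpoint=setpoint, sensor_bias=sensor_bias)
    return abs(setpoint - rows[-1][1])


if __name__ == "__main__":
    print("no controller:        ", round(steady_state_error(0.0, 0.0), 3))
    print("proportional only:    ", round(steady_state_error(2.0, 0.0), 3))
    print("PI controller:        ", round(steady_state_error(2.0, 1.0), 3))
    print("PI with biased sensor:", round(steady_state_error(2.0, 1.0, sensor_bias=0.1), 3))
```

Two things the runs show: the integral term is what removes the disturbance from the plant output (proportional action alone leaves an offset), and a biased sensor makes the loop settle confidently at the wrong value, because the controller can only be as good as the data the feedback branch supplies.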

So, why are sensors, detectors and measuring devices so important as part of the feedback channel? As noted, those pieces of an intelligent control system increase the technological IQ of the solution. When you deal with intelligent control systems that rely on a certain level of simplicity, you realize that sensors and supporting equipment are well suited to good data gathering. The sensor itself is not sufficient to put intelligence into the entire solution, but if you connect it with electronics running software, it becomes fully capable of collecting information from its surroundings. Let’s try to explain this using the human organism.

As is known, people use their five senses to collect information about the external world. The collected data is sent to the brain through the nervous system, which extends through the entire body. The brain processes that data and sends back the signal for what needs to be done. We also mention that nerve cells use electrical impulses to transfer information. So, you can see the similarities between the human organism and an intelligent control system. For instance, if a person touches something hot, the brain tells them to move their hand away.

For such a purpose, the human uses the power of their muscles to make that move. The situation is similar with intelligent control systems. For example, when a robotic arm reaches its final position, the sensors send that signal to the processing unit, which tells the robotic arm to stop. For such a purpose, the system uses the power of its actuating device, let’s say a DC motor. So, if we correlate sensors with our five senses, the processing unit with the brain, and actuators with the human muscles, we realize it is quite simple to understand how intelligent control systems work.

Finally, we note that sensors raise our technological IQ. This can be taken as a good illustration of how to approach those parts of an intelligent control system. The more sensors you put into your control system, the better its capacity to deal with an unknown environment. In other words, your processing unit gathers more data and, if you do good programming, responds intelligently to the set of situations anticipated in that software.

Technical systems are limited by the laws of physics and mathematics, so they become intelligent or even smart only if their designers put a lot of effort into making them so. In conclusion, we have used a simple illustration of how intelligent control systems work in practice, and we recommend that everyone dealing with them think hard about how the next generation of their designs could make these systems safe and secure at the same time.

About The Author

Since Milica Djekic graduated from the Department of Control Engineering at the University of Belgrade, Serbia, she’s been an engineer with a passion for cryptography, cyber security, and wireless systems. Milica is a researcher from Subotica, Serbia. She also serves as a Reviewer at the Journal of Computer Sciences and Applications.

She writes for American and Asia-Pacific security magazines. She is a volunteer with the American corner of Subotica as well as a lecturer with the local engineering society.


Reducing the attack surface: how to empower your staff while keeping your network secure

Goverlan’s Pascal Bergeot considers what the recent Google Document hit means for remote workers and advises what companies need to do to reduce the risk of such attacks.

News this month of the Google Docs phishing scam is not the first time that shared cloud-based resources have hit the headlines for all the wrong reasons. Many popular collaboration and IT management tools – such as Teamviewer and Slack to name just two – have had their time in the spotlight for compromises and breaches.

The truth is these systems unwittingly provide an easy backdoor for cybercriminals, and add yet another dimension to the expanding surface of attack that modern companies find themselves faced with, which is already escalating thanks to the growing number of mobile devices and the increasing presence of the Internet of Things (IoT).

The way we work is changing – today’s connected world is customer-driven and business happens everywhere. More and more organizations are realizing that their applications must move with the business. From laptops and computers to tablets and smartphones, enterprises are becoming more flexible and customer experience is becoming seamless.

However, mobile workspaces must satisfy not just employees, but IT teams as well. Employees expect to be productive and be able to collaborate with their colleagues; IT teams expect to deliver applications and tools seamlessly across any device while having enterprise-level control to ensure data security.

So how can companies continue being flexible while at the same time reducing security threats? The answer is to remove as much of the attack surface as possible. Here are five tips to help IT departments secure their borders as effectively as possible:

1/ Remove the parts you cannot control

If you cannot control a part of your process you cannot secure it, and must rely on the controlling agent to warrant its integrity. While you may not be able to remove every potential weak link in the chain, you can minimize your risk exposure by reducing your reliance on third-party cloud-based systems. On-premises alternatives remove the single external point of failure that can put your networks at risk of compromise.

2/ Ensure you have secure privileged access

There are three key points that need to be made here:

• Don’t allow for weak privileged access, such as single-password authentication that provides backdoors to gain system access. Instead, strong native authentication mechanisms should be enforced.


• Do not authorize system access account credentials to be registered and stored outside of your controllable realm. Allowing a third-party vendor to store credentials for your end points opens a prime attack vector.

• Don’t allow system access accounts to be easily shared or distributed as the sharing and distributing itself will require protection.

3/ Don’t expose your data and system information

Any type of system information, as harmless as it may seem, represents intelligence data that can be used to exploit known vulnerabilities. As with privilege access accounts, do not let system information leave your premises. Allowing this information to be managed and stored by third-party vendors means you are relying on their security risk compliance policies to protect your data.

4/ Stay connected to your users

By making greater use of background endpoint management tools, you can perform scans and pre-empt any issues – without involving or interrupting the user. Crucially, this also enables you to ensure that your users’ remote laptops are patched and up to date, which is one of the quickest ways to stop the vast majority of malware threats gaining access to your systems.

5/ Audit, Audit, Audit!

When it comes to your IT systems management, you must ensure that you audit every system access and operator action. Even though auditing is an after-the-fact reactive measure, it can also be pre-emptive as it enables you to prevent an error from being repeated. Additionally, it can act as an additional layer of internal security; if users/admins know they are being audited, they are less inclined to do harm.

Conclusion

Remote working and the need for collaboration are not going to go away; in fact they are likely to increase in the coming years. The tightrope that IT departments need to walk is one of allowing users as much freedom as possible while at the same time keeping a tight rein on security. Do this and they can rest assured that even though the user is remote, no data is leaving the company premises and they have complete management capability.

About the Author

Pascal Bergeot is CEO of Goverlan


How context-aware security adds layers of protection to single sign-on services By François Amigorena, CEO, IS Decisions

Single sign-on, to the user, is a godsend. No more wasting time putting in passwords to individual sites or applications, no more trying to remember a fistful of different username/password combinations.

To businesses, the benefits are also compelling. First, single sign-on improves staff productivity. IS Decisions research found that complex IT security costs each individual employee 21.88 minutes every week, which equates to 182 days of lost productivity for companies of 250 people, and 21.9 days for companies with 30 people.

Single sign-on services help lower this figure, saving money for businesses. Secondly, single sign-on means fewer help requests to the IT department from users who have forgotten their login, which in turn means the IT team has more time to focus on other important work.

Such is single sign-on’s popularity that around 20% of people use their social media login over traditional email and password logins for different applications.

Tom’s IT Pro argues that single sign-on services are a must for large enterprises, and Business 2 Community calls it a “hot commodity for businesses”.

However, while the charge to productivity is all well and good, it must not and cannot compromise security.

Anything that makes your corporate systems less safe is not worth pursuing because, at the end of the day, convenience is not more important than security.

Which is why the recent hack on password manager OneLogin is worrying. Attackers managed to obtain the login credentials of users “served by our [OneLogin’s] US data centre” — and the even more worrying part of the breach is that the perpetrators have the power to crack the encrypted data they now have their hands on. This spells bad news for businesses…

Why single sign-on services are now vulnerable

The implications of an attack of this kind are serious. Consider this analogy — each individual login is a troop on the frontline of security for the defence of the network. The more troops you have, the stronger that frontline is.


However, by implementing single sign-on, a company effectively reduces the number of troops on the front line, rendering what’s left very vulnerable.

To mix that metaphor with a simile, it’s a bit like putting all your eggs in one basket.

We’re not the only ones who hold this opinion. Gartner financial fraud analyst Avivah Litan agrees, saying: “It’s just such a massive single point of failure.

And this breach shows that other [cloud-based single sign-on] services are vulnerable, too.

This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

Single sign-on services are certainly a ‘massive point of failure’. All it takes is one instance of bad user behaviour to lead to a severe breach: for example, an employee sharing a password or leaving a workstation unlocked, an employee falling victim to a phishing attack, or a malicious user stealing a colleague’s credentials.

The OneLogin attack has therefore cast doubt over the security of single sign-on services, and understandably, businesses who use single sign-on services are wondering how to better protect their corporate systems.

Whatever the method, the key is to protect the basket in which you’ve placed all your eggs.

How context-aware technology can protect single sign-on services

One way to do that is through ‘context-aware’ security. The trouble with passwords is that they behave exactly like keys.

As long as you have the key, you can unlock the door. Context-aware security, though, goes way beyond keys, and analyses the situation in which an access attempt takes place to determine whether the person trying to log in is exactly who they say they are.

For example, context-aware security can analyse the geographical area in which the login is taking place, the device the user is logging in on, the time it is happening, the IP address, and many other pieces of contextual information.

All of this information together builds up a profile of the person logging in, and can shed light on anything suspicious.


For example, by restricting single sign-on logins to particular workstations, departments, devices, IP addresses, times of day or geographies, organisations can reduce the size of the opportunity available to would-be attackers.

For example, if Chuck were using Larry’s credentials to log in from his own desktop, and the company had restricted Larry’s logins to just his own devices, Chuck wouldn’t be able to gain entry. Or if someone in one department used the credentials from someone in another department to gain entry from the wrong workstation, again, the system would deny access.
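The device, department, network, country and time-of-day restrictions described above, as an added example (not code from IS Decisions or any product): a small policy evaluator in Python with constructed users, devices and addresses, which denies the Chuck-using-Larry's-credentials case and also a login on Larry's real device from an unexpected address and hour.

```python
"""Context-aware login check (added example; not code from IS Decisions).

Each user has a policy naming the devices, workstation departments, source
networks, countries and working hours from which a login may proceed. A login
attempt carries the same context fields. Every restriction that is configured
must be satisfied; an empty restriction means "not restricted". The first
failing check is returned as the reason, so the denial can be logged and
investigated. All usernames, device names and addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class LoginContext:
    username: str
    device_id: str            # identifier reported by the endpoint agent
    workstation_department: str
    source_ip: str
    country: str              # ISO country code from geolocation
    timestamp: datetime       # local time of the attempt


@dataclass(frozen=True)
class AccessPolicy:
    allowed_devices: FrozenSet[str] = frozenset()
    allowed_departments: FrozenSet[str] = frozenset()
    allowed_networks: Tuple[str, ...] = ()        # CIDR strings
    allowed_countries: FrozenSet[str] = frozenset()
    work_hours: Optional[Tuple[int, int]] = None  # (start_hour, end_hour), 24h clock


def evaluate(policy: AccessPolicy, ctx: LoginContext) -> Tuple[bool, str]:
    """Return (allowed, reason); every configured restriction must pass."""
    if policy.allowed_devices and ctx.device_id not in policy.allowed_devices:
        return False, f"device {ctx.device_id} is not registered to {ctx.username}"
    if policy.allowed_departments and ctx.workstation_department not in policy.allowed_departments:
        return False, f"workstation belongs to {ctx.workstation_department}, not an allowed department"
    if policy.allowed_networks:
        addr = ip_address(ctx.source_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            return False, f"source address {ctx.source_ip} is outside the allowed networks"
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return False, f"login from {ctx.country} is not allowed for {ctx.username}"
    if policy.work_hours is not None:
        start, end = policy.work_hours
        if not start <= ctx.timestamp.hour < end:
            return False, f"login at {ctx.timestamp:%H:%M} is outside working hours"
    return True, "all contextual checks passed"


# Constructed policy: Larry works in accounting and may log in only from his two
# registered devices, on accounting workstations, from the office network
# (10.20.0.0/16), from the UK, between 07:00 and 20:00.
POLICIES: Dict[str, AccessPolicy] = {
    "larry": AccessPolicy(
        allowed_devices=frozenset({"LARRY-LAPTOP", "LARRY-DESKTOP"}),
        allowed_departments=frozenset({"accounting"}),
        allowed_networks=("10.20.0.0/16",),
        allowed_countries=frozenset({"GB"}),
        work_hours=(7, 20),
    ),
}


def check_login(ctx: LoginContext) -> Tuple[bool, str]:
    """Look up the user's policy and evaluate it; unknown users fail closed."""
    policy = POLICIES.get(ctx.username)
    if policy is None:
        return False, f"no access policy defined for {ctx.username}"
    return evaluate(policy, ctx)


# Chuck types Larry's credentials on his own desktop in the sales department.
CHUCK_ATTEMPT = LoginContext("larry", "CHUCK-DESKTOP", "sales",
                             "10.20.5.44", "GB", datetime(2017, 6, 5, 10, 30))
# Larry himself, on his laptop at an accounting workstation during the day.
LARRY_ATTEMPT = LoginContext("larry", "LARRY-LAPTOP", "accounting",
                             "10.20.3.17", "GB", datetime(2017, 6, 5, 10, 30))
# Larry's real device and credentials, but from an address abroad at 03:00.
NIGHT_ATTEMPT = LoginContext("larry", "LARRY-LAPTOP", "accounting",
                             "203.0.113.9", "RO", datetime(2017, 6, 5, 3, 0))

if __name__ == "__main__":
    for attempt in (CHUCK_ATTEMPT, LARRY_ATTEMPT, NIGHT_ATTEMPT):
        allowed, reason = check_login(attempt)
        print("ALLOW" if allowed else "DENY ", reason)
```

The checks are ordered so that the most specific property (the registered device) is reported first; in a real deployment the reason string is what the SOC would see in the denied-login event.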

Context-aware technology has been around for a number of years, but its popularity is growing given the need to better protect logins.

Some of the most devastating security breaches recently have occurred as a direct result of compromised credentials, and with the growth of single sign-on popularity, the consequences of compromised credentials are only set to get worse.

Context-aware security, therefore, is the equivalent of changing your wicker egg basket into a virtually impenetrable thick iron box.

About the Author

François Amigorena is the founder and CEO of IS Decisions, a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory.

IS Decisions offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.

Its customers include the FBI, the United Nations and Barclays, who rely on IS Decisions to prevent security breaches; ensure compliance with major regulations such as SOX, FISMA and HIPAA; quickly respond to IT emergencies; and save time and money for the IT department.


5 ways small businesses can be affected by a cyber security breach

A large-scale cyber security breach is hugely damaging for any organization, and with hackers becoming increasingly sophisticated, the chances of getting caught out are constantly growing. No one is safe from attack either; companies hit by cyber crime during 2016 include behemoths such as Yahoo, Tumblr, LinkedIn, and AdultFriendFinder. For such a sizeable business, the damage to customer relationships and public image can be extremely costly, but ultimately they’ll survive. For a smaller company on the other hand, a security breach can be utterly devastating – yet they are no less likely to fall victim to such an event.

How do cyber breaches impact companies?

There are a number of factors that can dictate the effect of a breach on a business, such as the nature and timing of the attack, the industry that the company works in, its size, and location. Consider how a financial institution might be affected as compared to a car manufacturing company, or the importance of keeping a social network’s user data safe in contrast to a mailing list for a small technology firm. Having said this, there are a number of concerns that should always be kept in mind when assessing and securing your company’s online presence. Here, we list the top five business impacts of a cyber security breach:

1: Damaged reputation

If a company has worked hard to build and maintain a positive public image, the last thing it needs is to suffer a loss of faith from customers, suppliers, investors, and even potential employees because of a cyber attack. And if the press covers the story widely, the damage to the brand’s reputation can have a knock-on effect lasting way beyond the time it takes to fix the security issue itself. People need to feel safe in order to do business, and if they’re uncomfortable with an organization’s ability to keep their data and resources secure, they’ll likely look elsewhere.

2: Loss of assets

There are a number of valuable resources that cyber criminals might target, including money, data, and intellectual property. A monetary theft from a high-profile organization may provide a big financial reward, but there are also advantages to raiding smaller companies, who tend to be easier to target as they lack the resources to protect themselves adequately. While stealing money seems obvious, data can often be worth far more to cyber thieves, who can make creative use of valuable information or simply sell it on the dark web. Login details for hotel loyalty programs and online auction accounts can sell for anything from $20 to $1400, and credentials for PayPal and other online payment services can go for hundreds of dollars. The loss of copyrighted material and protected developments can potentially be even more damaging to a company though, putting years of investment in R&D to waste and compromising the value of new products or ground-breaking technologies.

3: Monetary loss

Aside from theft, there are several ways in which a company can incur financial losses as a result of cyber crime. According to Kaspersky Lab, the direct expenses of recovering from a data breach cost small businesses an average of $38,000, and this doesn’t even account for the ongoing costs caused by a loss of trust or valuable resources. Large companies with deeper pockets can be expected to pay closer to half a million dollars, but they’re much better equipped to ride the waves of uncertainty that follow an attack, even if the amounts of money involved are much greater for them. Ironically, it’s small companies with fewer resources to protect themselves who have the stronger imperative to do so.

4: Penalties for failing to protect data

A company may have its own assets put at risk by cyber crime, but this doesn’t negate the responsibility to protect sensitive customer data. This is reflected by the threat of fines from global authorities, whose aim is to protect the interests of the population by refining and enforcing data protection laws. In the coming years, these authorities can be expected to develop sanctions to ensure that companies are giving adequate protection to the data they hold. One figure mooted by the European Parliament as a fine for privacy breaches is as much as 20 million euros – an amount that would put many smaller companies out of action for good.

5: Intangible costs

Being the victim of a cyber attack will inevitably place a huge immediate financial burden on any organization, but there are many additional costs hiding beneath the surface, that may not be seen at first glance. Especially where a company has poor continuity planning or business resilience strategies in place, it could see its operations suffer long into the future as it struggles to get back on track. Add increasing insurance premiums and interest payments into the mix, and the road to recovery can be a rocky one indeed.

In the modern business world, it’s becoming ever clearer that cyber security is no longer solely an IT issue; and the requirement to be safe isn’t restricted to larger companies either. Any organization that fails to protect itself well enough is placing its very existence at risk – these days, putting comprehensive security measures in place is simply an unavoidable part of running a business.

About the Author

Asher de Metz has approximately 20 years of experience in the cyber security industry, consulting to some of the world’s largest companies in all of the top vertical markets. Starting in London, he has worked across Europe and the Middle East, and has spent the last 8 years in America working for Sungard Availability Services, where he runs the Technical Security Practice.


Lazarus: Data Leakage With Cryptographic System

You have most probably already received the recommendation, or even the requirement, to keep a "strong password" in your applications. A strong password is one that has at least 10 characters, including uppercase and lowercase letters, digits and special characters, and that is not a word found in a dictionary. Another thing you may have heard of is cryptography. Cryptography is a method by which text is scrambled so that no one who does not have a key (password) can read it.

Who needs cryptography? Governments, companies and you! Various open source or paid computer programs promise to help you, your company, and your country maintain privacy and information security. These programs use modern mathematical algorithms to turn your intellectual property into a set of characters that will be completely unreadable to a stranger but can be read by someone who has the correct password. Notice that this protection, in the end, brings us back to the password system. However, it is asking too much to require people to keep dozens of "strong passwords" for their bank accounts, e-commerce sites, systems at their jobs, and their personal devices. Some only accept numbers, others have only 6 positions, others require you to enter a password that is impossible to remember, which ends up making the whole process less secure.

To circumvent this problem, there are procedures that are appalling from the point of view of information security, such as the recovery key in Microsoft's BitLocker®. This encryption system allows the user to create a password of up to 256 characters using every option on the keyboard, but the system itself generates an automatic "recovery key" of 48 numeric digits. That would be the equivalent of locking your house with a very thick padlock at the front door, while the house automatically and compulsorily adds a second padlock similar to the ones you normally see on baggage at airports.

BitDefender's encryption systems and all open source systems derived from TrueCrypt have a security hole that is closely linked to the usage procedure. To really bring security, it is imperative that the user installs the system himself, and that he or she alone creates the cryptographic containers. Unfortunately, that is not what usually happens with CEOs, politicians, researchers and home users. These people usually rely on an IT professional to perform these activities. In large companies, it is common for this activity to be delegated to the IT trainee. And that is where the big security flaw lies. No matter how many times the CEO changes the password of the cryptographic container, that trainee will always retain full access to the information recorded in the container, even after he eventually goes to work for a competitor. Perhaps the most famous program is PGP (Pretty Good Privacy), created by Zimmermann and now owned by security giant Symantec. Symantec has created a corporate encryption system that allows multiple users to use the same cryptographic container. An interesting idea, since it allows management to grant or deny each user access to the container.

It is the flaw in this system that gives the article its name, referring to the Holy Bible and the story of Lazarus, who according to the scriptures returned from the world of the dead. With a relatively simple technique, it is possible for an attacker to bring a deleted user back to life, giving the attacker access to data encrypted under the credentials retrieved from that user.

You, your politicians, your companies and your governments expose their secrets when they blindly trust the advertisements. Understanding the general aspects of what a cryptographic system is, and handling credentials correctly, can save your business. As important as how big the padlock protecting your secret is, is whose hands your key has passed through before it reached you, and where and how you keep it. This article is based on the original research Corrosive secrecy and confidence: the paradox among bypassing cryptographic software, the loss of privacy and information security, published in Cyber Security Review Magazine, and the original article Lazarus: Data Leakage with PGP and Resurrection of the Revoked User, published in the Journal of Cyber Security and Mobility. You can read the full research on the author's ResearchGate profile.

https://www.researchgate.net/publication/310607421_Lazarus_Data_Leakage_with_PGP_and_Resurrection_of_the_Revoked_User

https://www.researchgate.net/publication/297232147_CORROSIVE_SECRECY_AND_CONFIDENCE_THE_PARADOX_AMONG_BYPASSING_CRYPTOGRAPHIC_SOFTWARE_LOSS_OF_PRIVACY_AND_INFORMATION_SECURITY

About the Authors:

Rodrigo Ruiz is a researcher at CTI Renato Archer – Information Technology Center, Campinas, Brazil. He is also a member of the SDIWC (The Society of Digital Information and Wireless Communications), has published papers about privacy and security, and is co-author of Apoc@lypse: The End of Antivirus. https://www.researchgate.net/profile/Rodrigo_Ruiz3

[email protected]

Rogério Winter is a colonel in the Brazilian Army and head of Institutional Relations of CTI Renato Archer, with more than 25 years of experience in military operations and cybersecurity. He holds a master's degree in Electronic Engineering and Computation from the Aeronautics Technological Institute (ITA), is a member of the SDIWC (The Society of Digital Information and Wireless Communications), currently dedicates himself to warfare issues, cybernetics, command and control, and the decision-making process, and is co-author of Apoc@lypse: The End of Antivirus.

Legal Steps of Action to Take If Your Privacy Has Been Compromised by the State

All of us agree on the fact that the invasion of privacy is a serious issue, even more so if it is done on behalf of the state itself. The right to privacy is one of the fundamental rights given to us by the Constitution and it must be upheld. The Fourth Amendment of the United States Constitution clearly states that “People must be protected from unreasonable searches and seizures by the government”.

The foundation of the discourse on privacy is not older than 100 years. In fact, in 1890, Harvard Law Review published an article titled “The Right to Privacy”, whose authors were deeply concerned with the rise of newspapers and their photography, which had a tremendous potential to expose people’s images and personal information to the public. Thereafter, the dissemination of narratives like these led successive US governments to come up with much needed privacy laws. In general, when an individual’s privacy is unlawfully invaded by another party, the defendant will either have to pay damages or be put behind bars. The defendant will subsequently need a bail bond company to get out of jail.

The moot issue, however, is how valid the breach of citizens’ privacy by government agencies is when US law recognizes it as contrary to Constitutional rights. It is important to understand that while spying on citizens by the state for the purpose of national security could be justified to a certain extent, there is the chance that the personal information may be misused, or used for extortion, because of the vulnerability it creates. The Privacy Act of 1974, therefore, establishes certain controls over what personal information is collected by the federal government and how it should be used.

How Your Privacy Is Invaded

The invasion of American citizens’ privacy by the state-corporate surveillance network is a disturbing emerging trend. The complex intertwining of policing forces and private companies for monitoring domestic life has eroded the line that separates what is legal from what is illegal. The breach of privacy of US citizens can broadly be classified into the following four categories:

1. Federal surveillance

In the wake of the 9/11 attack, federal surveillance is being carried out by none other than the National Security Agency (NSA), the Department of Homeland Security (DHS), and the Department of Defense (DoD), along with the FBI and IRS. These agencies use public and private sources to gather personal information, which ranges from birthday and marital status to property registrations and tax records. The collusion of these agencies with private companies can have serious implications in the future. Many people, therefore, believe that these authorities are overriding the guarantee of privacy provided by the 4th Amendment.

2. State and local law enforcement agencies

As per a report, in 2011 alone federal, state, and local law enforcement agencies made 1.3 million requests to cellphone companies for personal records. In another case, 200 local law enforcement agencies carried out cell-phone tracking without a warrant to do so. There is an increasing concern that these law enforcement agencies are spending many millions of dollars on state surveillance of different communities.

3. Telecommunications, websites and “apps” companies

A revelation came not long ago that the major telecom companies like AT&T and Verizon along with the software giants like Google, Facebook, and Amazon have been systematically collecting user data and commercializing it for corporate purposes. In this spying game, the “app” industry is not far behind. Most smartphone users are unaware that when they download a “free” app they are downloading a Trojan horse.

4. Private data aggregators

The modus operandi of private data aggregators is to collect personal data, repackage it, and offer it for sale. Companies like ChoicePoint, Intelius, and Lexis Nexis are striking examples of this type of spying. With the help of technology, these companies track an individual’s keystrokes, bill payments, and phrases inside emails, as well as carrying out GPS tracking.


Judicial remedies and penalties for privacy violations by the Government

The Privacy Act, Section 552a of Title 5 of the US Code, is the most relevant law that can be invoked whenever an individual’s privacy is violated by the state or state agencies. Under this law, an individual is allowed to bring a civil action in federal district court whenever an agency fails to comply with the Privacy Act. If it is proven that the agency acted in a manner that was “intentional and willful”, the United States Government shall be liable for “actual damages” sustained by the individual as a result of the government’s failure to comply with the law.

In the end, the actual damages will be awarded to the plaintiff for intentional or willful refusal by the agency to comply with the Act.

In a landmark judgment regarding Katz v. United States, 389 US 347 (1967), the Supreme Court gave its ruling that refined the previous interpretations of the unreasonable search and seizure clause of the 4th Amendment to count immaterial intrusion with technology as a search.

Within common law tort, in order to successfully establish the wrongdoing of a government agency, a plaintiff must prove the following facts:

1) The defendant (in this case the government or state agencies) owed the plaintiff a legal duty;
2) The defendant violated that duty by failing to exercise reasonable care;
3) This failure of duty on the part of the defendant caused the plaintiff’s injuries; and
4) The plaintiff suffered harm as a result of the defendant’s action or inaction.

Conclusion

Every citizen needs a certain amount of privacy for his or her emotional well-being. The government itself is not above the law and should limit its use of various machinations for intruding in the lives of individuals. In light of this, the United States Supreme Court declared that the writers of the U.S. Constitution conferred the right to be let alone — the most comprehensive of rights and the right most valued by civilized men.

About the Author

Hannah is a teacher by profession with over 5 years of experience. She holds a degree in Law. The latest technology and gadgets keep her mind occupied besides her professional duties. An avid blogger, Hannah loves to read and write about new technology.


Trump’s Cybersecurity Executive Order: A Promising Start to Securing Digital Infrastructure...But Don’t Forget What’s Beyond the Firewall

By Lou Manousos, CEO, RiskIQ

After some high-profile cyberattacks and information breaches, the cybersecurity posture of the U.S. government has never been more front and center in the public consciousness.

Following President Trump's signing of an executive order calling for the strengthening of the cybersecurity of federal networks and critical infrastructure, the tools and processes of government security teams will be under even more intense scrutiny.

There’s no doubt that lots of this focus will fall on the modernizing of internal networks including moving to shared IT services and the cloud—and rightly so.

But to be in full compliance with the new guidelines outlined in the order, agencies will still have to deal with a lingering blind spot comprised of thousands of unknown and unmanaged internet-facing assets that are potential inroads for cyberattacks and data breaches.

With ever-changing administrations, projects, and initiatives, those in control of processes and initiatives for today's agencies aren't necessarily the people who started them.

The result is a digital debris field of assets that security teams aren't aware they own, which hackers can target to devastating effect.

This dilemma doesn’t affect agencies only: according to the 2017 Verizon Data Breach Investigations Report, more than 75% of the incidents that lead to data breaches originate externally, almost half of which target unknown—and thus unmanaged—digital assets.

Given this new threat landscape, government organizations need to keep visibility outside the firewall in mind while revamping their cybersecurity tools, as major threats no longer need to traverse the traditional computer environments that they control.

For example, even the hardest, most robust network defenses could not have stopped the very simple phishing campaign targeting former Chairman of the Democratic National Committee (DNC) John Podesta, which resulted in the outing of private communication that shook the political foundation of the U.S.

Phishing remains one of the most efficient ways for threat actors to compromise legitimate credentials and gain access to sensitive information, financial details, and critical systems—RiskIQ detected 158,904 phishing incidents a day in 2016—but there's a whole laundry list of threats that do not directly target corporate networks.


How many .gov websites employ compromised third-party components like CDNs in their digital supply chain? How many are asking for PII but don't have a current SSL cert? How many were registered outside of compliance?

Because many organizations lack this visibility outside the firewall, allegations that Russian hackers influenced the 2016 election cycle have caused many people to wonder if federal agencies are prepared to defend their modern attack surfaces.

Because the stakes couldn’t be higher, I commend the order’s emphasis on agency leadership’s responsibility for cybersecurity, which will help make cybersecurity issues a main priority. After all, the hackers potentially working on behalf of Russia are just some of many adversaries attempting to disrupt the U.S. government.

As agencies expand their digital footprints across web, social, and mobile channels, thousands of global adversaries—nation-states, hacktivists, and cybercriminals—do the same, leveraging the same technologies to propagate malware and fool users into giving up credentials and other sensitive information.

According to the order, effective immediately, each agency head shall use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST), which calls for the implementation of five core functions to organize basic cybersecurity activities at their highest level: Identify, Protect, Detect, Respond, and Recover.

Leaders responsible for filling these functions should be expected to consider security on their networks as well as internet beyond their firewalls, enabling their teams to:

• Understand their digital attack surface
• Keep track of how it changes
• Monitor existing, new, and changing assets
• Stay in compliance

Having this type of visibility on the internet requires internet data and automation. What does this look like?

For Security Defenders: In addition to monitoring and protecting the agency’s network and network perimeter, security defenders must continually discover and rediscover the agency’s digital footprint and monitor it for changes.

Such vigilance requires current, full internet intelligence across the web, social media platforms, and mobile apps.

Always in discovery mode, defenders should be aware of new assets and properties and immediately be able to assess them for security threats and compliance with government regulations.


For Security Threat Hunters: Threat hunters must be able to investigate and respond to incidents and suspicious events on their network that are linked to external threats.

Most hunters today are plagued by floods of false positives and must sift through the inconsequential to find meaningful threats.

Having up-to-the-minute, comprehensive knowledge of external threats hastens investigations and the process of triaging incidents and events.

For the Security Operations Center (SOC): While threat hunters may be proactively tracking down clues about internal security issues, the SOC team needs to quickly respond to problems prompted by the SIEM or individual security components.

Again, a surfeit of false positives is a major obstacle, and differentiating between the significant and insignificant is time-consuming and problematic. SOC teams can only assess a fraction of security alerts, and they could easily miss an important security event in alerts they are not able to review.

The cybersecurity executive order is a great first step in shoring up the nation's digital infrastructure and protecting against modern threats. But fulfilling its requirements goes beyond the firewall.

To protect government networks, agencies must be able to discover and monitor assets across all channels, including all application stores and portals, social media properties, DNS changes and web content or destinations.

About the Author

Elias (Lou) Manousos is a recognized expert in internet security and fraud prevention. He has been developing and delivering enterprise protection technologies for more than 15 years. As CEO of RiskIQ, he has spearheaded a new approach that helps internet, financial services, healthcare, media and consumer packaged goods companies protect their brands from online fraud. He is also co-chair of the Online Trust Alliance (OTA) Anti-Malvertising Working Group and is responsible for Malvertisements.com, the first and only public database documenting malvertising incidents on a continuous basis. Prior to RiskIQ, Elias was VP of R&D at Securant Technologies (acquired by RSA), which pioneered identity and access management for web applications. At Securant, he was instrumental in creating now-commonplace technologies for single sign-on (SSO) security.


State Cybersecurity Regulation: Another Patchwork Approach?

By Jami Mills Vibbert with Venable LLP

Until recently, state oversight of cybersecurity has been relatively limited. Indeed, although 48 of 50 states have laws related to data breach notification, those laws govern only a small part of cybersecurity practice—the time following a security incident. Those breach notification laws form a complicated morass requiring notification of a security breach under certain, different circumstances, depending on the type and amount of data involved. That is, the who, what, when, where, why, and how vary from state to state, often requiring an in-depth analysis by a breached company to determine what its notification obligations are while also trying to handle the crisis situation that arises post-breach.

The Health Insurance Portability and Accountability Act (HIPAA) has a breach notification provision that applies nationwide, but applies only to protected health information, and does not preempt any state law notification requirements. Attempts at an overarching federal breach notification law have stalled in the past couple of years, and thus companies must continue to spend time and resources following a security incident dealing with analysis under these separate laws.

On the other hand, states have remained relatively silent on specific cybersecurity requirements for companies doing business in that state. A handful of states have attempted to force companies to focus on cybersecurity by requiring companies to implement “reasonable” or “adequate” data security measures (including Arkansas, California, Florida, Indiana, Kansas, Maryland, Minnesota, Rhode Island, Texas, and Utah). These general requirements typically impose no more on companies than the companies impose on themselves through contracts with third parties. Only a couple of states have implemented regulations requiring specific cybersecurity controls. For example, Massachusetts law 201 CMR 17.00 sets forth specific cybersecurity requirements, including with respect to encryption, monitoring, patches, firewalls, training, and other controls.

Nevada law NRS 603A.215 requires encryption of personal information transmitted “outside of the secure system of the data collector.” And a couple of other states require cybersecurity controls with respect to specific data elements, such as Social Security Numbers or personal health information. As with breach notification, some federal laws contain requirements for certain industries or types of sensitive information, including HIPAA with respect to protected health information and the Gramm-Leach-Bliley Act, which governs some financial institutions. These are also not preemptive of different or more stringent state laws. Companies subject to multiple cybersecurity regimes must, as with breach notification, expend resources in understanding the different requirements of the different federal and state laws to ensure compliance with each.

This state-specific quilt of cybersecurity controls is growing, which will likely lead to an even more time-consuming process of ensuring compliance with differing and potentially conflicting cybersecurity controls for companies operating in multiple states. Legislation of specific cybersecurity controls is often similar to existing state standards, but with key differences. On March 1, 2017, the New York State Department of Financial Services (DFS) mandatory cybersecurity requirements for financial services companies took effect. The requirements broadly cover all DFS-regulated entities and, by extension, the unregulated third-party service providers of those entities.

This includes not only state-chartered banks, licensed lenders, private bankers, service contract providers, trust companies, and mortgage companies, but also foreign banks licensed to operate in New York and any insurance company doing business in New York. The regulation sets out various minimum standards and requires a risk-based cybersecurity program tailored to each company’s specific risk profile. Significantly, it requires covered entities to file an annual certification of compliance, and for many institutions it will require significant changes to the cybersecurity program. Unlike existing state laws with specific provisions, the DFS regulation requires annual cybersecurity risk assessments and specific steps that must be taken with respect to all third-party service providers. It also contains minimum standards similar to those in other laws, including with respect to multifactor authentication and encryption.

Other states have recently become active as well. This may be a reaction to a perceived lack of adequate federal legislation, weakened enforcement by federal regulatory bodies, or the prevalence and high-profile nature of major security incidents. We have seen states step in to fill such perceived gaps, including with the introduction (and passage) of legislation in several states following the repeal of the Federal Communications Commission regulation expanding privacy rules to broadband providers. Similarly, states have introduced legislation attempting to place parameters on what a reasonable cybersecurity program must have, including what minimum standards would be required (focusing on risk assessments, training, policies, ensuring appropriate responsibility, and third-party service provider management).

One pending bill in California attempts to place some parameters (with respect to both privacy and security) on connected devices. The bill, SB-327, defines connected devices as any device, sensor, or other physical object that can connect to the Internet or another connected device, directly or indirectly. In addition to data collection and consent requirements, the provisions of the bill may inhibit the growth of the Internet of Things (IoT) market or make the manufacture of IoT devices subject to the California bill difficult. The bill requires all manufacturers of connected devices to detail the process by which a connected device consumer can obtain security patches and feature updates for the IoT device. It is unclear how manufacturers will be able to implement this requirement should it pass, but shows the desire of states to regulate cybersecurity.

State legislatures are not the only state parties that have shown an increased focus on regulating cybersecurity. For several years, the Federal Trade Commission (FTC) has been the most active regulatory body concerning data security, investigating and entering into consent orders with companies for failing to maintain reasonable data security practices or for misrepresenting those practices. Prior to this year, state attorneys general limited their activity in the cybersecurity space to bringing actions against companies that had suffered a data breach. The settlements of those actions often resulted in large fines and comprehensive requirements to implement a more secure information security program. As of last month, however, states have ventured into new territory. The New York Attorney General brought an action against a wireless lock company, Safetech Products LLC. Safetech is a Utah-based company selling its locks online via Amazon and its own retail website. Interestingly, Safetech had not suffered a data breach; rather, security researchers reported that Safetech did not encrypt user passwords in transmission between a user’s mobile device and the locks. On hearing of the researchers’ report, the New York Attorney General launched an investigation. The investigation confirmed the report and determined that Safetech also did not require users to change default passwords. Because these practices could have led to a data breach, the Attorney General alleged that Safetech had failed to reasonably protect its customers’ information. Safetech and the Attorney General entered into a comprehensive settlement agreement that requires Safetech to establish and implement a comprehensive, multi-part data security program. Particularly given the oversight by the Attorney General, the security program may be onerous and expensive to implement.

Now that the states have shown an increased interest in regulating, through legislation or an enforcement action, the cybersecurity practices of companies, many companies will be faced with complying with several states’ laws and requirements. In practice, companies may attempt not to do business in states with restrictive cybersecurity laws or may apply the most restrictive standard to the entire organization nationwide.

This of course assumes that none of the regulations will conflict, which, in an area as complex and ever-changing as cybersecurity, is not a given. It may also lead to a compliance-driven posture, where companies focus on ensuring legal compliance rather than on building a robust cybersecurity program, which comes from a healthy risk management process that includes appropriate risk assessments. Given the high-profile nature and number of data breaches, however, it is unlikely that states will engage in less legislation and enforcement, and the patchwork of state laws will continue to grow.

About the Author: Jami Mills Vibbert is a Counsel in Venable’s Privacy and Data Security practice who advises and counsels clients on matters related to data security, data protection, and data risk management. Jami is based in the firm’s New York office. For more information, visit www.venable.com.


NK is the new Iraq?

Referring to the television series Orange Is the New Black, I cannot help but consider it very convenient to blame the North Koreans for a worldwide incident whose cost is still being counted but clearly amounts to thousands of dollars worth of damage. Not for security companies, of course (Fig. 1). Their shares are rising on stock exchanges around the world, although they were not able to protect the thousands of WannaCry victims. In my article Symbiosis and Fear: Evolutionary Benefits of Cybersecurity, published in the United States Cybersecurity Magazine, I present this promiscuous relationship between fear and the money that security costs accumulate. It is funny; I think the cybersecurity market is the only business whose stocks go to the Moon on the Dow Jones/Nasdaq when its products fail shamefully.

Fig. 1 - http://quotes.wsj.com May 17/2017


The Spring 2016 issue of Cyber Security Review magazine presented an article, Apoc@lypse: The End of Antivirus, When the Antivirus is the Threat, that warned of a vulnerability that can take down any machine running any antivirus on the globe.

Today cyber weapons have the power to cause damage on the scale of a weapon of mass destruction.

We cannot compare the human tragedy, but we can compare the potential for destruction in the natural world and in the cyber world. Cyber weapons are better compared to the K-T extinction event than to a nuclear weapon.

Unfortunately, governments lie, and we need serenity to analyze before assigning any guilt. It was so with Iraq, where the UK and the USA created a false fear.

Supposed weapons of mass destruction "legitimized" an invasion whose main purpose was the war business. After WW2, the US learned how to make money with war.

Selling weapons, and/or destroying in order to rebuild (with American companies, of course). The fact is that many years have passed and the public embarrassment occurred, especially for the British. But in the end Saddam Hussein is dead and the oil is British/American.

The war business does not stop, so America funds many organizations to destabilize countries around the globe and create fear, like Osama.

It creates fear and spends millions to eliminate that fear. Maybe in this case things got out of control because the fear became reality in America's backyard.

But he is already dead too, despite the collateral effect of the Islamic State. In fact, if Sun Tzu wrote The Art of War, America rewrote the concept of war by creating all the generic Bin Ladens.

Fig. 2 - North Korea. (Pixabay image)

The need to sell heavy armament drives America and its biggest business. It is necessary to destroy and rebuild successively to keep the population in fear and willing to finance any war. Always outside the American gates, of course.

In this respect, North Korea is perfect: a place that only 26% of Americans can locate on a map (Fig. 2). It is far away, and it would be one Communist regime less. It is true that there is no oil or large land there.

But the land it has is rich in rare earth elements, which may account for two-thirds of the planet's reserves. This is a lot of money. According to the site http://www.rareelementresources.com, "The US Department of Energy calls them 'technology metals.' They make possible the high tech world we live in today – everything from the miniaturization of electronics, to the enabling of green energy and medical technologies."

We need to listen to human history and ask: what natural resources does your nation have?

Fig. 3 - Do you know this place? (pixabay image)

References

http://www.uscybersecurity.net/united-states-cybersecurity-magazine/spring-2017/mobile/index.html#p=61

http://edition.cnn.com/2013/03/19/opinion/iraq-war-oil-juhasz/

https://www.theguardian.com/uk-news/2016/jul/07/us-and-britain-wrangled-over-iraqs-oil-in-aftermath-of-war-chilcot-shows

http://thediplomat.com/2014/01/north-korea-may-have-two-thirds-of-worlds-rare-/

http://www.rareelementresources.com/rare-earth-elements#.WRurReXyvIU

https://www.nytimes.com/interactive/2017/05/14/upshot/if-americans-can-find-north-korea-on-a-map-theyre-more-likely-to-prefer-diplomacy.html?smid=fb-share

https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/


http://www.independent.co.uk/news/uk/politics/chilcot-report-iraq-war-inquiry-tony-blair-george-bush-us-uk-what-happened-a7119761.html

http://www.theinsider.org/news/article.asp?id=0228

http://money.cnn.com/2017/05/15/investing/ransomware-attack-cybersecurity-stocks/

http://www.cybersecurity-review.com/articles/apocalypse-the-end-of-antivirus-when-the-antivirus-is-the-threat/

https://www2.jpl.nasa.gov/sl9/back3.html

http://fortune.com/2017/05/19/wannacry-cyber-security-firms/

#WannaCry; #Korea

About the Author

Rodrigo Ruiz is a researcher at CTI - Centro de Tecnologia da Informação Renato Archer, Campinas, Brazil. In addition, he is a member of the Society of Digital Information and Wireless Communications, as well as the co-author of Apoc@lypse: The End of Antivirus. He has also authored papers about privacy and security for Cyber Defense Magazine, Cyber Security Review, JCSM, 2600 Magazine, US Cybersecurity Magazine, ICCYBER, ICCICS, WCIT2014, YSTS, IJCSDF, ICISCF, SIGE.

[email protected]

https://www.researchgate.net/profile/Rodrigo_Ruiz3


NSA Spying Concerns? Learn Counterveillance

Free Online Course Replay at www.snoopwall.com/free

"NSA Spying Concerns? Learn Counterveillance" is a 60-minute recorded online instructor-led course for beginners. You will learn how easily we are all being spied upon - not just by the NSA but by cyber criminals, malicious insiders and even online predators who watch our children - and then the basics of the art of Counterveillance and how you can use new tools and techniques to defend against this next-generation threat of data theft and data leakage.

The course has been developed for IT and IT security professionals including Network Administrators, Data Security Analysts, System and Network Security Administrators, Network Security Engineers and Security Professionals.

After you take the class, you'll have newfound knowledge and understanding of:

1. How you are being spied upon.
2. Why Counterveillance is so important.
3. What you can do to protect private information.

Course Overview:

How long has the NSA been spying on you? What tools and techniques have they been using? Who else has been spying on you? What tools and techniques they have been using? What is Counterveillance? Why is Counterveillance the most important missing piece of your security posture? How hard is Counterveillance? What are the best tools and techniques for Counterveillance?

Your Enrollment includes :

1. A certificate for one free personal usage copy of the Preview Release of SnoopWall for Android
2. A worksheet listing the best open and commercial tools for Counterveillance
3. Email access to the industry leading Counterveillance expert, Gary S. Miliefsky, our educator.
4. A certificate of achievement for passing the Concise-Courses Counterveillance 101 course.

Visit this course online, sponsored by Concise-Courses.com and SnoopWall.com at http://www.snoopwall.com/free


Top Twenty INFOSEC Open Sources

Our Editor Picks His Favorite Open Sources You Can Put to Work Today

There are so many projects at SourceForge that it’s hard to keep up with them. However, that’s not where we are going to find our growing list of the top twenty infosec open sources. Some of them have been around for a long time and continue to evolve; others are fairly new. These are the Editor’s favorites that you can use at work, and some at home, to increase your security posture, reduce your risk and harden your systems. While there are many great free tools out there, these are open source, which means they are released under an open-source license (often the GPL or a similar copyleft license) that you should read and feel comfortable with before deploying. For example, under a copyleft license, if you improve the code and redistribute it, you are typically required to share your changes with the entire community – nothing proprietary here.

Here they are:

1. TrueCrypt.org – The Best Open Encryption Suite Available (Version 6 & earlier)
2. OpenSSL.org – The Industry Standard for Web Encryption
3. OpenVAS.org – The Most Advanced Open Source Vulnerability Scanner
4. NMAP.org – The World’s Most Powerful Network Fingerprint Engine
5. WireShark.org – The World’s Foremost Network Protocol Analyser
6. Metasploit.org – The Best Suite for Penetration Testing and Exploitation
7. OpenCA.org – The Leading Open Source Certificate and PKI Management
8. Stunnel.org – The First Open Source SSL VPN Tunneling Project
9. NetFilter.org – The First Open Source Firewall Based Upon IPTables
10. ClamAV – The Industry Standard Open Source Antivirus Scanner
11. PFSense.org – The Very Powerful Open Source Firewall and Router
12. OSSIM – Open Source Security Information Event Management (SIEM)
13. OpenSwan.org – The Open Source IPSEC VPN for Linux
14. DansGuardian.org – The Award Winning Open Source Content Filter
15. OSSTMM.org – Open Source Security Test Methodology
16. CVE.MITRE.org – The World’s Most Open Vulnerability Definitions
17. OVAL.MITRE.org – The World’s Standard for Host-based Vulnerabilities
18. WiKiD Community Edition – The Best Open Two Factor Authentication
19. Suricata – Next Generation Open Source IDS/IPS Technology
20. CryptoCat – The Open Source Encrypted Instant Messaging Platform

Please do enjoy and share your comments with us – if you know of others you think should make our list of the Top Twenty Open Sources for Information Security, do let us know at [email protected].

(Source: CDM)


National Information Security Group Offers FREE Techtips

Have a tough INFOSEC Question – Ask for an answer and ‘YE Shall Receive

Here’s a wonderful non-profit organization. You can join for free, start your own local chapter and so much more.

The best service of NAISG is their free Techtips. It works like this: you join the Techtips mailing list.

Then, of course, you’ll start to see a stream of emails with questions and ideas about any area of INFOSEC. Let’s say you just bought an application layer firewall and can’t figure out a best-practices model for firewall log storage; you could ask thousands of INFOSEC experts in a single email by posting your question to the Techtips list.

Next thing you know, a discussion ensues and you’ll have more than one great answer. It’s the NAISG.org’s best kept secret.

So use it by going here: http://www.naisg.org/techtips.asp

SOURCES: CDM and NAISG.ORG

SIDENOTE: Don’t forget to tell your friends to register for Cyber Defense Magazine at: http://register.cyberdefensemagazine.com where they (like you) will be entered into a monthly drawing for the Award winning Lavasoft Ad-Aware Pro, Emsisoft Anti-malware and our new favorite system ‘cleaner’ from East-Tec called Eraser 2013.


Job Opportunities

Send us your list and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at [email protected]

Free Monthly Cyber Warnings Via Email

Enjoy our monthly electronic editions of our Magazines for FREE.

This magazine is by and for ethical information security professionals with a twist on innovative consumer products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best ideas, products and services in the information technology industry. Our monthly Cyber Warnings e-Magazines will also keep you up to speed on what’s happening in the cyber crime and cyber warfare arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of sharing with you – so enjoy.

You get all of this for FREE, always, for our electronic editions.

Click here to signup today and within moments, you’ll receive your first email from us with an archive of our newsletters along with this month’s newsletter.

By signing up, you’ll always be in the loop with CDM.


Cyber Warnings E-Magazine June 2017

Sample Sponsors:

To learn more about us, visit us online at http://www.cyberdefensemagazine.com/


Don’t Miss Out on a Great Advertising Opportunity. Join the INFOSEC INNOVATORS MARKETPLACE:

First-come-first-serve pre-paid placement
One Year Commitment starting at only $199
Five Year Commitment starting at only $499
http://www.cyberdefensemagazine.com/infosec-innovators-marketplace

Now Includes: Your Graphic or Logo, Page-over Popup with More Information, Hyperlink to your website. BEST HIGH TRAFFIC OPPORTUNITY FOR INFOSEC INNOVATORS

Email: [email protected] for more information.


Cyber Warnings Newsflash for June 2017

Highlights of CYBER CRIME and CYBER WARFARE Global News Clippings

Here is a summary of this month’s cyber security news. Get ready to read on and click the links below the titles to read the full stories. So find those of interest to you and read on through your favorite web browser…

New cyberattack spreads fast across the globe http://www.cbsnews.com/news/cyberattack-ransomware-ukraine-websites-hackers-similar-wannacry-malware/

Global ransomware attack causes turmoil http://www.bbc.com/news/technology-40416611

DLA Piper Victim of Massive Malware Attack https://bol.bna.com/dla-piper-victim-of-massive-malware-attack/

Is Mac malware a growing threat? http://www.houstonchronicle.com/business/article/Is-Mac-malware-a-growing-threat-11248602.php


New cyberattack wallops Europe; spreads more slowly in US

http://abcnews.go.com/Technology/wireStory/hackers-strike-europe-sparking-widespread-disruption-48301067

Scam Report: PowerPoint social engineering attack installs malware

http://www.readingeagle.com/business-weekly/article/scam-report-powerpoint-social-engineering-attack-installs-malware

Is This Ukrainian Company The Source Of The 'NotPetya' Ransomware Explosion?

https://www.forbes.com/sites/thomasbrewster/2017/06/27/medoc-firm-blamed-for-ransomware-outbreak/#3a3b66fe73c8

New malware hits JNPT operations as APM Terminals hacked globally

http://indianexpress.com/article/india/cyber-attack-new-malware-hits-jnpt-ops-as-apm-terminals-hacked-globally-4725102/

Thailand in top 10 for malware in Asia

http://www.bangkokpost.com/business/news/1274739/thailand-in-top-10-for-malware-in-asia

Malware goes after financial info of Android users http://www.winknews.com/2017/06/26/malware-goes-after-financial-info-of-android-users/

Stolen American malware used to take over traffic cameras in Australia

http://www.sandiegouniontribune.com/news/cyber-life/sd-me-wannacry-malware-20170622-story.html


This malware activates when you hover over a link in Microsoft PowerPoint

https://qz.com/1003250/this-malware-activates-when-you-hover-over-a-link-in-microsoft-powerpoint/

Virus scanner -- or malware? Beware app store fakes https://www.cnet.com/news/virus-scanners-filled-with-malware-are-flooding-app-stores/

Malware in encrypted traffic uncovered with machine learning

http://searchsecurity.techtarget.com/news/450421296/Malware-in-encrypted-traffic-uncovered-with-machine-learning


Copyright (C) 2017, Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC. 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected] Cyber Warnings Published by Cyber Defense Magazine, a division of STEVEN G. SAMUELS LLC.Cyber Defense Magazine, CDM, Cyber Warnings, Cyber Defense Test Labs and CDTL are Registered Trademarks of STEVEN G. SAMUELS LLC. All rights reserved worldwide. Copyright © 2016, Cyber Defense Magazine. All rights reserved. No part of this newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, recording, taping or by any information storage retrieval system without the written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

Cyber Defense Magazine 848 N. Rainbow Blvd. #4496, Las Vegas, NV 89107. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. [email protected] www.cyberdefensemagazine.com

Cyber Defense Magazine - Cyber Warnings rev. date: 06/28/2017
