Is someone hiding their servers in your data center?

Christopher Naples is on track to become the second most infamous person for bringing his own computer gear to work illicitly. He was recently charged with using more than 40 devices to mine Bitcoin and other cryptocurrencies, connecting them to his office computer racks. Naples is (was) an IT supervisor for the Suffolk County Long Island government. His gear was placed under raised floors and inside unused power panels, clearly to avoid obvious detection. The crypto mining gear generated so much heat that the HVAC folks had to rebalance their systems to cool everything off, costing the county thousands in added electrical power.

His case will now be heard by the courts, and I wish them well in being able to sort out the situation. Mining, or creating new crypto value, is a very energy-intensive operation because it uses very high-end computing gear that draws power. There have been some estimates that the total power consumed by all the worlds’ Bitcoin users is more than the demand by Finland, which has 5.5M people.

I think the case against Naples is pretty solid: this was gear that he was using to enrich his own personal gain. The reason why I say his second place entry in this unique category is because of the case of Aaron Swartz, a computer scientist who ten years ago hid his server in a MIT closet. Swartz was unhappy that an online academic research consortium called JStor was charging for copies of articles to private citizens but granting free access to certain academic users. Hence the location. Over the course of several months, he managed to download millions of articles to his server, which eventually tripped a network monitor and brought a huge federal case of 13 felony charges against him. He killed himself shortly before he was to begin serving a long jail term. (Carl Malamud, who worked with Swartz, documents the situation nicely here.)

A case could be made that Ed Snowden deserves to be on this list somewhere: he did bring USB thumb drives to his office to download various NSA secret documents, although he didn’t leave any gear in his office closet. Unlike Swartz and Naples, his frantic document copying tactics weren’t detected by his employer, which is more ironic given the nature of the NSA and presumably the various scans and network checks that should have been in place to detect this massive effort.

What Swartz, Snowden and Naples to some extent prove is the value of intrusion detection, particularly as it relates to exporting data to a remote network. Of course, now that many of us are working remotely, this brings up special challenges to detect these massive data exports when they are part of the normal operations and not something fishy going on.

You might think that hiding your personal servers at work could be solved by moving more resources into the cloud. But this just makes finding these illicit servers a lot harder to find. There are a number of tools that can specifically search for non-sanctioned servers, but you still need IT staffers to keep track of things.

Avast blog: Instagram bans are now being sold as crime-as-a-service

Cybercriminals are expanding their “services” by offering to ban an Instagram user for the low, low price of $60. This was recently reported by Motherboard, whose research showed that anyone on Instagram can harass or censor anyone else. The notion is actually pretty clever, because the same criminals (and their close accomplices) can then offer a “restoration” service to the victim for several thousands of dollars.

Instagram has a support page that walks you through how to protest a disabled or banned account. It isn’t very good. In my post for Avast’s blog, I mention the issues and what you can do to harden your Instagram account.

CSOonline: How to find the right testing tool for Okta, Auth0, and other SSO solutions

If you have bought a single sign-on (SSO) product, how do you know that is operating correctly? That seems like a simple question, but answering it isn’t so simple. Configuring the automated sign-ons will require understanding of the authentication protocols they use. You will also need to know how your various applications use these protocols—both on-premises and SaaS—to encode them properly in the SSO portal. It would be nice if you could run an automated testing tool to find out where you slipped up, or where your SSO software is failing. That is the subject of this post. You can read more on How to find the right testing tool for Okta, Auth0, and other SSO solutions on CSOonline here.

 

 

NokNok blog: Next level metal credit cards

I got my first metallic credit card from Apple a few years ago. I thought it was more a curiosity than anything else. Soon after, my wife got a metallic card from Chase. American Express and Discover have both been making metal cards for years as well. Now, thanks to a partnership between NokNok and CompoSecure, you will see new types of cards that have something besides their outer skin to offer consumers: the ability to include authentication tokens and cold cryptocurrency wallets. You can read more in my blog post for NokNok here.

Avast blog: Protect your online store against Magecart attacks

Shopping cart malware, known as Magecart, is once again making headlines while plying its criminality across numerous ecommerce sites. Its name is in dishonor of two actions: shopping carts, and more specifically, those that make use of the open-source ecommerce platform Magento. Magecart malware compromises shopping carts in such a way that credit card data collected by the cart is transmitted to cybercriminals, who in turn resell this information to other bad actors. In my blog for Avast, I review some of the more notable attacks over the past several years and catalog the confluence of trends that have made Magecart a popular threat vector.

In addition to some suggestions on how you can strengthen your ecommerce storefront, here are a few other tips  to try to prevent this from happening to your website:

  1. Use this browser-based tool from Trustwave to check if your site has been compromised, along with other tips listed in the blog post to help you investigate your web storefront code.
  2. Use isolation tools such as this one from SourceDefense to better control access rules and prevent malicious script injections.
  3. Finally, whatever website server software you use, make sure you apply updates as soon as possible. Magento users who were compromised by early attackers delayed these updates and the attackers found these outdated versions and took advantage of them. The software vendor lists current patches and also has a free vulnerability scanning tool too.

Avast blog: Here’s how hackers can steal your data using light, radio, and sound waves

Most of us are familiar with the primary methods for moving data into and off of our computers: think Wi-Fi networks, USB ports, and Bluetooth connections. However, there are additional, lesser known ways in which data can be retrieved from a device. An elite group of cyber researchers from Ben-Gurion University (BGU) in Beersheva, Israel, have made it their mission to figure out more than a dozen different ways that bad actors with lots of time can extract information, even if you think your PC isn’t connected to anything obvious.

In my post for Avast’s blog, I summarize these methods and provide some advice on how to avoid these sorts of attacks.

Two new posts on cybersec certifications advice from Infosec Resources

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary. I wrote two posts for Infosec Resources.

In our first post, we presented the issues a manager should consider in building a training program for their company. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers. In this first post, I talk about what are some of the benefits of training and ways to measure them, explore some of the costs, and the four different modalities that you can use to design your own training program.

In the second post, I explore the benefits and costs from the individual’s perspective and what you should expect from a certificate program and how to evaluate a program. This post also has a handy comparison chart that shows your costs and other considerations from the major infosec certs.

Nine ways to improve your business cybersecurity

Two new reports  show the dismal state of cybersecurity across US federal government networks. First is this report from the General Accounting Office, which found hundreds of its earlier recommendations haven’t been implemented by numerous federal agencies. While there has been some progress since it last review these procedures, much work remains to secure our federal systems.

And more recently is this report from the Senate Homeland Security committee is now out. Despite years of warnings, federal agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards. We all knew that the feds were lax when it came to implementing better cybersecurity practices, but the lack of many basic security practices is alarming.

Here are nine things that most federal departments don’t do and that your company should implement.

1. Maintain an accurate and current IT asset inventory, including apps and OS versions. Do you know where all your critical apps are, and who is responsible for them? How about where outdated systems (Windows XP anyone) still live and lurk? If you don’t know, you will need to find this out, and the sooner the better.
2. Patch quickly and constantly stay up to date with them. Microsoft issues patches weekly on Tuesdays. Adobe is also generous (ahem) with its patches. But you need to get into the regular habit. Some major cyber attacks happened because businesses — some very big ones at that — took a couple of weeks to get around to doing them. (Remember WannaCry?
3. Know your risk factors and assess them regularly. I have written lots of articles about assessing risk, including this one for CSOonline. The key word in this task is being regular. If you are running an online business, your applications are continuously changing, and that means you need to audit these risks and ensure that something isn’t missed. The GAO report found that “while many agencies almost always designated a risk executive, few had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.”
4. Do you track unauthorized users’ access to your systems? It is a simple yes or no answer, but often we don’t know enough to be sure. So many attacks happen because the bad guys have gotten into our networks months ago, and had time to mess around with things before we found evidence of the intrusion.
5. Have you implemented any multi-factor authentication methods? One way to shore up your access is to use MFA. This is gaining traction but still far from universal, whether that be inside government or out.
6. Do you protect your personal identifying information (PII) and do you know when you don’t? It is important to first understand where you can find your PII, who has control over this data, and who has control over protecting it.
7. Do you have a CIO or does anyone have that role carry the authority to fix any of the above problems? While many small businesses don’t have budgets to hire a full-time CIO, someone has to take on the job — either inside the company or as a consultant. Make sure the authority to make improvements is also part of the job.
8. Do you know your IT supply chains well enough? The recent ransomware attacks have shown that many businesses haven’t developed any procedures to ensure that they are protected from these sorts of attacks.
9. Have you read and implemented the NIST standards docs? What, you don’t know what I am talking about? Back in April 2018, the National Institute of Standards published its Framework for Improving Critical Infrastructure Cybersecurity.  Speaking of improving supply chains, another NIST document is worthy of your attention — it lists a bunch of mitigation measures for this particular scourge. While a lot of both documents is written in government mumbo-jumbo, the basics are all spelled out how businesses can reduce the risk of cyber attacks.
Good luck with improving your defenses.

Avast blog: An Ugly Truth: A book review

56470423. sy475 New York Times reporters Sheera Frenkel and Cecilia Kang have been covering the trials and tribulations of Facebook for the past several years, and they have used their reporting to form the basis of their new book, An Ugly Truth: Inside Facebook’s Battle for DominationThe book is based on hundreds of interviews of these key players  and shows the roles played by numerous staffers in various events, and how the company has acted badly towards protecting our privacy and making various decisions about the evolution of its products. Even if you have been following these events, reading this book will be an eye-opener. If you are concerned with your personal security or how your business uses its customer data, this should be on your summer reading list. The book lays out many of the global events where Facebook’s response changed the course of history.

My review of the book and some of the key takeaways for infosec professionals and security-minded consumers can be found here.

Avast blog: Beware of crypto exchange scams

You may already have won! How many scams have begun with these words?

There is a new breed of scammers gaining popularity, thanks to the wild swings in the cryptocurrency market. I worked with Avast researcher Matěj Račinský who has tracked three different fake crypto exchanges, I show you some of the come-on messages, why their tactics are so compelling and — almost — believable — and how they ply their criminal trade, including phony news sites announcements (as shown here).

You can read more about these scammers, and ways to avoid them, in my blog post for Avast here.