Daily Archives: April 13, 2018

IDG Contributor Network: From NSTIC to improved federal identity, credential and access management

7 years ago – the NSTIC and the goal of an identity ecosystem

Seven years ago this month, the Obama Administration published the “National Strategy for Trusted Identities in Cyberspace (NSTIC)”. NSTIC called for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

Born out of the NSTIC and operating under grants from the National Institute of Standards and Technology (NIST) is the Identity Ecosystem Steering Group (IDESG), a private sector-led not-for-profit organization. Any identity ecosystem requires trust and, specifically, a trust framework. The IDESG’s Identity Ecosystem Framework provides a baseline set of standards and policies that enables individuals and organizations to use a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet. Full disclosure, I currently serve on the IDESG’s Board of Directors.


Typosquatting: What You Need to Know Now

As it turns out, your high school English teacher was right—spelling does matter. This is especially true now, when mistyping a simple web address could potentially land you in hot water. Although “typosquatting” has been around for a long time, cybercriminals are becoming more systematic in how they use this technique, aiming to steal personal information, make money, or spread malware.

If you’ve ever typed in a web address and landed on a page that is nothing like the one you intended to go to, you may be familiar with this practice, also known as “URL hijacking.” This is when a webpage is put up at a similar web address to another well-known site, in the hopes of capturing some of the legitimate website’s traffic.

These sites often rely on the small typos we make when we type in web addresses, like accidentally omitting the “o” in “.com”. In fact, researchers recently found a whole host of addresses that were registered in the names of well-known sites, but terminating in “.cm”, instead of “.com”. These copycat addresses included financial websites, such as Chase.cm and Citicards.cm, as well as social and streaming sites.

The .cm sites were used to advertise promotions and surveys used to collect users’ personal information. What’s more, over 1,500 of them were registered to the same email address, indicating that someone was trying to turn typosquatting into a serious business.

While early typosquatting efforts were often aimed at stealing traffic alone, we’re now seeing a move toward clever copycats. Some look like real banking websites, complete with stolen logos and familiar login screens, hoping to trick you into entering your passwords and other sensitive information.

Earlier this year, for instance, the Reserve Bank of India (RBI) warned customers that someone had bought the URL “www.indiareserveban.org”, and put up a fake site, asking for banking details and passwords, even though the real RBI is a central bank that holds no individual accounts.

But, cybercrooks don’t even need to put up fake websites to try to steal your information; they can also trick you into downloading malware. They may lead you to a site that delivers a pop-up screen telling you to update your Adobe Flash Player, for instance.

That’s exactly what happened not too long ago to Netflix users who accidentally typed in “Netflix.om”, instead of “.com”. The cybercrooks had smartly used the Netflix address ending in the top-level domain for Oman to try to redirect at least some of the streaming site’s over 118 million users to a malware-laden site instead. In fact, “.om” was used as part of a larger typosquatting campaign, targeting over 300 well-known organizations.
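The two patterns described above (a truncated top-level domain such as “.cm” or “.om” standing in for “.com”, and a dropped letter in the site name) can be checked for on the defensive side, for example against proxy or DNS logs. The following is an added example, not code from the McAfee post; the watchlist and the log lines are constructed.

```python
# Added example, not code from the McAfee post: flag hostnames in proxy logs that
# are one typo away from a watchlist of legitimate sites. Domains are constructed.

WATCHLIST = {"chase.com", "citicards.com", "netflix.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_match(host: str, watchlist=WATCHLIST):
    """Return the watchlisted domain `host` resembles (TLD one edit away, e.g.
    netflix.om, or name one edit away, e.g. citicads.com); None otherwise."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in watchlist:
        return None
    name, _, tld = host.rpartition(".")
    for legit in sorted(watchlist):
        l_name, _, l_tld = legit.rpartition(".")
        if name == l_name and edit_distance(tld, l_tld) == 1:
            return legit
        if tld == l_tld and edit_distance(name, l_name) == 1:
            return legit
    return None

# Constructed proxy-log lines: "<timestamp> <client> <host> <path>".
SAMPLE_LOG = """\
2018-04-13T10:01:02Z 10.0.0.5 www.netflix.com /browse
2018-04-13T10:01:09Z 10.0.0.5 netflix.om /
2018-04-13T10:02:30Z 10.0.0.7 chase.cm /login
2018-04-13T10:03:11Z 10.0.0.9 citicards.com /account
2018-04-13T10:04:45Z 10.0.0.9 citicads.com /account
"""

def scan_log(text: str):
    """Return (client, host, lookalike_of) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        _ts, client, host, _path = line.split()
        legit = typosquat_match(host)
        if legit:
            hits.append((client, host, legit))
    return hits
```

A one-edit rule is deliberately narrow; real brand-monitoring tools also cover transpositions, homoglyphs and added words, and should whitelist domains the organization legitimately owns.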

Given that typos are easy to do, and fake websites are becoming more convincing, here are the steps you should take to protect yourself from typosquatting:

  • Whether you type in a web address to the address field, or a search engine, be careful that you spell the address correctly before you hit “return”.
  • If you are going to a website where you might share private information, look for the green lock symbol in the upper left-hand corner of the address bar, indicating that the site uses encryption to secure the data that you share.
  • Be suspicious of websites with low-quality graphics or misspellings, since these are telltale signs of fake websites.
  • Consider bookmarking sites you visit regularly to make sure you get to the right site, each time.
  • Don’t click on links in emails, text messages and popup messages unless you know and trust the sender.
  • Consider using a safe search tool such as McAfee WebAdvisor, which can alert you to risky websites right in your search results.
  • Always use comprehensive security software on both your computers and devices to protect you from malware and other online threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Typosquatting: What You Need to Know Now appeared first on McAfee Blogs.

US discusses authorizing cyber attacks outside “war zone”

In a nutshell, traditional definitions of war linked to kinetic action and physical space are being framed as overly restrictive given a desire by some to engage in offensive attacks online. The head of NSA is asking whether reducing that link and authorizing cyber attack within a new definition of “war” would affect the “comfort” of those holding responsibility.

“[On offense] the area where I think we still need to get a little more speed and agility — and as Mr. Rapuano indicated it is an area that is currently under review right now — what is the level of comfort in applying those capabilities outside designated areas of hostility,” Rogers asked out loud.

“I don’t believe anyone should grant Cyber Command or Adm. Rogers a blank ticket to do whatever you want, that is not appropriate. The part I am trying to figure out is what is the appropriate balance to ensure the broader set of stakeholders have a voice.”

Rapuano also referenced challenges associated with defining “war” in the context of cyber, which can be borderless due to the interconnected nature of the internet.

“In a domain that is so novel in many respects, and for which we do not have the empirical data and experience associated with military operations per se, particularly outside areas of conflict, there are some relatively ambiguous areas around ‘well, what constitutes traditional military activities,’” said Rapuano. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs; so that’s an area we’re looking at to understand the trades and implications of changing the current definition.”

While I enjoy people characterizing the cyber domain as novel and border-less, let’s not kid ourselves too much. The Internet has far more borders and controls established, let alone a capability to deploy more at speed, given they are primarily software based. I can deploy over 40,000 new domains with high walls in 24 hours and there’s simply no way to leverage borders as effectively in a physical world.

Even more to the point I can distribute keys to access in such a way that it spans authorities and bureaucratically slows any attempts to break in, thus raising a far stronger multi-jurisdictional border to entry than any physical crossing.

We do ourselves no favors pretending technology is always weaker, disallowing for the prospect of a shift to stronger boundaries of less cost, and forgetting that Internet engineering is not so much truly novel as a revision of prior attempts in history (e.g. evolution of transit systems).

My recent talk at AppSecCali for example points out how barbed wire combined with repeating rifles established borders faster and more effectively than the far more “physical” barriers that came before. Now imagine someone in the 1800s calling a giant field with barbed wire border-less because it was harder for them to see in the same context as a river or mountain…

What humans do better than machines

The second in a series of three blogs by Grant and Jason on the process of identifying actionable insights.

In the last post in this series, we looked at the process by which data is collected from the operating environment and is then processed and distributed in a consumable manner as information. The collection and processing actions are typically automated. However, the last phase, analysis, has been almost exclusively the domain of human analysts until very recently.

And it is that human intervention at the “last mile” for intelligence that presents the challenge when your operating environment is throwing off 1,200, or even 100,000, warning bells a day from a chatty Network IPS.

It would be easy to say that the way forward is to apply artificial intelligence (AI) to this analysis phase and automate our way out of the chokepoint. But the reality is that AI, for the foreseeable future, is still going to be insufficient for the task.

In data science, a classifier’s true positive rate and false positive rate move together: loosening the decision threshold to catch more real threats also escalates more false alarms, so no model is 100% accurate. While machine learning and deep learning are critical in the SOC, it is essential to understand the Receiver Operating Characteristic (ROC) curve, which plots exactly that trade-off for a SOC detector. Assuming that machine learning models and classifiers will work 100% of the time is setting your SOC up to fail. Instead, a better approach is to use different technologies to filter out the noise. Then you can identify signals to gather insights that enable you to make a decision.

What is needed here is a reinforcing loop of education and information between humans and machines: “human-machine teaming” to borrow from our CTO, Steve Grobman. The goal is to augment the person, instead of replacing them.

It’s important to say that there are some things that human analysts can do on their own to get to actionable insights without the assistance of any machine, thank you very much. At McAfee, our security analysts focus on:

  • Prevalence – How pertinent is this information to the enterprise? Is it local threat intelligence? Or used in a specialized way? Is it industry-level threat intelligence? Or global threat intelligence?
  • Age – Understanding “new” signals, whether they are process, scripts, or files in the environment.
  • Diversity – Building on prevalence, we add diversity of sources, such as McAfee’s Global Threat Intelligence (GTI), which provides more context from across the globe.

Additionally, these traits are essential to SOC processes:

  • Completeness – Do you have sufficient noise collection to capture context and evidence to deliver effective detection?
  • Timeliness – Are you acting on the signals quickly?
  • Accuracy – Do you understand the relationship between true positives, false positives, true negatives, and false negatives?
  • Confidence – Are you aggregating data and models to understand confidence level and importance of the decisions?
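The ROC trade-off described earlier and the “Accuracy” trait above (knowing your true positives, false positives, true negatives and false negatives) can be made concrete on a small set of scored alerts. The following is an added example, not code from the McAfee post; the alert scores and analyst labels are constructed, and the score is assumed to be a classifier’s “malicious” probability.

```python
# Added example, not code from the McAfee post: the TPR/FPR trade-off behind a
# ROC curve, computed on constructed alert scores (score = classifier's
# "malicious" probability, label = 1 if an analyst confirmed a real threat).

# (score, label): constructed, mixed so that no threshold separates them cleanly.
ALERTS = [(0.95, 1), (0.90, 1), (0.85, 0), (0.80, 1), (0.70, 1),
          (0.60, 0), (0.55, 1), (0.40, 0), (0.30, 0), (0.20, 1),
          (0.15, 0), (0.10, 0)]

def confusion(alerts, threshold):
    """Count TP, FP, TN, FN when every score >= threshold is escalated."""
    tp = fp = tn = fn = 0
    for score, label in alerts:
        flagged = score >= threshold
        if flagged and label:
            tp += 1
        elif flagged:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn

def rates(alerts, threshold):
    """True positive rate (recall) and false positive rate at a threshold."""
    tp, fp, tn, fn = confusion(alerts, threshold)
    return tp / (tp + fn), fp / (fp + tn)

def roc_points(alerts):
    """(FPR, TPR) for every distinct score, plus the (0,0) and (1,1) ends."""
    points = {(0.0, 0.0), (1.0, 1.0)}
    for score, _ in alerts:
        tpr, fpr = rates(alerts, score)
        points.add((fpr, tpr))
    return sorted(points)

def auc(points):
    """Area under the ROC curve by the trapezoid rule (0.5 = coin flip)."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area

def sweep(alerts, thresholds=(0.9, 0.7, 0.5, 0.3)):
    """Show how loosening the threshold raises TPR and FPR together."""
    return [(t, *rates(alerts, t)) for t in thresholds]
```

Running `sweep(ALERTS)` shows that no threshold reaches full recall without also escalating most of the benign alerts, which is the point of putting a human in the loop rather than trusting a single cut-off.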

You will always want a lot of signals to investigate that can be created using data science methodologies, because these are often the clues that allow you to start the triage and investigation process.

So this is where automation and machine learning can help to bridge the human labor gap. As you start down that path, what you realize is you’re going to need tools that are easier to manage. The focus becomes enabling your staff to do more. Learning mechanisms – for humans and machines – become a vital part of the equation. The idea is to put the human in the middle of the self-reinforcing data science capabilities like machine learning, deep learning and AI.

In the final post in this series, we’ll look at how McAfee Product Management, Engineering and the Office of the CISO are collaborating to generate that self-reinforcing learning loop.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA. Jason Rolleston can also be found at similar events and on Twitter and LinkedIn.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.

McAfee does not control or audit third-party benchmark data or the websites referenced in this document. You should visit the referenced website and confirm whether referenced data is accurate.

The post What humans do better than machines appeared first on McAfee Blogs.

ZenMate VPN review: This simple VPN clears your mind of complexity

ZenMate VPN in brief:

  • P2P allowed: Yes
  • Business location: Berlin, Germany
  • Number of servers: 300+
  • Number of country locations: 29
  • Cost: $60 per year
  • VPN protocol: IPSec + L2TP
  • Data encryption: 2048-bit PSK/ESP 
  • Data authentication: AES 256/HMAC
  • Handshake encryption: IKEv2 sha256 with 4096-bit RSA

When you think of Zen you probably think of monks, meditation, and cryptic sayings meant to expand your understanding of the world. But the word also suggests a certain sparseness and simplicity. Germany-based ZenGuard took those latter notions to heart when it created its ZenMate VPN service.
