Posted by Jan Keller, Security TPM
Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!
Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.
Hence, we are excited to announce Google CTF 2018:
Date and time: 00:00:01 UTC on June 23rd and 24th, 2018
The winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).
For beginners and veterans alike
Based on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.
On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on Windows 7/9 and 50% on Win10.
For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.
In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.
The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.
Information Security Leadership Insights
In the second of this three-part series examining the stages of firewall management maturity, we look at next generation firewall technology. Next generation firewalls provide tremendous value, but also present unique challenges for organizations trying to manage the technology.
If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.
Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.
The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence that may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works, but rather on how an investigator can extract what they need for an investigation quickly and simply.
Two-Factor or Not Two-Factor? Why is This a Question?
Two-factor authentication, or “2FA” as the cool kids call it, is a common form of multi-factor authentication, or MFA. These are not new concepts. In fact, they have been part of human culture in one form or another for probably as long as humans have been talking to each other. Examples include asking additional questions, or requiring additional actions, to properly determine whether you are who you say you are, and having someone vouch for you or sponsor your entry into some activity.
Technology companies have been slowly introducing these methods to combat online identity theft for many years. Not all forms of MFA are equal by any measure: NIST has suggested that SMS-based 2FA is not sufficient to thwart sophisticated attacks, as opposed to security tokens (think Google Authenticator or Duo Mobile) and physical keys.
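The "security token" class of MFA mentioned above (Google Authenticator, Duo Mobile) is usually a time-based one-time password, TOTP, per RFC 6238, built on the HOTP construction of RFC 4226. The example below is added here and is not code from the article or from any authenticator vendor; it generates TOTP codes from a shared base32 secret and shows the server-side verification a practitioner actually needs: a small clock-drift window, a constant-time comparison, and a refusal to accept a code for a time step that has already been used, which is what makes a stolen code worthless a minute later. The secret is the public test key from the RFCs, not a real credential; the helper and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 4226 / RFC 6238 ("12345678901234567890"), base32-encoded
# the way an authenticator app would receive it in a provisioning QR code.
# Not a real credential; used only so the results below are checkable against the RFCs.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    secret = secret_b32.strip().upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, codes are strings


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(t // step), digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, digits=6,
                window=1, last_used_counter=-1):
    """Server-side check of a submitted code.

    Accepts the current step plus or minus `window` steps to tolerate clock drift,
    compares in constant time, and never accepts a step at or below the last one that
    succeeded, so a code that was phished and replayed after the legitimate login fails.
    Returns (accepted, counter_to_store); the caller persists the counter per user.
    """
    t = time.time() if at_time is None else at_time
    current = int(t // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:            # already consumed: treat as replay
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # Walk through a login and a replay using fixed timestamps from the RFC 6238 vectors.
    code = totp(RFC_TEST_SECRET_B32, at_time=59, digits=8)
    ok, used = verify_totp(RFC_TEST_SECRET_B32, code, at_time=89, digits=8)
    print("first use accepted:", ok, "counter:", used)
    ok_again, _ = verify_totp(RFC_TEST_SECRET_B32, code, at_time=89, digits=8,
                              last_used_counter=used)
    print("replay accepted:", ok_again)
```

The verifier deliberately returns the counter it matched rather than just a boolean: storing that value per user is what prevents the same six digits from being accepted twice inside the drift window, and it is the detail most home-grown TOTP checks leave out.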
The Link Between SE and 2FA
How does this relate to social engineering, you ask? Well, social engineering can be used to both learn the additional authentication factors you may or may not use, and the details needed to bypass them if they are in place. While SMS is not recommended as an MFA option by NIST, stronger implementations of MFA can be a decent form of defense against otherwise successful social engineering attacks.
Where would a social engineer get details about your methods of authentication? Well, one possibility is Facebook. The collection of personal information, as described in the Cambridge Analytica stories in the news, was performed via Facebook surveys. Before that was trending, the same mechanism had been used by attackers to learn respondents’ answers to popular security questions. Once an attacker has a bit of your personal information, they may be able to leverage it to gain access to your other accounts. This further emphasizes the need for MFA on all accounts, since your security questions may not be as secure as you think.
As a defensive mechanism, friends have told me about working mothers who rely on friends to pick up their kids from school or after-school activities using human-based MFA. These moms establish a code word that only they, their kids, and the proxy know, so when someone approaches the children without knowing the code word, the children know not to trust the person. I use a similar technique when I send links to people I regularly communicate with, by adding in special key words we have discussed in person to verify that the link I am sending is actually from me. If those words are not in the message, I am not the one sending it. It is a very effective form of MFA, and simple once all parties understand the purpose.
As a security professional, I try to convey security best practices to my family and friends, but I cannot force the methods on anyone who is not willing to listen. Now, I don’t send a lot of messaging to family members online, as I don’t participate in a lot of social media, and any that I do is not connected to family members. So, when I announced my participation in a charity to my family via a group SMS chat, I didn’t think twice about the message I was sending until after I sent it. It was basically written as “Hey I’m doing this thing, I wanted you to know. Check out this link.” Right after I sent it I thought to myself, “well, that looks phishy, am I really expecting my family to just follow this link?” As I was typing out a second message explaining the weird post, to my surprise and delight, one of my siblings reached out to me outside the chat and asked if I had just sent them a link. I was pretty happy that a couple of seconds of effort seemed worth it to my family, just to be sure it was ok to follow the link. That is human-based MFA at work.
MFA Really Works
Professionally, it is clear that some forms of MFA are effective against social engineering attacks that result in credential theft. This point is illustrated when comparing two recent engagements SECOM performed.
In both cases, phishing emails were sent to targeted users and, in both cases, one or more users clicked the phishing link, filled out the login form, and disclosed valid network credentials. What happens next clearly shows the value of MFA. In one case we successfully accessed email and online shared storage accounts, and sent additional phish from compromised user accounts to gain even more credentials and access to sensitive information. In the other case, we were prompted to insert “our” YubiKey to verify who we were. We didn’t have the necessary key, so no additional access was gained. Without MFA enabled we fully compromised the target; with MFA enabled we were left with credentials we could do nothing with in that moment. Back to the drawing board for us, big props to that client.
The people I talk to about enabling MFA who are not in the computer industry seem intimidated by the process of enabling and using it, but once they are set up it fits in with normal online activity pretty quickly. If you are curious whether the services you use have MFA options, you can typically find the setup in your account settings, usually under the security or login sections. Also, you can check this site to see which services have MFA options, and which don’t, so you can choose your services based on your desired security preferences. Once most people are accustomed to, and regularly use, MFA for all their accounts, it is much harder for a social engineer to gain access to resources via credential theft. This means attackers will have to work much harder than they need to now to access accounts.
A CSO is a departmental leader responsible for information security, corporate security or both. That's the simplest answer to the question "What is a CSO?", and one that our founding editor Derek Slater offered up to readers way back in 2005 — heck, if there's one website you ought to be able to trust to tell you what a CSO is, it's CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.
The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief Information Security Officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.
Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track of the booths I visited even if it was just for a brief few seconds. I went to 287 booths in the North Hall and 279 in the South Hall. That’s right: I counted and hit 566 booths in a little over three hours.
What did I learn from this year’s event? Aside from the latest industry buzzwords and jargon — threat sharing, machine learning, AI, data lakes, SOC automation, attack surface discovery and exploitation — every vendor sounded the same, and you had to go beyond the surface level to find out how they differentiate themselves.
I left disappointed that not once did I hear a vendor talk about helping customers by focusing on their desired outcomes, value and service level agreements.
Our marketing team recently released the following data points, which I believe are telling of where we are as an industry.
More than 1,200 vendors compete in the cybersecurity market today. Conservatively, if each vendor offers an average of three products, with each product carrying an average of five features, that would make the cybersecurity market replete with nearly 20,000 features.
There is no shortage of competition for features in our industry. Look at most cybersecurity vendor websites and you’ll find lots of content around product capabilities. It’s no wonder customers are under assault by relentless adversaries. Each new threat vector requires a new defensive technology, which typically takes the form of a new product (if not a new vendor), complete with its own set of features.
That’s why McAfee focuses on sound architectural principles when designing modernized cybersecurity environments. We provide an open, proactive and intelligent architecture to protect data and stop threats from device to cloud. This allows customers to onboard new defensive technologies quickly to maximize their effectiveness. And, with our open, integrated approach, customers benefit from an overall security system with a whole greater than the sum of its parts. They get the benefit of both worlds: abundant vendor choice within a unified, cohesive system.
RSA 2019 Goals: Find vendors who are talking about solving customer challenges by focusing on outcomes, architecture interoperability, efficacy and efficiencies, with some service level agreements mixed in for good measure. I really believe McAfee is setting a new, higher standard for the cyber landscape that is essential and meaningful to our customers and the partner ecosystem. Let’s see if anybody else follows suit.
During this year's RSA Conference, Highwire PR and WSJ Pro Cybersecurity hosted several panel discussions, including this one with CA Veracode CTO Chris Wysopal. Chris joined Andrea Limbago, chief social scientist at Endgame, and Michael Daniel, president and CEO of Cyber Threat Alliance, to talk about the current and evolving threat landscape. Throughout the panel, you'll learn more about how automation is changing the game when it comes to security, why your application security and detection game has to be on point, why the future of development will be secure by design - and more.
One World of Warcraft player is paying the price for taking a virtual rivalry too far. A US federal court has sentenced Romanian man Calin Mateias to spend a year in federal prison after he pleaded guilty to launching a distributed denial of service attack against WoW's servers in response to being "angered" by one player. The 2010 traffic flood knocked thousands of players offline and cost Blizzard $30,000 (which Mateias repaid in April) in recovery expenses.
Consumers' rising expectations for an omnichannel experience are driving innovations in user authentication methods. From a business perspective, the idea of switching over to new authentication methods can be hard to swallow. After all, security is not a profit center. But the cost-benefit reality of omnichannel authentication is more nuanced; the innovative methods that are transforming consumers’ authentication experiences also benefit the business with:
Improved security posture
Less technology to manage
Authentication trends and changing user expectations
Many enterprises are already working to introduce omnichannel authentication experiences for customers. For example, a bank may think in terms of the different channels through which it interacts with consumers and strive to apply a common set of security layers for:
BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience come security concerns. Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities there are for not only their personal information but company data as well to become vulnerable. With BYOD becoming more prevalent in the workplace, it is vital that companies and employees understand the perks and security concerns associated with BYOD and take the necessary steps to ensure personal devices and company information are protected.
BYOD can offer some really great perks: 1) employers spend less on technology and providing devices to employees, thus saving the company money, and 2) you get to use your own device(s), to which you are already accustomed. Your company may already allow BYOD in your office, but do you know the associated security risks? They are complicated. Three looming concerns of BYOD that companies and employees should be addressing are accessibility to company data, lost or stolen devices, and overall maintenance. Let’s delve into why these concerns are the most pressing.
Accessibility. The overarching question of BYOD is who gets access to company data on their personal devices, when and where? For example, if you are at a meeting outside of the office and you are on a limited-access BYOD policy with your employer, you would only be able to access work email and contacts but nothing stored on the company servers. If your client asks to see a specific document hosted on your company server during the meeting, you won’t be able to access it because it is sensitive and lives on the private servers. This is where BYOD backfires for the employee.
Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
Maintenance and malware. Infrequent device maintenance, delayed software updates and uninformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard enough time implementing their own software across the corporate network, let alone ensuring all employees are applying the required software updates for device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.
Without the right security measures in place, there is the possibility of malware being downloaded through sketchy apps or unpatched versions of software, which could be transferred onto corporate servers depending on the employee’s access level. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number one year previously. This uptick in cyberattacks on mobile devices illustrates the importance of comprehensive cybersecurity policies across the board.
So how do you protect yourself when it comes to using your smartphone or tablet for both business and pleasure? Here are a few tips:
Practice discretion when alternating between personal and business tasks on your mobile device. Separate the two by using different, verified apps for company and personal uses to maintain safety.
Avoid downloading apps from third-party vendors that could make your device prone to malware, and always check the permissions of any app before downloading, particularly those that ask for access to your device’s data.
Regularly update your device to ensure it is equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
Avoid accessing data-sensitive apps on your device over public Wi-Fi. Cybercriminals could use this as an opportunity to take a look at your mobile data.
Keep your personal and work information secure with comprehensive mobile security, such as McAfee® Mobile Security, that will not only scan your device for viruses and threats but also help you identify apps that are accessing too much of your valuable personal information.
McAfee is the device-to-cloud cybersecurity company helping to secure data at all levels, on all devices. We’re helping you stop threats and protect your data wherever it resides, from your fingertips to the skies, enabling you to protect what matters on your digital journey.
Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.
The internet of things already consists of nearly triple the number of devices as there are people in the world, and as more and more of these devices creep into enterprise networks it’s important to understand their requirements and how they differ from other IT gear.
This week, Michael and Paul interview Senior Attorney, Elizabeth Wharton! In the Article Discussion, the work required to have an opinion, why email is so stressful, productivity, and more! In Tracking Security Innovation, we have updates from Carbon Black, Trusted Key, Namogoo, IronNet Cybersecurity, and more on this episode of Business Security Weekly!