Daily Archives: May 8, 2018

Google CTF 2018 is here

Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!

Congratulations (for the second year) to the team pasten, from Israel, for scoring first place in both the quals and the finals. Also, for everyone who hasn’t played yet or wants to play again, we have open-sourced the 2017 challenges in our GitHub repository.

Hence, we are excited to announce Google CTF 2018:

  • Date and time: 00:00:01 UTC on June 23rd and 24th, 2018
  • Location: Online
  • Prizes: Big checks, swag and rewards for creative write-ups
The winning teams will compete again for a spot at the Google CTF Finals later this year (more details on the Finals soon).

For beginners and veterans alike

Based on the feedback we received, we plan to have additional challenges this year where people that may be new to CTFs or security can learn about, and try their hands at, some security challenges. These will be presented in a “Quest” style where there will be a scenario similar to a real world penetration testing environment. We hope that this will give people a chance to sharpen their skills, learn something new about CTFs and security, while allowing them to see a real world value to information security and its broader impact.

We hope to virtually see you at the 3rd annual Google CTF on June 23rd 2018 at 00:00:01 UTC. Check g.co/ctf, or subscribe to our mailing list for more details, as they become available.

Why do we host these competitions?

We outlined our philosophy last year, but in short: we believe that the security community helps us better protect Google users, and so we want to nurture the community and give back in a fun way.

Thirsty for more?

There are a lot of opportunities for you to help us make the Internet a safer place:

SN 662: Spectre – NextGen

This week we begin by updating the status of several ongoing security stories: Russia vs Telegram, DrupalGeddon2, and the return of RowHammer. We will conclude with MAJOR new bad news related to Spectre. We also have a new cryptomalware, Twitter's in-the-clear passwords mistake, new Android 'P' security features, a crazy service for GDPR compliance, Firefox's sponsored content plan, another million routers being attacked, more deliberately compromised JavaScript found in the wild, a new Microsoft Meltdown mistake, a comprehensive Windows command reference, and signs of future encrypted Twitter DMs.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Bandwidth for Security Now is provided by CacheFly.


Risky Business #498 — There sure is a lot of Microsoft Defender out there these days

On this week’s show we’re taking a look at some recent data out of Microsoft trumpeting its Defender antivirus install figures on Windows. They’ve got 18% market share on Windows 7/9 and 50% on Win10.

For the AV and endpoint security industry Microsoft has always been the existential threat, but has the plane flown into the mountain already? We’ll speak with Securosis analyst and DisruptOps founder Rich Mogull about that in this week’s feature interview.

In this week’s sponsor interview we’re joined by the always entertaining Haroon Meer of Thinkst Canary. When we spoke Haroon had just wrapped up his first ever booth at the RSA conference. He’ll join us this week to tell us, surprisingly, that it was a really worthwhile exercise for Thinkst, but as you’ll hear he also thinks the broader industry can be a pack of dumbasses when it comes to actually marketing tech at events like RSA. If he becomes global ruler RSA booths will be gimmick-free and just show people product demos.

The show notes/news items are below, and you can follow Adam or Patrick on Twitter if that’s your thing.

Show notes

BREAKING: Documents show how provincial employees misled Halifax police in the FOIPOP security failure
FTC urges Twitter users to change passwords | TheHill
Iran nuclear deal: Trump pulls US out in break with Europe allies - BBC News
Patrick Gray on Twitter: "There are teams workshopping ideas like this in Tehran right now, guaranteed. Personally I'm more worried about Iranian ICS hax. They've gotten good at that stuff.… https://t.co/XQBvRcUKw9"
Caroline O. on Twitter: "NEW: The Senate Intelligence Committee released its prelim findings into Russian targeting of election infrastructure during the 2016 election. "In a small # of states, Russian-affiliated cyber actors were in a position to, at a minimum, alter or delete voter registration data."… https://t.co/Y0GMwUZEFU"
Facebook security analyst is fired for using private data to stalk women | Ars Technica
Sources: Facebook Has Fired Multiple Employees for Snooping on Users - Motherboard
Drive-by Rowhammer attack uses GPU to compromise an Android phone | Ars Technica
Android App With 10 Million Downloads Left Users’ Photos and Audio Messages Exposed to Public - Motherboard
Hundreds of big-name sites hacked, converted into drive-by currency miners | Ars Technica
Report: Chinese government is behind a decade of hacks on software companies | Ars Technica
Over 10,000 companies downloading software vulnerable to Equifax hack
European Central Bank proposes framework to strengthen financial system’s defenses
Hysteria over Jade Helm exercise in Texas was fueled by Russians, former CIA director says | The Texas Tribune
Defector: WikiLeaks ‘Will Lie to Your Face’
SiliVaccine: Inside North Korea’s Anti-Virus - Check Point Research
You Can Finally Encrypt Slack Messages So Your Boss Can't Read Them - Motherboard
Microsoft May 2018 Patch Tuesday Fixes 67 Security Issues, Including IE Zero-Day
Vulnerabilities Affecting Over One Million Dasan GPON Routers Are Now Under Attack
He Fled a Prison in Iceland. Now It’s Good to Be Back. - The New York Times
Report: Software bug led to death in Uber’s self-driving crash | Ars Technica
Carbon Black stocks close 26 percent up on first day of public trading
Why Windows Defender Antivirus is the most deployed in the enterprise – Microsoft Secure
thinkst Thoughts...: Considering an RSAC Expo booth? Our Experience, in 5,000 words or less

Firewall Management Maturity Stage 2: Next Generation Firewall Management

In the second of this three-part series examining the stages of firewall management maturity, we look at next generation firewall technology. Next generation firewalls provide tremendous value, but also present unique challenges for organizations trying to manage the technology.

Social-Engineer Newsletter Vol 08 – Issue 104

Vol 08 Issue 104
May 2018

In This Issue

  • Two-Factor or Not Two-Factor? Why is This a Question?
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.

Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free: just go over to http://www.social-engineer.com to download now!

To contribute your ideas or writing send an email to contribute@social-engineer.org

If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.

Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works, but rather on how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!

You can also pre-order CSI Tech CEO Nick Furneaux’s new book, Investigating Cryptocurrencies: Understanding, Extracting, and Analyzing Blockchain Evidence, now!

A Special Thanks to:

The EFF for supporting freedom of speech


Two-Factor or Not Two-Factor? Why is This a Question?

Two-factor authentication, or “2FA” as the cool kids call it, is a common form of multi-factor authentication, or MFA. These are not new concepts. In fact, they have been part of human culture in one form or another for likely as long as humans have been talking to each other. Examples include asking additional questions, or requiring additional actions, to properly determine whether you are who you say you are, and having someone vouch for you or sponsor your entry into some activity.

Technology companies have been slowly introducing these methods to combat online identity theft for many years. Not all forms of MFA are equal in any sense: NIST has suggested that SMS-based 2FA is not sufficient to thwart sophisticated attacks, as opposed to security tokens (think Google Authenticator or Duo Mobile) and physical keys.

The Link Between SE and 2FA

How does this relate to social engineering, you ask? Well, social engineering can be used to both learn the additional authentication factors you may or may not use, and the details needed to bypass them if they are in place. While SMS is not recommended as an MFA option by NIST, stronger implementations of MFA can be a decent form of defense against otherwise successful social engineering attacks.

Where would a social engineer get details about your methods of authentication? Well, one possibility is Facebook. The collection of personal information, as described in the Cambridge Analytica stories in the news, was performed via Facebook surveys. Before that was trending, that same mechanism had been used by attackers to learn respondents’ answers to popular security questions. Once an attacker has a bit of your personal information, they may be able to leverage it to gain access to your other accounts. This further emphasizes the need for MFA on all accounts, since your security questions may not be as secure as you think.

Human-Based MFA

As a defensive mechanism, friends have told me about working mothers who rely on friends to pick up their kids from school or after-school activities using human-based MFA. These moms establish a code word that only they, their kids, and the proxy know, so when someone approaches the children without knowing the code word, the children know not to trust the person. I use a similar technique when I send links to people I regularly communicate with by adding in special key words we have discussed in person to verify the link I am sending is actually from me. If those words are not in the message, I am not the one sending it. It is a very effective form of MFA, and simple once all parties understand the purpose.

As a security professional, I try to convey security best practices to my family and friends, but I cannot force the methods on anyone who is not willing to listen. Now, I don’t send a lot of messaging to family members online, as I don’t participate in a lot of social media and any that I do is not connected to family members. So, when I announced my participation in a charity to my family via a group SMS chat, I didn’t think twice about the message I was sending until after I sent it. It was basically written as “Hey I’m doing this thing, I wanted you to know. Check out this link.” Right after I sent it I thought to myself, “well, that looks phishy, am I really expecting my family to just follow this link?” As I was typing out a second message explaining the weird post, to my surprise and delight, one of my siblings reached out to me, not in the chat, and asked if I had just sent them a link. I was pretty happy that a couple of seconds of effort seemed worth it to my family, just to be sure it was ok to follow the link. That is human-based MFA at work.

MFA Really Works

Professionally, it is clear that some forms of MFA are effective against social engineering attacks that result in credential theft. This point is illustrated when comparing two recent engagements SECOM performed.

In both cases, phishing emails were sent to targeted users and, in both cases, one or more users clicked the phishing link, filled out the login form, and disclosed valid network credentials. What happens next clearly shows the value of MFA. In one case we successfully accessed email, online shared storage accounts, and sent additional phish from compromised user accounts to gain even more credentials and access to sensitive information. In the other case, we were prompted to insert “our” YubiKey to verify who we were. We didn’t have the necessary key, so no additional access was gained. Without MFA enabled we fully compromised the target; with MFA enabled we were left with credentials we could do nothing with in that moment. Back to the drawing board for us, big props to that client.

The people I talk to about enabling MFA who are not in the computer industry seem intimidated by the process of enabling and using it, but once they are set up it fits in with normal online activity pretty quickly. If you are curious whether the services you use have MFA options, you can typically find the setup in your account settings, usually under the security or login sections. Also, you can check this site to see which services have MFA options, and which don’t, so you can choose your services based on your desired security preferences. Once most people are accustomed to, and regularly use, MFA for all their accounts, it is much harder for a social engineer to gain access to resources via credential theft. This means attackers will have to work much harder than they need to now to access accounts.
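As an added illustration of the two engagements described above (this is example code, not from the newsletter or from Social-Engineer, LLC), the following Python models a login check in which the same phished password is tried against two accounts: one with no second factor, and one that requires a time-based one-time code. It assumes the second factor is RFC 6238 TOTP, the scheme behind authenticator apps such as Google Authenticator, rather than SMS. The account names, password and salt are constructed for the example; the TOTP seed is the RFC 6238 test-vector seed, used only so the generated codes can be checked against the published vectors.

```python
"""Password + TOTP login check (added example, not from the newsletter)."""
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at_time // STEP, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (tolerates small clock drift between phone and server). Every candidate is
    compared in constant time, so a wrong code leaks nothing through timing."""
    counter = at_time // STEP
    candidates = range(counter - window, counter + window + 1)
    matches = [hmac.compare_digest(hotp(secret, c), submitted) for c in candidates]
    return any(matches)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash; iteration count kept modest for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed accounts: both users fell for the same phish and gave up the same
# password; only bob has a TOTP secret enrolled.
_SALT = b"constructed-example-salt"   # a real system uses a random per-user salt
_SEED = b"12345678901234567890"        # RFC 6238 SHA-1 test-vector seed, not a real key
ACCOUNTS = {
    "alice": {"pw_hash": hash_password("Spring2018!", _SALT), "totp_secret": None},
    "bob":   {"pw_hash": hash_password("Spring2018!", _SALT), "totp_secret": _SEED},
}


def login(user: str, password: str, otp: Optional[str], at_time: int) -> str:
    """Return "ok", "bad-credentials" or "second-factor-failed".
    Unknown users and wrong passwords get the same answer so the login form
    cannot be used to enumerate accounts."""
    acct = ACCOUNTS.get(user)
    # Hash even for unknown users so response time does not reveal existence.
    submitted = hash_password(password, _SALT)
    if acct is None or not hmac.compare_digest(acct["pw_hash"], submitted):
        return "bad-credentials"
    if acct["totp_secret"] is None:
        return "ok"                     # no MFA: the phished password is enough
    if otp is None or not verify_totp(acct["totp_secret"], otp, at_time):
        return "second-factor-failed"   # MFA: the password alone goes nowhere
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; the seed's TOTP at this instant is 287082
    print("alice, phished password only:", login("alice", "Spring2018!", None, now))
    print("bob, phished password only:  ", login("bob", "Spring2018!", None, now))
    print("bob, password + current code:", login("bob", "Spring2018!", totp(_SEED, now), now))
```

Running it shows the asymmetry the engagements above describe: alice's account opens with the phished password alone, while bob's returns "second-factor-failed" until a code derived from a secret the attacker never saw is supplied. The `window` parameter is the usual trade-off between tolerating clock drift and narrowing how long any one code stays valid.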

Written By: Ryan MacDougall


As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.


The post Social-Engineer Newsletter Vol 08 – Issue 104 appeared first on Security Through Education.

What is a Chief Security Officer (CSO)? Understanding this critical role

A CSO is a departmental leader responsible for information security, corporate security or both. That's the simplest answer to the question "What is a CSO?", and one that our founding editor Derek Slater offered up to readers way back in 2005 — heck, if there's one website you ought to be able to trust to tell you what a CSO is, it's CSOonline. But of course, no one-sentence answer can encapsulate the complexity of a job like this, and not everyone with the CSO title has the same set of responsibilities.

The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. Chief Information Security Officer (CISO) is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.


With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out?

Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track of the booths I visited even if it was just for a brief few seconds. I went to 287 booths in the North Hall and 279 in the South Hall. That’s right: I counted and hit 566 booths in a little over three hours.

What did I learn from this year’s event? Aside from the latest industry buzzwords and jargon (threat sharing, machine learning, AI, data lakes, SOC automation, attack surface discovery and exploitation), every vendor sounded the same, and you had to go beyond the surface level to find out how they differentiate themselves.

I left disappointed that not once did I hear a vendor talk about helping customers by focusing on their desired outcomes, value and service level agreements.

Our marketing team recently released the following data points, which I believe are telling of where we are as an industry.

More than 1,200 vendors compete in the cybersecurity market today. Conservatively, if each vendor offers an average of three products, with each product carrying an average of five features, that would make the cybersecurity market replete with nearly 20,000 features.

There is no shortage of competition for features in our industry. Look at most cybersecurity vendor websites and you’ll find lots of content around product capabilities. It’s no wonder customers are under assault by relentless adversaries. Each new threat vector requires a new defensive technology, which typically takes the form of a new product (if not a new vendor), complete with its own set of features.

That’s why McAfee focuses on sound architectural principles when designing modernized cybersecurity environments. We provide an open, proactive and intelligent architecture to protect data and stop threats from device to cloud. This allows customers to onboard new defensive technologies quickly to maximize their effectiveness. And, with our open, integrated approach, customers benefit from an overall security system with a whole greater than the sum of its parts. They get the benefit of both worlds: abundant vendor choice within a unified, cohesive system.

RSA 2019 goals: find vendors who talk about solving customer challenges by focusing on outcomes, architecture interoperability, efficacy and efficiencies, with some service level agreements mixed in for good measure. I really believe McAfee is setting a new, higher standard for the cyber landscape that is essential and meaningful to our customers and the partner ecosystem. Let’s see if anybody else follows suit.

The post With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? appeared first on McAfee Blogs.

Video: State of the Current Threat Landscape (RSA 2018)

During this year's RSA Conference, Highwire PR and WSJ Pro Cybersecurity hosted several panel discussions, including this one with CA Veracode CTO Chris Wysopal. Chris joined Andrea Limbago, chief social scientist at Endgame, and Michael Daniel, president and CEO of Cyber Threat Alliance, to talk about the current and evolving threat landscape. Throughout the panel, you'll learn more about how automation is changing the game when it comes to security, why your application security and detection game has to be on point, why the future of development will be secure by design - and more.

‘World of Warcraft’ cyberattacker sentenced to year in prison

One World of Warcraft player is paying the price for taking a virtual rivalry too far. A US federal court has sentenced Romanian man Calin Mateias to spend a year in federal prison after he pleaded guilty to launching a distributed denial of service attack against WoW's servers in response to being "angered" by one player. The 2010 traffic flood knocked thousands of players offline and cost Blizzard $30,000 (which Mateias repaid in April) in recovery expenses.

Source: NBC Los Angeles

IDG Contributor Network: How consumer omnichannel authentication benefits businesses

Consumers' rising expectations for an omnichannel experience are driving innovations in user authentication methods. From a business perspective, the idea of switching over to new authentication methods can be hard to swallow. After all, security is not a profit center. But the cost-benefit reality of omnichannel authentication is more nuanced; the innovative methods that are transforming consumers’ authentication experiences also benefit the business with:

  • Improved security posture
  • Less technology to manage
  • Happier customers

Authentication trends and changing user expectations

Many enterprises are already working to introduce omnichannel authentication experiences for customers. For example, a bank may think in terms of the different channels through which it interacts with consumers and strive to apply a common set of security layers for:


You, Your Company, and BYOD: A Love Triangle

BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience comes impending security concerns. Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities there are for not only their personal information but company data as well to become vulnerable. With BYOD becoming more prevalent in the workplace, it is vital that companies and employees understand the perks and security concerns associated with BYOD and take the necessary steps to ensure personal devices and company information are protected.

BYOD can offer some really great perks: 1) employers spend less on technology and on providing devices to employees, saving the company money, and 2) you get to use your own device(s), which you are already accustomed to. Your company may already allow BYOD in your office, but do you know the associated security risks? They are complicated. Three looming concerns of BYOD that companies and employees should be addressing are accessibility to company data, lost or stolen devices, and overall maintenance. Let’s delve into why these concerns are the most pressing.

  1. Accessibility. The overarching question of BYOD is who gets access to company data on their personal devices, when and where? For example, if you are at a meeting outside of the office and you are on a limited-access BYOD policy with your employer, you would only be able to access work email and contacts but nothing stored on the company servers. If your client asks to see a specific document hosted on your company server during the meeting, you won’t be able to access it because it is sensitive and lives on the private servers. This is where BYOD backfires for the employee.
  2. Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
  3. Maintenance and malware. Infrequent device maintenance, missed software updates and uninformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard enough time implementing their own software across the corporate network, let alone ensuring all employees are adhering to the required software updates from device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.

Without the right security measures in place, there is the possibility of malware being downloaded through sketchy apps or unpatched versions of software, which could be transferred onto corporate servers depending on the employee’s access level. McAfee Labs detected over 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number one year previously. This uptick in cyberattacks on mobile devices illustrates the importance of comprehensive cybersecurity policies across the board.

So how do you protect yourself when it comes to using your smartphone or tablet for both business and pleasure? Here are a few tips:

  • Practice discretion when alternating between personal and business tasks on your mobile device. Separate the two by using different, verified apps for company and personal uses to maintain safety.
  • Avoid downloading apps from third-party vendors that could make your device prone to malware, and always check the permissions of any app before downloading, particularly those that ask for access to your device’s data.
  • Regularly update your device to ensure it is equipped with vital patches that protect against flaws and bugs that cybercriminals can exploit.
  • Avoid accessing data-sensitive apps on your device over public Wi-Fi. Cybercriminals could use this as an opportunity to take a look at your mobile data.
  • Keep your personal and work information secure with comprehensive mobile security, such as McAfee® Mobile Security, that will not only scan your device for viruses and threats but also help you identify apps that are accessing too much of your valuable personal information.

McAfee is the device-to-cloud cybersecurity company helping to secure data at all levels, on all devices. We’re helping you stop threats and protect your data wherever it resides, from your fingertips to the skies, enabling you to protect what matters on your digital journey.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post You, Your Company, and BYOD: A Love Triangle appeared first on McAfee Blogs.

Getting grounded in IoT networking and security

(Insider Story)

Interruptions Are Bad – Business Security Weekly #84

This week, Michael and Paul interview Senior Attorney, Elizabeth Wharton! In the Article Discussion, the work required to have an opinion, why email is so stressful, productivity, and more! In Tracking Security Innovation, we have updates from Carbon Black, Trusted Key, Namogoo, IronNet Cybersecurity, and more on this episode of Business Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode84


Visit https://www.securityweekly.com/bsw for all the latest episodes!