Category Archives: RSA

Beers with Talos Ep. #49: POS Malware, RSA Highlights, and SOL OpSec Fails

Beers with Talos (BWT) Podcast Ep. #49 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 15, 2019. We recorded this after coming back from RSA, with some on-location highlights included. This episode opens a bit more thought-provoking than we typically do, and we move toward discussing point-of-sale malware like Glitch. After the RSA highlights, we discuss OpSec fails, and Nigel becomes a Burning Man convert after learning there are people there on drugs with rockets that he watches for fun.

The timeline:

  • 01:15 — Roundtable: Some different, if not important takes today.
  • 16:00 — Glitch POS: Why POS is a hot vector ($$$$)
  • 34:00 — RSA Highlights and random musings (with Ashley Kane and Matt Watchinski)
  • 45:10 — OpSec fails: Try to avoid sending photos of your felonies to police
  • 54:00 — Closing thoughts, parting shots

The links:

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff).


Subscribe via iTunes (and leave a review!)

Subscribe to the Threat Source newsletter

Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

RSA Recap: CTO Zulfikar Ramzan talks about Trust, Zero Trust and the Debate over Going Dark

I talk with Zulfikar Ramzan, Chief Technology Officer (CTO) at RSA Security* about the major trends at this year's RSA Conference including the growing focus on digital risk and trust, the debate around encryption, law enforcement and "going dark" and what people mean when they talk about "zero trust" networks.

McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?

I spoke last week at the RSA Conference in San Francisco on the subject of AI-related threats and opportunities in the cybersecurity field. I asserted that innovations such as AI can strengthen our defenses but can also enhance the effectiveness of a cyber attacker. I also looked at some examples of underlying fragility in AI that give an attacker the opportunity to evade AI-based defenses. The key to successfully unlocking the potential of AI in cybersecurity is for those of us in the cybersecurity industry to answer the question of how we can nurture the sparks of AI innovation while recognizing its limitations and how it can be used against us.

We should look to the history of key technological advances to better understand how technology can bring both benefits and challenges. Consider flight in the 20th century. The technology has changed every aspect of our lives, allowing us to move between continents in hours, instead of weeks. Businesses, supply chains, and economies operate globally, and our ability to explore the world and the universe has been forever changed.

But this exact same technology also fundamentally changed warfare. In World War II alone, the strategic bombing campaigns of the Allied and Axis powers killed more than two million people, many of them civilians.

The underlying technology of flight is Bernoulli’s Principle, which explains why an airplane wing creates lift. Of course, the technology in play has no knowledge of whether the airplane wing is connected to a ‘life-flight’ rescue mission, or to a plane carrying bombs to be dropped on civilian targets.

When Orville Wright was asked in 1948 after the devastation of air power during World War II whether he regretted inventing the airplane he answered:

“No, I don’t have any regrets about my part in the invention of the airplane, though no one could deplore more than I do the destruction it has caused. We dared to hope we had invented something that would bring lasting peace to the earth. But we were wrong. I feel about the airplane much the same as I do in regard to fire. That is, I regret all the terrible damage caused by fire, but I think it is good for the human race that someone discovered how to start fires, and that we have learned how to put fire to thousands of important uses.”

Orville’s insight was that technology does not comprehend morality, and that any advance in technology can be used for both beneficial and troubling purposes. This dual use of technology is something our industry has struggled with for years.

Cryptography is a prime example. The exact same algorithm can be used to protect data from theft, or to hold an individual or organization for ransom. This matters more than ever given that we now encrypt 75% of the world’s web traffic, protecting over 150 exabytes of data each month.  At the same time, organizations and individuals are enduring record exploitation through ransomware.

The RSA Conference itself was at the epicenter of a debate during the 1990s on whether it was possible to conditionally use strong encryption only in desirable places, or only for desirable functions. At the time, the U.S. government classified strong encryption as a munition and subjected it to strict export restrictions. Encryption is ultimately just math, and it’s not possible to stop someone from doing math. We must be intellectually honest about our technologies: how they work, what is required to use them, and when, how and whether they should be contained.

Our shared challenge in cybersecurity is to capture lightning in a bottle, to seize the promise of advances like flight, while remaining aware of the risks that come with technology.  Let’s take a closer look at that aspect.

History repeats itself

Regardless of how you define it, AI is without a doubt the new foundation for cybersecurity defense. The entire industry is tapping into the tremendous power that this technology offers to better defend our environments. It enables better detection of threats beyond what we’ve seen in the past, and helps us out-innovate our cyber adversaries. The combination of threat intelligence and artificial intelligence, or human-machine teaming, provides us far better security outcomes, faster, than either capability on its own.

Not only does AI enable us to build stronger cyber defense technology, but it also helps us solve other key issues such as addressing our talent shortage. We can now delegate many tasks to free up our human security professionals to focus on the most critical and complex aspects of defending our organizations.

“It’s just math.”

Like encryption, AI is just math. It can enhance criminal enterprises in addition to its beneficial purposes. McAfee Chief Data Scientist Celeste Fralick joined me on stage during this week’s keynote to run through some examples of how this math can be applied for good or ill (visit here to view the keynote). From machine learning-fueled crime-spree predictors to DeepFake videos to highly effective attack obfuscation, we touch on them all.

It’s important to understand that the cybersecurity industry is very different from other sectors that use AI and machine learning. For a start, in many other industries, there isn’t an adversary trying to confuse the models.

AI is extremely fragile, so one focus area of the data science group at McAfee is adversarial machine learning, where we’re working to better understand how attackers could try to evade or poison machine learning models. We are developing models that are more resilient to attacks using techniques such as feature reduction, adding noise, distillation and others.

AI and False Positives: A Warning

We must recognize that this technology, while incredibly powerful, is also incredibly different from what many cybersecurity defenders worked with historically. In order to deal with issues such as evasion, models will need to be tuned to high levels of sensitivity. The high level of sensitivity makes false positives inherent and something we must fully work into the methodology for using the technology.

False positives can have catastrophic results. For an excellent example of this, watch the video of the keynote here if you haven’t seen it yet. I talk through the quintessential example of how a false positive almost started World War III and nuclear Armageddon.

The Take-Away

As with fire and flight, how we manage new innovations is the real story. Recognizing that technology does not have a moral compass is key. Our adversaries will use the technology to make their attacks more effective, and we must move forward with our eyes wide open to all aspects of how technology will be used: its benefits, its limitations and how it will be used against us.

Please see the video recording of our keynote speech at RSA Conference 2019: https://www.rsaconference.com/events/us19/presentations/keynote-mcafee

The post McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future? appeared first on McAfee Blogs.

Artificial Intelligence, Machine Learning and More at RSAC 2019

Last week, the RSA Conference painted San Francisco’s Moscone Center purple with the theme ‘Better’, and the cybersecurity industry did not disappoint in making the digital world a better and safer place. Below, we’re sharing a few McAfee highlights from this year’s event.

Behind the Scenes of MGM Resorts’ Digital Transformation at CSA Summit

In its tenth year at the RSA Conference, the CSA Summit welcomed Rajiv Gupta, Senior Vice President, Cloud Security Business Unit at McAfee and Scott Howitt, Senior Vice President & Chief Information Security Officer at MGM Resorts International to the stage. During the keynote, Howitt discussed MGM’s digital transformation and how adopting the cloud into MGM’s business model resulted in delivering a modern experience to customers and more engaged and productive employees. We also heard Gupta share statistics from our Cloud Report on how cloud data distribution has changed dramatically, which now requires new and better solutions. Before attendees headed out for lunch, Howitt and Gupta closed the first half of the CSA Summit by solidifying the positive impact the cloud can have on enterprise businesses.

Tapping into the Tremendous Power of Artificial Intelligence at RSAC

On Tuesday, SVP and Chief Technology Officer Steve Grobman and Chief Data Scientist Dr. Celeste Fralick took the mainstage at RSAC. During their keynote, Grobman and Fralick discussed how the industry needs to think about artificial intelligence, its power, how it can be used against us and its adversarial uses. Fralick shared how “most people don’t realize how fragile AI and machine learning can really be” and explained that her team works in a technical area called adversarial machine learning, where they study ways that adversaries can evade or poison machine learning classifiers. In closing, Grobman told RSA attendees that “we must embrace AI but never ignore its limitations. It’s just math. It’s fragile. And there is a cost to both false positives and false negatives.”

EXPO-nentially Better

This year’s RSAC expo didn’t disappoint, with over 400 exhibitors showcasing unique content from the world’s top cybersecurity minds and the latest security solutions. Every day our booth was full as we connected with our customers, partners, and prospects. At this year’s conference, we hosted a fun and interactive Capture the Flag challenge which tested the investigative and analytical skills of RSA attendees. Contestants were given various challenges and received “flag” details on how to complete each challenge as quickly and accurately as possible.

RSAC was full of announcements with new and better products along with the buzzing of cybersecurity professionals making better connections with peers from around the world, with the same goal of keeping the digital world safe and making the real world a better place.

The post Artificial Intelligence, Machine Learning and More at RSAC 2019 appeared first on McAfee Blogs.

A week in security (March 4 – 11)

Last week, Malwarebytes Labs released its in-depth, international data privacy survey of nearly 4,000 individuals, revealing that every generation, including Millennials, cares about online privacy. We also covered a novel case of zombie email that involved a very much alive account user, delved into the typical data privacy laws a US startup might have to comply with on its journey to success, and spotlighted the Troldesh ransomware, also known as “Shade.”

Stay safe, everyone!

The post A week in security (March 4 – 11) appeared first on Malwarebytes Labs.

The sights and sounds of Cisco Talos at RSA 2019

An estimated 45,000 people attended this year’s RSA Conference in San Francisco to hear talks from some of the greatest minds in security.

As always, Cisco and Talos had a massive presence at the conference, topping off the week with a keynote address featuring Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, a senior vice president and general manager of Cisco’s Internet-of-things business group.

Blue and orange Snorts could be seen all over the conference floor, and our researchers spent the past few days speaking at the Cisco Security booth, discussing some of the latest and most pressing threats.

After their keynote on how to protect IoT devices, Matt and Liz continued the rounds throughout the week, including sitting down for an interview with Shira Rubinoff, a cybersecurity social media influencer and author, to talk about the dangers the recent influx of IoT devices represents.

You can also watch a recording of their keynote below and read our recap here.

Cisco Talos would like to thank anyone who stopped by the booth, viewed our threat map or interacted with any of our threat researchers this week. For a look at what we were up to this week, click through the slideshow at the top of the post.

Videos and Links from the Public-Interest Technology Track at the RSA Conference

Yesterday at the RSA Conference, I gave a keynote talk about the role of public-interest technologists in cybersecurity. (Video here).

I also hosted a one-day mini-track on the topic. We had six panels, and they were all great. If you missed it live, we have videos:

  • How Public Interest Technologists are Changing the World: Matt Mitchell, Tactical Tech; Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School; and J. Bob Alotta, Astraea Foundation (Moderator). (Video here.)

  • Public Interest Tech in Silicon Valley: Mitchell Baker, Chairwoman, Mozilla Corporation; Cindy Cohn, EFF; and Lucy Vasserman, Software Engineer, Google. (Video here.)

  • Working in Civil Society: Sarah Aoun, Digital Security Technologist; Peter Eckersley, Partnership on AI; Harlo Holmes, Director of Newsroom Digital Security, Freedom of the Press Foundation; and John Scott-Railton, Senior Researcher, Citizen Lab. (Video here.)

  • Government Needs You: Travis Moore, TechCongress; Hashim Mteuzi, Senior Manager, Network Talent Initiative, Code for America; Gigi Sohn, Distinguished Fellow, Georgetown Law Institute for Technology, Law and Policy; and Ashkan Soltani, Independent Consultant. (Video here.)

  • Changing Academia: Latanya Sweeney, Harvard; Deirdre Mulligan, UC Berkeley; and Danny Weitzner, MIT CSAIL. (Video here.)

  • The Future of Public Interest Tech: Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School; Ben Wizner, ACLU; and Jenny Toomey, Director, Internet Freedom, Ford Foundation (Moderator). (Video here.)

I also conducted eight short video interviews with different people involved in public-interest technology: independent security technologist Sarah Aoun, TechCongress's Travis Moore, Ford Foundation's Jenny Toomey, Citizen Lab's John Scott-Railton, Deirdre Mulligan from UC Berkeley, ACLU's Jon Callas, Matt Mitchell of Tactical Tech, and Kelley Misata from Sightline Security.

Here is my blog post about the event. Here's Ford Foundation's blog post on why they helped me organize the event.

We got some good press coverage about the event. (Hey MeriTalk: you spelled my name wrong.)

Related: Here's my longer essay on the need for public-interest technologists in Internet security, and my public-interest technology resources page.

And just so we have all the URLs in one place, here is a page from the RSA Conference website with links to all of the videos.

If you liked this mini-track, please rate it highly on your RSA Conference evaluation form. I'd like to do it again next year.

Cyberattacks can even take human lives

Cyberattacks by nation-states will soon kill people, either deliberately or unintentionally, a senior security researcher told attendees at the RSA Conference this week.

The May 2017 WannaCry attacks by North Korea and the NotPetya attacks by the Russian military in June 2017 shut down hospitals, disrupted shipping and cost hundreds of millions of dollars in losses — much of it in the form of collateral damage.

It is inevitable, Sandra Joyce, senior vice president at FireEye, said during her RSA presentation yesterday (March 5), that future nation-state attacks on such a scale will cause loss of life.

"I rarely get to stand up in front of groups and tell them that the news is getting better," Joyce told the crowd. "But if you have purely destructive malware backed by a nation-state, then where does that leave us?"

NotPetya, which targeted tax-collection software that every business in Ukraine was obliged to run, masqueraded as ransomware, Joyce explained. But it was impossible to decrypt the affected data even if a ransom was paid. The goal of NotPetya was purely destructive, and the destruction streamed outward from Ukraine to infect companies and other institutions in 65 other countries.

Part of the collateral damage was at U.S. hospitals, Joyce said, where some patients could not be immediately treated as a result.

"A friend of mine who was suffering from throat cancer was turned away and told to come back next week," Joyce said.

"If you have purely destructive malware backed by a nation-state, then where does that leave us?"
—Sandra Joyce, FireEye senior vice president


Had anyone died as a result of NotPetya, that would have been an unintended consequence of a specific attack on Ukraine's economy. But nation-state malware already exists that is designed to deliberately kill people, according to Joyce.

At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists

Cybersecurity experts are no longer the only ones involved in the dialogue around data privacy. At RSA Conference 2019, it’s clear how far security and privacy have evolved since RSAC was founded in 1991. The 28th annual RSAC has a theme of “better,” a concept that speaks to the influence of technology on culture and people.

“Today, technology makes de facto policy that’s far more influential than any law,” said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School, in his RSAC 2019 session titled “How Public Interest Technologists are Changing the World.”

“Law is forever trying to catch up with technology. And it’s no longer sustainable for technology and policy to be in different worlds,” Schneier said. “Policymakers and civil society need the expertise of technologists badly, especially cybersecurity experts.”

Public policy and personal privacy don’t always coexist peacefully. This tension is clear among experts from cryptography, government and private industry backgrounds at RSAC 2019. In the past year, consumer awareness and privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have created an intensely public dialogue about data security for perhaps the first time in history.

The Cryptographer’s Panel, which opened the conference on Tuesday, delved into issues of policy, spurred in part by the fact that Adi Shamir — the “S” in RSA — was denied a visa to attend the conference. Bailey Whitfield Diffie, who founded public-key cryptography, directly addressed the tension between the legislature, personal privacy and autonomy. Other keynote speakers called for collaboration.

“We are not seeking to destroy encryption, but we are duty-bound to protect the people,” stated FBI Director Christopher Wray. “We need to come together to figure out a way to do this.”

Moving forward to create effective policy will require technical expertise and the advent of a new type of cybersecurity expert: the public interest technologist.

Why Policymakers Need Public Interest Technologists

“The problem is that almost no policymakers are discussing [policy] from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate,” wrote Schneier in a blog post this week. “The result is … policy proposals — that occasionally become law — that are technological disasters.”

“We also need cybersecurity technologists who understand — and are involved in — policy. We need public-interest technologists,” Schneier wrote. This profession can be defined as a skilled individual who collaborates on tech policy or projects with a public benefit, or who works in a traditional technology career at an organization with a public focus.

The idea of the public interest technologist isn’t new. It has been formally defined by the Ford Foundation, and it’s the focus of a class taught by Schneier at the Harvard Kennedy School. However, it’s clear from the discussions at RSAC and the tension that exists between privacy, policy and technology in cybersecurity dialogue that public interest technologists are more critically needed than ever before.

Today, Schneier said, “approximately zero percent” of computer science graduates directly enter the field of public interest work. What can cybersecurity leaders and educators do to increase this number and the impact of their talent on the public interest?

Technology and Policy Have to Work Together

Schneier wants public interest technology to become a viable career path for computer science students and individuals currently working in the field of cybersecurity. To that end, he worked with the Ford Foundation and RSAC 2019 to set up an all-day mini-track at the conference on Thursday. Throughout the event, there was a focus on dedicated individuals who are already working to change the world.

Schneier isn’t the only expert pushing for more collaboration and public interest work. A Tuesday panel discussion focused on how female leaders in government are breaking down barriers, creating groundbreaking policy and helping the next generation of talent flourish. Public interest track speaker and former data journalist Matt Mitchell was inspired by the 2013 George Zimmerman trial to create the nonprofit organization CryptoHarlem and start a new career as a public interest cybersecurity expert, according to Dark Reading.

On Thursday, IBM Security General Manager Mary O’Brien issued a clear call for organizations to change their approach to cybersecurity, including focusing on diversity of thought in her keynote speech. “Cross-disciplinary teams provide the ideas and insights that help us get better,” O’Brien said. “We face complex challenges and diverse attackers. Security simply will not be better or best if we rely on technologists alone.”

It’s Time for Organizations to Take Action

When it comes to creating an incentive for talented individuals to enter public interest work, a significant piece of responsibility falls on private industry. Schneier challenged organizations to work to establish public interest technology as a viable career path and become more involved in creating informed policy. He pointed to the legal sector’s offering of pro bono work as a possible financial model for organizations in private industry.

“In a major law firm, you are expected to do some percentage of pro bono work,” said Schneier. “I’d love to have the same thing happen in technology. We are really trying to jump start this movement … [however, many] security vendors have not taken this seriously yet.”

There are already some examples of private organizations that are creating new models of collaboration to create public change, including the Columbia-IBM Center for Blockchain and Data Transparency, a recent initiative to create teams of academics, scientists, business leaders and government officials to work through issues of “policy, trust, sharing and consumption” by using blockchain technology.

It’s possible to achieve the idea of “better” for everyone when organizations become actively involved in public interest work. There is an opportunity to become a better company, strengthen public policy and attract more diverse talent at the same time.

“We need a cultural change,” said Schneier.

In a world where technology and culture are one and the same, public interest technologists are critical to a better future.

The post At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists appeared first on Security Intelligence.

Imperva Wins Awards for Best Database Security, Coolest Cloud Security Vendor

SC Magazine has long been one of the most respected names in cybersecurity journalism, and one that has written about Imperva’s security research and solutions many times.

So we’re proud to announce that we’ve won the 2019 SC Award for Best Database Security solution at SC’s awards ceremony on March 5th in San Francisco. Held nearby to the RSA Conference 2019, the SC Awards also honored Imperva as a Finalist for Best Web Application Security.

Imperva’s been on a roll awards-wise. Just two weeks ago, CRN magazine named Imperva one of its Top 20 Coolest Cloud Vendors for security. That same month, CRN profiled two of our executives, VP Jim Ritchings and Senior Director Kirt Jorgenson, in its list of 2019 Channel Chiefs. Meanwhile, our AAP solution, which automatically safeguards applications from new and unknown threats, was named a Silver Winner in the Cybersecurity Excellence Awards 2019.

And going back to the end of last year, Imperva Attack Analytics was named a finalist for best security solution in CRN’s Tech Innovator Award, while our Web Application Firewall (WAF) was named one of the best in 2018 by enterprise customers surveyed by Gartner Peer Insights.

See a full list of Imperva honors here.

Why do our capabilities, especially in data security and cloud, win recognition from customers and experts alike? Because Imperva not only secures your data from theft, we also simplify compliance with vital regulations such as GDPR, SOX, PCI, HIPAA, and more. For instance, our Discovery and Assessment capability automatically finds unknown databases, classifies sensitive data, and detects database vulnerabilities. Data Activity Monitoring and Protection reliably monitors and protects databases with little or no impact on performance or availability. We standardize audit across all your databases, enabling organizations to automate compliance whether your databases are on-premises or in the cloud.

Our Data Risk Analytics capability uses machine learning and user data behavior analytics to distill millions of alerts to pinpoint suspicious activity and provide actionable insights in plain language. Our efficient data collection and processing means we require less than half the number of appliances as our primary competitor. And it helped one customer, a computer manufacturer, lower their cost of ownership by 70%. Finally, our Data Masking feature reduces risk in non-production environments by replacing large volumes of sensitive data easily with realistic fictional data.

Through our FlexProtect licensing plans, your enterprise has access to our suite of data security and application security capabilities, which you can quickly deploy wherever your applications and data are located — on-premises, in the cloud, in multiple clouds, or all of the above. And as customers continue moving their applications to the cloud, they can be confident that Imperva will migrate our security there, too.

With FlexProtect, there’s no risk of complicated, inflexible security licenses failing to cover your hybrid data infrastructure or slowing down your digital transformation.

We are at the RSA Conference all week at Booth 527 in the South Expo. Come down and meet our experts to learn more about our data and application security solutions and how our new FlexProtect plans can be as agile as your organization needs to be. Or follow up with us at Imperva.com.

The post Imperva Wins Awards for Best Database Security, Coolest Cloud Security Vendor appeared first on Blog.

Cisco, Talos tout importance of IoT security at RSA keynote

Matt Watchinski, the vice president of Cisco Talos, delivers a keynote address at the RSA Conference in San Francisco on Tuesday.

By Jonathan Munshaw of Cisco Talos and Liza Meak of The Network, Cisco’s technology news site.

By 2020, Gartner predicts 20 billion connected devices will be online — and more devices mean more security threats. Connected devices have exploded into the public and corporate landscape, rattling the bars of the cyber security cage.

In a keynote address at the RSA Conference in San Francisco, Matt Watchinski, the vice president of Cisco Talos, said the growing prevalence of these devices has made protecting them from attackers an urgent priority. Liz Centoni, the senior vice president of Cisco’s IoT (internet-of-things) Business Group, presented along with Watchinski.

“These technologies will make it into our critical infrastructure; they’ll make their way into how we deliver water and power,” he said during the address. “We have achieved so much in IT security. We are now going to have to learn a completely different world of OT [operational technology] security."

One of the most notable and recent IoT security attacks was VPNFilter, which Talos exposed last May. Talos researchers, working with public and private-sector threat intelligence partners and law enforcement, discovered malware infecting hundreds of thousands of networking devices worldwide, ready to act as a “kill switch” to take these devices offline at a moment’s notice.

Watchinski said VPNFilter is a well-known and well-publicized example, but there are many other daily, systemic attacks the public isn’t aware of that could disrupt daily services people need to live, such as electricity, oil and water.

Many companies are unprepared to defend against these kinds of attacks. Watchinski and Centoni reiterated that IT and OT teams need to work together to shield any device that connects to the Internet. Centoni said many Cisco customers are unaware of up to 40 or 50 percent of the devices on their network.

“Security is the reason IT and OT teams are forced to work together,” she said. “Today they work in different worlds.”

Centoni offered an analogy that groups existing technology into two different spaces: carpeted and non-carpeted.

The traditional devices in carpeted environments, such as routers, switches and endpoints, are already well-secured thanks to the work of security researchers and in-house IT teams.

But other devices, even oil pipelines, parking meters and electric scooters, connect to those same networks in non-carpeted spaces, meaning they exist out in the open. These devices are most at risk because IT teams aren’t currently paying close attention to them.

Centoni explained the need for security to be baked into the DNA of OT. Once implemented, OT systems usually don’t get upgraded for decades, so security has to be a fundamental part of the original design.

For more coverage of Cisco’s keynote at RSA, check out live tweets during the event below. You can also watch a recording of the presentation here. And for more of what to expect from Talos at RSA, listen to the latest Beers with Talos podcast here.

Unpatched Vulnerability in Microsoft Office

Researchers at the RSA Conference unveiled a zero-day flaw in Microsoft Office that, when exploited on a Java-enabled system, could lead to complete compromise of the endpoint. Microsoft Security Research has responded and said they won't be releasing a patch for it now, but might at a future date. Note that the flaw is being actively exploited in the wild; this is not a theoretical situation. However, the researchers admit this is not an easy flaw to exploit and that it requires in-depth knowledge of the file format. Details are in this ThreatPost article:

https://threatpost.com/zero-day-exploit-microsoft/142327/

Beers with Talos Ep. #48: Loaders or trojans, plus an RSA preview

Beers with Talos (BWT) Podcast Ep. #48 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

March 1, 2019 - This is a super short episode. We are trying to get it out in time for RSA and Matt is MIA today. We are covering the basics of loaders (and the difference between loaders and trojans). We also talk about some RSA activities we have coming up this week at the conference out in San Francisco.

The timeline:

  • 01:15 — Roundtable: Craig dodges an opportunity for a cannonball run.
  • 15:00 — Brushaloader: Seeing a huge uptick in Brushaloader activity, let’s talk loaders vs. trojans
  • 22:35 — Here’s what’s on tap for RSA and Talos

The links

==========
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff).

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

The Best Ways to Catch McAfee at RSA Conference 2019

In just a few weeks, San Francisco will be taken over by cybersecurity professionals and vendors at Moscone Center for the 2019 RSA Conference. There’s a lot packed into the conference—that’s why we’re breaking down the best ways to see McAfee in action. So take out your calendars and make note of the events below.

McAfee Leadership Takes the Stage

CSA Summit Keynote: Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation
Monday, March 4 | 11:35 am – 11:55 am | Moscone Center

Rajiv Gupta, Senior Vice President, Cloud Security Business Unit, McAfee

Scott Howitt, Senior Vice President & Chief Information Security Officer, MGM Resorts International

As a leader in their industry, MGM is transforming into a digital business by aggressively adopting the cloud to make their employees more engaged and productive and to deliver modern experiences to their customers. Join Rajiv Gupta, SVP of McAfee’s Cloud Business, and Scott Howitt, SVP and CISO for MGM Resorts International, to hear how MGM is protecting their enterprise data across the whole spectrum of their evolving infrastructure, from on-prem, to the device, to their SaaS, IaaS and PaaS cloud instances. More, here.


Session: #Ransomware – The Rise, Death and Resurrection of Digital Extortion
Monday, March 4 | 4:45 pm – 5:15 pm | Session Code: SEM-M03

John Fokker

Head of Cyber Investigations

Raj Samani

Chief Scientist, McAfee Fellow


Hear from cybercrime experts on the successes and lessons learned from the No More Ransom initiative, an online portal that has prevented millions of dollars in ransom payments to cybercriminals. Recent statistics point to a decrease in the number of ransomware variants. So, is ransomware dead? Not so fast. Get up to speed on what’s new in the ongoing effort to combat the threat of ransomware. More, here.

Keynote: Lightning in a Bottle, or Burning Down the House?
Tuesday, March 5 | 8:35 am – 8:55 am | RSA, West Stage

Dr. Celeste Fralick 

Chief Data Scientist 

Steve Grobman

Senior Vice President and Chief Technology Officer


Fire. In the wild, it’s a force for destruction. Controlled, it powers civilization’s forward evolution. But containing phenomena—natural or manmade—is a devilish challenge. Today’s regulatory hotspots include AI and quantum computing, because innovations that strengthen defenses can also fuel targeted threats. The weaponization of AI to amplify cyberattack impacts is enough to give anyone pause, so discussion of export controls on these and other technologies is a worthy conversation. What is the path forward to advance and protect human progress? How do we nurture sparks of innovation without burning bridges to the future? More, here.

Session: Using Machine Learning to Improve Security Predictions
Tuesday, March 5 | 11:00 am – 11:50 am | Session Code: SPO2-T06

Grant Bourzikas

Chief Information Security Officer (CISO) & Vice President of McAfee Labs Operations


Organizations are overwhelmed by data and dependent on outdated (nonpredictive) tools and methods. Security companies can’t keep up with the frequency of attacks, 50% of which are missed by traditional antivirus programs. In this session, McAfee’s CISO will share his experiences, providing valuable information for security organizations to predict attacks by relying on data science and machine learning. More, here.

Session: Multiparty Vulnerability Disclosure: From Here to Where?
Wednesday, March 6 | 9:20 am – 10:10 am | Session Code: PDAC-W03

As the world grows ever more dependent on complex technological systems, the risk of broadly impactful vulnerabilities in software and hardware is driving the need for improvements in how the global ecosystem addresses identification and disclosure of those vulnerabilities. This panel will discuss what works, what doesn’t, and suggest a path forward that can benefit everyone globally. More, here.

Moderator: John Banghart, Senior Director, Venable

Panelists: Kent Landfield, Chief Standards and Technology Policy Strategist, McAfee LLC

Art Manion, Vulnerability Analysis Technical Manager, CERT Coordination Center

Audrey Plonk, Director, Global Security Policy, Intel Corporation

Session: Law Enforcement: The Secret Weapon in the CISO’s Toolkit
Friday, March 8 | 11:10 am – 12:00 pm | Session Code: AIR-F03

John Fokker

Head of Cyber Investigations


This session will show you how to get the most out of working with law enforcement agencies (LEA) before, during or after a security breach. Learn why partnering with law enforcement can be a valuable strategic asset in the CISO’s ever-expanding toolbox of security measures. More, here.

Hack Your Way Through the Crowds at the McAfee Booth

We’re hosting a fun and interactive Capture the Flag challenge at our RSA booth to test the investigative and analytical skills of RSA attendees. Contestants will be given various challenges and will receive “flag” details on how to complete each challenge as quickly and accurately as possible. Want to know who is in the lead? Don’t worry, we’ll have a live scoreboard. The winner of the RSA Capture the Flag contest will get bragging rights and a cool prize to take home. Visit us at booth #N5745 in the North Hall.

Cloud Security BarCade Challenge

Tuesday, March 5 | 6:00 pm – Midnight | Coin-Op Game Room, San Francisco | 508 4th Street

We’re hosting an epic cloud security networking event at Coin-Op Game Room in San Francisco! What’s the challenge? Come out to see us and find out. There will be prizes, games, food, networking, and more. Register here.

RSA After-Hours Social & Cloud Security Panels

Wednesday, March 6 | 6:30 pm – 11:00 pm | Mourad, San Francisco | 140 New Montgomery Street

We’re bringing the cloud community together for a night of networking at Mourad, so grab your peers and head over to the after-hours social. We will have a DJ, awesome food, creative libations, and a VIP area upstairs for a private whiskey tasting. Throughout the night, we’ll be hosting cloud security panels, where you’ll hear perspectives from industry experts on the current security landscape, best practices, and how to elevate your cloud security posture. Register here and join us as we close out RSA at the after-hours social of the year.

There’s a lot to look forward to at RSA 2019, so be sure to stop by booth #N5745 in the North Hall for demos, theater sessions, and more. Feel free to use code XSU9MCAFEE for a free RSAC expo pass. Also, be sure to follow @McAfee for real-time updates from the show throughout the week.

The post The Best Ways to Catch McAfee at RSA Conference 2019 appeared first on McAfee Blogs.

Customers Blame Companies not Hackers for Data Breaches

RSA Security's latest research reveals that over half (57%) of consumers blame companies ahead of hackers if their data is stolen. Consumer backlash in response to the numerous high-profile data breaches in recent years has exposed one of the hidden risks of digital transformation: loss of customer trust.

The RSA Data Privacy & Security Survey 2019 identified that companies have lost the trust of customers as a disconnect has formed between how companies are using customer data and how consumers expect their data to be used.

Despite the fact that consumers harbour heightened concerns about their privacy, they continue to exhibit poor cyber hygiene, with 83% of users admitting that they reuse the same passwords across many sites, leaving them more vulnerable.

Key takeaways from the RSA Data Privacy study, include:

  • Context matters: Individuals across all demographics are concerned about their financial/banking data, as well as sensitive information such as passwords, but other areas of concern vary dramatically by generation, nationality and even gender. For example, younger demographics are more comfortable with their data being used and collected than older survey respondents. 
  • Privacy expectations are cultural: Consumers respond to data privacy differently based on their nationality due to cultural factors, current events and high-profile data breaches in their respective countries. For example, in the months of the GDPR being implemented, German attitudes shifted in favour of stricter data privacy expectations, with 42% wanting to protect location data in 2018 versus only 29 percent in 2017.
  • Personalisation remains a puzzle: Countless studies have demonstrated that personalised experiences increase user activity and purchasing. However, the survey results showed that respondents do not want personalized services at the expense of their privacy. In fact, a mere 17% of respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical. 

“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, Vice President of International, RSA. “Now is the time for organisations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”

Cyber Security Predictions for 2019

A guest article authored by Jim Ducharme, Vice President of Engineering and Product Management at RSA

1. Prepare for IOT, the “Identity of Things”
From personal assistants, to wearables, smartphones, tablets and more, there is no shortage of connected devices. The explosion of IOT has finally reached a tipping point where the conversation of identity will start to take on a whole new meaning. The billions of new digital identities being created don’t come without risk – including new privacy and cybersecurity vulnerabilities. With businesses and consumers all in on IOT, how do we protect and securely manage the “identity” of the things? 

2. Biometrics vs. the Four-Digit PIN
Biometrics are under a lot of pressure these days to be the silver bullet of authentication. So how could a simple four-digit PIN, which has at most 10,000 possible combinations, give biometrics like FaceID, with a 1 in 50 million entropy, a run for its money? The industry will come to realize that when four-digit PINs are combined with AI and machine learning, the four-digit PIN, similar to what has been used for decades to protect access to our bank accounts, can provide a very high level of security. The ultimate goal for identity and access management is not to find the unbreakable or “unhackable” code for authentication, but rather to layer security to create a much stronger identity assurance posture. AI and machine learning will be a game changer, allowing for intelligence-driven authentication that will open up additional options of security layers for organizations.

3. Death of the Password?
We have long seen predictions that passwords are in their final days. But it’s time to come to grips with the fact that passwords will be here for a long time. Perhaps there is still hope that, while we may be living with passwords for generations to come, they may be a lot less scary than the monster we have created. It’s time to reverse the trend of how complex passwords have become (MyKitsH8Me!) and how hard they are to manage (having to change them every 60 days) in an attempt to improve password strength. We can uncomplicate the password and unburden it from having the ultimate responsibility for security. A much simpler password coupled with additional layers of risk-based authentication, especially those factors invisible to the user like behavioral, location and device context, and even transparent biometrics, can help businesses better secure access to critical resources.

4. A New Generation of Risk-based Authentication
With a seemingly endless stream of high-profile data breaches and malicious cyberattacks, the need to ramp up security and manage identities is evident. 2019 will see the beginning of a new generation of risk-based authentication, powered by machine learning and user behavior analytics. Organizations will start to uncover their own unique context and identity insights to gain a more comprehensive view of user identities including locations, behavior patterns, frequency of use and more. This new generation of risk-based authentication will allow organizations to reduce the friction on end users when accessing applications and information while strengthening the assurance that the user is who they claim to be.

Jim Ducharme, Vice President of Engineering and Product Management at RSA

    Introspection on a Recent Downward Spiral

    Alrighty... now that my RSA summary post is out of the way, let's get into a deeply personal post about how absolutely horrible of a week I had at RSA. Actually, that's not fair. The first half of the week was ok, but some truly horrible human beings targeted me (on social media) on Wednesday of that week, and it drove me straight down into a major depressive crash that left me reeling for days (well, frankly, through to today still).

    I've written about my struggles with depression in the past, and so in the name of continued transparency and hope that my stories can help others, I wanted to relate this fairly recent tale.

    If you can't understand or identify with this story, I'm sorry, but that's on you.

    The Holy Trinity: Health, Career, and Relationships

    This story really starts before the RSA conference. 2016 was an up-and-down year for a variety of reasons, but overall my health had been ok as I was able to re-establish a regular exercise routine. My weight was higher throughout the year (a negative), in large part due to ending 2015 with a major flu bug and sinusitis that lingered for several months. Frankly, even today, I'm worn out and not as resilient as I think I should be.

    At any rate, I was doing ok in the health department until November when I traveled to Austin, TX, to speak at a small event. The night before I was supposed to speak I ended up eating something bad (I suspect a pickled jalapeño plucked from a jar on the table of a BBQ place) and contracting food poisoning. I got no sleep and was unable to eat all day, so speaking at 4pm after all of that to an audience of 5 (or less) was... not good. This led into more travel in early December such that by the middle of the month, I was sick. Two weeks of vacation on the road (sick), and suffice to say, by the time 2017 rolled around, I was completely worn out. Once health falls, poor diet routines tend to fall into place as I caffeinate to be functional during the day, which negatively impacts sleep, which negatively impacts weight, which creates the negative, reinforcing cycle around which everything else starts to circle and devolve.

    Suffice to say, one of the three pillars had fallen, and as is common for me the past few years (ever since getting pneumonia in June 2014), the road back is slow and requires a lot of willpower. From a mental health perspective, once health falls, the danger is real that a depressive episode may approach if anything else takes a hit. Enter the career/work angle...

    I'm not going to say a lot about this, but suffice to say, there's been a lot of personal job stress. Such an occurrence has been a trigger for me in the past, because - like so many people - a lot of my personal identity is wrapped around the work that I do. For the rare person reading this post who doesn't know, I work in the cybersecurity space, which is already beset with far above average burnout rates, which means the conditions are already tilted against success, happiness, and mental well-being. Add in my career history that's been so incredibly adverse and challenging, and the picture quickly shapes up that I can very quickly start feeling like I'm nothing more than a waste of space. After all, if work isn't fulfilling, and if I don't feel like I'm doing anything meaningful with my life, then it translates into feeling like I am meaningless. Don't argue, don't comment, don't provide some response about "no, man, you matter." It's not about rationality in this context, it's about how I feel at my core, which tends to be incredibly dark when the wheels fall off and the downward spiral commences.

    To sum up, all of this describes the conditions going into RSA week. I was feeling fat, I was feeling tired, I was feeling incredibly undervalued and worthless at work... which set the conditions for what happened next, which was the sense of loss of the third pillar of relationships.

    (many) People Suck

    I'm not by nature a misanthrope, but I've started to become one over the years, because at the end of the day, a lot of people are miserable, awful, and just downright mean. I unfortunately experienced all of this first-hand during RSA week (all day Wednesday, to be precise - literally starting around midnight, early in the morning). What I found is that there are lots of hateful, evil people in the world who love nothing more than to shit all over everyone; especially people with whom they think they disagree. The best/worst part of this is that they're willing to shit all over people for things you may have never said, but to which statements were (falsely) ascribed.

    In the cab home from our company RSA party late Tuesday (aka early Wednesday) I made the mistake of responding to someone's tweet (on the Twitters). A person who apparently is a major figure in the "women in science" movement (a true dyed-in-the-wool hard core feminist in all the worst connotations) had shared an article about getting more women into science (a worthy goal), but I felt the tone was very anti-male, which I view as being anti-helpful in many ways. So, I replied in what I thought was a very neutral, thoughtful manner, along the lines of "I think this is great, but we need to be mindful not to be inclusive via exclusion." I later added "Building one group up by tearing another down is not a net positive." as well as "When the oppressed becomes the oppressor, you still have oppression, which is not truly beneficial to everyone."

    It was appalling the degree and amount of raw, vile vitriol leveled at me for what I had viewed as thoughtful, respectful, constructive comments. Moreover, these comments were spewed at me literally all day Wednesday, to the tune of hundreds of tweets attacking me, calling me names and declaring things about me (clearly I'm such a product of "white male privilege," what with having grown up in a predominantly white rural community in a single-income academic household where we typically lived paycheck to paycheck and were consistently among the lowest social ranks). In some ways it was infuriating, but the constant onslaught of negativity and ad hominem attacks also took a severe toll on me in that I was already feeling crappy, and the NOP slide (so to speak) hit hard, driving me straight into the ground.

    Even Small Things Amount to Piling-On

    For those unfamiliar with the RSA Conference, Wednesday night during RSA week is historically an evening filled with corporate sponsored parties/receptions. As the event has grown, this has quickly become an overloaded evening of frivolity. Except this year I literally received no invitations. It was surreal. When I was with Gartner, it was all I could do to find a free moment. Even post-Gartner, as a buyer, there were myriad invitations. However, this year? Nothing. It was beyond strange, and by the time I realized it, pretty much all the parties were fully booked.

    I figured, at worst, I could just tag along with people to a couple events, have a little fun, call it an early night. Sounded ok in theory. Right up until I got ditched twice in 30 minutes (by different people), and the tailspin started. Add onto this that I'd been trying to meet up with a couple of dear friends in particular, to no avail (busy schedules). And, because of work-related issues, I ended up with far too much unscheduled down time during the week (a rant for another day). But, for someone teetering on an emotional collapse, this became a rather big deal.

    The biggest disaster of the night was when my phone got smacked out of my hand, causing it to fly and smash against something (in the dark). When I retrieved it, I found the screen was now non-functional... which was highly problematic considering it was the only computing device that I'd brought with me for the week. I had no laptop, no back-up phone, nothing. I was terrified! I immediately felt cut off (from the world abusing me). I was already in emotional freefall, and now was completely offline and unavailable in case anyone did try to reach out. Panic ensued. It was late at night and I had to wait until morning.

    All of these things (and many more) piled onto a bad day and rapidly accelerated a downward spiral. By Thursday morning I was exhausted and disconsolate. The only reason I got out of bed was the drive to replace my phone. I dragged myself to the Verizon Wireless store, only to find out they didn't open for another hour. I went to the office, only to find out that we don't actually have *any* phones (not even a polycom!). I was able to use one of the conference room computers to look up info for phone replacement, and then when a coworker arrived in the office, I borrowed her phone to call VzW to get details on my options. I then headed to the store a little before opening time (still ended up 4th in line) and quickly picked up a replacement device (which I subsequently hated and replaced once I got home). A couple hours after that and I finally was back online to an adequate reasonable degree. But... the damage was done... and I was just ready to be done, too...

    All of these things might strike you as trivial or insignificant, but you have to understand things in context. Already down due to ongoing health issues. Dragged/driven down even further by work issues. And then to have the social stuff go completely sideways? The spiral into the black hole was a rapid ascent, and the recovery less than trivial. Imagine falling into a hole, and as you try to climb out, the ground falls away and you collapse into a deeper hole. And then everything starts to fall in on you... as you fall deeper into the hole, the darker it gets, but gravity also increases, crushing you, making it harder to breathe, not to mention being buried, buried, buried... you feel like there's no way out... you feel like there's no air to breathe... you feel crushed... that is what it felt like...

    ---
    This is my RSA story. It could have been an ok week overall, but the bottom quickly fell out of it. There really were several potential positives (plus a few negatives), but it was hard to recognize them given Wednesday's NOP slide to disaster.

    How am I doing today? If I'm being honest, no better than so-so. Including travel, I logged 101 hours Sun-Sat for RSA week. I was exhausted last week and am simply not recovered. I don't feel like my health or diet are in a good place yet. Work is still very stressful and I'm just not in a good place there. I'm in fact incredibly frustrated with work/career stuff right now. It's hands-down the single most vexing and depressing thing to me (I feel like a failure. I'm literally on my 3rd post-Gartner job in 2 years). It's really hard to bounce back when the pillars continue to remain shattered. Things don't feel right, and that makes everything more difficult.

    But... if there's good news, it's that there are positives to be found, if I let myself see them. I do see the patterns, and I recognize changes I need to make to interdict those bad patterns. At least, to do so where I have actual control. But, it's really not an easy thing to do, and it's very difficult not to see and feel the dark cloud as it shrouds everything else. In the meantime, I do my best to soldier on, and try very hard to make better choices, such as around diet and exercise - asserting some degree of conscious choice and control where I can. Really, that's about all that one can do...

    Here's to hoping 2017 turns around!