VIDEO: Cyber criminals use cheap devices to jam, disrupt signals in everyday objects

By Byron V. Acohido

The risk of being hacked comes with living in the digital age. But now another form of digital disruption—signal jamming— is rapidly gaining traction and shaping yet another type of risk for consumers and businesses to worry about.

We’ve come to rely on digital signals moving through the Internet cloud and in and out of our computing devices. The problem is: it turns out that jamming digital signals is an easy thing to do.

Just when you thought it was safe

Security and privacy experts are starting to discuss how the disruptions wrought by digital signal jamming can cause harm ranging from the trivial to potentially catastrophic. Clearly, the horse is out of the barn.

The largest fine ever issued by the Federal Communications Commission—$34.9 million—was levied in June 2014 against Chinese online retailer CTS Technology for marketing nearly 300 signal jammers in the United States over more than two years.

Digital jammers are illegal in the United States because they can block 911 and law enforcement communications. Yet the devices remain cheap and easy to acquire on the Internet. People with a range of motivations are buying jammers and putting them to different uses.

Dean Liptak, a high school science teacher in Pasco County, Florida, for instance, earlier this year got fed up with his students disregarding school policy requiring them to turn off their cell phones while class was in session.

So Liptak used a jammer to shut down cell phone usage while he was lecturing. Verizon detected its customers’ phones being jammed in and around the high school and put a stop to Liptak’s use of a jammer as a teaching aid.

Meanwhile, last May a ring of clever car thieves in the United Kingdom used a type of jammer available for less than $50 on the Internet to disrupt shoppers in the act of digitally locking their vehicles at the Manchester Fort Shopping Park.

The thieves … more

VIDEO: Ripples from Internet of Things create sea change for security, liability

By Byron V. Acohido

Fact about Dick Cheney: When he was vice president of the United States, Cheney so fretted about someone remotely hacking into his heart defibrillator that he had his doctors disable the device’s wireless feature.

Cheney’s prescience about unprecedented exposures arising from the Internet of Things has been borne out.

Manufacturers are foisting Internet-connected medical devices, automobiles, TVs, gaming consoles, webcams, thermostats, utility meters and household appliances on consumers faster than hackers—both white hats and black hats—can identify the intrinsic coding flaws.

About 70 percent of the most commonly used IoT devices contain password, encryption, authentication and other vulnerabilities, according to a 2014 Hewlett Packard study. HP reviewed 10 of the most popular IoT devices and uncovered an average of 25 software flaws per device.

The good news is that the tech sector is cognizant of these new risks and is moving to establish baseline stability for the Internet of Things.

It may take a while. A cabal of IT security startups and entrenched tech giants has emerged as the source of proposals to shape a stable foundation on which IoT can stand. Ideas range from software patching to assembling innovative wireless networks dedicated to IoT devices.

“You can think of a future where … there will be tons of sensors around our physical environment,” says Chenxi Wang, vice president of cloud security and strategy at cloud encryption vendor CipherCloud. “It can collect data about our movement, even our body temperature. Privacy is a big issue. Safety could be an issue when those devices are operating critical tasks, like driving a car.”

Unique characteristics

IoT devices tend to have limited networking and storage capacities. So there’s little room for traditional security software, says May Wang, co-founder and CTO of Silicon Valley-based ZingBox, a startup that provides IT network security services.

“It’s hard to deploy per-device security measures,” says May Wang, no relation to Chenxi Wang.

What’s more, IoT devices often … more

Q&A: Chinese military hacking tactics used against major U.S. retailer

By Byron V. Acohido

This actual snapshot of a cutting-edge cyber attack was discovered by analysts at Norse Corp, a security vendor that has developed an amazing global network of honeypots emulating all sorts of common workplace and home appliances connected to the Internet, with embedded operating systems rife with vulnerabilities. Norse uses this honeypot network to monitor as cybercriminals scan for, infect, take control of and finally deploy vulnerable IoT appliances. Company founder and CTO Tommy Stiansen shared these stunning details with LastWatchdog.

Core finding: Nation state-backed cyber warfare campaigns typically focus on infrastructure such as utilities, defense contractors, financial firms and technology companies. However, forensic experts at Norse Corp. recently documented how a hacking group used military-style breach and data-exfiltration techniques against a large U.S. retailer. The hackers, widely believed to be backed by the Chinese government, ignored the usual pot of gold: payment card transaction data. Instead, they went after intellectual property to support an elaborate counterfeiting campaign.

Attack vector: To get a foothold in the retailer’s network, the hackers spear-phished working developers, engineers and designers. The targets were enticed into downloading what they believed to be 3D software to use in their daily work. They actually got the software, but the download also sneaked malware into the company’s network.

Distinctive technique: The infected computers then began to communicate with a command-and-control (C2) server using browser-based URL requests. Data sent back to the C2 server was encrypted. Norse analysts had to unravel multiple layers of obfuscation to reveal what was being exfiltrated, including translating part of the hackers’ encryption string from Japanese to English, and another part from Korean to English.

Wider implications: Retailers, or any other organization with trademarked and/or patented goods and services, should realize financial data isn’t the only data sophisticated hacking groups are proactively seeking. Governments engaging in cyber warfare must now worry that loosing military hacking techniques to breach nonmilitary targets, for whatever … more

VIDEO: Elastica discovers major vulnerability in Salesforce cloud CRM app

By Byron V. Acohido

Cloud application security start-up Elastica should be commended for alerting Salesforce privately about a notable flaw Elastica researchers discovered in one of the subdomains of the official Salesforce website.

Elastica gave Salesforce the heads-up last month, and waited until the CRM giant readied a patch before going public with its finding Wednesday.

Elastica researchers unearthed a cross-site scripting (XSS) vulnerability in admin.salesforce.com, a subdomain used by Salesforce administrators.

Had criminal hackers beaten Elastica to the punch, they could have moved to exploit a huge vector of attack. Thousands of companies, many of them small and mid-size organizations that subscribe to Salesforce, would have been exposed.

An attacker would have been able to execute phishing attacks from inside Salesforce and harvest users’ credentials, with a good chance of eluding spam filters and anti-phishing solutions.

But there is a larger lesson here. Business software can be riddled with flaws like this one, waiting to be discovered. Depending on who finds these so-called zero-day vulnerabilities first, either patching or exploitation can be expected to eventually follow. ThirdCertainty asked Aditya K. Sood, lead architect of Elastica Cloud Threat Labs, to outline the wider context.

3C: Can you characterize how pervasive these types of latent, but as yet undiscovered, vulnerabilities are in business software?

Sood: Any public-facing application is susceptible to an attack. It is difficult to say how many business applications are, but developers can make mistakes, which could result in vulnerabilities. For that reason, we require security assessments of business applications before they are deployed in production environments.

3C: How effective are bounty programs in keeping these types of vulnerabilities mitigated?

Sood: Bug bounties motivate researchers to disclose vulnerabilities to the vendors in a responsible fashion and, in return, researchers get rewarded for their efforts. It definitely helps to build positive relationships with security researchers. It is a very cost-effective … more

VIDEO: Why it’s high time ‘unstructured data’ gets acknowledged, protected

By Byron V. Acohido

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system.

Some 80 percent of business data is said to be unstructured and that percentage quite obviously has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software, and dispersing our pearls of wisdom in digital communications.

Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages, and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”

I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

STEALTHbits helps companies that use Windows Active Directory … more

FIRESIDE CHAT: Why board directors, senior execs must gain full understanding of data breaches

By Byron V. Acohido

Driven by the fallout of major data breaches at Target, Sony Pictures, Anthem and hundreds of other large and small organizations elsewhere, cybersecurity is now a problem of strategic importance in organizations of all sizes.

ThirdCertainty sat down last week at the RSA Conference in San Francisco with Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama, to discuss the wider context. The fireside chat was sponsored by TaaSera, supplier of pre-emptive breach detection systems.

3C: Are the dots starting to connect in the minds of senior executives that their organizations are facing profound new exposures?

Schmidt: Yes, they are starting to look at cybersecurity as a strategic issue that needs to be dealt with at the corporate level. The financial services sector years ago said, “OK, we can lose this amount of money through credit card fraud, and we can work within that.” Now the exposures are much more than that. It’s reputation, it’s government regulation, it’s customer confidence, and so a lot of attention is going into it.

3C: Security vendors certainly are paying attention. There’s no shortage of clever technology to defend networks.

Schmidt: Yes, clearly. Every year at RSA and at Infosec Europe, I see products developed to react to what happened this past year or last week or last month, so you wind up in a situation where you are chasing the problem instead of developing systems to deal with those problems before they occur. For example, we have tremendous capabilities: intrusion detection, intrusion prevention, malware protection, breach detection, all those sort of things. They’ve been good, but they have not been as effective as we need them to be.

3C: Because they’re perimeter focused?

Schmidt: That’s correct, they’re all perimeter-based, so when somebody gets in and it looks like they should be inside, they can start doing … more

Q&A: Is ‘FIDO’ on Samsung Galaxy superior to Apple Pay on iPhone?

By Byron V. Acohido

A day after Apple successfully hyped the ability for iPhone 6 users to biometrically authenticate the purchase of a Big Mac, using Apple Pay and Touch ID, Google rolled out Google Security Key, a new type of USB key based on the FIDO standard. Security Key can make your Gmail account nearly impossible to hack.

The two announcements are related. Both point the way to mainstream use of biometric sensors and other mechanisms for affirming you are who you say you are in digital communications and transactions.

LastWatchdog asked Brett McDowell, Executive Director of the FIDO Alliance, to handicap the competition to dominate the next generation of authentication technologies.

LW: In plain language, what is FIDO?

McDowell: FIDO stands for Fast IDentity Online. It’s a new set of industry standards, much like WiFi, Bluetooth and NFC. Any device manufacturer, software developer or online service provider can build support for FIDO standards into their existing products and services to make online authentication simpler and more secure.

The fact that this is all being standardized means the FIDO ecosystem can grow and scale. Any new implementation of the standards that pops up on the Internet will be able to immediately interoperate with any other implementation.

FIDO standards allow online service providers the option to set their own policies about what kind of authenticators they are willing to trust. That includes PIN codes, voice or face recognition software, fingerprint readers, iris scanners, etc.

LW: What is the key distinction between how Apple is moving to popularize biometrically authenticated consumer purchases vs. the course the FIDO alliance is on?

McDowell: Apple Pay is a payment application, and just like every other application, it requires authentication. The Touch ID sensor, which is used as the authenticator for other applications, including but not limited to Apple Pay, is quite relevant to a discussion about FIDO standards.

To level set, the FIDO Alliance is an … more