Archive for cybercrime

The Top 10, Top 10 Predictions for 2017

2017.jpgThe time of year when crystal balls get a viewing and many pundits put out their annual predictions for the coming year. Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.

8 Predictions About How the Security Industry Will Fare in 2017 – An eWeek slideshow looking at areas like IoT, ransomware, automated attacks and the security skills shortage in the industry. Chris Preimesberger (@editingwhiz), who does a monthly #eweekchat on twitter, covers many of the worries facing organizations.

10 IoT Predictions for 2017 – IoT was my number 1 in The Top 10, Top 10 Predictions for 2016 and no doubt, IoT will continue to cause havoc. People focus so much on the ‘things’ themselves rather than the risk of an internet connection. This list discusses how IoT will grow up in 2017, how having a service component will be key, the complete mess of standards and simply, ‘just because you can connect something to the Internet doesn’t mean that you should.’

10 Cloud Computing Trends to Watch in 2017 - Talkin' Cloud posts Forrester’s list of cloud computing predictions for 2017 including how hyperconverged infrastructures will help private clouds get real, ways to make cloud migration easier, the importance (or not) of megaclouds, that hybrid cloud networking will remain the weakest link in the hybrid cloud and that, finally, cloud service providers will design security into their offerings. What a novel idea.

2017 Breach Predictions: The big one is inevitable – While not a list, per se, NetworkWorld talks about how we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation. Political manipulation? No, that’ll never happen. NW talks about how cyber attacks will get worse due to IoT and gives some ideas on how to protect your data in 2017.

Catastrophic botnet to smash social media networks in 2017 – At the halfway point the Mirai botnet rears its ugly head and ZDNet explains how Mirai is far from the end of social media disruption due to botnets. With botnets-for-hire now available, there will be a significant uptick in social media botnets which aim not only to disrupt but also to earn money for their operators in 2017. Splendid.

Torrid Networks’ Top 10 Cyber Security Predictions For 2017Dhruv Soi looks at the overall cyber security industry and shares that many security product companies will add machine learning twist to their products and at the same time, there will be next-gen malware with an ability to bypass machine learning algorithms. He also talks about the fast adoption of Blockchain, the shift towards mobile exploitation and the increase of cyber insurance in 2017.

Fortinet 2017 Cybersecurity Predictions: Accountability Takes the Stage - Derek Manky goes in depth with this detailed article covering things like how IoT manufacturers will be held accountable for security breaches, how attackers will begin to turn up the heat in smart cities and if technology can close the gap on the critical cyber skills shortage. Each of his 6 predictions include a detailed description along with risks and potential solutions.

2017 security predictions – CIO always has a year-end prediction list and this year doesn’t disappoint. Rather than reviewing the obvious, they focus on things like Dwell time, or the interval between a successful attack and its discovery by the victim. In some cases, dwell times can reach as high as two years! They also detail how passwords will eventually grow up, how the security blame game will heat up and how mobile payments, too, will become a liability. Little different take and a good read.

Predictions for DevOps in 2017 – I’d be remiss if I didn’t include some prognosis about DevOps - one of the most misunderstood terms and functions of late. For DevOps, they will start to include security as part of development instead of an afterthought, we’ll see an increase in the popularity of containerization solutions and DZone sees DevOps principals moving to mainstream enterprise rather than one-off projects.

10 top holiday phishing scams – While many of the lists are forward-looking into the New Year, this one dives into the risks of the year end. Holiday shopping. A good list of holiday threats to watch out for including fake purchase invoices, scam email deals, fake surveys and shipping status malware messages begging you to click the link. Some advice: Don’t!

Bonus Prediction!

Top 10 Most Popular Robots to Buy in 2017 – All kinds of robots are now entering our homes and appearing in society. From vacuums to automated cars to drones to digital assistants, robots are interacting with us more than ever. While many are for home use, some also help with the disabled or help those suffering from various ailments like autism, a stroke or even a missing limb. They go by many monikers like Asimo, Spot, Moley, Pepper, Jibo and Milo to name a few.

Are you ready for 2017?

If you want to see if any of the previous year’s prognoses came true, here ya go:

ps




Don’t Take the Impostor’s Bait

Posted in Uncategorized, security, f5, big-ip, cybercrime, devcentral, phishing by psilva on September 20th, 2016

detect_phishing_intro.jpg

Phishing has been around since the dawn of the internet. The term was first used in an AOL Usenet group back in 1996 but it wasn’t until 2003 when many baited hooks and lures started dropping. Popular transaction destinations like PayPal and eBay were some of the early victims of these spoofed sites asking customers to update their personal and credit card information. By 2004,it was a full-fledged ‘get rich quick scheme’ with many financial institutions– and their customers – as targets.

Oxford Dictionary defines Phishing as, ‘The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.’

You’ve seen it, the almost perfect looking email with actual logos, images and links to a reputable company only to have it go to a slick looking replica complete with a login form. If you aren’t paying attention and do enter your credentials,you’ve just given a crook access to your money.

The Anti-PhishingWorking Group (APWG) reports a 250 percent jump in the number of detected phishing websites between October 2015 and March 2016. More than in any other three-month span since it begantracking back in 2004. That’s around 230,000 unique phishing campaigns a month.And as recent as last week, AmericanExpress users were hit with a phishing email offering anti-phishing protection. Go figure. If you clicked the link, you were taken to a bogus Amex login page which asks for all the important stuff: SSN, DoB, mother’s maiden, AMEX number plus security code and a few other vitals.

When complete, you’ll be redirected to the authentic site so you think you’ve been there all along. That’s how they work their magic. A very similar domain URL and all the bells of the original, including the real customer service 800 number.

You can combat it however.

F5’s WebSafe Web Fraud Protection can secure your organization (and your customers) against the evolving online fraud and you do not need any special client to detect it. WebSafe inserts an obfuscated JavaScript code which can detect malware like bait, mandatory words or if the fake was loaded from a different domain. It can validate source integrity like comparing fields for multiple users and detect threats like automatic transactions. Alerts are sent to an on premise dashboard and can also be forwarded to F5’sSecurity Operations Center (SOC).

If you are configuring malware protection for the login and transaction pages for a financial application, it’s as simple as adding an Anti-Fraud profile to yourVIP.

First, you create an anti-fraud profile:

anti_fraud.jpg

Then indicate which URL should be watched and the action:

anti_fraud_url.jpg

Then enable Phishing detection:

anti_fraud_pshishing.jpg

And when a phishing attach occurs, both the domain and the username of the victim get reported to the dashboard:

anti_fraud_pshishing.jpg

The code that’s inserted is a little piece of JavaScript added to your website to detect the malicious activity. No action is needed on the part of the user since everything is handled within BIG-IP.

anti_fraud_code_added.jpg

This tiny piece of code will dramatically reduce fraud loss and retain the most important asset in business—customer confidence.

Don't get fooled by a faker.

ps

Related:




The Dangerous Game of DNS

credit-card-perspective.jpg

The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS queries.

And because of that, DNS is a precious target and only lags behind http as the most targeted protocol.

DDoS-ing DNS is an effective way to make the service unavailable. As the flood of malicious DNS requests hit the infrastructure, the service can become unresponsive if there is not enough capacity. Organizations can add more servers or turn to their cloud-based security provider for help. One of the strategies cloud-based security providers use to shield DNS is DNS redirection. Cloud providers will divert incoming traffic to their own infrastructure, which is resilient enough to detect and absorb these attacks. The success of this strategy however depends on how well the website's original IP address can be shielded. If the bad guy can find that IP address, then they can get around the protection.

So is DNS redirection effective? Researchers decided to find out.

Scientists from KU Leuven in Belgium built a tool called CLOUDPIERCER, which automatically tries to retrieve websites' original IP address, including the use of unprotected subdomains. Almost 18,000 websites, protected by five different providers, were part to the team's DNS redirection vulnerability tests. In more than 70% of the cases, CLOUDPIERCER was able to retrieve the website's original IP address - the precise info needed to launch a successful attack.

Researchers did share their findings with those cloud-based providers and have made CLOUDPIERCER freely available for organizations to test their own DNS infrastructure.

In another DNS scam, a new version of the NewPosThings PoS (point of sale, not…) malware is using DNS rather than http/https/ftp to extract data from infected PoS terminals. This is an interesting twist since most security solutions monitor http/https traffic for suspicious activity. Anti-virus doesn’t necessarily watch DNS and admins cannot simply turn off DNS since they need it to resolve hostnames and domains. Seems like a clear shot.

The newest version of NewPoSThings is nicknamed MULTIGRAIN and it only targets (and infects) one specific type of PoS platform: The multi.exe process, specific to a popular electronic draft capture software package. If the multi.exe process is not found the malware moves on. Once inside, the malware waits for the Track 2 credit card data and once it has the data, it encrypts and encodes it before sending to the bad guy via a DNS query.

The use of DNS for data exfiltration on PoS devices is not new and shows not only how attackers can adjust to different environments but also, that organizations need to be more aware of their DNS traffic for potential anomalies.

BIG-IP could also help in both instances.

For the redirection issue, BIG-IP or our Silverline Managed Service offers Proxy mode with DNS redirection. With Routed Mode, we offer BGP to Silverline then Generic Routing Encapsulation (GRE) tunnels or L2VPN back to the customer to mask the original IP address.

For the PoS malware, BIG-IP can utilize a DNS response policy zone (RPZ) as a firewall or outbound domain filtering mechanism. An RPZ is a zone that contains a list of known malicious Internet domains. The list includes a resource record set (RRset) for each malicious domain and each RRset includes the names of the malicious domain and any subdomains of the domain.

When the BIG-IP system receives a DNS query for a domain that is on the malicious domain list of the RPZ, the system responds in one of two ways based on your configuration. You can configure the system to return an NXDOMAIN record that indicates that the domain does not exist or return a response that directs the user to a walled garden.

rpz1.png

BIG-IP returns NXDOMAIN response to DNS query for malicious domain

rpz2.png

BIG-IP forwards DNS query for malicious domain to walled garden

DNS is one of those technologies that is so crucial for a functioning internet, especially for human interaction. Yet is often overlooked or seems to only get attention when things are broken. Maybe take a gander today to make sure your DNS infrastructure is secure, scalable and ready to answer each and every query. Ignoring DNS can have grave consequences.

ps

Related:




Time It Takes the Fingers to Remember a New Password? About 3 days

Posted in security, silva, authentication, cybercrime, identity theft, human behavior, access by psilva on March 18th, 2016

unpw.jpg

Recently I changed some of my passwords. Some due to typical rotation time and a couple due to potential breaches and encouragement from the affected site. No, I’m not going to tell you which ones or how I go about it but I noticed that it took about 3 days for my fingers to key the correct combination.

This has probably happened to you too, where after changing a password, you inadvertently enter the old password a number of times since that is what the fingers and hands remember. Yes, I’m sure many of you have password keepers (which have also been breached) locked by a master and I use one too, but for many of my highly sensitive passwords, I keep those in my head.

As I continued to enter the old password for a couple days only to correct myself, I started thinking about habits and muscle memory. Some adages talk about it taking about 30 days (66 days in this study) to either pick up or drop a habit if done daily. Want to keep an exercise routine? Do it daily for a month and you are more than likely to continue...barring any unforeseen circumstances.

And then there’s muscle memory. Things like riding a bike, signing your name, catching a ball or any repetitious, manual activity that you complete often. Your muscles already know how to do it since they’ve been trained over time. You do not need to think about, ‘OK, as it gets closer, bring your hands together to snag it from the air,’ it just happens. This is one of the reasons why people change or update certain exercise or resistance routines – the muscles get used to it and need a different approach to reach the next plateau.

I wondered if anyone else had thought of this and a quick search proved that it is a bona fide technique for password memory. Artists like musicians use repetitive practice for scale patterns, chords, and melodic riffs and this trains the muscles in the fingers to 'remember' those patterns. It is the same notion with passwords. Choose a password that alternates between left and right hands that have some rhythm to it. After a bit, the hands remember the cadence on the keyboard and you really do not need to remember the random, committed numbers, letters or Shift keys pounced while typing your secret. This is ideal since only your fingers remember not necessarily your mind.

Granted, depending on how your head works this technique might not work for everyone but it is still an interesting way to secure your secrets. And you can brag, 'If you break my fingers, it'll wipe the device.'

ps

Related:




Hello Infiltrators - Our Doors are Wide Open

Posted in security, f5, silva, privacy, mobile, cybercrime, iot, things, risk, sensors, society by psilva on March 11th, 2016

Gossamer_restored.jpg

In the 1946 classic ‘Hair Raising Hare,’ Bugs Bunny asks, ‘Have you ever have the feeling you were being watched? Like the eyes of strange things are upon you?’ Like Bugs often did, he breaks the fourth wall and involves the audience directly, invoking a feeling that someone is looking over your shoulder.

Today, it is likely the case that you are being watched by the strange (internet of) things that are starting to infiltrate our homes, cars, bodies and the whole of society. While there is a mad rush by people purchasing these things and a similar rush for companies to develop applications and services around those, many are not pausing to either understand the risks or build security into the products.

From home security systems to surveillance cameras to baby monitors to televisions to thermostats, examples pour in daily about flaws and vulnerabilities that leave you, your family and your home exposed. The way things are going, even if you’ve closed and locked your front door physically, that door is wide open to the digital world.

Here are just a few recent examples.

Might as well start with our dwellings. Security researchers at Rapid7 found flaws in in Comcast’s Xfinity Home Security system that would cause it to falsely report that the home’s windows and doors are closed and secured even if they’ve been opened. It also failed to detect an intruder’s motion inside the house. Attacking the system’s communications protocol, they used radio jamming equipment to block the signals that pass from the door, window, or motion sensor to the home’s baseband hub. The system didn’t notice the communication was breached and essentially, failed open without any alert to the owner. When the jammers were turned off, it took minutes to hours for the sensors to reconnect and still didn’t give any indication that a catastrophe could have occurred.

Next, to some of the things inside the insecure house. Experts are predicting that as more connected, smart-TVs enter the home, this will be an avenue for the bad guys to breach your home network. Almost half of U.S. households already have a smart-TV and close to 70% of the sets sold this year will have connectivity capabilities. A threat researcher with Symantec was able to infect his new Andriod-based smart-tele with some ransomware. Within a few seconds, the TV was locked and unusable with the fear inducing pay-up-pop-up ransom note.

Also giving outsiders a view of the inside, Princeton researchers found that certain IoT thermostats were leaking customer zip codes over the internet in clear text. Fortunately, when the manufacturer was notified they quickly issued a patch. There are many horror stories about strangers watching and talking to children via insecure baby monitors. Add to that, toys that record your kid's conversations puts the whole family at risk.

And out on the road, we’ve seen how researchers were able to control a Jeep and last week, researchers were able to remotely control any of the Nissan Leaf’s functions by using the mobile app’s insecure APIs. The unsecured APIs allowed anyone who knows the VIN of a car to access non-critical features like climate control and battery charge management from anywhere on the Internet. Also, someone exploiting the unauthenticated APIs can see the car's estimated driving range. They too, pulled access to the app until they can properly secure the infrastructure and application that supports the mobile app.

Lastly, if you think this is contained within a consumer based household, think again. A recent Ponemon/Lookout survey revealed that an average of 1,700 malware laced mobile devices per company, connect to an enterprise network. Wait ‘til all the insecure wearables start connecting. Employees are often referred to as the weakest link. Today it is mostly their insecure mobile devices but multiply that by a wardrobe, now the risk is enhanced.

ps

Related:

Image courtesy: https://en.wikipedia.org/wiki/File:Gossamer_restored.jpg



RSA Security Octagon: What’s the Best Way to Secure Applications?

Posted in security, f5, application security, silva, web application, cybercrime, hackers, rsa, infrastructure by psilva on February 29th, 2016

vs.jpg

We're doing something a little different this year at #RSA with a Security Octagon. Everyone loves a good debate and in the security community discussions pop up constantly around a myriad of topics at any given point - with individuals or groups in the community taking opposing sides in these quarrels. While we’re not looking for a knock-down drag out geek fight, we are looking for a spirited debate in hopes of engaging with security pros to lend their support and opinions to the topic.

In the first debate we focus on the topic of application security. Is application security just secure coding or is it more than that? Preston Hogue from F5 and Jeremiah Grossman from WhiteHat Security are our first participants to discuss 'What's the Best Way to Secure Applications?'

How can you play along?

Visit https://f5.com/securityoctagon to cast your vote and comment on the discussion.

1. Make sure to use the appropriate #hashtag:

      a. #TeamGrossman

      b. #TeamHogue

2. Can’t pick a camp to support, promote the program overall:

      a. #SecOctagon

If you're at RSA, visit F5 booth 1515 and say 'Aloha' to DevCentral folks John Wagnon and Jason Rahm and ask how you can Integrate WhiteHat Scans With BIG-IP ASM.

And a very special thanks to Jeremiah for participating this year. Always appreciate his security insight and for a look back at previous RSAs, here are the past 5 years of interviews we did together.

RSA2015 - The InfoSec Landscape with Jeremiah Grossman

RSA 2014: Jeremiah Grossman Interview

RSA2013: Interview with Jeremiah Grossman

RSA 2012 - Interview with Jeremiah Grossman

RSA2011 - Interview with Jeremiah Grossman

Enjoy the show!

ps

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]



My Blog Roll 2015

It’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2015 blog entries. If you missed any of the 89 attempts including 59 videos, here they are wrapped in one simple entry. I read somewhere that lists in blogs are good. I broke it out by month to see what was happening at the time and let's be honest, pure self-promotion.

Thanks for reading and watching throughout 2015.

Have a Safe and Happy New Year.

Jan 2015

Feb

March

April

May

June

July

August

September

Oct

Nov

Dec

And a couple special holiday themed entries from years past.

ps

Related

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]



Identity Theft: Not So Scary Anymore

Posted in security, silva, privacy, cybercrime, identity theft, humans, risk by psilva on November 17th, 2015

This article originally appeared on F5.com on 10.20.15.

With Halloween in our rearview mirror and the holiday shopping season upon us, a couple surveys are out examining our fears and in particular, our concerns about identity theft. Apparently, ID theft is not so scary anymore - like entering a haunted house for the hair-raising screams but walking out with nervous giggles.

Over at Bankrate.com, only 54% of surveyed tricksters says they are somewhat or very frightened of ID theft. That's down 80% from those who expressed the same level of concern back in 2008. Almost half, 43%, claim they have little or no fear, trouncing the 19% who were brave in 2008. This is all while the overall victim count remains at similar levels - 12.5 million in 2008 verses 12.7 million in 2014 according to Javelin Strategy & Research. As far as knowing someone who has been hit, 46% say they or a friend has been a victim compared to 34% in 2008.

They chalk it up to people being desensitized to breaches due to the almost weekly confessions of data intrusions. The general feeling is that if large retailers, health care providers and credit agencies can't keep my data safe, how can I. More of those same folks however are also following some good advice of shredding sensitive documents (72%), checking their credit report regularly (56%), avoiding insecure WiFi (54%) and almost 20% have frozen their credit files. These are all good ways to help you worry less.

And Chapman University published their Survey of American Fears, Wave 2 (2015) examining the fears of average Americans. The domains of fear include areas like crime, natural and man made disasters, personal anxieties, environment, technology and others. Along with the corruption, terrorism and warfare, identity theft comes in at 39.6% and credit card fraud sits at 36.9%. Both in the Top 10.

Top10Fears.jpg

So, while ID theft is still one of our top fears, by the time you get to Nightmare on Identity Street 4, Freddy isn't so freighting and you have some tools to deal with him.

Besides, your insecure connected kettles could be exposing your WiFi passwords without your knowledge. Now that's scary!

ps

Related

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]



Blog Roll 2014

Posted in security, f5, big-ip, availability, cloud computing, silva, blogging, cybercrime, family, sensors by psilva on December 16th, 2014

It’s that time of year when we gift and re-gift, just like this text from last year. And the perfect opportunity to re-post, re-purpose and re-use all my 2014 blog entries. If you missed any of the 96 attempts including 57 videos, here they are wrapped in one simple entry. I read somewhere that lists in blogs are good. I broke it out by month to see what was happening at the time and let's be honest, pure self promotion. 

Thanks for reading and watching throughout 2014.

Have a Safe and Happy New Year.

 

January

February

March

April

May

June

July

August

September

October

November

December

And a couple special holiday themed entries from years past.

 

ps

Related

 

Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]



The Breach of Things

Posted in security, f5, silva, cybercrime, humans, breach, iot, things by psilva on September 9th, 2014

Yet another retailer has confessed that their systems were breached and an untold number of victims join the growing list of those who have had their data was stolen. This one could be bigger than the infamous Target breach. I wonder if some day we'll be referring to periods of time by the breach that occurred. 'What? You don't remember the Target breach of '13! Much smaller than the Insert Company Here Breach of 2019!' Or almost like battles of a long war. 'The Breach of 2013 was a turning point in the fight against online crime,' or some other silly notion.

On top of that, a number of celebrity's private photos, stored in the cloud (of course), were privately stolen. I'm sorry but if you are going to take private pictures of yourself with something other than a classic Polaroid, someone else will eventually see them.

Almost everything seems breach'able these days. Last year, the first toilet was breached. The one place you'd think you would have some privacy has also been soiled. Add to that televisionsthermostatsrefrigerators and automobiles. And a person's info with a dangerous hug. Companies are sprouting up all over to offer connected homes where owners can control their water, temperature, doors, windows, lights and practically any other item, as long as it has a sensor. Won't be long until we see sensational headlines including 'West Coast Fridges Hacked...Food Spoiling All Over!' or 'All Eastern Televisions Hacked to Broadcast old Gilligan's Island Episodes!'

As more things get connected, the risks of a breach obviously increase. The more I thought about it, I felt it was time to resurrect this dandy from 2012: Radio Killed the Privacy Star for those who may have missed it the first time. Armed with a mic and a midi, I belt out, karaoke style, my music video ‘Radio Killed the Privacy Star.’ Lyrics can be found at Radio Killed the Privacy Star.

Enjoy.


https://link.videoplatform.limelight.com/media/?mediaId=485cad6cd3a8440ead67a8a2a04e309a&width=560&height=420&playerForm=e654e4bff58a4a4f8a92c4c7a99dd587

http://link.videoplatform.limelight.com/media/?mediaId=485cad6cd3a8440ead67a8a2a04e309a&width=560&height=420&playerForm=e654e4bff58a4a4f8a92c4c7a99dd587





« Older episodes ·