What happens in Vegas will be in tomorrow’s breach report

16 April 2018 in Digital Download


Black Hat is going on this week in Las Vegas and it continues to be one of the best places for hackers to get free drinks and new ideas. For example, an analyst presented research that shows how adversaries can abuse web caching services to expose sensitive information of authenticated users, and even take control of their accounts. The so-called “web caching attack” targets sites that use Content Delivery Network (CDN) services such as Akamai and Cloudflare. These services act as traffic load balancers and reverse proxies, and store files that are frequently retrieved in order to reduce latency from a web server. Unfortunately, I wasn’t able to attend this year. I did however go to a shoplifting conference where I learned about food-related vulnerabilities at grocery stores. I haven’t paid for grapes or trail mix in months. Read more >
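The caching attack above hinges on one decision: whether the edge cache judges cacheability from the URL (a `.css` or `.png` suffix) or from what the origin actually says about the response. The following is an added example, not code from the newsletter or from the Black Hat research it summarizes; `naive_policy`, `hardened_policy`, and the sample responses are constructed for illustration. It compares a suffix-based policy against one that only caches what the origin explicitly marks as shareable and that refuses to cache a static-looking URL whose body is actually HTML.

```python
"""Compare two CDN cache-admission policies on constructed HTTP responses.

The risk: an edge cache that decides from the URL suffix alone will store a
personalised page served under a static-looking path, so the next anonymous
visitor to that URL receives the authenticated user's content.
"""
from dataclasses import dataclass, field

# Suffixes a suffix-based policy treats as "static asset" (assumption).
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".woff2")


@dataclass
class Response:
    """Minimal model of an origin response as seen by the edge cache."""
    path: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header field names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def naive_policy(resp):
    """Cache anything that looks like a static asset by its URL suffix."""
    return resp.status == 200 and resp.path.lower().endswith(STATIC_SUFFIXES)


def hardened_policy(resp):
    """Cache only responses the origin explicitly marks as publicly cacheable.

    Rules, all of which must hold:
      1. status 200 only;
      2. a static-looking URL whose body is HTML is never cached
         (the origin ignored the suffix, so the body may be personalised);
      3. no Set-Cookie on the response;
      4. no 'private' or 'no-store' directive;
      5. an explicit 'public', 'max-age' or 's-maxage' directive is present
         (absence of caching headers is treated as 'do not cache').
    """
    if resp.status != 200:
        return False
    ctype = (resp.header("Content-Type") or "").lower()
    if resp.path.lower().endswith(STATIC_SUFFIXES) and ctype.startswith("text/html"):
        return False
    if resp.header("Set-Cookie") is not None:
        return False
    cache_control = (resp.header("Cache-Control") or "").lower()
    directives = {d.strip().split("=")[0] for d in cache_control.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    if not directives & {"public", "max-age", "s-maxage"}:
        return False
    return True


def disagreements(responses):
    """Return paths the naive policy would cache but the hardened one refuses."""
    return [r.path for r in responses if naive_policy(r) and not hardened_policy(r)]


# Constructed sample responses (not captured traffic).
SAMPLES = [
    # A genuine public stylesheet: both policies cache it.
    Response("/static/app.css", 200, {
        "Content-Type": "text/css; charset=utf-8",
        "Cache-Control": "public, max-age=3600",
    }),
    # Account page served under a static-looking path: the origin returned the
    # authenticated user's HTML and sent no caching headers at all.
    Response("/account/settings/nonexistent.css", 200, {
        "Content-Type": "text/html; charset=utf-8",
    }),
    # A per-user image the origin correctly marks private.
    Response("/profile/avatar.png", 200, {
        "Content-Type": "image/png",
        "Cache-Control": "private, max-age=0",
    }),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.path:40} naive={naive_policy(r)!s:5} hardened={hardened_policy(r)}")
    print("would leak under naive policy:", disagreements(SAMPLES))
```

The second rule is the one that matters most for this attack class: a `text/html` body under a `.css` URL means the application's router ignored the suffix, and an edge that caches it will hand that page to whoever requests the same path next. Auditing an origin for responses that carry no `Cache-Control` at all is a cheap way to find pages that depend on the CDN's default behaviour rather than on an explicit decision.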

EU GDPR is not AOK

Organizations across the globe mistakenly believe that they are in compliance with the upcoming GDPR, Veritas claims after polling over 900 business decision makers from the US, the UK, France, Germany, Australia, Singapore, Japan, and the Republic of Korea. The GDPR is intended to standardize data privacy and protection across European Union (EU) member states. The rules will take effect on May 25, 2018 and will apply to any organization – inside or outside the EU – that offers goods or services to EU residents. According to the survey findings, 31 percent of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. (Which is a nice way of saying they are clueless.) Upon closer inspection, only two percent of all the polled organizations actually appear to be in compliance. For example, 50 percent of so-called compliant organizations said that former employees are still able to access internal data. This is the equivalent of a conversation I once had with my daughter when she was a toddler. “Did you eat the cookies? NO. Are those crumbs on your face? YES. What’s in your hand? A COOKIE.” And then I fined her €20m. Read more >

First You Get the Bitcoin, Then You Get the Power…

Police in Greece have arrested a man wanted in the United States for allegedly running a massive Bitcoin-based money laundering operation. Authorities say the 38-year-old Russian man was responsible for converting $4 billion in illicit, conventional cash into virtual currency. While bitcoins have become popular among criminals due to the lack of regulation and the ability to buy and sell anonymously, transactions are recorded on a public ledger called blockchain, making it possible to follow the coins. Over the years, law enforcement agencies around the world have been able to identify users behind pseudonymous wallets connected to illegal activities by tracking bitcoin movements. It's kind of like stamping “made from selling drugs” on the cash you gave to that guy with the Bob Marley t-shirt in your dorm at college. Read more >

Report Predicts Security Trends for Remainder of 2017

Accenture released a report this week that has exactly 0.0 surprises among the predictions of anticipated cyber threats over the next 6 months. Based on in-depth analysis, the report anticipates a growth in the number of threat actors who are rapidly expanding their capabilities due to factors such as the proliferation of affordable, customizable and accessible tools and exploits. Observations include, and I am paraphrasing, the bad guys will continue to try to hide their intentions, phishing campaigns will get more sophisticated, and more exploits and malicious tools will be available. Interesting read, but nothing groundbreaking here. Reminds me of my predictions in the neighborhood newsletter, which included 1) Bob’s dog will wake me up every night around 3 am, 2) Mary’s teenager will play music too loud from his Honda coming home from band practice, and 3) Steve will leave his trash can out 2 days after the truck comes. They come every Tuesday, Steve, get your act together! Read more >
Security Pros Aren’t Doing Their Job so Employees Can do Theirs

A study released this week reports that 40% of security professionals admit to turning security off to accommodate a request from another part of the organization. These are troubling statistics. The people whose job it is to protect the network are weakening defenses because they are tired of employees whining about not being able to post on Instagram. Even I have limits within the organization. Yes, it would be great if I could install Minecraft mods onto the company laptop, but it’s not good policy. (Of course, neither is the dual boot and hidden partition, but what they don’t know won’t hurt me.) People need to learn that security is like a prostate exam after 50. Sure, it’s a little uncomfortable but it’s for the greater good. And try to relax – if you’re tense it’s worse for everyone. Read more >