In this week’s news roundup I am always intrigued and mildly bemused by the  annual Verizon reports. Information security, Data breaches, firmly on the board agenda, is the problem everyone has to deal with and not the only problem that IT and security professionals have to deal with anymore. Ongoing impacts are continuously felt across the whole business and its eco systems—from Business Continuity and Disaster Recovery Planning to legal teams, tied up in perpetual firefighting mode in term of advisory, seeking external opinion in terms of litigation, to your coalface employees, who can’t execute on the day to day operational activities they need to do their jobs. Everyone is an integral part in managing the risks and issues, people make mistakes and are not always malicious in intent. Visibility is key to understanding the problem, and then, and only then, can decisive action can be taken!

Verizon 2018 Data Breach Investigations Report

Verizon released the 11th version of their Data Breach Investigations Report (DBIR) for 2018 on the 10^th of April.
The headline for this year’s report is ransomware, present in 39% of malware related cases.
Beyond ransomware, other highlights from the report include:

• 53,308 reported security incidents, 2,216 data breaches, 65 countries, 67 contributors
• 76% of reported breaches were financially motivated
• 72% of reported attacks were perpetrated by outsiders
• 50% of reported attacks were perpetrated by organized crime groups
• Pretexting incidents nearly tripled from last year
• Companies are 3x more likely to be breached by social attacks than vulnerabilities

2018 Data Breach Investigations Report | Verizon

Unpatched Vulnerabilities Are The Source Of Most Data Breaches

It is all and well that we are all in the same boat in terms of keeping the lights on within all our own respective enterprises; by 2018 I had an expectation, as a starry eyed kid, that we would be commuting for home to work in flying cars and have automatons as personal assistants enhancing every aspect of our daily lives. The reality for most of the aforementioned enterprises, is that we cannot get the basics right, like patch management, let alone focus on innovation.

Here is an insightful report that the Ponemon Institute and ServiceNow put together detailing how much of a problem we are all facing.
Some of the insights include the concept of “patching paradox”, whereby the idea of hiring more people will improve security hygiene. Though in reality it doesn’t. 64% of companies are planning to hire more dedicated people to handle
vulnerabilities, accounting for a 50% increase in headcount – this alone will not improve their security posture if they don’t fix broken patching processes. The study shows that firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. As stated previously due to the manual patching process 61% admit that this manual approach to patching puts them at a disadvantage, and 55% note that they spend more time dealing with internal processes than managing the vulnerabilities. All agree that more than 12 days are lost coordinating between teams to get patches applied. Some key Insights include:

• 73% have no common view of assets and applications across security and IT
• 57% admit that patches slip through the cracks due to emails and spreadsheets used to manage the process
• 62% have no easy way to track whether vulnerabilities of being patched in a timely manner
• 65% say they find it difficult to prioritize what needs to be patched first

Today’s state of vulnerability response: patch work demands attention | Ponemon Institute and ServiceNow

Brian Krebs angers userbase of pr0gramm.com for a good cause

• The angry userbase of pr0gramm.com, a German image board similar to Imgur, blocked by my Zscaler Agent ????, has donated over €103,000 ($126,000) to local cancer research organizations as a way to protest against an article published by Brian Krebs, an IT security journalist.
  
  Angry Users Donate $120K to Cancer Research After Brian Krebs' Coinhive Article| Bleeping Computer

Your Old Bitcoin addresses can be stolen so move now!

All Bitcoin addresses generated using the BitAddress client-side wallet pre-2013 and Bitcoinjs pre-2014 are affected.
Bitcoin users who generated Bitcoin addresses using affected tools are advised to generate new Bitcoin addresses with a new tool and move funds from old accounts to the new ones.

Old JavaScript Crypto Flaw Puts Bitcoin Funds at Risk | Bleeping Computer

How does Facebook make money anyway?

Revenues from Facebook’s two largest markets – North America and Europe - are expected to be affected as a result of the fallout from the Cambridge Analytica scandal. Both are extremely lucrative markets for Facebook. In 2017, Facebook earned an average of $84.41 from each North American user and $27.26 from each user in Europe. In contrast, each user in Asia was worth $7.61. Good news for Facebook investors is that the company is making significant inroads into new markets, such as Africa and Asia. While it does not contribute much to overall revenue, WhatsApp has become a runaway hit with users in Asia and South America. Other services, such as Instagram, are also making inroads into new markets.

How Does Facebook Make Money? | Rakesh Sharma

During one of my binge-induced Netflix comas I discovered an “interesting” show: “The Same Sky” which basically plays out in East Berlin and West Berlin during the Cold War, whereby the premise of the story being the Soviets sending over an undercover officer who does nothing but seduce, steal information and manipulate information against the west. This made me think about how everyone knew this was happening and played many political games, almost tongue in cheek, at the cost of many lives; fast forward to today, the same is happening virtually everywhere with the same disregard, nay, contempt of peoples ignorance of todays version of the “Digital Berlin Wall”.

With this in mind, enjoy our roundup of stories for this week…

Cyber, is a domain of conflict

@thegrugq recently posted a tweet highlighting “A very succinct version of my keynote on cyber conflict”, I found this to be a very engaging perspective.

Cyber, the short version | the grugq, Medium

Nothing is at it seems

Netflix seems to be one of those companies that always seems to find its way into the technology news for the right reasons. They have been running, with some level of success, their private vulnerability disclosure program since 2013, resulting in 190+ issues being discovered and addressed. Recently the public at large have been invited to participate through the Bugcrowd bug bounty program.

Launching the Netflix Public Bug Bounty Program | Netflix, Medium
Netflix bug bounty program | Bugcrowd

Security scammers

There are many different types of scammers that operate on the internet. Security scammers approach website owners with claims that their website is infected or vulnerable and offer to fix the issues for a fee. A Scammer Tried to Scare Troy Hunt into Buying Their Security Services - Here's How It Went Down

A Scammer Tried to Scare Me into Buying Their Security Services - Here's How It Went Down | Troy Hunt

YARA!

Speak to any security professional, that does any searching, analysing, and alerting.  It underpins almost any keyword that can be uses to describe the actions taken during security work. Outlining what it can do at a high level is simple to express, but it’s unreasonable to expect that you are as familiar with YARA as I am.  If you are up for a little exploration, dive into the details for a minute or two.

YARA Rules for Finding and Analysing in InfoSec | Monty St John

Spotlight: John McLoughlin, Managing Director, J2 Software

Get to know our commander in chief, whom has made much personal sacrifice to change the perception of our industry over the past 15 years.
Having worked with many Titans of industry, I am yet to meet anyone more knowledgeable and experienced with a passion or dedication to the ideology of “Doing things differently” and “Getting it Done!” -  Meet John McLoughlin…

Get to Know: John McLoughlin, Managing Director, J2 Software | Paul Rogers, Intelligent CIO

 J2SECOPS WEEKLY NEWS:

This week in the J2 CSC, Most things are grey as gamers, at least according to some, will save cybersecurity

The fast pace of our daily goings on; does not afford us the time to think and read as much as we should. The past couple of weeks have afforded me the slightly higher than normal opportunity to think, and catch up on all outstanding reading, and think and read I did… all while performing the usual monthly cybersecurity threat analysis for our client base…
A few stories have been swimming around my mind and I thought I would take you on the journey.

Let’s get to it then!

Blacklist, Greylists and Whitelists

Blacklists in general terms are items on a list that denies access. The opposite is a whitelist, which means only items on the list are let through whatever gate is being used.
A Greylist contains items that are temporarily blocked (or temporarily allowed) until an additional step is performed.
Looking for a free blacklist of domains? The Anti-Social engineer has a great start.

The Anti-Social Engineer Blacklist | The Anti-Social Engineer

Gamers, the Saviours of Cybersecurity

As an avid enthusiast of the RTS genre I enjoyed the insights that Grant Bourzikas, McAfee's chief information security officer (CISO), swore by and how gamification as one of the key ways to invest in and retain security talent. His own companys adoption of building out its security operations centre in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-quaters of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

How gamers could save the Cybersecurity skills gap | Dark Reading

“AI AI, Captain!”

Microsoft in its quest for staying ahead of the curve, is establishing training courses available to the public for anyone wanting to learn how to AI.

Microsoft’s AI training efforts range from internal offerings tailored to employees on specific teams and product groups, such as software engineers at LinkedIn, to external ones designed for a variety of expertise levels.

The Microsoft AI Residency Program and Microsoft NERD Artificial Intelligence Program recruit people to learn AI by working alongside researchers, designers and engineers who are developing AI capabilities and serve as a pipeline of talent into the company.

Aiming to fill skills gap in AI, Microsoft makes training courses available to the public | Microsoft

Ransomware impacting incident response

The report, which is based on the analysis of data from hundreds of millions of protected endpoints and servers across nearly 100 countries, also reveals that there was a 424% increase in breaches related to misconfigured cloud infrastructure, largely due to human error.

Ransomware puts pressure on incident response | Computer Weekly

Intellectual Property Stolen! Again…

Too often I hear of intellectual property being stolen by competitors. A far less common practice is the theft of IP from an IT Security vendor – becoming more and more common...

I found this developing story of interest and thought you might enjoy it. CyberByte was using Malwarebytes’ IP to augment its AV engine. So Malwarebytes laid a trap to prove its theory.

Key take-away: how “honey” -tokens, -words and -pots can be used to catch someone with their hand in the proverbial cookie jar.

CyberByte steals Malwarebytes’ intellectual property | Malwarebytes

Why I (still) don’t trust Self-Driving Cars

March 18^th, a dark day for Humanity and AI; when an Uber self-driving car struck and killed a woman pedestrian in Tempe, Arizona.
The accident took place while the car was in autonomous (self-driving) mode, marking this the first death caused by a self-driving vehicle in the world.

Uber Self-Driving Car Strikes and Kills Arizona Woman | Bleeping Computer

(In)security (Mis)conceptions

I’ve been in the industry for a while now, and although sloppy security reporting is far too common, with common sense far too uncommon these days, nothing riles me more than idiots with opinions.

I discovered this little gem by one of my favourite bloggers, Javvad Malik on CSO Online.

Information Security Misconceptions | CSO Online

♪ I Can See Clearly now that the Rain is Gone ♫ – with my data…

The Cloud, it brings convenience, rain and plenty of storms; in this case it was used to store unprotected database files containing sensitive customer data online in the form of a vulnerable Amazon S3 bucket, which in 2018 is astonishing, and it is completely inconceivable that a company would store passwords in plain text instead of encrypting them…

Open AWS S3 bucket managed by Walmart jewellery partner exposes info on 1.3M customers | SC Magazine

Protecting Diddums aka DNS

When DNS is brought up in polite conversation, or in the hushed catacombs of the bowels of the IT dungeons, words like: “address protocol”, “packet priority”, “DNSSEC” and “Net Neutrality” are used in hushed tones. So, why do we care about “Diddums” - DNS?
DNS basically runs the Internet. Imagine, your mobile address book only with numbers in it without any names, strings of numbers are just simply not how humans identify information. They help, but in reality, words linked to numbers are what separate us from our impending “AI” masters.

Here is the definitive DNS Checklist to assist in slowing the AI advance

• Set up and maintain your own internal DNS.
• Block external DNS requests on port 53 (or any port).
• Created exceptions to DNS requests only to port 53, with RNDC keys. Revolving them often.
• Set low TTL value; like 30 minutes. A poisoned cache will only impact you for the duration of time you have selected.
• Protect the “Hosts File” wherever you use it and make sure its disabled if not used.
• SMTP traffic must be protected, don’t ever use defaults. Create and properly maintain your PTR zones, especially the local zones.
• Use STUB zones for commonly accessed domains.
• Use DNS forwarders ONLY to verified DNS servers. Learn how to use “dig” and use it often.
• Block DHCP on the firewall, obviously other than yours - Prevent "rogue" proxies with DHCP and DNS on your network.
• Skill yourself up on DNS, this is still one of the weakest links I a vast IT ecosystem and still one of the least understood.
• Protect your DNS from DDOS attacks by subscribing to an online service that also comes with built-in load-balancing, automatic failover, rate-limiting, and filtering.