SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2022-08-06 10:46:21	CISO workshop slides (lien direct)	A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):	Malware Vulnerability Threat Patching Guideline Medical Cloud	Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
	2022-05-18 15:41:53	Hacking the Microsoft Sculpt keyboard (lien direct)	In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat. Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional). Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.Under the wrist rest are anot	Malware Tool
	2021-06-26 17:27:23	Are our infosec controls sufficient? (lien direct)	^ Although it's tempting to dismiss such questions as rhetorical, trivial or too difficult, there are reasons for taking them seriously*. Today I'm digging a little deeper into the basis for posing such tricky questions, explaining how we typically go about answering them in practice, using that specific question as an example. OK, here goes.The accepted way of determining the sufficiency of controls is to evaluate them against the requirements. Adroitly sidestepping those requirements for now, I plan to blabber on about the evaluation aspect or, more accurately, assurance.Reviewing, testing, auditing, monitoring etc. are assurance methods intended to increase our knowledge. We gather relevant data, facts, evidence or other information concerning a situation of concern, consider and assess/evaluate it in order to:Demonstrate, prove or engender confidence that things are going to plan, working well, sufficient and adequate in practice, as we hope; andIdentify and ideally quantify any issues i.e. aspects that are not, in reality, working quite so well, sufficiently and adequately. Assurance activities qualify as controls to mitigate risks, such as information risks associated with information risk and security management e.g.: Mistakes in our identification of other information risks (e.g. failing to appreciate critical information-related dependencies of various kinds); Biases and errors in our assessment/evaluation of identified information risks (e.g. today's obsessive focus on “cyber” implies down-playing, perhaps even ignoring other aspects of information security, including non-cyber threats such as physical disasters and hum	Malware Guideline
	2020-07-06 17:45:47	NBlog July 6 - of APTs and RPTs (lien direct)	Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian nuclear fuel processing plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done. We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.Meanwhile, we are frequently constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT. The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.We're lucky that, so far, neither real-world nor	Malware
	2020-01-30 11:02:19	NBlog Jan 30 - simplicity itself (lien direct)	"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)2. Some say they over-simplify information security to the point of trivialising and perhaps misleading people.If you follow NBlog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malware 'hits' - from that dramatic moment the ransomware demands appear on everyone's screens, for example. What follows is quite an intricate and frantic dance, in fact, involving management, IT and other staff, customers, suppliers and partners, regulators/authorities, journalists and the news + social media etc. plus the Incident Management Team, infosec and business continuity pros trying to keep everything on track, the legal team figuring out who to sue, the compliance pros wondering how not to get sued, and various hired-hands helping with forensics, disinfection and finding then retrospectively plugging whatever holes were initially exploited by the malware. All the while, the menacing hackers and cybercrims are wielding big coshes in the shape of threats to make the disruption permanent and terminal, and/or to disclose whatever juicy tidbits of corporate and personal info they've previously stolen (the CEO's emails, or browser history perhaps?). And all the while the systems, data, business processes/activities, websites and apps are being maintained, recovered or restored. Brands and relationships are under pressure, along with all the dancers. It's an intensely stressful time for them, I'm sure. The approach we've taken is to explore the timeline of an actual incident, in real time as it happens (as it happens), building a case study around the ongoing Travelex ransomware incident: the sequence forms a convenient thread to lead people through the story, thinking about what's going on at each stage and imagining how it would be if a similar incident happened 'here'. I've drawn up a simplified Travelex incident timeline in the same style as the one I drew for the Sony Pictures Entertainment fiasco 5 years back, pointing out some of the key events plus the phases of the overall process. The new Travelex version ('in press'!) is simpler	Ransomware Malware Guideline
	2020-01-29 18:59:32	NBlog Jan 29 - taking it to the wire (lien direct)	Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes.With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences. What have we learnt this month? What has happened, and why? What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What were the dilemmas facing Travelex's management and IT people?How might things have played out if the incident had been handled differently?And, most importantly of all, what are our carry-outs, our take-home learning points and the Things We Ought to be Doing? Taking the whole sorry episode into account, what does it mean for us, our organization, right now?You'll find a few clues to the answers in the blog ... but for the full nine yards you'll need to hang on just a few short days until the awareness module is completed and published. Or of course	Malware
	2020-01-29 05:30:36	NBlog Jan 28 - woe betide ... (lien direct)	.... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance:	Malware
	2020-01-27 16:54:17	NBlog Jan 27 - MD/CISO\'s question time (lien direct)	Seems I'm not the only ravenous shark circling the Travelex ransomware incident.Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions. Kirstin's questions are along the right lines, a good starting point at least.Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to a	Ransomware Malware Guideline
	2020-01-23 09:00:00	NBlog Jan 23 - awareness quiz on malware (lien direct)	Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:Aside from malware (malicious software), what other kinds of “wares” are there?The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking: Abandonware – software long since given up on by its author/support krew and left to rot Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible momentAnyware - web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessibleBeggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"Bloatware – software that has grown fatter than a week-old beached whale with 'features'Botware - software to stop the bots becoming bored and naughtyBrochureware – over-hyped marketing, promotional or advertising copy ab	Spam Malware
	2020-01-22 09:00:00	NBlog Jan 22 - further lessons from Travelex (lien direct)	At the bottom of a Travelex update on their incident, I spotted this yesterday:Customer PrecautionsBased on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot	Ransomware Malware Patching Guideline	APT 15
	2020-01-19 13:14:12	NBlog Jan 14 - a live case study (lien direct)	As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pro's out there.A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although having said that I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right?Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short.Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial services in the normal fashion] and blaming 'a software virus': It refers to another Tx website which appears to be a legitimate Tx customer authentication page ... but, if it were me, given the incident I would be very dubious about submitting my credentials without first ascertaining that the site is legitimate, not simply part of the scam.Anyway, the point is that they are at least	Ransomware Malware
	2020-01-18 09:00:04	NBlog Jan 18 - business discontinuity (lien direct)	As if following a cunning plan (by sheer conicidence, in fact) and leading directly on from my last two bloggings about business continuity exercises, Belgian manufacturing company Picanol suffered a ransomware infection this week, disabling its IT and halting production of high-tech weaving machines at its facilities in Ypres, Romania and China.Fortunately, Picanol's corporate website is still up and running thanks to Webhosting.be, hence management was able to publish this matter-of-fact press release about the incident:Unsurprisingly, just a few short days after it struck, technical details about the "massive ransomware attack" are sparse at this point. The commercial effects, though, are deemed serious enough for trading in its shares to have been suspended on the Brussels bourse. There's already plenty of information here for a case study in February's awareness module. Through a brief scenario and a few rhetorical questions, we'll prompt workers to consider the implications both for Picanol and for their own organizations. If a similar malware incident occurred here, knocking out IT and production for at lea	Ransomware Malware Studies Guideline
	2020-01-06 19:24:42	NBlog Jan 6 - post-malware-incident notification & other stuff (lien direct)	A couple of days ago here on NBlog I wrote: "One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents." That's not all.Anticipating that, despite all we do to prevent them, malware infections are still likely to occur implies the need for several post-event controls. These are the kinds of controls I have in mind:Reliable, efficient, effective, top-quality incident response and management processes - in particular, speed is almost always of the essence in malware incidents, and the responses need to be well-practiced - not just the run-of-the-mill routine infections but the more extreme/serious "outbreaks";Decisive action is required, with strong leadership, clear roles and responsibilities, and of course strong awareness and training both for the response team and for the wider organization;Clarity around priorities for action e.g. halt the spread, assess the damage, find the source/cause, recover;Technological controls, of course, such as network segmentation (part of network architectural design), traffic filtering and (reliable!) isolation of segments pending their being given the all-clear;Clarity around priorities for reporting including rapid escalation and ongoing progress updates, in parallel with the other activities;Forensics, where appropriate, feasible and helpful (e.g. which preventive controls failed, why, and what if anything can be done to strengthen them);	Ransomware Malware Guideline
	2020-01-06 10:25:54	NBlog Jan 5 - plus ça change, plus c\'est la même chose (lien direct)	Malware has clearly been an issue for a long time. It was prevalent enough to be the topic of our second NoticeBored security awareness module way back in July 2003. I've just dug the old NB newsletter out of the archive to see what's changed. In 2003, I wrote about viruses (macro, boot sector and parasitic types), Trojans, worms and logic bombs. Although other forms of malware were around back then, we elected to stick with the basics for awareness purposes. Getting on for 18 years later, we're taking a broader perspective. Today's workers need to know about spyware, BEC & VEC (Business/Vendor bmail Compromise), phishing, infectious mobile apps and more. Actual computer viruses are practically unheard of now, although the term remains.We're still concerned about preventive, detective and corrective controls, and malware risks that include data corruption - only now it's mostly deliberate in the form of ransomware rather than cybertage or bugs in the malware code.The 2020 and 2003 newsletters have a very similar style with minor differences that only catch my eye because I wrote them, and I've been responsible for using and updating the format throughout. We've changed from Arial to Calibri font. Shouty "EMAIL" became calmer "email" at some point. The Hinson Tips on awareness migrated from the newsletter to the train-the-trainer guide, and the NoticeBored banner logo was smartened up. We have reverted from 'American English' to English spelling. The two-column newsletter format remains, though, despite the layout problems that has caused me over the years, particularly when I wanted to include full-page-width diagrams. I've learnt to overcome most of the limitations of MS Word but not always without grief! We have more actual news now, too, finding short but relevant news items on the web to push the point home that the information risks are not merely theoretical: actual incidents are occurring all the time. Finding quotable news clips is becoming harder, however, due to the spread of paywalls: it's simply not economic for us to subscribe to all the commercial sources we'd need to maintain a broad-based newsletter, so we're increasingly using soundbytes from blogs and	Ransomware Malware
	2020-01-04 09:16:03	NBlog Jan 4 - malware awareness update 2020 (lien direct)	Our security awareness topic for February will be malware, malicious software - viruses, Trojans, worms, crytpminers, APTs, ransomware, spyware and Tupperware. Well OK, maybe not all of them: viruses are vanishingly rare these days.An increasingly important part of the malware problem is the wetware: we humans evidently find it hard to sense and react appropriately to the dangers presented by infected messages, web pages and apps. Addressing that is a key objective of the awareness module, and quite a challenge it is given that the bad guys are forever coming up with new ways to conceal their intentions or trick us into doing something inappropriate. Digging a little deeper, I feel we also need to explain why we can't rely on antivirus software etc. to save the day because the baddies are also finding novel ways to evade the technological controls, despite the best efforts of the good guys in IT.One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents. Another less-obvious lesson from incidents such as cryptominers, spyware, Vendor Email Compromises and Advanced Persistent Threats is that detecting infections in progress is harder than it appears ... and, again, it makes sense not to over-depend on detection. Taking that to its logical conclusion, what could/should we do if we presume the organization is currently infected by some sneaky malware? I'm talking about the malware element of counter-espionage, for example deliberately seeding false information, or creating situations designed to reveal 'moles in the camp'.There we are then: malware issues to discuss with general employees, tech/specialists and management, respectively. Now all I need to do is prepare the content for those three streams and Bob's yer uncle!	Ransomware Malware
	2019-12-01 17:44:15	NBlog December - social engineering awareness module (lien direct)	December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right!I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people.Vigilance is often the only remaining hurdle to be overcome, making security awareness and training crucial to our defense. It's do or die, quite literally in some cases! The module concerns information risks, controls and incidents involving and affecting people:Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples;Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;The social engineer's tradecraft i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion.	Malware Hack
	2019-11-29 06:59:00	NBlog Nov 28 - risks, dynamics and strategies (lien direct)	Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often does.Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends.On Probability-Impact Graphs (PIGs), it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective).It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?).A simpler approach is to project or imagine what will be the most significant information risks for, say, the year or two or three ahead. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, while other risks are often also reduced coincidentally as controls are introduced or improved. It's possible to imagine/project risks even further out, which may suit a security architec	Malware
	2018-02-28 21:54:40	NBlog March 1 - Invasion of the Cryptominers (lien direct)	That's it, we're done! The 2018 malware awareness module is on its way to NoticeBored subscribers, infecting customers with ... our passion for the topic.There are 28 different types of awareness and training material, in three parallel streams as always: Stream A: security awareness materials for staff/all employees [if !supportLists]-->1. [endif]-->Train-the-trainer guide on malware MS Word document [if gte vml 1]>	Malware	APT 15

Last update at: 2024-05-05 10:07:45
See our sources.

To see everything: Our RSS (filtrered)