RSA Conference 2016

Posted on March 2, 2016 by Carmelo

This week, I’m at the Moscone center in San Francisco, learning from those who have learned the lessons through trials and tribulations and have experienced them in such a way that they have put them into practice, have gained passion about their rites of passage, and have decided to give a presentation on those such topics.

True story, more people are afraid of getting up in front of a group of people to give a presentation than they are of spiders and death.

I’ve learned in the last two days that more people are starting to follow Jack Jones’ Factor Analysis of Information Risk, which was quoted in several presentations that I’ve attended. I really like this. Jack Jones taught me Factor Analysis of Information Risk. How awesome is that?

Jack Jones at RSA 2016

Jack Jones at RSA 2016

There has been some talks about aligning organizations to incorporate a Chief Information Risk Officer to stand parallel to the Chief Information Security Officer to have better conversations regarding business risks from technical risks. It’s a vision that many in my organization have already shared, without giving a name to that position. We tackle it as a group effort.

There has been some talks regarding better integration between Security Operations, who is doing the real monitoring and incident response and the Governance, Risk, and Compliance teams to increase the visibility of internal real threats to the senior level teams and the C level teams.

Though we are about half-way done, it seems pretty clear to me that the determination of analysis of risk is heading to be the FAIR model as a defacto standard. SWEET!!!

Here is some bits I wrote about Risk! A very good, and fairly short, read about qualitative/quantitative risks.

Also, throughout the expo, there is a sea of vendors pitching their products and services, trying to gather contacts, and really showing off the best they can do. It’s quite a site! Rami Malek from Mr. Robot was there.

Stay tuned for part 2.

Posted in Security Blog | Tagged , , , , , | Comments Off on RSA Conference 2016

This is Sparta!!!

Posted on February 27, 2016 by Carmelo

Damien and I did the Spartan Race today and it was awesome!

More Galleries | Comments Off on This is Sparta!!!

This Guy Asks Hackers to Ruin His Life!

Posted on February 25, 2016 by Carmelo

An eye-opening video about the capability of hack attacks, from social engineering to complete digital-life and real life takeover. Not only is the journalist asking people to do it, experts blatantly show how they do it.

Please take the time to watch this and share it with your family, friends, and co-workers.

Posted in Security Blog | Tagged , , , , , , | Comments Off on This Guy Asks Hackers to Ruin His Life!

Nissan Leaf API has NO SECURITY

Posted on February 24, 2016 by Carmelo

Is it hacking if there is no security by design? If the doors on a bank are unlocked, is it breaking and entering?

The API (application program interface) for the Nissan Leaf was found to be vulnerable. How vulnerable?

Well, the problem stems from the APIs Nissan uses for its iOS and Android apps, which let owners check the state of their batteries, initiate recharging, check the estimated driving range, and turn their cars’ climate systems on and off (unauthenticated!).

There is no immediate threat to lives with this vulnerability, aside from bad guys learning personal information about the Leaf owner.

Perhaps with enough publicity about these vulnerabilities, car makers will include security by design and even deploy a patch to the vehicles.

Read more here.

Posted in Security Blog | Tagged , , , , , , | Comments Off on Nissan Leaf API has NO SECURITY

The Robot Uprising

Posted on February 24, 2016 by Carmelo

I wouldn’t be surprised if it’s first words are “I’m going to need your, clothes, your boots, and your motorcycle”.

Boston Dynamics is getting closer to making Atlas, one of their robots, more human like, with better balance, the ability to follow basic orders, replace all mail/parcel workers, and it can get up when knocked down. Alpha is no longer tethered to a power source and can carry it’s own.

I need an Atlas simply because I for some horrible reason, pick the grocery line where the person who bags groceries is always on a smoke break or something. That and to help me fight zombies.

Posted in Security Blog | Tagged , , , , | Comments Off on The Robot Uprising

Opening a Safe with a Sock and a Magnet

Posted on February 21, 2016 by Carmelo

Are your belongings in a safe? You may want to re-evaluate your safes.

Posted in Security Blog | Tagged , , | Comments Off on Opening a Safe with a Sock and a Magnet

Going Rogue with PoS

Posted on February 18, 2016 by Carmelo

This picture is making it’s way across the Internet. A point of sale machine that will use touch enabled pay credit/debit cards.

It’s probably time for an RFID wallet.
roguePOS

Posted in Security Blog | Tagged , , , | Comments Off on Going Rogue with PoS

A Letter From Tim Cook at Apple

Posted on February 17, 2016 by Carmelo

Below is a letter from Tim Cook of Apple.

February 16, 2016 A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.

The San Bernardino Case

We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The Threat to Data Security

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.

A Dangerous Precedent

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications.

While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Tim Cook

Posted in Security Blog | Tagged , , , , | Comments Off on A Letter From Tim Cook at Apple

Valid Apple Employee Logins Worth Up To $23,000

Posted on February 17, 2016 by Carmelo

At the Apple headquarters of Cork, Ireland, low hanging fruit employees are being offered to sell their logins online, for up to $23,000 US. Easy Pickings!

An employee login is very valuable, allowing for legitimate authentication to internal systems can lead to a detailed analysis of the network, exploring file-shares that haven’t been cleaned up in decades (like everywhere else), exfiltration of intellectual property, and perhaps access to other accounts. Many hackers, once in, will try to escalate privileges and set up remotely accessible back doors.

I advise companies to ramp up their social engineering programs to include bribing at after hours events to get a feel for lower paid workers, the beef up the security awareness and ethics training. Also, pay attention to privileged access management.

Posted in Security Blog | Tagged , , , , , , , , | Comments Off on Valid Apple Employee Logins Worth Up To $23,000

Hackers Hold Hospital Healthcare Data Hostage

Posted on February 17, 2016 by Carmelo

Hollywood Presbyterian Medical Center’s data systems have been infected with encrypted ransomware. The hospital says patient care has not been compromised, though the cyber-attack has forced them to revert to paper registrations and medical records and send patients seeking emergency care to other area hospitals.

For more than a week, hackers have shut down the internal computer systems at the Hollywood hospital for a ransom of 9,000 bitcoin, roughly $3.6 million US.

It’s highly likely this was a result in a staffer clicking a malicious link online or through phishing.

In the past the FBI has advised the victims to just pay the ransom, since the encryption is near unbreakable.

How much do you budget for your security awareness program?

Posted in Security Blog | Tagged , , , , , , , , | Comments Off on Hackers Hold Hospital Healthcare Data Hostage