ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Paying the Ransomware

September 21, 2016 by Jon Whitehurst Leave a Comment

I learned today that one bitcoin equals 600 US dollars as of 21-Sep-16. When a ransomware incident occurs, one of the first few questions that comes up is what will it take to get back into operation? The first I would think is how did it happen? Depending on the impact of the ransom, as in the case of the Hollywood Presbyterian, it was cheaper to pay the 29 bitcoins (in today’s bitcoin value, equal to 17K in USD) to get back up and running faster. The cost of trying to fix it on your own could have been higher in man and machine hours. In this case patient information was involved and systems were down, so to me it made business sense to resolve the incident. The question is what can be done to prevent the next ransomware incident from occurring?

http://www.securitymagazine.com/articles/87431-the-ransomware-dilemma-is-paying-up-a-good-idea

http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf

Is port scanning illegal?

September 21, 2016 by 2 Comments

As we venture further into ethical hacking and network scanning, I think we begin to enter the gray area where ethical and non-ethical hacking meet. Port scanning, I believe, is right in the middle of this gray area, as tools like nmap do not cause any damage to a system but are very revealing of how someone “could” cause damage. The comparison I have seen people make to explain the ethics of port scanning is that it’s like going up to someone’s house and checking which windows and doors are unlocked. Could you necessarily go to jail for this? Maybe in some county in some state. Would the homeowner be happy you came onto their property and started opening doors? Definitely not. Port scanning may technically not be illegal, but it’s probably not ethical. There have been numerous court cases in which scanning was not found to be illegal. The article references Moulton v. VC3 to highlight this. The article also references the Computer Code of Conduct at Rochester Institute of Technology, which makes no mention of scanning. As Professor Mackay stressed in the beginning of the course, it is best to get permission before any scanning/hacking activities!

https://www.sans.org/reading-room/whitepapers/legal/ethics-legality-port-scanning-71

Five Phase Approach of Malicious Hackers

September 20, 2016 by 1 Comment

This article is a little dated, but it describes the approach used by hackers before, during, and after breaching a system. It gives a good overview of what malicious hackers plan to do, and it coincides, essentially, with what we have been covering in class. Starting with reconnaissance, a hacker will use methods such as Google Hacking, as discussed in class. The most extreme example of recon is actually going to a location and physically gaining access. Next, the individual will scan the network, as we will do in class or as some of us have already done against the target we have done some reconnaissance against. Ultimately, the hacker will try to gain access, keep that access, and, perhaps most importantly, cover their tracks so as not to be detected. What’s most compelling to me is at the end of the article, when the author mentions that a hacker must iterate through these phases. Once he or she gains access to part of the system, the reconnaissance usually has to start again. I chose to perform reconnaissance against my particular company because I felt that the industry they are in is vulnerable to attack. I also picked this company because they are not very large but have connections with very large companies that deal with sensitive information. My thinking is that, if the company I chose could be breached, then an attacker might be able to jump from their systems into other companies’ systems. This would be a classic example of iterating through the phases the article talks about.

http://blog.phpkemist.com/2008/07/20/the-five-phase-approach-of-malicious-hackers/

Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spot

September 20, 2016 by Anthony Clayton Fecondo 1 Comment

The article I read was titled Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spots. The article can be viewed at:

https://community.rapid7.com/community/nexpose/blog/2016/09/09/managing-asset-exclusion-avoiding-blind-spots?CS=social

The author opens the article by discussing recent advances in the maturity of vulnerability management programs, but suggests that one area that needs further development is avoiding asset risk blind spots. One way to do this is to manage excluded assets better. Some assets are excluded from vulnerability scans for various reasons (an example being that the asset has a known vulnerability and vulnerability scanning will cause damage to the system), and as a result organizations neglect to manage the risks associated with these assets. In fact, many times organizations will put an asset on an exclusion list and practice ‘set it and forget it.’ However, vulnerability management is meant to be a cyclical process. In order to eliminate the blind spot associated with forgotten excluded assets, the author suggests a four-step process:

1. Assessment – identify assets to be excluded
2. Reporting – run periodic reports on excluded assets
3. Remediation/mitigation – try to find a solution to the problem that prompted an asset to be excluded
4. Verification – reassess assets to determine if they still need to be excluded

I found this article interesting as it explores an important niche of vulnerability scanning. While programs/sites that need to be excluded from vulnerability scanning are the minority, it is still important to have a means of managing those assets rather than taking the set it and forget it approach. Moreover, the cyclical process the author suggests doesn’t just accept that an asset has to be excluded from vulnerability scanning, but rather attempts to find a solution to the root problem necessitating the exclusion. Even if a solution can’t be found, the author’s process will revisit the asset in case new technology or a new approach can lead to a solution. This article takes a valuable approach to vulnerability scanning by advocating the development of the process to be adaptive and as inclusive as possible.
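To make the four-step cycle above concrete, here is a small excluded-asset register that a scanning team could keep next to its exclusion list. It is an added example written for this discussion, not code from the Rapid7 article or from the Nexpose product; the asset names, exclusion reasons, owners and dates are constructed sample data. The register records why each asset was excluded (Assessment), reports which exclusions are overdue for a fresh look (Reporting), flags exclusions with nobody accountable for fixing the underlying problem (Remediation), and either renews an exclusion with a new date or drops it so the asset goes back into scan scope (Verification).

```python
"""Excluded-asset register for a vulnerability management program.

Added example for the Assessment / Reporting / Remediation / Verification
cycle described above. Not Rapid7 or Nexpose code; all assets, reasons,
owners and dates below are constructed sample data.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Exclusion:
    asset: str                  # hostname or IP kept out of scan scope
    reason: str                 # why scanning it is currently unsafe or unwanted
    excluded_on: date           # step 1, Assessment: when the exclusion was granted
    review_every_days: int      # how often step 4, Verification, must recur
    last_verified: Optional[date] = None   # most recent Verification date, if any
    owner: str = "unassigned"   # who is accountable for step 3, Remediation


def next_review_date(exc: Exclusion) -> date:
    """An exclusion expires this many days after it was last justified."""
    anchor = exc.last_verified or exc.excluded_on
    return anchor + timedelta(days=exc.review_every_days)


def overdue_report(register: List[Exclusion], today: date) -> List[str]:
    """Step 2, Reporting: exclusions that have gone stale and need re-verification."""
    return sorted(e.asset for e in register if next_review_date(e) <= today)


def unassigned_report(register: List[Exclusion]) -> List[str]:
    """Exclusions with no owner cannot progress through Remediation; flag them."""
    return sorted(e.asset for e in register if e.owner == "unassigned")


def verify(register: List[Exclusion], asset: str,
           still_needed: bool, today: date) -> List[Exclusion]:
    """Step 4, Verification: renew the exclusion with a fresh date, or remove it
    so the asset returns to normal scan scope from the next cycle."""
    out = []
    for e in register:
        if e.asset != asset:
            out.append(e)
        elif still_needed:
            out.append(replace(e, last_verified=today))
        # otherwise the entry is dropped: the asset is scanned again
    return out


# Constructed sample register (hypothetical assets, not real systems).
SAMPLE_REGISTER = [
    Exclusion("plc-gateway-01", "legacy PLC crashes on SYN scan",
              date(2016, 1, 15), 90, owner="ot-team"),
    Exclusion("hr-db-02", "vendor says authenticated scan may lock accounts",
              date(2016, 6, 1), 90, last_verified=date(2016, 8, 15), owner="dba"),
    Exclusion("kiosk-07", "unknown impact; excluded during pilot",
              date(2016, 3, 1), 30),
]

# Reference date for the sample run (constructed).
AS_OF = date(2016, 9, 20)

if __name__ == "__main__":
    print("overdue for verification:", overdue_report(SAMPLE_REGISTER, AS_OF))
    print("no remediation owner:", unassigned_report(SAMPLE_REGISTER))
    renewed = verify(SAMPLE_REGISTER, "plc-gateway-01", True, AS_OF)
    print("next review for plc-gateway-01:", next_review_date(renewed[0]))
```

Running it against the sample data reports plc-gateway-01 and kiosk-07 as overdue (their 90- and 30-day windows lapsed long before 20-Sep-16) and kiosk-07 as having no remediation owner, which is exactly the ‘set it and forget it’ entry the author warns about. The point of the design is that an exclusion is never a permanent state: every entry carries a date by which someone must re-argue for it, so the reporting step cannot be skipped without the entry showing up as stale.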

“Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security”

September 19, 2016 by Mengqi He 4 Comments

Recently, tech companies including Uber, Dropbox, Twitter, and Docker have joined forces to create the Vendor Security Alliance (VSA) for improving internet security. With the VSA, security experts and compliance-experienced officers will team up to release a yearly questionnaire to benchmark its members’ risks. The questionnaire will measure risks based on policies, procedures, privacy, vulnerability management and data security. By sharing expertise and practices across businesses, the VSA will create standards and scoring processes to assess the security level of its members and ensure appropriate controls are in place to improve security. The first questionnaire will be available on Oct. 1 free of charge.

I think it is interesting that some tech leaders decided to team up to standardize cybersecurity practices. I think it is a good thing that the VSA takes advantage of collective expertise across different industries to improve security practices. With the standards, companies belonging to the VSA are able to evaluate and measure their own risk levels and determine their vulnerabilities and strengths without additional audits.

Article: http://www.darkreading.com/vulnerabilities---threats/vulnerability-management/uber-dropbox-other-tech-leaders-team-up-to-boost-vendor-security-/d/d-id/1326926

SunGard Recon Assignment

September 19, 2016 by Ahmed A. Alkaysi 1 Comment

Hello everyone,

I have attached my executive summary and PowerPoint, and embedded the video of the presentation below. I apologize; for some reason the Webex recording did not capture my camera, so only my audio is available. If anyone is having trouble viewing any of my documents, please let me know and I will promptly resolve the issues.

Thanks!

sungard-executive-summary-word

sungard-reconnaissance-ppt

https://youtu.be/gX7dN4YD0Vs

DDoS Sees Triple-Digit Growth in One Year

September 19, 2016 by Mengxue Ni 3 Comments

Distributed denial of service attacks are on the rise, even as attack volume falls. According to the article, total DDoS attacks increased 129 percent in Q2 2016 from Q2 2015, and during the second quarter Akamai mitigated a total of 4,919 DDoS attacks.

This reminds me of last week’s article that talked about how the 911 emergency phone system is vulnerable to DDoS attacks. Even when the total volume of attacks falls, DDoS is still a major method used by hackers, since it is relatively simple. This gives the FCC another warning; they should solve the problem as soon as possible.

The article also mentioned, as far as regional notes go, that Brazil experienced a 197% increase in attack sources from the region, making it the top country of origin for all web application attacks. The United States meanwhile ranked second among countries for total web application attacks, seeing a 13% decrease in attacks compared to Q1 2016.

Link: http://www.infosecurity-magazine.com/news/ddos-sees-tripledigit-growth-in/

Energy Sector IT Professionals Overconfident in Cyber Security Capabilities as Attacks Increase

September 19, 2016 by Josh Zenker 1 Comment

When I originally posted, I didn’t see that someone already posted the news about CyMotive, so here is a different article that focuses on a study conducted by Tripwire, an industry leader in enterprise-class security, compliance, and IT operations solutions.

“According to the Department of Homeland Security, the energy sector faces more cyber attacks than any other industry. Despite the frequency in attacks, energy IT professionals participating in Tripwire’s survey were very confident in their ability to collect the data needed to detect a cyber attack…

“‘These results show that most security professionals are assuming they are doing the right things to secure their environments, but lack real world data to back up their assumptions,’ said Travis Smith, senior security research engineer for Tripwire. ‘This highlights the importance of testing security controls to ensure they are functioning as expected. It’s not enough to install security tools throughout the environment. You must test the policies and procedures to be confident the controls in place will stop or detect real-world intrusions…'”

http://www.businesswire.com/news/home/20160919005017/en/Tripwire-Study-Energy-Sector-Professionals-Overconfident-Cyber

I find it especially worrisome that an industry so essential to our success as a country—and demonstrably under constant cyber attack—seems to overestimate its capability to detect and respond to such attacks.

Malware disguised as Pokemon Go Help in Android App

September 18, 2016 by Noah J Berson 6 Comments

Sometimes aspiring Pokemon masters want that extra edge to their game and go looking for guides on how to play the game better. Looking in the Google Play Store may have led the players astray, as one guide was secretly malware. Kaspersky was able to detect a trojan inside the app but said that multiple defenses made it difficult to reverse engineer to see how it fully works. One defense is that it delays any bad activity by two hours to try to thwart those who are trying to see what it can do. It also doesn’t do anything bad until it receives a response from the server that is calling the shots. Once it’s determined it’s a desirable victim, it downloads files to attempt to root the phone and then grant itself root access. The Play Store reports half a million installs, but Kaspersky claims they have only confirmed 6,000 infections live right now. Luckily, the worst thing the app has done so far is install its own ads to make money.

The hacker may continue to publish under other pseudonyms for the next big gaming craze that might hit app stores. It is also worrying that hackers are trying to implement anti-virtual-machine technology, making it harder to create a testing environment that you can reset if things go wrong.

http://news.softpedia.com/news/rogue-pokemon-app-roots-and-hijacks-android-devices-508310.shtml

https://blog.kaspersky.com/pokemon-go-malware/12953/

Volkswagen and former members of Israeli intelligence agency form automotive cyber security firm

September 18, 2016 by Josh Zenker 3 Comments

With all the recent concern about the security of Internet-connected cars, it probably comes as no surprise that Volkswagen has formed an automotive cyber security firm with three former members of Israel’s Shin Bet intelligence agency, including its former head Yuval Diskin. They are calling the new firm CyMotive Technologies. According to Gartner, there are already 22 cyber security companies either focused on automobiles or containing divisions that do. The article seems to suggest that CyMotive will be the first such company directly affiliated with a car manufacturer.

http://www.usatoday.com/story/tech/news/2016/09/16/volkswagen-cymotive-israeli-group-car-automotive-cybersecurity-company/90491834/
