This article was shocking. First of all, between now and 2021 cyber-security spending will exceed 1 TRILLION. What is more amazing is that 1 trillion is not enough, as hackers will commit cyber-security crimes that will result in totals of over 6 trillion. I am curious how the numbers were calculated for those 2 stats. What did not surprise me is how the article detailed the amount of open security jobs and that the number of people using the internet will continue to increase rapidly. Lastly, ransomware damage worldwide was roughly 5 billion. The article conclusion was very true: “During the next five years, cyber crime might become the greatest threat to every person, place and thing in the world.”
Week 08: Social Engineering, Encoding and Encryption
This is another interesting article about the job world in the cyber security realm. It talks about how there are not enough people who have the necessary skills for the jobs that are available. It means there are more jobs available for us to apply for. There are some pretty interesting statistics in the article as well.
More than 200 major organizations in Europe, most of them from Russia, Ukraine, Turkey, and Germany, were attacked in the past few hours by this new widespread ransomware.
This new Petya-like targeted ransomware attack, which mainly attacks corporate networks, is called Bad Rabbit.
The attackers are demanding about $285 from the victims to unlock their systems.
The ransomware was spread through a drive-by download attack, according to the initial analysis provided by Kaspersky. It was done by using a fake Adobe Flash Player installer to lure the victims into installing the malware unwittingly.
According to Kaspersky Lab, the victims had to manually execute the malware dropper, which pretends to be an Adobe Flash installer. The downloads were done from different websites, most of them news or media websites.
Other researchers at ESET have detected the Bad Rabbit malware as ‘Win32/Diskcoder.D’, which is a new Petya ransomware. It uses DiskCryptor, which is open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.
After a successful attack, once the network becomes affected, the ransom note asks the victim to log into a Tor onion website to make a payment, giving them a 40-hour countdown before the price of decryption goes up.
Researchers are analyzing Bad Rabbit to see if there is any way to decrypt computers without paying the ransom and how to stop it from spreading further.
Thanksgiving at my family’s house looks like a day on the trading floor at the New York Stock Exchange. The 50+ people, including adults and children, require multiple days of preparation and clean-up. We always seem to find time to get it done, but having a Vicki from Small Wonder would make life so much easier.
Here are a few items you may see around the place you spend Thanksgiving.
These items are great and seem like a big help. They are easy to use and most have an app to manage the device. I did notice one thing… I couldn’t find the word encryption, security, protection, or anything like that anywhere… Oh well, as long as the turkey is done, it doesn’t matter if someone is spying on us while we watch the football game…
According to the article, research finds that the iPhone has a serious privacy concern that allows iOS app developers to take your photographs and record live video using both front and back cameras without any notification or your consent. This permissions system is not a bug or a flaw; instead it is a feature, and it works exactly in the way Apple designed it. The problem with this permissions system is that any malicious app could take advantage of this feature to silently record users’ activities.
The Equifax hacks are a case study in why we need better data breach laws
This article talks about the following: The systems of Equifax, one of the largest credit reporting agencies in the world, were hacked recently, and it seems it took 6 weeks for the company to let its 143 million customers know about it. This is a huge delay in letting its customers know of the risk, and the company has been shamed for focusing more on its bottom line rather than on the safety of its customers. To prevent customer grievance, the company offered free credit monitoring and identity theft protection to its customers. While it is known that reporting should be done only after careful examination of the attack and its impact, 6 weeks is a total collapse of the system and a deviation from industry standards.
It will be interesting to see how things unfold in the future. Will offering free credit monitoring systems save the company from the delay in reporting the risk to its customers? How soon can the company take measures to mitigate the attack and install anti-theft systems for any attacks in the future? What damage has been done, or will be done, with the hacked data? These are questions that need answers quickly.
Singapore wants ethical hackers to get a license, or else
This article talks about the following: With the recent advancements in Information Security in Singapore, it has become a mandate by the government to have a license for all ethical hackers in the country. Singapore is known to have the best Information Security practice in the world, and despite this there are changes being brought in to further secure or mitigate any potential threats. Any ethical hacker without a license will be subject to a penalty of 2 years in jail or up to $36,000 in fines. These norms have come with the rise in ethical hackers who are not qualified enough or who do not practice in academic settings.
It will be interesting to see how things unfold in the future. How much will ethical hackers have to shell out to obtain a license? Will it take the same amount of time for professional hackers who also take CISSP certifications? Will this license be applicable or allowed for professionals to gain access to the job market too? This policy might be a bottleneck and might lead to a reduced number of legitimate ethical hackers in the future.
Medical device makers wake up to cyber security threat
This article talks about the following: The medical industry is one of the most crucial and vulnerable industries to security threats, and the results can be devastating on the lives of so many people. In the wake of this, many companies like Johnson & Johnson and Philips have started focusing efforts on learning about new hacking practices, in the wake of security threats posed by hackers to medical equipment. The US Food and Drug Administration has also issued a warning to such companies to step up their security measures. Medical device makers are working with white hat hackers to learn about security flaws in their devices.
It will be interesting to see how things unfold in the future. The medical industry, especially hospitals and medical centres, uses legacy medical devices and systems for patient care. How will companies replace those existing devices without compromising the treatment of the patient? At what cost will companies or industries that are using billion dollar machines have to replace them with new ones? Will these companies adopt best practices to prevent future threats, or will they keep replacing devices? These are questions that require immediate attention.
Don’t Use Hard-coded Keys (DUHK), a new cryptographic vulnerability that allows attackers to recover encryption keys from VPN sessions and web browsers, has been reported from the KRACK Wi-Fi attack. The vulnerability affects vendors’ devices that rely on the ANSI X9.31 RNG “in conjunction with a hard-coded seed key.” ANSI X9.31 RNG is an algorithm that was commonly used to generate cryptographic keys in order to secure VPN connections and web browsers.
The DUHK vulnerability could allow a “state recovery attack, allows man-in-the-middle attackers, who already know the seed value, to recover the current state value after observing some outputs.”