Why should we be concerned about the successful SHA-1 collision attack that was recently demonstrated by Google researchers?

I take a look at encryption, cryptographic hashing, and why this attack is a big deal.

Today is the last Alien Eye in The Sky episode for 2016, so rather than just recapping the week, we thought we’d take a look at what’s transpired over the course of 2016.

To be honest, I underestimated the huge task at hand, and after researching several hundred breaches, decided that it was better to break down the incidents into trends and take samples from each.

Hopefully this will give a renewed appreciation of how much the cyber security challenge is growing across the world and across all industries.

So, without further ado, all the stories mentioned in the video are linked below.

Happy holidays everybody!

Online dating

  • Adult Friend Finder
  • Fling
  • Mate1
  • Shadi.com
  • Muslim Match

Password re-use attacks

  • Carbonite
  • Netflix
  • GoToMyPC
  • Reddit
  • TeamViewer
  • Camelot
  • Deliveroo
  • KFC

Healthcare

  • Banner Health, which impacted 3.7m patients
  • Turkish state hospitals, 10m patients
  • Queen Mary Hospital in Hong Kong saw 3,600 records accessed
  • Al Zahra Private Medical Centre in the UAE had 4,600 records accessed
  • New Jersey Spine Centre
  • Center for Neurosurgical and Spinal Disorders

It’s Not All Fun and Games

  • Steam game keys stolen
  • Evony gaming company saw itself targeted twice during the year
  • Forums belonging to Clash of Kings and Funcom were breached

Elections

  • The Philippines Commission on Elections was attacked a month before the country held its 3rd automated elections
  • Over 93.4 million Mexican citizens had their voter registration details exposed online
  • Illinois online voter registration portal hacked, information compromised
  • Every voter in Louisiana’s details exposed
  • In Ghana, the Electoral Commission had four computers stolen that were used for biometric voter registration

Education

  • The Indian Institute of Management was hacked and results of the CAT exam released
  • University of Central Florida
  • N.C. State University
  • Jacksonville State University
  • University of Liverpool
  • University of Ottawa missing hard drive with data on 900 students
  • Saga prefecture schools

Defcon IoT village saw 47 new vulnerabilities discovered in devices

Ransomware

Banking incidents

  • Tesco Bank hack
  • Bank of New Zealand
  • Royal Bank of Canada
  • SunTrust Bank
  • Qatar National Bank

Miscellaneous hacks and breaches through the year

  • Oregon Department of Fish and Wildlife
  • Azerbaijani hackers leak secret data from Armenian intel server
  • World Anti-Doping Agency (WADA) hacked
  • Adani Power Ltd., India
  • Zameen.com, Pakistani real estate giant, hacked, entire DB leaked
  • Siliconware Precision Industries in Taiwan suspected an engineer stole data
  • Christians Against Poverty saw bank details, phone numbers, and other data stolen
  • American Association for the Advancement of Science
  • Rhode Island Blood Center
  • Vietnam Airlines
  • South Africa’s Department of Water Affairs
  • Yahoo hack

Another week, another set of impactful, bizarre, and interesting security stories.

We tried something interesting this week: rather than focusing on a few stories in the video and posting links to others, we’ve crammed them all into one action-packed episode!

Stories covered

  • Toyota dealer sued for stealing intimate photos off couple’s smartphone
  • Nice Security Matrix about Office macros (PDF)
  • Counterproductive security behaviors that must end
  • How HMRC combats phishing by using DMARC
  • How publishers are defeating ad blockers and how ad blockers are fighting back
  • Fake US embassy in Accra, Ghana, staffed by Turks, flew an American flag and issued fraudulent visas for $6,000
  • Did someone put you in the TO: instead of the BCC:? Do this…

Every so often, a report gets presented which looks like it was written by the work experience student that was employed by the intern.

So what’s the best way to respond? I went on twitter to ask the opinion of folk who have to deal with this kind of thing on a regular basis, and distilled their wisdom into 15 tips.

Other honourable mentions go to:

True to form, cyber security continues its domination of technology and mainstream news. Ransomware continues to strike, using different techniques such as Locky’s recent spread through social media, or attacking targets like the San Francisco Municipal Transport Agency.

Password reuse attacks continue to grow, from Deliveroo’s attack a couple of weeks ago to the UK’s National Lottery this week.

It’s another crazy week – with many “Shatners” thrown in for good measure.

In This Week’s Video

  • Locky spreads through social media
  • San Francisco Municipal Transport Agency gets hit by ransomware
  • National Lottery accounts breached

Other interesting stories

  • PhishLulz is a Ruby toolset aimed at automating phishing activities
  • Syscall Auditing at Scale
  • EU General Data Protection Regulation FAQs
  • Security operations centre (SOC) buyers’ guide
  • InPage zero-day exploit used to attack financial institutions in Asia
  • Generate geolocation map using Wireshark
  • Brief lessons on handling huge traffic spikes
  • WiFi Frequency hacker

A lot went down – some stories in the video and a ton of interesting links below. Enjoy!

Stories in Video

  • Tesco Bank hacked
  • Adult Friend Finder hack
  • Facebook buying stolen passwords
  • IP Bill set to become law

Other interesting stories

  • Cyber Security Challenge UK crowns youngest ever champion
  • GCHQ wants internet providers to rewrite systems to block hackers
  • Researchers’ Belkin Home Automation Hacks Show IoT Risks
  • UK halts Facebook’s WhatsApp data dip
  • Data cleanliness and patch verification
  • A Cybercrime Report Template
  • Smart light bulb worm hops from lamp to lamp

I always get excited when I get to travel to new places and meet interesting people as part of my job.

To say I was extremely excited and humbled to have been invited to attend Tactical Edge in Bogota, Colombia would be an understatement.

However, as the days drew closer, I found that fewer of my friends and family shared my enthusiasm. The constant asking of “have you got kidnapping and ransom insurance?” had given me second thoughts. Not the kind that would make me cancel the trip, but the kind you get when you get on a roller coaster after a long wait and get the butterflies in your stomach that question whether it was such a great idea.

Edgar Rojas was putting on the conference and couldn’t have been a better host. He sent us all relevant information up front, a detailed itinerary of events, and generally had everything under control. Upon arriving in Bogota, I found whatever concerns I had disappeared almost instantaneously. Not only had Ed arranged a pickup from the airport and our rooms, but he had also included sightseeing tours of the city as well as dinners in some of the best restaurants. It turned a work trip into a more enjoyable experience than some holidays I’ve been on!

When it comes to conferences though, having an exotic location, good food, and a few shenanigans are all fine. But ultimately, a lot of it boils down to the actual content and knowledge-sharing that takes place – and the event didn’t disappoint.

There were many foreign speakers that flew in for the conference, including Wendy, Dave, Paul, Jayson, Paul, David, Greg, Erin, Zack, Valerie, Wolf, Andrew, Frank, and Tracy amongst others (apologies in advance; I’ve definitely forgotten some people).

But perhaps more interesting was interacting with some of the local security professionals. Communication was somewhat challenging as I don’t know any Spanish beyond what I’ve picked up from watching Dora the Explorer and Handy Manny. But it was good to hear and understand the security challenges faced by security peers based in Colombia, and indeed wider South America. The economy is surprisingly strong and big businesses are expanding rapidly, so many of the challenges are similar to the ones we see elsewhere. However, there are some cultural and technology-maturity differences which mean there are variations in how security is sold and implemented.

A few of the attendees I spoke to were interested in three broad areas:

  • The first was to understand models by which security can best be implemented and measured within enterprises.
  • The second was around how to sell security to executives by way of real-life examples from the media. This seemed to be a common thought, as several of the local speakers spoke at length about breaches, their impact, how they occurred, and what companies could do to protect themselves.
  • The final area where I had some interesting discussions was security technologies. Like most other places, compliance drives some purchases. But many were interested in open source tools and were looking for alternatives to the vendors they saw in the Gartner Magic Quadrant. One person stated that they felt the Magic Quadrant was a limited list and wanted an easy way to understand the variety of providers out there, but didn’t have anyone locally who could offer that expertise.

Overall, it was a real eye-opener: an educational and highly enjoyable event. Between the conference, the sightseeing, and the networking, I think Tactical Edge set the bar for security conferences.

After a hiatus of a week while I was attending Tactical Edge in Colombia – I’m back with a roundup.

Stories in the video

  • http://www.theregister.co.uk/2016/10/24/chinese_firm_recalls_webcams_over_mirai_botnet_infection_ddo…
  • http://www.bbc.co.uk/news/technology-37761868
  • https://www.veracode.com/blog/managing-appsec/do-you-use-open-source-components-find-out-what-our-la…
  • https://www.ft.com/content/ed9ff168-9b03-11e6-8f9b-70e3cabccfae (may require subscription to read)
  • https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Other interesting links

  • Independent researchers have confirmed MedSec’s findings, including hack to zap someone’s heart (PDF)
  • Surveillance Evasion
  • 15 hacker kids under 15
  • Is Ireland ready to police the data world?
  • Silicon Valley decides it’s just too hard to build a car
  • Guide to automatic security updates for PHP developers
  • Dyn analysis summary of October 21st attack
  • Mozilla no longer accepts audits carried out by Ernst & Young
  • The difference between SecDevOps and Rugged DevOps
  • Crack WPA/WPA2 WiFi password without dictionary/brute force attack using Fluxion
  • Microsoft: Google has put our customers at potential risk

I blogged something about Mirai over on the AlienVault blog. But that didn’t ease my pain, so I went and made a video as a kind of open letter to manufacturers.

I wrote a whole blog to accompany this video – you can read it here

TL;DR? Behavioral monitoring is more about finding out what’s normal than not.

It’s been a busy week in the land of information security. But don’t worry, we’ve got it all covered in our roundup.

Links to stories in video:

  • Ransomware operator shut down
  • Stealing an AI
  • Nobody is bidding on Shadow Brokers files
  • US government IP address contract ends
  • Don’t be Yahoo
  • Verizon wants $1bn discount
  • You don’t have to be stupid to work here

Links to other interesting stories from the week

  • MMD-0056-2016 – Linux/Mirai, how an old ELF malcode is recycled
  • Hacker releases code that powered botnet attack against Krebs
  • Microsoft has announced it is to harden the Edge browser for enterprise users
  • A really sweet presentation format and great information for incident response and security operations teams by Frode Hommedal
  • Thrillseekers stuck on rides at Universal Studios after massive power outage – redundancy fail? Or all part of the show?
  • Halvar Flake was asked why he works in security – and gives a nice response. What he didn’t give was my 3 favourite answers: good pay, sponsorship money, and VC money
  • What makes call-out culture so toxic?
  • The three infrastructure mistakes your company must not make
  • Hootsuite’s CEO on what he learned from getting hacked on social media
  • AlienVault OTX Maltego Transforms

Security Serious Week is five days dedicated to helping UK businesses understand the importance of information security. It consists of a one-day conference, the Unsung Heroes Awards, and over 50 webinars, amongst other activities.

AlienVault was a proud sponsor of the 2016 Unsung Heroes Awards, and so I went along to check it out.

The Unsung Heroes Awards are designed to give the unsung heroes in IT security the recognition they deserve.

With 14 categories and a plethora of nominations, even the shortlist began to look rather long. The event was well-attended, with winners receiving trophies in addition to superhero capes and masks, adding much-needed levity to events that can often end up taking themselves a bit too seriously (no pun intended).

I was there to capture all the glory of the event, which turned out to be a great night.

The full list of winners is below.

  • CISO Supremo
    – Mark Jones, Allen & Overy
    – Avtar Sehmbi, HSBC
    – Dr Robert Coles, GSK
    – Thom Langford, Publicis Groupe
    – Andrew Rose, NATS
  • Godfather of Security
    – Brian Shorten, Charities Security Forum
    – Professor Fred Piper, Royal Holloway University
  • Security Avengers
    – Publicis Groupe Team
  • Best Security Awareness Campaign
    – Amar Singh, GiveADay
  • Social Media Saviour
    – Katie Sanderson, Lockcode Cyber Security
  • Mobile Mogul
    – Charles Brookson, Azenby
  • Security Leader
    – Quentyn Taylor, Canon
  • Cloud Security Superhero
    – Andrew Hardie, BCS
  • Fraud Fighter
    – Luis Aguair, Metro Bank
  • Game Changer
    – Hugh Boyes, IET Cyber Security
  • Marathon (Wo)Man
    – Vicki Gavin, Economist Group
  • Spidey Sense
    – Professor John Walker, HEX Forensics
  • Captain Compliance
    – Eddie Dynes, Gatwick Airport
  • Cyber Writer
    – Warwick Ashford, Computer Weekly

Things I hearted has probably been one of the most regular series of posts I’ve done in recent times. At the same time, I was doing a weekly roundup over at my AlienVault blog. So, in the interest of saving time, energy, and preserving my youthful good looks, I decided to not only combine both into one weekly roundup – but also add a video element to it.

It ends up being all the same links you love – just a new home and a new format. I’ll still be listing out all the links and stories I found interesting during the week from the world of security and beyond. But this time with added video commentary.
Let me know what you think of the newish format.

It’s NCSAM – National Cyber Security Awareness Month. So I am doing one theme a week for AlienVault on a good practice that companies should adopt.

For week 1, I’ve decided to talk about assets. The video is embedded, and you can read the entire blog post about why assets matter over on the AlienVault blog.

I felt it was time to get back on the video saddle on a regular basis (famous last words). You can probably tell I’m rusty because the sound peaks are all off – I think the onboard mic on my Drift camera is a bit old.

But the big news has been around Yahoo and the massive breach. The first thing that came to my mind when reading about the breach was that under a regulation like GDPR, there’s no way the details of the breach could have been kept hidden from the public for so long. According to Article 33 (notification of a personal data breach to the supervisory authority):

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

That’s right – 72 hours.

And GDPR is no little slap on the wrist. Under the regulation, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.

Given that in 2015 Yahoo’s revenue was reported as $4.968 billion (source: http://yahoo2015.tumblr.com), a 2% fine would represent $99,360,000 – yep, just over 99 million.

That should give every company facing GDPR implementation in 2018 reason to stop and think about the implications for itself.