In this episode we sit down with Mark Tomallo, from Panopticon Labs, and RSA’s Kevin Flanagan. We discuss mentoring, online crime, choosing infosec as a career and even dig out some tidbits from Mark about online gaming fraud and some of the criminal underground around the gaming industry. I think this is a very interesting and fun episode, so check it out and let us know what you think on Twitter (@microsolved, or @lbhuston). Thanks for listening!
Listen Here:
Hey, you, get off my digital lawn and put down my binary flamingos!!!!!
If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…)
First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.
That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂
There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.
In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂
As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter!
This episode is about 45 minutes in length and features an interview with Dave Rose (@drose0120) and Helen Patton (@OSUCISOHelen) about ethics in security, women in STEM roles and career advice for young folks considering Infosec as a career. Have feedback, let me know via Twitter (@lbhuston).
Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit. For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices. If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system. If your device has not been affected, be sure to patch it immediately.
Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices. The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system. These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.
The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems. If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.
Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.
I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, ala Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help war lords recover from battle. I suppose it is an age old balancing act.
I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be waging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs and Bill Gates could only emerge within a specific time line of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not….
It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂
Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.
Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc can provide for you and your company! MicroSolved has a whole host of proprietary software including TigerTrax, that will give your company an edge over your competition!
With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!
In every business there are times whether for a short duration or a long term one where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also and more importantly you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do and in a very short time you can have actionable information that may be used to help protect your companies brand!
As you can see TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine we are only scratching the surface of what we at MicroSolved, Inc and the TigerTrax platform can do for you. So please if you need any assistance for your company feel free to contact us by sending an email to: info@microsolved.com.
This post by Preston Kershner.
Prior to joining MicroSolved as an Intelligence Engineer, I was the Information Security Officer and Infrastructure Manager for a medical management company. My company provided medical care and disease management services to over 2 million individuals. Throughout my tenure at the medical management organization, I kept a piece of paper on my bulletin board that said “$100,000,000”.
Why “$100,000,000”? At the time, several studies demonstrated that the average “street value” of a stolen medical identity was $50. If each record was worth $50, that meant I was responsible for protecting $100,000,000 worth of information from attackers. Clearly, this wasn’t a task I could accomplish alone.
Enter: MicroSolved & HoneyPoint
Through my membership with the Central Ohio Information Systems Security Association, I met several members of the MicroSolved team. I engaged them to see if they could help me protect my organization from the aforementioned attackers. They guided me through HIPPA/HITECH laws and helped me gain a further understanding of how I could protect our customers. We worked together to come up with innovative solutions that helped my team mitigate a lot of the risks associated with handling/processing 2 million health care records.
A core part of our solution was to leverage the use of HoneyPoint Security Server. By using HoneyPoint, I was able to quickly gain visibility into areas of our network that I was often logically and physically separated from. I couldn’t possibly defend our company against every 0-day attack. However, with HoneyPoint, I knew I could quickly identify any attackers that had penetrated our network.
Working for a SMB, I wore many hats. This meant that I didn’t have time to manage another appliance that required signature updates. I quickly found out that HoneyPoint didn’t require much upkeep at all. A majority of my administrative tasks surrounding HoneyPoint were completed when I deployed agents throughout our LAN segments that mimicked existing applications and services. I quickly gained the real-time threat analysis that I was looking for.
If you need any assistance securing your environment or if you have any questions about HoneyPoint Security Server, feel free to contact us by sending an email to: info@microsolved.com.
This post contributed by Adam Luck.
One of the biggest challenges that our M&A clients face is discovering what networks look like, how they are interconnected and what assets are priorities in their newly acquired environments. Sure, you bought the company and the ink is drying on the contracts — but now you have to fold their network into yours, make sure they meet your security standards and double check to make sure you know what’s out there.
That’s where the trouble begins. Because, in many cases, the result is “ask the IT folks”. You know, the already overworked, newly acquired, untrusted and now very nervous IT staff of the company you just bought. Even if they are honest and expedient, they often forget some parts of the environment or don’t know themselves that parts exist…
Thus, we get brought in, as a part of our Information Security Mergers & Acquisitions practice. Our job is usually to discover assets, map the networks and perform security assessments to identify gaps that don’t meet the acquiring company’s policies. Given that we have had to do this so often, we have designed a great new technique for performing these type of mapping and asset identification engagements. For us, instead of asking the humans, we simply ask the machines. We accumulate the router, switch, firewall and other device configurations and then leverage TigerTrax’s unique analytics capabilities to quickly establish network instances, interconnections, prioritized network hosts & segments, common configuration mistakes, etc. “en masse”. TigerTrax then outputs that data for the MSI analysts, who can quickly perform their assessments, device reviews and inventories — armed with real-world data about the environment!
This approach has been winning us client kudos again and again!
Want to discuss our M&A practice and the unique ways that TigerTrax and MSI can help you before, during and after a merger or acquisition? Give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com. We’d be happy to schedule a FREE, no commitment & no pressure call with our Customer Champions & our security engineers.
Everything is about efficiency and economies of scale now days. That’s all we seem to care about. We build vast power generation plants and happily pay the electrical resistance price to push energy across great distances. We establish large central natural gas pipelines that carry most of the gas that is eventually distributed to our homes and factories. And we establish giant data centers that hold and process enormous amounts of our private and business information; information that if lost or altered could produce immediate adverse impacts on our everyday lives.
Centralization like this has obvious benefits. It allows us to provide more products and services while employing less people. It allows us to build and maintain less facilities and infrastructure while keeping our service levels high. It is simply more efficient and “cost effective”. But the “cost” that is more “effective” here is purely rated in dollars. How about the hidden “cost” in these systems that nobody seems to talk about?
What I am referring to here is the vulnerability centralization brings to any system. It is great to pay less for electricity and to avoid some of the local blackouts we used to experience, but how many power plants and transmission towers would an enemy have to take out to cripple the whole grid? How many pipeline segments and pumping stations would an enemy have to destroy to widely interrupt gas delivery? And how many data centers would an enemy need to compromise to gain access to the bulk of our important records? The answer to these questions is: not as many as yesterday, and the number becomes smaller every year.
However, I am not advocating eschewing efficiency and economies of scale; they make life in this overcrowded world better for everyone. What I am saying is that we need to realize the dangers we are putting ourselves in and make plans and infrastructure alterations to cope with attacks and disasters when they come. These kinds of systems need to have built-in redundancies and effective disaster recovery plans if we are to avoid crisis.
Common wisdom tells us that “you shouldn’t put all your eggs in one basket”, and Murphy’s Law tells us that “anything that can go wrong eventually will go wrong”. Let’s remember these gems of wisdom. That way our progeny cannot say of us: “those that ignore history are doomed to repeat it”!
Thanks to John Davis for this post.