Data breaches from stolen or lost laptops are in the news far too often. And you know it happens even more often off the news. MicroSolved’s recommendation for field laptops that may contain databases with sensitive and personal information is to encrypt the data or entire volume. Using the BitLocker feature on Windows is one such solution.
Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.
In this episode (~45 minutes), I answer questions from the audience around blockchain and smart contract security considerations. I cover some of the reasons why I think these technologies are important, what their potential impacts are likely to be and how information security teams should prepare. Some of the questions drift into changes around store of value, investment insights and other closely related topics.
This episode is sponsored by MachineTruth™ – a new passive, analytics-based solution for network inventory, traffic analysis and security baselining. Learn more at http://www.machinetruth.net.
Prepping? Who wants to prep for incident response?
This particular bit of writing came from a question that I was asked during a speaking engagement recently – paraphrased a bit.
How can a client help the incident team when they’re investigating an incident, or even suspicious activity?
So, I circulated this to the team, and we tossed around some ideas.
Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.
National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).
Several paths led me to a blog on this topic. I have a friend and a close relative who are currently going through a home loan process. In addition, in a work-related project, I have been researching mortgage fraud and real estate scams. Statistics reveal about 1% of loan applications contained an element of fraud, and it has been on a general upward trend for the last decade.
This episode is a tidbit episode, weighing in just under 20 minutes. I sat down last week with Megan Mayer (@Megan__Bytes) in the lobby bar of the Hyatt during the Central Ohio Security Summit. Pardon the background noise, but we riffed on what Megan believes are the top 3 things that every security manager or infosec team should do this week. She had some great insights and I think her points are fantastic.
Give it a listen, and as always, if you have feedback or have someone in mind that you’d like to have interviewed on the podcast or a topic that you’d like to see covered, drop me a line (@lbhuston).
As always, thanks for listening and stay safe out there!
We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!
As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.
On May 14, 2019 Microsoft announced a vulnerability in RDP – Remote Desktop Services…formerly known as Terminal Services. The vulnerability is significant enough that Microsoft has chosen to publish a patch for Windows XP and Windows 2003 on May 15th – operating systems that have been out of support for a few years now.
Why is this important? The vulnerability is similar to the one that WannaCry leveraged, and allows an attacker to “worm” through the network. Reports say that there is a proof-of-concept exploit; as of this writing on May 19th, the MSI lab hasn’t laid hands on one to test and our research is ongoing.
To quote Microsoft:
“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
So what? So…early this morning, a search on shodan.io for “rdp” showed 1058 exposures indexed. A few HOURS later, that number increased to 1062. Externally facing RDP is a very bad idea, and attackers considered it to be low hanging fruit before this vulnerability came to light…now, the stakes are higher.
“My patching is automated” – we’re all good, right? Well…I contacted a friend in a small office yesterday, and suggested that they check. When she inventoried the 4 computers that were set to update automatically…3 of them had not received this update. Due diligence is your friend here, don’t assume.
Patch. Patch now. Share with your friends and colleagues, particularly those who are less than technically savvy. Friends don’t let friends have RDP as an externally facing service!
(Let’s not leave Adobe out of the mix. Adobe’s Patch Tuesday covers 82 CVE’s. EIGHTY TWO? People, we have to do better…)
And remember…is it really paranoia if they ARE out to get you?