Inside Security

Inside Security (Jul 21st, 2016)

David’s Take
The httpoxy vulnerability is making the rounds again, and the St. Louis Cardinals are an example of what not to do with passwords. New products worth looking at this week are from Sophos, Thycotic and Dwolla, and there is a new attack on a Polish phone company that should know better. Plus ways to keep your Joomla servers protected and how to play on the Red Team.
-- David Strom, editor of Inside Security
New and noteworthy products
Sophos introduces an always-on cross-platform file encryption product called SafeGuard. What is interesting is that it works for data shared across Windows, Mac, iOS and Android platforms, using the native encryption tools built into each OS, such as BitLocker and FileVault. As the vendor says, “we play nice with all devices.” That remains to be seen, but the product starts at $40 per seat per year, can be lower for quantity purchases, and there is a 30-day free trial.  -- SOPHOS

Do you presently use any file encryption service and what has been your experience?
Thycotic has added a product named, literally, Application Control Solution for Windows to its line of privilege management tools. It revokes default local administrator privileges from most business users while seamlessly elevating privileges when required by trusted applications. This limits the spread of malware that is looking to worm its way through your network with admin rights, and lets IT managers specify the correct level of access for each application. Other features include application whitelisting, real-time application reputation and threat intelligence.  -- THYCOTIC
What if you could make use of a specialized development sandbox to test online payment apps? That is what Dwolla, a leading payments provider, is now doing. They have built a comprehensive staging environment for their partners to build and test their integrations, and it’s available for free to any developer interested in integrating with their APIs. The idea is to allow companies to test high-volume events and complex scenarios before launching them into real apps.  -- DWOLLA
Threats and attacks
The St. Louis Cardinals baseball team is finding out the cost of a former front office employee reusing a password in this sordid case that was just adjudicated. One of its scouting executives got a 46-month prison sentence for guessing a rival team’s password to access scouting reports and other confidential information. While there is still a lot not yet known about what happened, it is a lesson for all of us to use unique passwords, and certainly to change them when we change employers. -- NAKED SECURITY
A major breach at one of the top Polish telecom providers occurred in early July. The company, Netia, lost control of 14 GB of its customer data through compromised web-based forms that were not using SSL/TLS connections. It has called in outside security experts to help improve its procedures. The Ukrainian ultra-nationalist Right Sector party claimed responsibility for the attack. -- SC MAGAZINE
Have you checked all your web forms lately to make sure they aren’t transmitting sensitive data in the clear?
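As an added example (not code from the SC Magazine story or from Netia), here is a Python check that answers that question for a saved page: it parses the forms, resolves each form's action against the page URL (an empty action submits back to the page itself, so a page served over http:// is enough to leak the fields), and flags any form that would submit over plain HTTP, noting password or sensitive-looking fields and GET submissions, which also put the values into URLs and server logs. The page URL, HTML and field-name heuristics are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (hypothetical hostnames), as if fetched from PAGE_URL.
PAGE_URL = "http://www.example.net/contact"
SAMPLE_HTML = """
<html><body>
<form action="/contact/submit" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<form action="https://secure.example.net/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="http://legacy.example.net/cgi-bin/support.cgi">
  <input name="ssn"><input name="comment">
</form>
</body></html>
"""

# Heuristic substrings for field names that should never travel in the clear
# (assumption: extend for your own applications, e.g. national ID numbers).
SENSITIVE_NAMES = ("pass", "pw", "ssn", "pesel", "card", "cvv")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_forms(page_url, html):
    """Return [(resolved_action_url, reasons)] for each form that would submit
    over plain HTTP. Forms whose resolved target is https:// are not reported."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Empty or relative action: the browser submits to the page's own URL/scheme.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "https":
            continue
        reasons = []
        if form["method"] == "get":
            reasons.append("GET puts fields in the URL and server logs")
        for field in form["fields"]:
            name = field["name"].lower()
            if field["type"] == "password" or any(s in name for s in SENSITIVE_NAMES):
                reasons.append("sensitive field '%s'" % field["name"])
        findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in cleartext_forms(PAGE_URL, SAMPLE_HTML):
        print("cleartext form ->", target, "; ".join(reasons))
```

Run it over the HTML of each public page that carries a form; anything it prints is a form worth moving behind TLS, and the GET ones deserve a method change as well.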
Joomla websites have lately been compromised by the Realstatistics malware campaign. It is a variation on something seen at the end of 2015, involving remote code execution. Thankfully, most web application firewalls catch this nasty code, but that doesn’t stop the bad guys from trying. The new version uses a slightly different infection vector that is described in the linked post. Make sure your Joomla servers are patched and current. -- SUCURI

Remember back in the day when folks tried to get you to call 900 numbers and stay on the line? That is pretty much the script for a new series of exploits that abuse the voice call-back feature of multi-factor authentication, pointing it at premium-rate phone numbers so that the attacker collects the per-call fees. It is a pretty clever proof of concept, and it could be used to move some serious funds if enough calls were placed to these premium numbers.  -- ARNE SWINNEN BLOG

Httpoxy sounds like it could be one of those designer diseases, but it is really a nasty vulnerability that has been around in one form or another for more than a decade. It affects CGI applications and anything else that follows the CGI convention of copying request headers into environment variables: a client-supplied Proxy header becomes the HTTP_PROXY variable, which many HTTP client libraries read as their outbound proxy setting, so an attacker can route the server’s own outgoing HTTP requests through a proxy they control and read or modify them as a man in the middle. The linked write-up has more details about how it works, and security researchers have finally found instances of it in the wild. SearchSecurity has more information about its recent activity, NakedSecurity goes into more specifics, and meanwhile Cloudflare says its customers are protected.
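To make the mechanism concrete, here is an added Python example (not code from any of the linked write-ups) that walks through the three pieces of httpoxy: the CGI mapping that turns a client’s Proxy header into HTTP_PROXY, what an unpatched HTTP client library then does with it, and the two fixes a practitioner should verify, namely stripping the Proxy header at the web server or gateway, and having the client library ignore the upper-case HTTP_PROXY whenever REQUEST_METHOD shows it is running under CGI (the fix CPython shipped for CVE-2016-1000110). The last function asks the running interpreter’s urllib which proxy it would pick, a quick way to confirm that your Python is patched. The request headers and hostnames are constructed for the example.

```python
import os
import urllib.request

# Constructed attacker request (hypothetical hostnames), as the server parses it.
ATTACKER_REQUEST = {
    "Host": "app.example",
    "User-Agent": "curl/7.0",
    "Proxy": "http://attacker.example:8080",  # the httpoxy trigger
}


def cgi_env(headers, method="GET"):
    """RFC 3875 section 4.1.18 mapping: 'HTTP_' + header name upper-cased,
    with '-' replaced by '_'. A client-supplied 'Proxy' header therefore lands
    in HTTP_PROXY, the variable most HTTP client libraries read for their proxy."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """What an unpatched client library does: trust HTTP_PROXY unconditionally,
    so the server's own outgoing requests go through the attacker's proxy."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def safe_outbound_proxy(env):
    """Library-side fix: under CGI (REQUEST_METHOD is set) the upper-case
    HTTP_PROXY may have come from a client header, so only honour the
    lower-case http_proxy, which no request header can produce."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def strip_proxy_header(headers):
    """Gateway-side fix: drop 'Proxy' before building the CGI environment.
    There is no legitimate 'Proxy' request header, so nothing breaks."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def urllib_outbound_proxy(env):
    """Ask the running interpreter's urllib what proxy it would use for this
    CGI environment. urllib reads os.environ, so stage the environment there
    temporarily and restore it afterwards. A patched Python returns None."""
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(env)
        return urllib.request.getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    env = cgi_env(ATTACKER_REQUEST)
    print("HTTP_PROXY in CGI environment:", env.get("HTTP_PROXY"))
    print("unpatched client would use:   ", naive_outbound_proxy(env))
    print("patched client would use:     ", safe_outbound_proxy(env))
    print("this interpreter's urllib:    ", urllib_outbound_proxy(env))
    print("after stripping the header:   ", cgi_env(strip_proxy_header(ATTACKER_REQUEST)).get("HTTP_PROXY"))
```

The gateway-side strip is the one to deploy first, because it protects every language runtime behind the server at once; the library-side check is what to look for when you audit a client library or a runtime you cannot put behind such a gateway.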
Report and evaluation
Researchers at Sandia National Laboratories in New Mexico are experimenting with encrypted DNA storage for archival applications. Say what? The idea is to store data into the millions of base pairs of DNA molecules. The density is so great that you could theoretically store 2.2 petabytes of information in one gram of DNA! And unlike digital forms of storage, DNA never becomes obsolete. -- DARK READING
Methods and tools
This is a fascinating article about a member of Yahoo’s internal Red Team, whose job is to try to break things. "We can crush bugs all day, but when you apply different attack chains to your entire company, that's when you get an idea of how strong or weak your defense is," said one of the team members. There is a reason why offense is the best defense. -- ZDNET
This is some great advice on several application security lessons that should be part of every development team’s playbook. Such chestnuts as never trusting input from end users, steering clear of hard-coded credentials, and making heavy use of threat modeling are all good things to internalize.  -- TECHBEACON

Any other rules of the road you want to share with other readers?
If you are looking for a great listing of free computer forensics training classes, Ed Tittel has put together a helpful list of places that you should check out first, such as EH Academy, Charles Sturt University in Australia, and the National White Collar Crime Center, among others. All have some solid course offerings.  -- TOMS IT PRO
Self Serving Dep't

Dell announces the results of its global Digital Transformation Security Survey, and not surprisingly, 85 percent of those polled say security teams can better enable digital transformation initiatives if they are included early in their projects. The majority of respondents say that IT security teams are brought in too late to be effective. One of the key technologies that should be used is identity and access management. Of course, Dell has solutions in this area.  -- DELL
IBM has made some significant improvements in how it serves up its cloud-based blockchain services, according to this article. IBM started offering code for the Hyperledger Project, the open source blockchain implementation, through its Bluemix service, but that wasn’t as secure as its high-security industrial customers wanted, so it moved the service over to LinuxONE. This offers the ability to sign and encrypt the entire software stack along with the data. -- THE NEW STACK
Noteworthy webinars
Former assistant secretary of defense for international security affairs Derek Chollet discusses his new book "The Long Game" in this Facebook Live presentation. Chollet’s book proposes that Obama has profoundly altered the course of American foreign policy for the better and positioned the United States to lead in the future. Given that he was a member of the administration, it is interesting that one reviewer says the book “explains even more than it defends.” -- DEFENSEONE


Seven ways MSPs can protect their clients from ransomware is the subject of a new hour-long webinar to be held next Wednesday, July 27. The speaker is Martin Marrell, a Senior Sales Engineer with StorageCraft, which sells a data recovery solution for when you have already been hit. -- REDMOND CHANNEL PARTNER MAGAZINE

Two researchers from Incapsula (Ben Herzberg and Avishay Zawoznik) provide an inside look at what happens during a real-time DDoS attack, and how it exploits security gaps and vulnerabilities in your network. That sounds like something worth spending 45 minutes to watch. -- INCAPSULA
What has been your experience with DDoS, and can you recommend other useful resources?
Just for fun

Do you know who actually said this quote without looking it up? Hint, it wasn’t Grace Hopper.

While this isn't exactly about security, we liked the idea of tiling your bathroom with a nice educational component for those chemistry buffs among us. Perhaps you can send in a photo of the ISO model next?
Copyright © 2016 Inside, All rights reserved.