
Inside Security (Jul 25th, 2016)

David’s Take
I am only part way through watching the recording of last week’s MIT seminar but still find it worth watching about various hacking methods. That brought me to the announcement about the latest EFF lawsuit and highlighted how bad actors can locate your phone when you travel. This week we also have lots of research reports to highlight, including the tools terrorists use and the transition to a privately-run Internet.
 
We’d love to hear from you on any of these topics.
-- David Strom, editor of Inside Security
New and noteworthy product

Version 7.0 of CloudShell helps automate DevOps and now supports creating hybrid cloud sandboxes in VMware vCenter, AWS, OpenStack and Azure. You can automate workflows with their APIs and speed up your development cycles by quickly setting up new testing environments. The developer edition of the tool is free and the Enterprise Edition is available for new users as a subscription of $30,000 per year plus $3000 per concurrent user. -- QUALI
 
Threats and attacks
Brian Krebs has revealed the real-life identity of the Canadian man and the author of the Orcus remote access Trojan.
Krebs feels the hacker is spreading malware because it steals passwords, spreads across your network and can handle thousands of hosts at once. – KREBS ON SECURITY
 
Any recent RATs that you have discovered on your networks?
 
Reports and evaluations

There is a new report entitled Tech For Jihad: Dissecting Jihadists' Digital Toolbox that details and analyzes 36 specific tools used by jihadist groups. The report claims an increase in the release of OpSec and InfoSec proprietary jihadi manuals, suggesting the increasingly comprehensive outlook jihadists have on their cyber security and online operations. The actors’ use of social media is well documented, but less well known are other tools they use, such as secure browsers and email clients (such as Hushmail, above), VPNs and proxy servers, and a custom encryption tool called Asrar Al-Mujahideen. -- FLASHPOINT
 
The US Commerce Department has begun its transition towards private-sector control over the Internet’s domain name system, IP address space management, and other technical aspects that currently are under its authority. This process began several years ago, and has seen countless hours of work from various parties. There is still a lot of work to be done, including testing by ICANN and Verisign to transmit root zone changes properly. The FAQ can be found here. – NATIONAL TELECOMS AND INFO ASSN.
 
Methods and tools
The Electronic Frontier Foundation sued the U.S. government last week to overturn what they claim are onerous provisions of copyright law contained in Section 1201 of the DMCA. It says these rules violate the First Amendment, limit tampering with digital rights software and can prevent security researchers from divulging flaws in digital code. The suit follows earlier complaints that the EFF has filed with the US copyright office over remixing videos and music, breaking the copy protection on older video games so they can continue to be played, and jailbreaking cellphones to run alternative OSs. -- EFF

Please share your thoughts about this lawsuit.
 
Before you know it Windows Server 2016 will be upon us, and here is some very practical information on setting it up in the Azure cloud. The authors recommend that you should know your way around PowerShell along with setting up a resource group, a storage account and your vNetwork before you get too involved. – TOM’S ITPRO
 
Do you have plans to upgrade your existing servers to 2016 this year?
 

The CSO of consulting firm Zuora shares his tips about six ways to build a solid security team for your organization. Included are understanding your overall strategy, defining key functional areas such as infrastructure and individual product security, and managing an overall security roadmap (an example illustrated above). -- SECURITYCURRENT
 
Self Serving Dep't

My latest blog post is on the need for more cybersecurity games and a review of existing games (like Watchdogs, above). The idea is that we have to use video games to heighten some new interest in the field, and to start with young children. By grabbing kids’ attention and building a solid foundation of skills and infosec knowledge, these kinds of games could help motivate a passion towards finding a career in cybersecurity later in life. – WEB INFORMANT
 

The Endpoint Security Survival Guide is a pretty basic manual (and somewhat self-serving) that covers implementation of six security controls to create a solid protection foundation. The six areas include endpoint discovery, vulnerability management, and log management, and the guide contains tips such as establishing a network baseline scan to use as a starting point. There are lots of links to free tools and other white papers to learn more. -- TRIPWIRE
 
 
Noteworthy webinar
 
Last week’s conference at MIT’s Media Lab called Forbidden Research has been recorded. And all nine hours’ worth are on YouTube here. The first hour or so features Ed Snowden (via video from Moscow) and Andrew Huang (better known as “bunnie”) talking about a new research project to determine if your various cellular radios are really off despite what the phone’s indicators say is happening. The goal is to develop a separate execution environment that can’t easily be circumvented by bad actors, using open source tools and using a piece of hardware that connects to the SIM card slot of the phone. This isn’t a new problem, as a 2013 article on hacking the phone’s airplane mode indicator states. As Snowden says, “Our technology is beginning to betray us, and one well-placed journalist can make a difference in the outcome of a war.” – MIT MEDIA LAB
 
Do you have any policies for international travelers you would care to share?
 
Just for fun
 

If you ever needed evidence that Google’s public DNS servers are useful, check out the above photo from Turkey, showing that the next revolution is happening online. The Turkish government tried to block its 33 million Internet users by taking down their own DNS servers, but protestors put up graffiti of the IP addresses of the servers on various buildings. One Turkish blogger wrote: "Everybody is teaching each other how to change their DNS, how to use VPNs and clearly they're catching on quickly, since so many people are still tweeting!" – MIC.COM
 
You would think a mass appeal to collect fans’ Twitter passwords would fail, but then you probably aren’t a teenaged fan of Jack Johnson. The teen heartthrob has been running a campaign with the hashtag #HackedbyJohnson: the trick is getting his attention and he’ll then post something on your account such as a short Vine video or something else that references you. It is the ultimate next step for the selfie generation. – NEW YORK TIMES
 
Speaking of passwords, this book, the Encrypted Pocketbook of Passwords, seems sincere but bizarre. Tired of trying to remember all your passwords? Then why not write them down in some sort of code “that only you would remember. Store hundreds of separate account, username and password details, using one or more secret keys to help keep the password information secure, even if the book itself is accessed or stolen.” Uh, right. The author of Cybersecurity for Beginners is director of a security consulting firm.
 
Want to take a high-res look around the Apollo 11 command module? Now you can, thanks to an annotated 360-degree view. Be patient as there are a lot of bits to download to your browser.  -- SMITHSONIAN
 
Copyright © 2016 Inside, All rights reserved.