Inside | Real news, curated by real humans
Inside Security

Inside Security (Sep 12th, 2016)

David’s Take

We all remember where we were and what we were doing 15 years ago. (This last link goes to an interesting story in Politico.) I was living in the suburbs of NYC and saw the attack from afar, and lost two people that I knew personally. One of the reasons I work in infosec is to hopefully not see that again. So this week take a few moments to remember the events of 2001 and those that you knew – and didn’t – who left us that day. Here is a wonderful series of annual posts since 2001 from a great colleague and veteran New Yorker Tristan Louis.
We’ve added a few new features to our newsletter; let us know what you think.

-- David Strom, editor of Inside Security
Top story
Two posts by Brian Krebs track the downfall of an Israel criminal pair who have owned the attack service vDOS. They, along with several American-based hackers, allegedly run this service that has coordinated more than 150,000 DDoS attacks. Last week the Israelis arrested the pair, after information about their criminal customers was hacked and released. The pair weren’t very careful about covering their tracks, even publishing a paper describing their activities (mostly in Hebrew) here. The duo also made use of DDoS protective service CloudFlare to hide behind, and the company released access logs of their victims.  – KREBS ON SECURITY
M and A
Intel bought McAfee for $7.7 billion in 2011 as one of the chip giant’s diversification efforts. At that time, it paid a 60% premium for the security company. Last week they announced they would spin off McAfee as a separate company, which will be worth about 40% of what they originally paid, when the deal closes next year. Chris Young will be its new CEO and is the current head of the Intel Security division. – NETWORK WORLD

Iovation, a provider of authentication devices, last week announced the acquisition of multifactor authentication company LaunchKey.  The two companies had been working together to produce an interactive multi-factor tool that was also announced last week.  The new tool supports a variety of authentication methods, including fingerprint verification, PIN codes, Bluetooth device proximity, and many others.– YAHOO FINANCE
IT Manager of the week
We introduce a new feature in our newsletter, highlighting an IT Manager or security professional. This week we look at what happens when you take a page from the US Secret Service playbook in how you run your IT security department. I interview Nathaniel Gleicher, who is trained as a computer scientist and a lawyer, and currently is the Head of Cybersecurity Strategy at Illumio, a security vendor. He spoke to me about how to get visibility inside the data center and cloud and then be able to truly lock the doors from the inside. -- STROM BLOG 
Methods and tools
There has been another legal move in a case that goes back to 2013, when the FBI placed its own malware – what it calls a network investigative technique – on suspects’ PCs to help track down child pornographers. This time, the ACLU is trying to get the Feds to open up and provide more details about where and how this malware was deposited. An article published earlier this year on Ars has more details of similar cases involving the FBI’s tactics. The legal issue turns on the due process rights of the defendants.  – THE HILL

We all know that most browsers notify you somehow when they have made a secure connection to a website. But Google is taking things a step further. Starting in January, they will notify you when you are about to transmit a password or credit card information on a non-secure webpage. With v56 of Chrome, they will explicitly say “not secure” in the URL bar. According to Google, more than half of webpages accessed by Chrome browsers are now secured. -- TECHCRUNCH
Threats and attacks
This oddly shaped USB thumb drive will literally fry your PC, sending 220 volts into the USB port many times a second. The company making such a device, USB Kill, claims it is useful for testing power surge attacks. Right. It sells USB Kill for about $50. In the photo you can see a protective shield that can be purchased as a separate $15 option so you can try it out without damaging your PC. -- COMPUTERWORLD

A new Thai-based ATM-based malware sample has been discovered by security researchers. Called Ripper, this could have been what caused the Thai banking exploit earlier last year.  For the first time, it targets multiple ATM manufacturers and is initiated with a special ATM card.   -- FIREEYE BLOG

Your Seagate-based NAS could be hosting malware and spreading it across your network, according to this post. The Monero cryptocurrency mining malware was recently discovered by Sophos researchers. One reason the Seagate NAS is targeted is because it has an open network share that can’t easily be deleted or disabled. Out of more than 200,000 Internet-connected NAS drives, they found the malware on more than 5,000 of them, located all over the world as you can see from this map. -- HELPNET SECURITY

A group of researchers from Ben-Gurion University has hacked the American 911 emergency system and is able to disable it through a simple Telephone Denial of Service exploit. By using a series of infected smartphones, they could compromise the targeted system. They describe how this would work and suggest counter-measures in their paper. --  HACKREAD

It hasn’t been a good week for Android owners, even those that haven’t yet purchased a defective Note 7. As this article summarizes, a series of critical bugs and copious malware apps on the Google Play store haven’t helped matters. Google has fixed one of the bugs and included proof-of-concept exploit code with the disclosure, but not every Android owner will get the update. – ARS TECHNICA

Be careful when you are testing your Halon fire suppression system in your data center, as ING found out last week when they did so in their Bucharest data center. The release of the gas was accompanied with a large “bang” that was louder than 130 decibels. The sound created a huge vibration, which hosed the hard drives in the data center and ironically took the bank offline for half a day. It was like putting a storage system next to a running jet engine. This effect has been known for years, but is worth reading this Siemens analysis from last year for details.  -- MOTHERBOARD 
 Self-serving dep’t

This site contains some solid educational information about passive DNS and how it can be helpful for analyzing spam and malware.  You can use their tool to investigate domains or IP addresses for free, and join their community to add your own research to their database. The tool is built by RISKIQ, a security management vendor. -- PASSIVETOTAL 
 Reports and evaluations
The recent G20 economic summit held in China had numerous discussions about economic cooperation among the member nations, but one item not on the agenda was how to fight cyber crime. Apart from a brief mention in a meeting between Obama and Putin, it wasn’t addressed at all. This post looks at various nation-on-nation attacks over the recent past and suggest that the world leaders “should also have addressed cybersecurity issues that pose such large and growing economic and strategic threats.”  – DEFENSE ONE

The flight of Ed Snowden from Hong Kong to Russia is mostly well known, and a new Oliver Stone movie will be out this week about the NSA leaker. But what is less well known is how his escape was engineered. In this post, the principals involved in getting him out of Hong Kong were interviewed and tell how he was hidden and transported to different apartments before leaving the country and then having his passport revoked. – NATIONAL POST

One unexpected pairing is the Consumer Product Safety Commission’s DNS resolver and its use in DDoS attacks. This report from security researchers shows how attackers can use the CPSC DNS servers to amplify their activities, since it returns a very large record in response to queries. Researchers have found the CSPC servers present in nearly all of their observed DNS hacks.– CLOUDFLARE BLOG
Noteworthy conferences
OPSWAT is a great resource for security education and their upcoming (and free!) Symposium in Silicon Valley later this month should be on your radar. They will provide updates on their tools such as Metadefender and Metascan along with vendor demos and malware research. – CONFERENCE SITE

Global cybercrime-fighting association APWG.EU is hosting its eCrime 2016 program on October 5-7 in Bratislava, Slovakia, presenting advanced data analysis and data exchange schemes to automate the global response to cybercrime.  – CONFERENCE SITE

The National Initiative for Cybersecurity Education is having their annual conference November 1 in Kansas City. The event features two days’ worth of public/private executives and stakeholders in infosec education, sponsored by the National Institute of Standards and the US Department of Commerce. Keynotes are by the founder of Opportunity@Work, and the president of BAE Systems.  – NICE CONFERENCE SITE

This blog has put together a nice list of noteworthy NYC-based infosec events called Empire Hacking. As they say, “ industry professionals have much to learn from emerging academic innovations and we hope to bring them together.” – TRAIL OF BITS BLOG
Graphs of the week

Ever wondered what it looks like when an entire country goes offline? Here you go. The folks at Cloudflare have tracked the blackout happening in Gabon. Reuters reports political unrest and massive rioting after a contested election. After turning off the Internet for several days, the government has imposed 12-hour Internet curfews each evening, as you can see in the graphic. -- CLOUDFLARE

Here is how fileless ransomware typically works, where malware is embedded into a scripting language or written straight to memory, using Powershell commands. – CROWDSTRIKE BLOG
Noteworthy podcasts and webinars
This 25-minute video shows you how local administrator attacks were used to spread attacks inside a enterprise.  Called pass-the-hash, they explain how it works and how to stop it. The video tutorial is based on their experience of a hundred different white-hat attacks. This is one of a series of other attacks they have produced videos on.  – PRAETORIAN
 Bug Bounties
Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Here is what you need to know before you implement a bounty program, including specific focus, how to work with security researchers, how much to offer as a bounty, whether to emply a third-party bounty management vendor and other elements. -- SEARCHSECURITY

This week Yelp announced its own bug bounty program. Using HackerOne, they will offer up to $15,000 for proven vulnerabilities. This expands a private program they have been running for two years that previously had a top bounty of $2000 and payouts of more than $65,000. The scope of the new program will include Yelp's consumer site, its business owner's site, mobile apps, its reservations site and apps, the firm's public API, support site, and its blogs.  –DARK READING
Just for fun
Love those Apple ads and can speak Russian? Then you might enjoy this post, which talks about a new political campaign ad that spoofs the sparse simplicity of Apple that is running right now in Russia. -- BBC

Here is how the Mozilla community can be a good first step for newbie open source developers. It is more informative than funny, but still interesting to read how this one developer got her way into becoming more influential within one community. – DEV.TO

Inside Security is supported by Varonis, a leading provider of software solutions that protect data from insider threats and cyberattacks. Learn more about Varonis.
Copyright © 2016 Inside, All rights reserved.

You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.

Subscribe to Inside Security