Tuesday, September 19, 2017

Incremental wins: iOS11 strengthens the idea of Trust

Two years ago, a friend piqued my curiosity with a question about an iPhone / iPad app teenagers were using to hide content from nosy peers (and parents). This person wondered whether the app was more than "security by obscurity" - did the app actually protect and encrypt the hidden data, or did it merely hide it out of obvious sight?

The answer turned out to be the latter, but along the way I noticed a curious oversight in the iOS security model.

Monday, September 18, 2017

Avast download site compromised to host a malicious CCleaner

If you downloaded "CCleaner" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that the company's software download page was compromised to host a malicious version of CCleaner that contains malware.

Computers that downloaded and ran that software became part of a botnet, a network of computers under the control of whoever is behind that malware.

Those that follow my advice to use the free OpenDNS service for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.

If you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).

I have long recommended automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukrainian software company was hacked to deliver malware to taxpayers in that country, I wrote up an analysis of why I still held that recommendation.

I said then:
In over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.
It is becoming increasingly difficult to maintain that position... I suspect I am up to two hands now, but for the time being, I still find quickly updating is less risky than not patching.

Thursday, September 14, 2017

A change of scenery for this security engineer

If you are looking for a seasoned infosec architect with red team skills, or know someone who is, take a few seconds to read on. I am currently in Austin, Texas, but could be talked into relocating for the right opportunity.

Who am I? An incident responder, a log correlation junkie, a malware analyst, a forensic investigator, a threat intelligence handler (real intelligence, not the threat data often thrown under that label), a network engineer, and a security architect. I break and fix things, so I can stop others from breaking them, or detect them when they do.

Having recently found myself on the wrong side of a "reduction in force," I now have a chance to build security for you.

I'm a dyed-in-the-wool defender. I have some red team skills (and a few CVEs to my credit), but those skills just make me a better defender and detector. My ideal job is building systems and automation to detect and triage incidents, and to find and address risks before they become incidents. It's what I've done for the better part of 20 years.

I've built security from the ground up for a mid-sized company you may not even know works for you. I ran vulnerability scans and assisted SMEs with prioritizing patching versus business priorities, and with coming up with mitigating options when patching was not immediately advisable. I built the company’s incident response program, then drilled it with a simulated data breach. I designed a log management strategy, enriched logs with open-source and company-specific context, and built a SIEM with open-source software to correlate events and highlight potential incidents.

Prior to that, I spent 20 years with a Fortune 50 enterprise. The early years were Windows and *nix system administration, along with switch, router and firewall administration, while from 2001 on it was a variety of direct security roles - primarily network defense; intrusion detection, triage and incident handling; risk assessment and threat intelligence.

Friday, September 8, 2017

Equifax breach exposes 143 million to identity fraud

Updated to add a link to Equifax's official incident response website, https://www.equifaxsecurity2017.com/ . Fake sites and phishing emails from criminals attempting to deceive and defraud worried consumers are already appearing. Also updated to add a comment about identity theft potentially leading to tax fraud.

This breach is likely to be in the news for a while, and the effects will linger long after the media moves on.

Between mid-May and the end of July 2017, criminals accessed sensitive information on a website owned by financial credit reporting bureau Equifax. According to the company, personal information for approximately 143 million US consumers was compromised. An undisclosed number of Canadian and UK residents were also affected. This being a credit bureau - a company whose primary business is keeping track of consumers' financial identities - the information stolen was significant: Social Security numbers, birth dates, and addresses. In some cases, driver's licenses, credit card numbers and specific details related to dispute documents were also compromised.

For perspective, 143 million is more or less the same number as every working-age human in the United States.

I do not plan on going into how it happened - Brian Krebs did an excellent job of that. My goal is to provide my readers with advice on what to do now.