Sunday 24 November 2019

Wednesday 9 October 2019

NIST standards

800-30 - Guide for Conducing Risk Assessments

800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

800-39 - Managing Information Security Risk: Organization, Mission, and Information System View

800-53 - Security and Privacy Controls for Information Systems and Organizations

800-154 - Guide to Data-Centric System Threat Modeling

800-115 - Penetration Testing

800-60: Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories

NIST SP 800-53A,Guide for Assessing the Security
Controls in Federal Information Systems

Friday 6 September 2019

NIST 800-82 Industrial Control Systems

NIST 800-82:

NIST Cyber Security Framework

Good 2019 paper on the NIST CSF:

The US identified 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Sunday 9 June 2019

SSL Inspection

The following gives a very good overview of the pros and cons of SSL inspection. Some I hadn't thought about.

Good document from Symantec describing certificate pinning:

Monday 11 February 2019

Russia prepares to disconnect its Internet

In December 2018, Russia passed a law mandating that ISPs must be able to disconnect the Russian Internet space (Runet) from the rest of the Internet, in case of foreign aggression. They also mandated that ISPs forward traffic to the Russia's telecoms watchdog for inspection.

The apparent preparations by countries such as Russia and China for cyberwar are concerning. Russia, China, Iran and North Korea, amongst others, can easily cut themselves from the rest of the global Internet to protect themselves. Western countries, such as the US and UK, are far less able to do this.

Saturday 26 January 2019

Vulnerable Cisco routers

A recent The Register article describes some security flaws in the Cisco RV320 WAN routers.

Recently I've been asked, by customers, about running devices in their network that are now end of life and no longer supported by the vendor. Although these RV320 routers are not obsolete and security patches are therefore available, this is the sort of vulnerability that could cause a major problem if security patches are not available. I would therefore recommend that only vendor supportable infrastructure is deployed in a network, even if the devices only appear to be basic devices, such as a switch.

Wednesday 16 January 2019

Do SIM Swap Attacks make 2FA useless?

Interesting Wired article on SIM swaps. Allegedly, an attacker convinced AT&T to forward a cryptocurrency victim's calls to the attacker's SIM. They're now seeking over $200 million in damaged.

However, my interest in SIM swaps was due to some of the recent discussions about why 2FA using SMS messages is pointless, as a SIM swap attack allows an attacker to circumvent the control. Although this is obviously possible, it still takes considerable effort on the part of the attacker and it's therefore only likely to be used in a targeted attack. For protecting accounts from opportunistic attacks, I think this still remains a very viable option. An authentication app, like Google or Microsoft Authenticator, would obviously be much better.

Sizing a Next-Gen Firewall

Good article by Andres Herrera of Fortinet. Applies to all vendors.

Friday 11 January 2019

Simple 2FA may have prevented theft of 1.5 million Singapore patient records

Full report is here:

Boston Children's Hospital DDoS attacker gets 10 years in jail

The Anonymous culprit who performed a DDoS attack against the Boston Children's Hospital in 2014 gets 10 years in jail. I remember this attack as it was one of the examples in my MSc. dissertation.

Particularly like the fact that he tried to flee the US in a small boat, but was returned to the US when he was rescued by a Disney cruise ship off the coast of Cuba.

Wednesday 9 January 2019

Email security SPF, DKIM and DMARC

I was looking for a description DKIM and DMARC, came across the following blog post by Liquid Galaxy.

Directly from the article:

SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be considered allowed to send mail for a specific domain. Incidentally the fact that SPF is a DNS entry can also considered a way to enforce the fact that the list is authoritative for the domain, since the owners/administrators are the only people allowed to add/change that main domain zone.

DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages’ content are trustworthy, meaning that they weren’t changed from the moment the message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.

DMARC (Domain-based Message Authentication, Reporting and Conformance) empowers SPF and DKIM by stating a clear policy which should be used about both the aforementioned tools and allows to set an address which can be used to send reports about the mail messages statistics gathered by receivers against the specific domain [1].

Saturday 5 January 2019

Marriott leaks 5.25 million passport numbers

The latest information from Marriott breach is that 5.25 million passport numbers were lost in their recent hack.

The Cathay Pacific hack recently affected 9.4 million customers, including passport numbers.

These are indeed worrying times. I understand that passport numbers are an extremely hot target and so hard to obtain that they're not even available on the dark web.

Companies are not adequately securing this information and customers have no choice but to provide these details to use everyday services. I wrote in an earlier blog post about my reticence to provide the TV licensing agency with my details in future. The problem is, once these details about someone have leaked, they're impossible to get back. I suspect most people would be shocked if they realised just how much personal information about them has already been stolen and probably available on the dark web.

Unfortunately, my prediction is that medical records will be one of the next pieces of sensitive data to be hacked en masse.

Friday 4 January 2019

UPDATE! TV Licensing agency - Lack of security?

Noticed the following story on the BBC website about 5,000+ complaints to Action Fraud about this scam. However, still nobody putting two and two together that TV licensing are probably leaking these email addresses in the first place.

I recently provided my new address details to the UK's TV licensing agency website . I don't actually need a TV licence, as I only watch some on-demand programmes from Netflix that make me exempt from needing one, so I dutifully made them aware. However, the following day, and every few days after that, I received a phishing email from ''TV licensing''.

Now, it is possible that these two events were completely unconnected, but I think the chances are very to extremely low. My guess is that cyber intruders have installed malware inside the TV licensing network and are siphoning customer details in near real time.

Being a good Internet citizen, I raised a ticket to make them aware. About a week later I had a standard response, saying they knew about these phishing emails and to just delete them. I responded to them again, making them aware I work in the information security business and providing further detail on my suspicions. I even offered to speak to their information security analyst. A few days later, I had a further email from them, telling me to delete the phishing emails, as it was nothing to do with them and effectively telling me I was stupid.

After doing a bit of digging, guess how surprised I was to find they'd already had security issues towards the end of 2018:

Until companies take cybersecurity a bit more seriously, it's the consumers and customers that are at risk. Denying that it is anything to do with them (TV licensing), they're just innocent victims as well, doesn't cut it. I won't make TV licensing aware next time that I don't need a licence from them, as I don't trust that they can keep my details safe. If I needed one, then I'd have no choice but to sign up and put my details at risk of compromise. Companies need to take cybersecurity more seriously, rethink how they respond to reported security incidents and make sure that there are proper reporting mechanism in place. If I see that they report a breach in the future, I'll be sending my emails to the Information Commissioner's Office to prove that they were made aware. It's sad, but fines and bad publicity seem to be the only way to get these companies to take security more seriously.

Thursday 3 January 2019

First Round of MITRE ATT&CK Vendor Evaluations

MITRE have been doing some interesting work with a number of vendors to evaluate capabilities for detecting and protecting against known, real-world adversarial techniques.

The initial evaluations are for the APT3 / GOTHIC PANDA threat actor. The seven vendors include Carbon Black, Cylance, RSA and Sentinel One.