PolitiHack, Or How I Learned to Stop Worrying About Russians Influencing the US Election and Learned to Love Cybersecurity
December 23, 2016 at 4:12 pm | Posted in cybersecurity, Knowledge | 2 Comments
Tags: attacker, casp, ceh, cfr, CISSP, cozy bear, cybersecurity, DNC, fancy bear, fbi, GSEC, guccifer 2.0, Hackers, Russia, Security+
Hacktivism and cyberespionage are certainly nothing new, especially emanating from Russia. But the 2016 US presidential election was a swift education for Americans and the watching world regarding the widespread consequences of a successful APT (advanced persistent threat). A joint statement issued by the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security stated that the “U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations” (emphasis ours).
Thanks to the detailed reporting from the New York Times, the fog of war is beginning to lift and the full extent of the cyberattack has come into view. And what is increasingly apparent is that at every stage, cybersecurity training could have significantly mitigated or (perhaps) even prevented portions of the attack altogether.
Enter the low-rung MIS contractor hired by the DNC — Yared Tamene. He claims no cybersecurity expertise, much less any cybersecurity-related certification like GSEC, CASP, CISSP, CEH or CFR. So it’s hardly appropriate to assign him the brunt of the blame. Instead, we should use his example to learn how cybersecurity knowledge and skills could have better informed the fateful decisions that he, and many others, made along the way.
In the fall of 2015, the FBI noticed some unusual outgoing network traffic from the DNC network, suggesting that at least one computer was compromised. The early forensics linked the compromise to a known Russian cyberespionage group going by the moniker “the Dukes” (AKA “Cozy Bear” and “APT29”), which had, in just the last few years, penetrated the White House, State Department and Joint Chiefs of Staff email systems. A special agent picked up the phone, called Tamene, and told him what they knew.
Before we even get to Tamene’s response, any trained cybersecurity first responder knows why the FBI called via phone rather than emailing their dire message. Communication during a security incident should be out-of-band, meaning outside of the primary communication channels (primarily the possibly compromised network, where the attacker could be reading the very email that warns about them). Ironically, Tamene was convinced that the FBI call was a hoax, and after repeated calls over the next few months, he ignored the urgency. In November, the FBI even confirmed with Tamene that known malware was routing data to servers located in Moscow.
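The “unusual outgoing network traffic” that tipped off the FBI is something a network's own defenders can look for. As an added example that is not from the original post, the following code reads a constructed connection log and flags hosts that contact an external address at timer-like intervals while moving a meaningful amount of data outbound; the host names, addresses, internal ranges and thresholds are all assumed for illustration.

```python
"""Added example (not from the original post): flagging beacon-like
outbound traffic in a constructed connection log. All values are assumed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Assumed internal address ranges of the organisation being monitored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log: timestamp, source host, destination IP, bytes out.
SAMPLE_LOG = """\
2015-09-14T02:00:05 WORKSTATION-17 203.0.113.45 51200
2015-09-14T02:10:04 WORKSTATION-17 203.0.113.45 49800
2015-09-14T02:20:06 WORKSTATION-17 203.0.113.45 52100
2015-09-14T02:30:05 WORKSTATION-17 203.0.113.45 50400
2015-09-14T02:40:05 WORKSTATION-17 203.0.113.45 51000
2015-09-14T02:03:11 MAILSERVER-1 198.51.100.20 1200
2015-09-14T09:15:00 WORKSTATION-04 198.51.100.20 800
2015-09-14T09:17:30 WORKSTATION-04 10.0.0.7 200000
"""

def parse_log(text):
    """Yield (time, src, dst, bytes_out) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def find_beacons(text, min_conns=4, max_jitter_s=30.0, min_bytes=100_000):
    """Return {(src, dst): total_bytes} for external flows that repeat at
    nearly regular intervals and move at least min_bytes out. The thresholds
    are assumed starting points, not values tuned for any real network."""
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue  # internal traffic is out of scope for egress review
        flows[(src, dst)].append((ts, nbytes))
    suspicious = {}
    for key, events in flows.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        total = sum(n for _, n in events)
        # Low spread between gaps means a timer, not a person, drives the traffic.
        if pstdev(gaps) <= max_jitter_s and total >= min_bytes:
            suspicious[key] = total
    return suspicious
```

On the constructed log only the workstation talking to 203.0.113.45 every ten minutes is flagged; a single large transfer to an internal host is ignored, which is the tradeoff an egress-only review makes.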
Tags: black hat, cfr, cfr-210, cyber, cybersec, cybersec first responder, cybersecurity, first responder, hacker, lo, Logical Operations, white hat
Who says there’s no news in December? In cybersecurity, it’s never a question of if, but a question of when a breach will occur. So rather than wait for the new year, we thought we’d get the jump on 2017 and together with Logical Operations, release the Cybersec First Responder (CFR-210) practice test today.
What exactly is the CFR certification all about? Well, CFR-210 showcases your ability to quickly detect and respond to active cyber threats. It’s not just about detailed knowledge of the analysis techniques and tools, but how to identify and respond, in real time, to the broad array of security threats affecting organizations worldwide.
So, white hats, rejoice and black hats, you’re on notice. There are some new sheriffs rolling into town with some serious skills — and they’re not afraid to use them!
Here’s the press release for your reading pleasure.
Tags: cybersecurity, gangsters, Security+
I always feel that somebody’s watching me (and I have no privacy)
The news has been pretty scary lately. Renegade hackers have been attacking companies left and right. If, like me, you assumed these hackers were a bunch of very intelligent teenagers with a lot of time on their hands, then you, like me, would be wrong. Much more sinister forces were, and still are, at work.
Take Hyundai Capital Service, for example. The company faced being extorted by hackers who wanted money and threatened they would release confidential information. Luckily, the police made arrests. Since then, the CEO of Hyundai Capital Services, Ted Chung, has changed the way things work. He now sees the IT department as central to everything the company does. He learned about the company’s network architecture, its security infrastructure, and the tradeoffs between data protection and customer satisfaction.
Over a decade ago, documentary film maker Michael Moore created a show named “TV Nation.” On one episode he challenged the CEOs of various companies to use their own company’s product. It was shown that very few of the CEOs could actually use their own products. It’s a rule that executives of large corporations are charged with creating value for their stockholders. But I wonder – how many CEOs take an interest in the security of their information like Ted Chung does? How many CEOs can and would “use their own products,” so to speak?
In your typical mob movie, business owners pay gangsters “protection” money so that employees can keep their jobs, and concerns about safety are addressed by locking your doors when the sun sets. In our corporations, we don’t have guys with oily hair and pin-striped suits pointing Thompson machine guns; we have hackers from any corner of the globe looking for quick cash. Unlike paying off the mob, when the hackers are successful it may mean many people lose their jobs and locking your front door isn’t going to protect your personal information from getting into the wrong hands. Concerns like these are keeping us from widespread adoption of cloud-based services, for one.
Another frightening question: how often has a company been hacked and information stolen when the customer is never informed of the breach? Have you ever gotten a letter from your credit card company telling you that “sometime last year” your account was hacked – but not to worry, because they’ve finally fixed the problem? Privacy is no longer a given in the information age, but I still expect my personal data to be safe. I trust companies with my personal information, my digital information, and my money. I have a reasonable expectation that the harder you make it for me to access my own information (username, password, sitekey, security questions) the safer it should be from theft and hacking.
Recently, a company in Michigan that fell victim to an email message disguised as a legitimate bank notification sued Comerica Bank for the losses. Cyber-thieves took nearly $2 million from the company’s account, although they successfully wired only about half a million to offshore accounts. I am not a big fan of lawyers, but I hope that lawsuits like these will encourage the corporate world to be more proactive in protecting our data and our money.
Companies must invest in security. More importantly, companies must train their employees in security. You may have watched a James Bond movie where the villain has all these high-tech tools to break in. In reality, bad guys still use the simplest ways to steal. Street criminals still prefer the classic “smash and grab” to steal property from cars because it’s effective. Cyber-criminals still use phishing schemes and social engineering to get at your data because it’s easy and effective. And in most of these cases, we as individuals can do a better job of protecting ourselves. What does that software that we downloaded from that funny web site actually do? Is it malware? According to Panda Security, there are 63,000 new malicious programs released per day. My stomach is starting to turn and my palms are beginning to sweat.
However, there is some good news amid all this doom and gloom. Before I finished writing this post, I got an email that says a long lost relative of mine has left me $1 million dollars (U.S.). They misspelled the word “dollars,” but I’m sure it’s legit. Right?
Until next time,