New Yorker Article on Digital Vigilantes

If you are interested in cybersecurity, there is an article I found well worth reading (or at least skimming) in the New Yorker – The Digital Vigilantes Who Hack Back. It seemed like something I’d be more likely to find in Wired than The New Yorker, but I’ll take stories like this where I can find them.

The article talks about some of the techniques and issues involved in moving beyond a proactive cyber defence.

With tools like Canary and techniques for creating homegrown honeypots becoming more prevalent, it’s good to see (what I saw as) a well thought out article discussing some of the technical and legislative issues in layman’s terms.



Symantec Security Report

About a month ago, I wrote a post about a new Cisco security report that completely missed the concept of cryptocurrency mining and its impact on home and server devices.

I just had a chance to look at Symantec’s annual security center report, and it went overboard the other way, quoting statistics like an increase in coinmining of 8,500% — using the law of small numbers to generate headlines, since coinmining was in its infancy a year ago.

Other than that little bit of histrionics, the report did a more effective job of covering the concerns I’ve seen over the last year: significantly more software supply chain attacks and mobile malware incidents (up 54% by their numbers).

I thought the report well worth reviewing.

Facebook and intrusion creep

I was in a conversation with some folks the other day about Facebook and the current ‘torch wielding mob’ concerned about privacy and organizations capitalizing on ‘their’ information. We came to rest on the perspective: “What did these people think was going to happen when they shared all kinds of private information publicly?” Now ensconced in our righteous indignation and firm in the knowledge that we were OK, we moved on to other topics.

This morning I opened up Facebook and looked at the app settings. I was surprised to see that there were probably 50 apps (mainly encroaching from my mobile phone) that had various levels of access. I quickly pruned this list down to only those I was actually using. This surprised me a bit, since I had uninstalled Facebook from my phone long ago and use it so rarely on my PC that I don’t have the password at my fingertips. The gradual erosion of our personal security fortress can happen to anyone who is not diligent. I should have known better, since I wrote a piece about and how that site tried to raise security awareness back near the turn of the century.

I now need to go to all the other environments where I use OAuth (the mechanism typically used when logging into one system to grant authorization on another website without giving it a specific password). That list can be quite long for those who are active on the Internet, including Amazon, Google, Facebook, Microsoft and Twitter.

Another concept we discussed was how some portion of the next generation typically rejects the ideas of the previous generation. Since many Millennials are so open about their personal lives, will the next generation hold their connections and actions closer to the chest? Or has the domination of convenience over privacy/security gone so far that confidentiality is no longer part of our contextual understanding? The business models of some of these companies are betting on the latter.

Was something missing from the Cisco Annual Cybersecurity Report?

According to Cisco’s 2018 Annual Cybersecurity Report:

  • “Burst attacks”, or short DDoS attacks, affect 42% of the organizations studied
  • Insider threats are still a huge issue
  • More Operational Technology and IoT attacks are coming
  • Hosting in the cloud brings greater security as a side benefit
  • Nearly half of security risks come from having multivendor environments
  • New domains are tied to SPAM campaigns

Many of these findings seem like common sense, or in some ways in Cisco’s interest, at first glance, but this 60+ page report goes into much greater detail than these one-liners. It breaks down the analysis by region and time and concludes the following about the difficulties of cyber defense:

“One reason defenders struggle to rise above the chaos of war with attackers, and truly see and understand what’s happening in the threat landscape, is the sheer volume of potentially malicious traffic they face. Our research shows that the volume of total events seen by Cisco cloud-based endpoint security products increased fourfold from January 2016 through October 2017.”

The breadth and volume of attacks can overwhelm any organization, and it is not a case of ‘if’ but ‘when’.

One thing I didn’t see mentioned at all was cryptojacking, the unapproved use of processing cycles for mining cryptocurrency. This form of cybersecurity risk affects large entities as well as individuals, through the websites they visit. Generally, this is less destructive than earlier cyber attack methods and may even be seen as an alternative to advertisements on sites, but it seemed odd to me that this rapidly advancing trend wasn’t mentioned.

The report is still worth looking over.

NIST standards draft for IoT Security

The draft version of NIST’s “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)” was released this week and is targeted at helping policymakers, managers and standards organizations develop and standardize IoT components, systems and services.

The abstract of this 187-page document states: “On April 25, 2017, the IICS WG established an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT. This Report is intended for use by the IICS WG member agencies to assist them in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT. Other organizations may also find this useful in their planning.”

The main portion of the document is in the first 55 pages, with a much larger set of annex sections covering definitions, a maturity model, standards mappings… that will likely be of great interest to those strategizing on IoT.

The document is a great starting point for organizations wanting an independent injection of IoT security perspectives, concerns and approaches. My concern, though, is the static nature of a document like this. Clearly, this information technology area is undergoing constant change, and this document will likely seem quaint to some very quickly but be referenced by others for a long time in the future. A wiki version might make this more of a useful, living document.

Comments on the draft are due by April 18. Reviewers are encouraged to use the comment template, and NIST will post comments online as they are received.

AWS Redshift and analytics?

Recently, I had the opportunity to test out Amazon Redshift. This is a fast, flexible, fully managed, petabyte-scale data warehouse solution that makes it simple to cost-effectively analyze data using your existing business intelligence tools. It’s been around for a while and has matured significantly over the years.

In my case, I brought up numerous configurations of multi-node clusters in a few minutes, loaded up a fairly large amount of data, did some analytics and brought the whole environment down – at a cost of less than a dollar for the short time I needed it.

There are some great tutorials available, and since Amazon will give you an experimentation account to get your feet wet, you should be able to prove out the capabilities for yourself without it costing you anything.

The security of the data is paramount to the service, since it is available in public AWS as well as GovCloud and can be configured to be HIPAA or ITAR compliant… Data can be compressed and encrypted before it ever makes it to AWS S3.

You can use the analytic tools provided by Amazon, or use security groups to access your data warehouse with the same tools you would use on-site. During my testing, I loaded up both a large star schema database and some more traditional normalized structures.

Since this is only a blog post, I can’t really go into much detail, and the tutorials/videos are sufficient to bootstrap the learning process. The purpose of this post is to inform those who have data warehouse needs but not the available infrastructure that there is an alternative worth investigating.

Got the VPN working in my new house

Now that I’ve moved into my new house, I wanted to get a VPN working on the Raspberry Pi. Having a VPN will allow me to log into my home network securely, no matter where I am. Just thought I’d document the process I used, in case it is useful to anyone else.

The process is straightforward.

  1. First, I wrote down the address of my router and assigned my Raspberry Pi a fixed IP address on my LAN.
  2. Next, I got an account with a Dynamic DNS provider. This is not necessary, but it does make the VPN more useful if your ISP ever changes your IP address. I used to use DuckDNS, but found out that my router had an interface to noIP in its security settings, so I used noIP. I defined my address information on the Dynamic DNS system. Now whenever the router sees that the address has changed, it should update the domain I have defined, and I can just use that name to reach the VPN server.
  3. I installed Raspbian on my Raspberry Pi and then used the pivpn installer to set it up:
    curl -L | bash
  4. This process is well documented on the pivpn site. Once that was completed, I made sure the Pi was up to date by refreshing the package index and upgrading:
    sudo apt-get update && sudo apt-get upgrade
  5. Next you need to go into your router and define the dynamic DNS information, as well as the port forwarding to your Raspberry Pi.
  6. Now you can use the pivpn -a command on the Raspberry Pi to create a new certificate for each device that will use the VPN.
  7. Then I installed OpenVPN on the devices (Android, Windows, Linux…) and provided them with the profile file created in step 6.

That’s a very high-level overview of the process. The VPN allows me to see the screen, access files… just like the device was on my home network, when I am away.
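Before copying the per-device profile from step 6 onto a phone or laptop, it is worth checking that it actually points at your own Dynamic DNS name and forwarded port and carries the protections that make exposing a port to the Internet tolerable. The script below is an added example, not part of the original post or of the pivpn project; the hostname myhouse.ddns.example, port 1194 and the profile contents are constructed placeholders standing in for a real generated .ovpn file.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN client
# profile (.ovpn with inline <ca>/<cert>/<key> blocks) before handing it to a device.

# check_ovpn_profile FILE EXPECTED_HOST EXPECTED_PORT
# Prints each failed check; returns the number of failures (0 = profile looks sane).
check_ovpn_profile() {
    file=$1; host=$2; port=$3; fails=0

    # Exactly one server, and it must be our DDNS name on the port we forwarded.
    remotes=$(grep -cE '^remote[[:space:]]' "$file" || true)
    if [ "$remotes" -ne 1 ]; then
        echo "FAIL: expected exactly one 'remote' line, found $remotes"; fails=$((fails+1))
    elif ! grep -qE "^remote[[:space:]]+$host[[:space:]]+$port([[:space:]]|\$)" "$file"; then
        echo "FAIL: 'remote' does not point at $host $port"; fails=$((fails+1))
    fi

    # Without this the client accepts any certificate signed by the CA, including
    # another client's, so one stolen device profile could impersonate the server.
    grep -qE '^remote-cert-tls[[:space:]]+server' "$file" \
        || { echo "FAIL: missing 'remote-cert-tls server'"; fails=$((fails+1)); }

    # Per-device credentials: CA, this device's certificate and its private key.
    for block in ca cert key; do
        if ! grep -q "^<$block>" "$file" || ! grep -q "^</$block>" "$file"; then
            echo "FAIL: missing inline <$block> block"; fails=$((fails+1))
        fi
    done

    # An HMAC on the control channel (tls-auth or tls-crypt) discards packets that
    # lack the shared key before the TLS handshake even starts.
    if ! grep -qE '^<(tls-auth|tls-crypt)>' "$file" \
       && ! grep -qE '^(tls-auth|tls-crypt)[[:space:]]' "$file"; then
        echo "FAIL: no tls-auth/tls-crypt key in profile"; fails=$((fails+1))
    fi

    # The profile embeds a private key; it should not be world-readable.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null || echo unknown)
    case $perms in
        600|400) ;;
        *) echo "WARN: $file is mode $perms; consider chmod 600" ;;
    esac

    return $fails
}

# Constructed sample profile (placeholder hostname, placeholder key material).
GOOD_PROFILE=$(mktemp)
BAD_PROFILE=$(mktemp)
trap 'rm -f "$GOOD_PROFILE" "$BAD_PROFILE"' EXIT
cat > "$GOOD_PROFILE" <<'EOF'
client
dev tun
proto udp
remote myhouse.ddns.example 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
auth-nocache
key-direction 1
<ca>
CONSTRUCTED-CA-CERT-PLACEHOLDER
</ca>
<cert>
CONSTRUCTED-CLIENT-CERT-PLACEHOLDER
</cert>
<key>
CONSTRUCTED-CLIENT-KEY-PLACEHOLDER
</key>
<tls-auth>
CONSTRUCTED-TA-KEY-PLACEHOLDER
</tls-auth>
EOF
chmod 600 "$GOOD_PROFILE"

# Same profile with the server-certificate check stripped, to show the failure path.
grep -v '^remote-cert-tls' "$GOOD_PROFILE" > "$BAD_PROFILE"
chmod 600 "$BAD_PROFILE"

check_ovpn_profile "$GOOD_PROFILE" myhouse.ddns.example 1194 && echo "OK: $GOOD_PROFILE passes"
check_ovpn_profile "$BAD_PROFILE" myhouse.ddns.example 1194 || echo "$BAD_PROFILE failed $? check(s)"
```

Run it against a real profile with `check_ovpn_profile /path/to/device.ovpn your.ddns.name 1194`; a non-zero exit with the printed reasons means the file should not go onto the device until the server configuration (and the profile regenerated with pivpn -a) is fixed.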