HNNEpisode144

From Paul's Security Weekly

Hack Naked News #144

Recorded October 10, 2017 at G-Unit Studios in Rhode Island!

Episode Audio


Hosts

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
News


    • Providence Hack Con, October 21
    • October is Cybersecurity Awareness Month



    Doug's Stories

    • The White House and Equifax Agree: Social Security Numbers Should Go
    1. Designed in the 1930s
    2. 745 million numbers possible
    3. Lots of excluded blocks
    4. Replacements? Biometrics? Blockchains?

    https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

    • Russian Hackers Stole NSA Data on U.S. Cyber Defense

    http://www.zdnet.com/article/what-role-did-kaspersky-play-in-nsa-data-theft/

    • What is Kaspersky's role in NSA data theft? Here are three likely outcomes
    1. Will Kaspersky survive this?
    2. All U.S. federal government use of Kaspersky products has been ordered stopped.
    3. Evidence?
    4. Russian law allows the government to compel companies to assist in intercepting communications.
    5. Kaspersky's servers are in Russia.
    6. Kaspersky's antivirus detects EternalBlue.
    7. The Russians see the EternalBlue detection on the contractor's home machine and conclude they have found a spy.
    8. Or... Boris and Natasha did it.

    https://www.theguardian.com/technology/2017/oct/06/kaspersky-lab-denies-involvement-russian-hack-nsa-contractor-moscow

    • Kaspersky Lab denies involvement in Russian hack of NSA contractor
    1. Kaspersky Lab denies any involvement
    2. Concedes that its product could in principle be compromised, but says the same is true of every other vendor's.
    3. Boris and Natasha

    http://resources.infosecinstitute.com/duqu-2-0-the-most-sophisticated-malware-ever-seen/

    • Duqu 2.0: The Most Sophisticated Malware Ever Seen

    https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

    • The Duqu 2.0 Technical Paper from Kaspersky.com
    1. Kaspersky itself was breached by Duqu 2.0 back in 2015; the intrusion reportedly began with a spear-phishing email to an employee.

    https://www.helpnetsecurity.com/2017/10/10/formbook-malware/

    • Defense contractors, manufacturers targeted with malware-as-a-service infostealer
    • FormBook is delivered as DOC/XLS email attachments
    1. Also as PDFs
    2. Logs keystrokes
    3. Grabs data from web forms and the clipboard (it is a form-grabber / infostealer)
    4. Sold in multiple plans at every price point ($99 for 3 months); the sellers accept Bitcoin, Perfect Money, and Diners Club

    Expert Commentary

    Meaningful reform coming to credit agencies? Not if history and recent events are any indicator.

    Talk about Equifax’s data breach has been running at a fever pitch ever since it was announced. The chatter has been all over the news, social media, blogs, congressional hearings, and whatever other format you can think of. 145 million people have had their information copied off by someone. With all the outrage, you might think that this will lead to meaningful changes in the credit reporting industry. (An industry of three companies, basically.) To be honest, I doubt anything useful will come out of it.

    First off, history is against this occurring. There appears to be a pattern in response to data breaches. They’ve played out the same way each time a shocking security incident occurs. The company announces they had a breach (usually grudgingly), the people and the news media get really angry, members of congress make ominous statements and then call executives to hearings. The legislators ask them lots of hostile questions, call into question everyone’s morals and the company shows remorse and says what they are doing in response. A few people get fired, the victims get free credit monitoring for a year and everyone moves on.

    LexisNexis was the subject of this cycle back in 2005 when 310,000 consumers’ information was compromised, and now Equifax is the target with 145,000,000 consumers being impacted. There certainly have been changes to law in response to the various incidents, but the most significant ones seem to only require companies to disclose that a breach occurred. Businesses adjust, audits are done and the same stuff happens.

    We can already see the credit monitoring industry responding to this. On October 2, TransUnion hired and registered a firm named the GCN Group to be their lobbyists on Capitol Hill to help control any fallout from Equifax’s breach. A quick read of the individuals who were registered shows significant experience in Congress, but none with backgrounds in issues relating to information security. One person’s bio stated that The Hill newspaper noted his ability to “kill legislative threats to his clients”. I suspect TransUnion has a strong preference for keeping laws and regulations as they are and not having Congress rock the boat.

    So will we have anything useful come out of Equifax’s breach? I don’t think so. Expect lots of smoke being blown, legislative maneuvering, and maybe some new rules that will inconvenience the credit bureaus, but not do anything significant.

    Links