HNNEpisode147

From Paul's Security Weekly

Hack Naked News #147

Recorded October 31, 2017 at G-Unit Studios in Rhode Island!

Hosts

  • Michael Santarcangelo
    Founder of Security Catalyst, author of Into the Breach, and creator of the Straight Talk Framework.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.
Announcements

    • Signal Sciences webcast. Zane Lackey of Signal Sciences joins us for this web app security-based webcast! Zane will share practical lessons learned during his tenure at Etsy on the most effective application security techniques. This webcast is being held this Thursday, November 2, 2017 from 3-4pm EDT. Visit securityweekly.com/signalsciences to register today.
    • Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.

    News

    Kaspersky head says hack claims hurting US cybersecurity sales

    http://thehill.com/policy/cybersecurity/357587-kaspersky-head-says-hack-claims-hurting-us-cybersecurity-sales

    • Note the importance of government actions (purchases, signals)
    • Potential here for a company caught in political crossfire
    • Bold action: open the source code to independent review

    McAfee stops allowing governments to review source code

    http://thehill.com/policy/cybersecurity/357333-mcafee-stops-allowing-foreign-source-code-reviews

    • Some companies reported as allowing Russian review of source code (McAfee, IBM, HPE Arcsight)
    • While the reviews have a practical aspect, they could also be used to identify new attack methods
    • Bold move by McAfee and/or an attempt to avoid the scrutiny HPE is under?

    AIG to include cyber coverage to commercial casualty insurance

    http://www.reuters.com/article/us-aig-cyber/aig-to-include-cyber-coverage-to-commercial-casualty-insurance-idUSKBN1CV2XE

    • This is the key: cyber is a peril. That means it’s just another vector and needs to be considered.
    • Are you part of the conversation?
    • It’s a notable evolution for the insurance marketplace

    Cybersecurity Expert Calls for Creation of ‘Cyber Peace Corps’

    http://www.govtech.com/civic/Whats-New-In-Civic-Tech-Cybersecurity-Expert-Calls-for-Creation-of-Cyber-Peace-Corps.html

    • Peace Corps with a cybersecurity ‘imperative’?
    • Serve the greater good, learn a skill, solve the shortage?
    • Does this change how the world views and handles cybersecurity?

    ARM unveils its Platform Security Architecture

    http://www.newelectronics.co.uk/electronics-news/arm-unveils-its-platform-security-architecture/162933/

    • Common framework to build secure devices
    • Includes threat models with analysis, hardware and firmware specs, approaches, etc.
    • What about adoption?

    Basetools Extortion: Underground Hacker Forum Hacked, Data Held For Ransom

    http://www.ibtimes.com/basetools-extortion-underground-hacker-forum-hacked-data-held-ransom-2607198

    • Underground hacking forum hacked, people threatened with report to government unless they pay $50k
    • Also seems to have personal motivation
    • What about the tools and their release?

    Expert Commentary: Department of Justice Continues to Fight Against Strong Encryption

    The Department of Justice is continuing its PR battle over the use of strong encryption. Their position is that strong encryption makes it much more difficult to investigate crimes because, even with a warrant, encryption locks everyone but the end user out of the data. Therefore, more bad guys are getting away with their crimes. Law enforcement’s mission is to investigate crimes, gather evidence, arrest suspects and present their findings to prosecutors to lock away the criminals. Anything that significantly hinders that mission is a problem with serious impacts on society. Their solution is that a master key must be created/provided to unlock all encryption once a warrant has been obtained. However, this idea has significant problems associated with it that also have serious impacts on society.

    The rationale behind this argument is understandable, but their solution frankly stinks. Let’s look at mobile devices, for instance. This is probably one of the major areas that law enforcement wants addressed. Everyone carries their phone with them constantly and people are constantly recording their activity on them, even moments that they probably shouldn’t. There is a high likelihood that evidence could be available on these devices. But the BBC News reported last week that the FBI was unable to unlock about 7,000 mobile devices over an 11 month period. Ouch! So they appear to see an engineering solution to this problem. “You guys built cryptography. Just build new cryptography that allows us to get in later. It can’t be that hard.”

    Perhaps this could be done, but what could happen if laws were passed that required manufacturers to build in master keys to unlock devices? First, anyone who has worked with encryption in any kind of rigorous manner can tell you key management is hard. How do you store the keys? Who has access to them? How do you prevent unauthorized use or disclosure? Can the federal government be trusted to do this well? A quick look at Shadow Brokers and WikiLeaks tells me no, they cannot, and that I don’t think anyone can. Not at this scale. Even if manufacturers held the keys in escrow, the same problems exist but are just spread out a little more. These keys would become a prime target for countries to gain access to for surveillance. Countries like China, who are actively monitoring their population, would demand access to these keys and manufacturers would be hard pressed not to turn them over. “You gave them to the USA. Now give them to us.”

    I get law enforcement’s desire to be able to unlock encrypted communications and data on devices, but their solution is not realistic. “Master keys” would be targeted and compromised. And once out of the bottle, it would be nearly impossible to lock it back down. Their solution for this type of weak encryption would almost certainly result in more surveillance and more data theft. They would enable a new level of criminal activity, put more people and organizations at risk, and do so by ignoring the expertise of people who actually know what encryption takes to make it effective. My opinion is that they create more problems than they solve.

    Links