HNNEpisode169

From Paul's Security Weekly

Hack Naked News #169

Recorded April 17, 2018 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Michael Santarcangelo
    Founder of Security Catalyst, author of Into the Breach, and creator of the Straight Talk Framework.
  • Jason Wood
    Security consultant, penetration tester, sysadmin, and Founder of Paladin Security.

Announcements

  • Go to itpro.tv/securityweekly and use the code Secweekly30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription.
  • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
  • Check out SOURCE Boston 2018 from May 9th - 10th! Go to sourceconference.com and register using the code SW75WMKW to get a $75 discount!
  • The webcast with Distil Networks on 9 Ways To Protect Your Business is being held on Wednesday, April 25th. Register now at securityweekly.com/distilnetworks.

News

FTC Says 'Warranty Void If Removed' Stickers Are Bullshit, Warns Manufacturers They're Breaking the Law

https://motherboard.vice.com/en_us/article/ne9qdq/warranty-void-if-removed-stickers-illegal-ftc
https://www.ftc.gov/news-events/press-releases/2018/04/ftc-staff-warns-companies-it-illegal-condition-warranty-coverage

  • “The Federal Trade Commission staff has sent warning letters to six major companies that market and sell automobiles, cellular devices, and video gaming systems in the United States.”
  • Can’t slap “warranty void if removed” stickers on consumer devices that cost more than $15
  • Falls under the Magnuson-Moss Warranty Act (car people tend to know this one)

Apple leak memo leaks, threatening employee termination and arrests

https://venturebeat.com/2018/04/13/apple-leak-memo-leaks-threatening-employee-termination-and-arrests/

  • The leak about the leakers has been leaked — thanks, Monty Python
  • At stake: loss of jobs, arrests or fines, and the challenge of finding future work
  • Apple claims security, but it seems to most like control over the narrative, which drives sales

Businesses are adopting SaaS too fast to properly secure it

https://www.techrepublic.com/article/businesses-are-adopting-saas-too-fast-to-properly-secure-it/

  • 64% claimed the rush to the cloud outpaces their ability to secure it
  • 99% point out the role of SaaS in allowing remote work; 82% admitted going around the company VPN to access SaaS
  • 91% said security policies need to improve
  • Does this signal the rise of shadow IT?

McAfee: 26% of companies have suffered cloud data theft

https://venturebeat.com/2018/04/15/mcafee-26-of-companies-have-suffered-cloud-data-theft/

  • 97% use “cloud services,” and 83% store sensitive data in the cloud
  • Only 69% trust “public cloud” to keep data secure
  • 83% report at least one incident: lack of data visibility, theft, lack of control over access control, and shadow IT (23%)
  • “Cloud first” declined from 82% to 65%
  • 40% are slowing adoption due to the “cyber security skill shortage”

63% of Americans more concerned about cybersecurity than a potential war, survey finds

https://www.beckershospitalreview.com/cybersecurity/63-of-americans-more-concerned-about-cybersecurity-than-a-potential-war-survey-finds.html

  • From the IBM survey: 79% believe businesses focus more on profits than on addressing security
  • 82% are more worried about cybersecurity than 5 years ago
  • 68% worry they’ll be hacked in the next 5 years
  • 67% agreed “the bad guys are winning over the good guys in the cybersecurity war.”

National Guard Using Cybersecurity Skills To Protect Integrity Of Midterm Elections

https://www.npr.org/2018/04/09/600938106/national-guard-using-cybersecurity-skills-to-protect-integrity-of-midterm-electi

  • In response to the attempts on election-related systems in 2016
  • Elections are now part of the US Critical Infrastructure
  • Exciting opportunities for everyone

Expert Commentary

Cybercrime on Facebook? A Few Less Groups Now

My feed of news articles and blog posts is full of Facebook and the impact that it has on data about us. In the midst of all this, I saw an article by Brian Krebs of KrebsOnSecurity about criminal groups using Facebook. Brian documents the results of 2 hours (that’s right, only 2 hours) of searching Facebook for groups that engage in criminal activity. He netted 116 groups with over 300,000 members being part of them.

“Wait,” you might ask. “What kind of criminal activity?” I’m glad you asked. According to his spreadsheet, the groups sold SPAM services, malicious hacking, carding, 419 scams, account takeovers, DDoS, phishing, tax scams, botnets (access and building) and more! The average age of these groups appears to be about 2 years. The oldest group had the name “Botnet & Source Bot & Trojan & Keylogger” and was 9 years old. According to Brian, these groups made no effort to hide from detection by using even simple misspellings or slang. They were open about what was going on. Hence the reason he was able to catch 116 of these groups in only 2 hours of work.

Brian notified Facebook of the groups and received this response. "We thank Mr. Krebs for bringing these groups to our attention, we removed them as soon as we investigated," said Pete Voss, Facebook’s communications director. "We investigated these groups as soon as we were aware of the report, and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins. We encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action."

The meaning I get from this is that Facebook responded once they received the report, but hadn’t been looking for them on their own. While they have “Community Standards”, they don’t appear to work to enforce them systematically. Instead they depend on the users of Facebook to be their detection system.

I think it’s clear to anyone reading the news lately that Facebook is a business and their product is the data that we as the users (and even non-users) provide them. There is limited incentive for them to hunt down groups that violate their community standards, since then the users will stop providing data. There are obviously examples of exceptions to this, but in general they will respond when someone complains. The issue isn’t related just to Facebook, since there are plenty of other companies that make their income with similar services. However, I believe it would be worth some time for companies like Facebook to perform even cursory checks of the activities of groups like this. Brian didn’t work real hard to find the groups he reported. Facebook should be able to make it fairly easy for them to do something similar without depending on their users. Kudos to Brian for tracking this down, reporting the groups and getting them off of Facebook.