HNNEpisode246

From Security Weekly Wiki

Recorded December 17, 2019 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Announcements:

    • Register for one of our upcoming webcasts with Bryce Shroeder and Barbara Kay of ServiceNow, Kevin O'Brien of GreatHorn, or Steve Laubenstein of Core Security (or all of them!) by going to securityweekly.com -> Click the webcast dropdown & Select Registration! If you have missed any of our previously recorded webcasts, you can find our on-demand library by selecting on-demand from the webcast drop down! If you attend any of our webcasts, you will receive 1 CPE credit per webcast!

    Security News

    The latest in Ransomware

    https://www.krtv.com/news/montana-and-regional-news/several-montana-tv-stations-hit-by-cyberattack -- Montana TV Stations
    https://securitytoday.com/articles/2019/12/16/new-orleans-becomes-latest-city-to-suffer-ransomware-attack.aspx?admgarea=ht.businesscontinuity -- New Orleans (Ryuk likely).
    https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634 -- pretty much all the skools
    https://healthitsecurity.com/news/ransomware-attacks-double-in-2019-brute-force-attempts-increase -- and the hospital
    https://healthitsecurity.com/news/ransomware-costs-on-the-rise-causes-nearly-10-days-of-downtime -- can you be down for 10 days?
    https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/ -- phobos and dharma, but mostly I want to talk about Ransomware as a service.
    https://content.govdelivery.com/attachments/USDHSFACIR/2019/07/31/file_attachments/1257654/Ransomware%20Statement.pdf -- so some recommendations? Well, all this seems to have a common problem.

    So:

    https://vantaylor.house.gov/uploadedfiles/digital_one_pager.pdf -- is this bill something? Well, we need to do something. Look, only about 8 percent of the 90k government entities in the US utilize MS-ISAC and CISA. Well, that's great and all, but telling a school district that relies on Mr. Clark, the English Classics instructor, to go read up on MS-ISAC alerts and apply CISA hardening on the servers probably isn't going to cut it.

    https://vantaylor.house.gov/uploadedfiles/bill_text_strengthening_state_and_local_cybersecurity_defenses_act.pdf -- the actual bill. HR 5394

    Salary Surveys https://www.securitymagazine.com/articles/91398-cybersecurity-salary-survey-reveals-variance-across-industries-and-geolocations-in-2020 -- Where to go to make the big bucks? Is that PhD really going to be worth it?
    https://go.cynet.com/hubfs/2020-Salary-Survey-Report.pdf

    Crime and Punishment
    https://securitytoday.com/articles/2019/12/17/orbitz-and-expedia-settlement-data-breach.aspx?admgarea=ht.businesscontinuity -- so, is a 110k fine going to bring Orbitz around?
    https://www.securitymagazine.com/articles/91412-more-than-60-of-all-leaked-records-exposed-by-financial-services-firms -- but the real breaches are over in the financial services sector. Sure, Orbitz has your information, but the bank? Well, they have everything. 60% of all leaked records were over here.

    Meanwhile, in the drone swarm...
    https://newyork.cbslocal.com/2019/12/14/ring-smart-cameras-password/ -- how could we not talk about Ring. But it wasn't their fault, right?

    https://www.securitymagazine.com/articles/91431-the-new-security-achilles-heel -- the idea of "gestalt" computing is increasingly driving the end of the "perimeter". Does this mean that we have to push down to a different level of management in order to have a chance?

    https://www.zdnet.com/article/predictions-2020-cloud-computing-sees-new-alliances-and-new-security-concerns/ -- predictions for 2020, is it skynet?

    These are mine:

    • Cloud security will be even more critical as we move more services into cloud native environments. This means more buy ups of security services by the big players.
    • Alibaba may well exceed Google in the massive global cloud. I mean, do you really trust Google more than Alibaba? Really?
    • Ransomware as a service is going to continue to pummel public and private interests.
    • More global crackdowns on internet information sharing, in both what you get to see and what they can share.
    • More IoT exposures due to firmware weaknesses lead to greater effect.

    Expert Commentary: Be Careful Who You Do Business With - Paul Asadoorian, Security Weekly

    Paul Asadoorian is the CTO and Founder of Security Weekly.

    Paul Asadoorian spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. He is the founder of the Security Weekly podcast network, offering freely available shows on the topics of information security and hacking. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

    JetFlix: The Netflix for Pirates

    Undercover FBI agents were able to stream pirated content, thanks to a completely illegal streaming operation called JetFlix. This is not like some of the pirated streaming sites out there (that my friends tell me about). JetFlix gave the appearance of a completely legit streaming service, charging $9.99 / month and making available just about any TV show and movie on the planet. Some of the facts in the articles are really interesting:

    • A grand jury indictment this week charged eight people with allegedly operating two of the biggest illegal streaming sites in the country. They ran not out of some Eastern European server farm but in Las Vegas, Nevada. They had a customer service line, a US bank account, and even put out the occasional press release.
    • At one point it claimed to host 183,000 television episodes and more than 37,000 subscribers, and in one year claimed over $750,000 in revenue.
    • They racked up the felony charges: Which is to say, rather than simply point users in the direction of a pirated show, Jetflicks allegedly stored that content on its own servers in the US. And it allowed customers not only to stream but to download those shows to their own devices, upgrading the charges from “public performance” to “distribution," and a conspiracy to commit criminal copyright infringement, which comes with up to five years of jail time. The government claims that Polo went one step further, creating a separate piracy service called iStreamItAll that streamed movies like Us and Finding Dory before their commercial release—another felony, also punishable by up to five years in prison. Additional money-laundering charges carry a penalty of up to 20 years each.
    • Ironically, they did not like people stealing from them: Jetflicks suffered the same plague of password-sharing that its legitimate competitors do, and took a more hardline stance against it than Netflix and HBO have. The indictment alleges that the Jetflicks team would search the internet to find anyone sharing their logins, and sought to "prevent individuals from 'stealing' Jetflicks content."
    • I wonder if they used a DevOps development process: “Polo used sophisticated computer programming to scour global pirate sites for new illegal content; to download, process, and store these works; and then make the shows and movies available on servers in Canada to ISIA subscribers for streaming and downloading,” the DOJ announcement reads. “Polo also admitted to running several other piracy services — including a Usenet NZB indexing site called SmackDownOnYou — and earning over $1 million from his piracy operations.”


    Murfie's Law In Action

    I have to admit, I did not even consider that such a service existed and am excited about this idea; however, after reading this story I am hesitant. I have, like many, a large collection of CDs, tapes and vinyl records. I ripped them manually, a painstaking process. Murfie was a service that did this for you, stored all of your media, and allowed you to download and stream your own content (I'd immediately look for session handling bugs, because imagine having access to everyone's media! But that would be wrong, and illegal). But suddenly, Murfie went out of business, ceased all communications with customers, and did not send everyone their media back. Some interesting things:

    • Customers had always expected to get their discs back — it was part of the company’s promise. “I went back and looked at the terms of use,” says Arik Hesseldahl, who paid Murfie to rip and store 668 CDs. “Those CDs are my property. And they even include a line that says if they fail, you still own your CDs.” The most recent version of Murfie’s terms of use said that if Murfie goes away, the company is still on the hook for “returning your CDs, vinyl, and cassettes to you,” so long as you pay its typical shipping fee. Except shipping fees are a lot higher now, if you can get a hold of someone at the company.
    • An email was sent on November 22nd telling customers Murfie was shutting down and to await instructions on how to get their stuff. Those instructions came a week later, on Black Friday, when a second email said customers had four days to claim their collections or they’d be marked “abandoned.” Not only that, but they’d have to pay a shipping fee over 10 times higher than Murfie’s normal return cost in order to get back their discs. A third email on December 2nd extended the deadline to December 5th, and said there might be one or two in-person pickup days scheduled for those in Madison “if we can obtain the permission of the landlord.” “Abandoned discs will be recycled by the end of December,” read an email, “when the storage facility must be vacated.”
