April 2015

Top 5 #InfoSec Reads: April 19-24

An embarrassing surveillance revelation for Germany, an important finding regarding blacklists, a vulnerability affecting 1500 iOS apps, a DDoS war story, and unintended consequences for legit CloudFlare customers are this week's Top 5 #infosec reads.

German intelligence helped the NSA spy on European politicians and defense contractors

While reviewing Germany's information sharing agreement with the United States, the German Parliament learned that Germany's BND has provided the NSA with intelligence data associated with telephone numbers, IP addresses and email addresses on request. Parliament is now looking to narrow the terms of access allowed to the NSA. As criticism mounts, important trade and other agreements are now in jeopardy. Angry reaction remains anchored at the US, but it will be interesting to see how long this theme persists as country after country has its own surveillance and information sharing practices exposed.

Blacklist Ecosystem Analysis Update: 2014

Blacklists are security data feeds that identify malicious domains or internet addresses. This study examines eighty-five (85) Internet blacklists for patterns in entries the lists have in common. A number of different comparison techniques were used during the analysis. An important finding for blacklist users - basically, everyone from individual users with antispam measures on devices to enterprise IT - was that "there is surprisingly little overlap between any two blacklists". The most important action for blacklist users? Don't rely on one blacklist; use several... or many!
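To see why the overlap finding matters in practice, here is an added example (my own illustration, not code from the study) that measures pairwise overlap between feeds with the Jaccard index and shows how much new coverage each additional list contributes. The three feeds and their entries are constructed sample data; real feeds would be read from files.

```python
"""Blacklist overlap check (added example, not from the cited study).
Feeds are constructed sample data; real feeds would be loaded from files."""
from itertools import combinations

# Constructed sample feeds: each is a set of indicators (domains or IPs).
FEEDS = {
    "feed_a": {"bad1.example", "bad2.example", "203.0.113.7", "evil.test"},
    "feed_b": {"bad2.example", "198.51.100.9", "phish.test", "evil.test"},
    "feed_c": {"198.51.100.9", "malware.test", "spam.test", "203.0.113.9"},
}


def normalize(entries):
    """Lower-case, strip whitespace and trailing dots so 'Bad1.Example.' == 'bad1.example'."""
    return {e.strip().lower().rstrip(".") for e in entries if e.strip()}


def jaccard(a, b):
    """Overlap ratio |A and B| / |A or B|; 0 means disjoint feeds, 1 means identical."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(feeds):
    """Jaccard overlap for every pair of feeds, keyed by (name1, name2) in sorted order."""
    norm = {k: normalize(v) for k, v in feeds.items()}
    return {(x, y): jaccard(norm[x], norm[y]) for x, y in combinations(sorted(norm), 2)}


def coverage_gain(feeds):
    """Indicators gained as each feed is added: (name, new entries, running total)."""
    covered, gains = set(), []
    for name in sorted(feeds):
        new = normalize(feeds[name]) - covered
        covered |= new
        gains.append((name, len(new), len(covered)))
    return gains


if __name__ == "__main__":
    for (x, y), j in pairwise_overlap(FEEDS).items():
        print(f"{x} vs {y}: Jaccard = {j:.2f}")
    for name, new, total in coverage_gain(FEEDS):
        print(f"adding {name}: +{new} new indicators, {total} total")
```

A low Jaccard value between two feeds is exactly the "little overlap" the study reports, and the coverage table shows that each extra list still adds indicators the others miss.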

1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device?

A vulnerability in an open source library used by 1,500 iOS apps exposes users to SSL traffic interception. The AFNetworking library creates opportunities for attackers to intercept SSL connection requests from vulnerable iOS devices on shared, open (WiFi) networks, where they impersonate a secure site using a fraudulent SSL certificate. SourceDNA, who discovered the vulnerability, has developed a search tool to help users check whether apps they use are vulnerable.

A true story of combating a large-scale DDoS attack

This article relates the defensive measures a SaaS-based supplier of web content management took during a thirty-nine hour distributed denial of service (DDoS) attack against one of its customers. The author describes the initial attack vector, attack traffic composition and origins, and the initial abatement tactics. The author next describes subsequent attack stages where the attackers changed tactics and how the supplier chose to respond, and concludes with a summary and useful discussion on how to protect against a DDoS attack. These recommendations are similar to those I've mentioned in some of my DDoS protection articles (1, 2).

Pirate Bay Blockade Censors CloudFlare Customer

A UK ISP put blocking in place to prevent access to the torrent sharing site Pirate Bay. The measures included conventional domain and IP address blocking; however, the ISP did not consider the impact its blocking would have on legitimate customers who shared the same IP addresses as a Pirate Bay proxy. This incident provides a good opportunity to remind readers (and ISPs) about unintended consequences and how to choose wisely when blocking, seizing or taking down domains, sites, or content.


Top 5 #InfoSec Reads: April 8-13

Top 5 #InfoSec Reads is back!

Offensive censorship by China, the APWG reports on popular phishing targets, Snowden oversimplifies our sharing habits, Troy Hunt cries for sanity when we use the term "hacked", and a WSIS nomination for ICANN's Investigating DNS Abuse/Misuse training are this week’s Top 5 #InfoSec Reads.

Great Cannon represents a significant escalation in state-level information control

CitizenLab's report on the attack infrastructure that China has added to complement the Great Firewall of China (Golden Shield Project) explains in detail how China has taken the offensive in "state level information control" efforts by incorporating "a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle." The analysis includes a discussion of the nature of recent (DDoS) attacks, how CitizenLab attributes the Great Cannon activities to the Chinese government, and, most disturbingly, how the cannon might be used to target individuals (e.g., dissidents or reporters).

Report from APWG: Phishing against banks and ISPs rose markedly in 3Q 2014

I routinely summarize APWG's quarterly phishing reports and biannual global phishing surveys. Help Net Security has done a fine enough summary that I'll simply point you to their post: attacks against ISPs and banks are up, more brands are being targeted, healthcare records have become increasingly attractive, and crimeware mutations are on the rise.

Snowden keeps saying that US is still catching our emails

During a Last Week Tonight with John Oliver interview, Edward Snowden took the opportunity to allege that "your email is kept" and that while it's good that the US NSA has capabilities to fight hackers, it's not good that it can use these capabilities against the American people. If only the distinction were as simple as a ten word sound bite. Snowden is also quoted in the article as saying, "we shouldn't change our habits of sharing whatever we want to share, just because the government is doing the wrong thing." This is simply oversimplified or wrong advice. It's oversimplified because we should worry equally - yes, equally - about third party data collection, because we have no assurances about how those parties will share our data or with whom (including governments). But it's wrong, too.

We should change our habits of sharing because they are bad habits.

Security Sense: Hacking ain't Hacking

Troy Hunt's rant over the exasperatingly frequent misuse of the term "hacked" among journalists is amusing yet raises some important points. Hunt explains that not every attack should be called a "hack", not only because certain attacks do not involve hacking in the classical sense but also because classifying certain attacks such as DDoS as hacking "gives the culprit too much credit and judges them too harshly in the eyes of the law". This is an important read, especially if you are reporting on #infosec.

Investigating DNS Abuse/Misuse training nominated for a WSIS 2015 Project Prize

I'd call this a shameless plug if I weren't so excited to share. I began developing informal training at the request of law enforcement colleagues several years ago. That training has evolved into a full-day and continuing engagement for ICANN's Security Team, who have now delivered it to individual law enforcement agencies or public sector actors in every region and in multiple languages. As the program title suggests, the training describes how criminals use the domain name system (DNS) and registration services in malicious or illegal activities, and how attendees can gather information and evidence of these abuses. I'm delighted to have ICANN honored by the World Summit on the Information Society nomination and want to thank my Global Stakeholder Engagement and Comms teams for slogging through the nomination process on my/our behalf.