Things I Hearted this Week, 29th June 2018


It’s been an absolutely lovely warm week in London. The sun has been shining, allergies have been high, and kids have been missing out on all the wonders because they’re too busy being indoors staring at a mobile device or tablet.

Things were very different back in my days… and just like that, I’ve turned into my Dad!

Have I Been Pwned – The Saga Continues

I like to think of myself as a bit of a hipster because I was following Troy Hunt before he was widely recognised as being cool. I remember reading his posts on OWASP Top 10 for .NET developers and thinking to myself that this guy really knows his stuff.

Which is why I was optimistic when Troy launched Have I Been Pwned – but I don’t think I foresaw how big the project would become, and now it is being integrated into Firefox and 1Password. Not bad going for the blogger from down under.

Defining Hacker In 2018

If you do a Google Image Search against the word hacker, you’ll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They’re up to no good… Stealing your data, crashing critical systems, or causing general Internet badness.

In reality, the word “hacker” applies to a much broader group of people, one that extends well beyond cybersecurity. Merriam-Webster defines a “hacker” as “an expert at programming and solving problems with a computer”.

Lessons From nPetya One Year Later

This is the one-year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons.

An example is this quote in a recent article:

“One year on from NotPetya, it seems lessons still haven’t been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains.”

This is an attractive claim. It describes the problem in terms of people being “weak” and that the solution is to be “strong”. If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn’t happen.

But this is wrong, at least in the case of NotPetya.

German Researchers Defeat Printers’ Doc-Tracking Dots

Beating the unique identifiers that printers can add to documents for security purposes is possible: you just need to add extra dots beyond those that security tools already add. The trick is knowing where to add them.

Many printers can add extra dots to help identify which device printed a document, as it’s handy to know that when they fall into the wrong hands. The technique works: it helped to sink NSA leaker Reality Winner, among others, and has also helped in its original purpose of defeating counterfeiters.

This isn’t the first time anti-printer-dot techniques have been tried though.

Security Reports

Both McAfee and Kaspersky have released research reports. Both are freely available and don’t need you to surrender any details to access them. Some good stuff from the research community.

McAfee’s report shows that new coin miner malware jumped a huge 1,189% in Q1 while new ransomware attacks dropped 32%.

The decline of ransomware and rise of cryptocurrency mining is a trend that Kaspersky has also seen in its recent report on ransomware and malicious crypto miners in 2016-2018.

Kaspersky’s other report, on the other hand, takes a look at the state of industrial cybersecurity in 2018.

A Primer On Breach And Attack Simulations

Attack simulation is the technology that enables use cases in this market. In short, it can answer some of the most elusive and sought-after questions in enterprise security, like:

  • How secure are we?
  • If we got hit with a targeted attack today, would our staff see it?
  • Are we monitoring and alerting on the right things?
  • Could we respond to a threat quickly enough to make a difference?
  • Could we contain and clean up the threat effectively?
  • (and if vendors are comparing customer data:) How do we compare to our peers?

It is a sort of Question Answerer for some key security questions. It separates reality from fantasy. Replaces assumption with fact. A common trope in books and movies is a device or an animal that helps the protagonist see past glamours. In this age of vendors offering simple solutions to complex problems, defenders need the ability to see past the glamour of marketing.

Or perhaps The Emperor’s New Clothes is the better analogy?

Mikko Hyppönen

This is a really well written interview with Mikko Hyppönen.

Few industry names carry quite as much weight as internationally renowned security expert Mikko Hyppönen. Don’t just take my word for that; he’s been selected among the 50 most important people on the web by PCWorld magazine, included in the Foreign Policy’s Top 100 Global Thinkers list and made worldwide news for tracking down and visiting the authors of the very first PC virus in history. To put it simply, if InfoSec celebrities exist, then Mikko is one.

It might therefore come as a bit of a surprise to some that, despite his fame, expertise and recognition, Mikko has served the same company, F-Secure, for the best part of 30 years. Having first walked through its doors in 1991, the firm back then was a small Finnish start-up called Data Fellows and Mikko was studying computer science at university. Fast forward 27 years and now he’s the chief research officer and F-Secure has more than 1000 employees with over 25 offices around the globe.

Randomness

A few other stories I enjoyed reading recently.