
Reverse Engineering Incentives to Improve Security. New Jersey school district computers held for ransom & the flash bug that lives on from 2011 with a twist!
Plus some great networking questions, drone powered Internet & more!
— Show Notes: —
Reverse Engineering Incentives — to Improve Security
- Gunnar Peterson writes a blog post about an interesting way to improve security in the enterprise
- Based on a scheme Walmart used in the 1980s, where employees got a bonus if “stock shrinkage” (theft) was below a certain level
- This kept more employees from stealing, where before they had no incentive not to
- So, he morphs the idea for information security:
- “I’ve often said that no one wants to write insecure code, and I wonder if something similar would work in infosec. Could a company put a fixed number each year towards an “average” breach cost and then if one does not occur, credit it back in a bonus to the tech staff, developers and sys admins?”
- “Think – digital version of days since last workplace injury. My guess is that incentives along those lines would very probably work way better than the majority of products on RSA trade show floor, and at a fraction of the cost.”
- He discusses the various problems with the idea
- How do you define what counts as a breach?
- What about “pay for each bug found” instead? He points out the risk of the Cobra Effect (a perverse incentive that rewards creating the very problem you are paying to eliminate)
- So the idea is: “we do not end up on the front page of the newspaper in a breach story” means everyone gets a bonus payout roughly equal to what we would pay in response cost on a rolling two-year basis. This should tend to focus the mind and inspire people. Fired up? Ready to go? Now let’s go install some patches!
- “It’s not perfect of course, but has the advantage of focusing attention onto the issues of strategic impact and puts security people, developers, sys admins and others on the same side of the table. To me, this is long overdue and a powerful organizational tool.”
- “Some might argue that incentives are silly, these are professional developers. What we need is regulation. We have used regulations, for example PCI or Company security policies, for a long time in infosec, they are not worthless, but they are not optimal either. At the very least they are only one tool in the toolbox and we should look at others.”
- “Security people’s main role is to be a barrier between an organization and stupid. So the real question is – what kind of barrier is the most effective? Regulations create the hostile, tactical and divided environments in which security people operate today. Bonuses have a way of getting people’s attention I have noticed and they have a way of getting people to work together.”
- “What I think the outcome here would look like is to simplify the coordination between the security team and dev/ops teams. On any engagement I easily spend 30-50% of my time on James Baker-style shuttle diplomacy trying to convince devs and ops folks that security is not deliberately setting out to destroy their timeline, bonus and career. If you just took that portion out of it, that means that any security time and dollars that get spent are spent on trying to solve actual security problems not Security/Dev/Ops Glasnost.”
- It is an interesting idea, although it only seems to work for commercial software development
New Jersey school district computers held for ransom
- An attacker has taken over a Gloucester County school district’s computer network, and is demanding payment of 500 bitcoins ($128,000) to return control of the system
- “Without working computers, teachers cannot take attendance, access phone numbers or records, and students cannot purchase food in cafeterias. Parents cannot receive emails with students grades and other information.”
- The superintendent said the attacker “did not access any personal information about students, families or teachers”
- It is unclear how the attacker could prevent teachers from accessing records without also having access to those same records
- The Superintendent said that without Smartboards, students used pens, pencils and paper, going back to what he described as “education as it was 20 or 30 years ago.”
- “We are still a long way from being fully operational. We have to work to restore the functionality of all of our computers.”
- “The school district is being forced to postpone the Common Core-mandated PARCC state exams”
- It seems like the school needs a better backup system
- A similar cryptolocker style attack hit the college I was consulting for a few weeks ago
- They immediately dumped the system and restored from that morning’s backup, and were back up in a few hours
- I teased them that if they were using ZFS, they could have just done “zfs rollback” and been back up in a few minutes, with less data loss
- You still need backups, of everything
- A full Disaster Recovery plan is in order for a school board; students should still be able to use the cafeteria no matter what is wrong with the computers
- A cold spare using a read-only backup, that doesn’t allow new changes, but at least allows access to important information like parents’ phone numbers, seems to be in order
- NJ School District Hit With Ransomware-For-Bitcoins Scheme
Flash bug from 2011 still lives on
- CVE-2011-2461 was an interesting Flash bug
- Unlike a typical Flash bug, the problem was in the Adobe Flex SDK, used to write the Flash programs (.swf files) that run in your browser
- So, the fix wasn’t a newer version of the Flash player, but a patch to the tools used to author the Flash files
- However, even years later, it seems many of these old flash files are still around, and users are still vulnerable because of it
- “The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin.”
- Adobe released a tool to patch existing .swf files, but it seems to be rarely used
- Researchers at NibbleSec ran into the problem while investigating a SOP (Same Origin Policy) bypass attack
- The researchers presented their findings at the Troopers 2015 conference
- During their scan, they found that many sites still host vulnerable Flash applications, including Google, Yahoo, Adobe, SalesForce, and more
- “SOP prevents scripting content loaded from one website—or an origin—from affecting the content of another website. For example, a script hosted on website X that’s loaded by website Y in an iframe should not be able to read sensitive content about the other site’s visitors, like their authentication cookies. Neither should website Y be able to obtain information about users of website X by simply loading a resource from it.”
- “Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.”
- It will be interesting to see if the newfound attention actually gets this bug solved
Feedback:
- Friendly backup
- Encrypting Your ownCloud Files — ownCloud User Manual 7.0 documentation
- How ownCloud uses encryption to protect your data | ownCloud.org
Round Up:
- Despite privacy policy, RadioShack customer data up for sale in auction
- Flaw in Hilton Honors reward site allowed any account holder to hijack other accounts
- Squid bug in Red Hat performs an ‘rm -fr /*’ on restart.
- Healthcare and Software still not getting along
- Because of CloudFlare shared SSL, Ted Cruz’s New Presidential Campaign Donation Website Shares Security Certificate With Nigerian-Prince.com
- Advice for dealing with tax fraud, straight from the scammers who cause it
- Facebook’s Aquila Drone Will Beam Down Internet Access With Lasers
- Apple buys FoundationDB, immediately removes downloads from website
- Amazon Cloud Drive goes unlimited: $11.99/year for photos and $59.99/year for everything
- SnapChat burns up your data plan
- Bruce Schneier | Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
- Still, no one knows what is, and what is not, a “cyber incident”
- Bitcoin exchange AllCrypt had their WordPress blog installed on the same server. Attacker drains entire wallet by modifying the database
- A brilliant Tinder hack made hundreds of bros unwittingly flirt with each other