In addition to routine activities such as briefings, vendor showcases, and book signings, big conferences like Black Hat usually bring to light a "new" keyword which reveals a strong recent trend and/or defines the industry direction for the upcoming years. I put "new" in quotes because usually it is not really new but something known to a narrow circle of experts for many years that lies in hiding without much attention until its time comes. This year, such a keyword is software liability. At first glance, you may not see any direct link to cyber security. In reality, however, it's possible that our (virtual) life would be significantly different if we had had software liability in place from the beginning of the computer and especially the Internet era. Imagine a world where you could sue Microsoft for data files deleted by malware from your PC, or get paid by Apple for pictures stolen from your iPhone. Businesses could invest their money in more reliable operating systems and applications instead of various extra security tools. I don't know how big the chances are that software liability will ever become a reality, but at least now we are allowed to dream about it.
Interesting blog post with my opinion on the topic.
I am impressed by today's Black Hat USA 2015 keynote by Jennifer Granick. One of her "areas of interest" is protecting hackers from persecution by governments and corporations. I wish I could have met her two years ago when I was finishing my book about payment security, Hacking Point of Sale. So here is my book's keynote. This is the first time I am publicly speaking about the real story behind the book. I was literally being threatened by my then employer, the point of sale software vendor. They did not want this book to be published so they could continue hiding the facts about the real state of security of their products, withholding information about vulnerabilities from public disclosure, and lulling their customers into a false sense of security. I was forced to leave my job. They did not fire me, but I was placed in a "vacuum" environment where I could not productively work anymore. I don't regret it at all, because eventually I had an opportunity to develop my career at much better workplaces. However, many important facts and technical details were excluded from the book as a result of those events so I could protect myself and my family from persecution by corporate lawyers. The final version of the book is mostly focused on the grim role of PCI DSS while overshadowing the no less important role of POS vendors in an endless chain of card data breaches. Maybe if I had had support from some organizations and people like Jennifer Granick, I could have prevented many more card data breaches which happened at just about the same time the book was released (remember the famous Target breach, just to name one?). If I ever get a second chance (Wiley, how about a second edition?), I will do my best to include more specifics and clues that would help retailers avoid further breaches.
Good article explaining in layman's terms the basics of hacking and cyber security in general, as well as the Black Hat and DEF CON conferences (Black Hat starts tomorrow in Las Vegas).
I am looking for a Security Engineer to join our security team here at PCCI!
You can submit your resume directly on my website:
or through the Parkland website:
This is the PCCI company profile: http://www.pccipieces.org/
Interesting article about Google's new approach to access control for enterprise applications. I agree with their approach because it seems that BeyondCorp is neither more nor less than just another implementation of a web app with two-factor authentication (2FA) by client certificates plus Web Application Firewall (WAF) functionality and some elements of risk-based authentication, so there is nothing really revolutionary. I guess it fits mostly large enterprises, as it requires significant additional hardware, software, and human resources (I like the author's job title: "site reliability engineering manager"), unless specialized hardware/software/services designed, implemented, and supported by third-party vendors (Google?) become available.
Note that the "privileged networks" still exist "behind the scenes" in order to support all internal application deployments (such as database servers, etc.) and the access control infrastructure. In fact, all the BeyondCorp elements in Figure 1 (see below) are located in the privileged network, which is still accessed using "old-fashioned" ways such as remote VPN, etc. Only the front end (they call it the "access proxy") is accessible from the "unprivileged network", so there is nothing unique in this model; in fact, it is used by most web application hosting providers, who could say that they are implementing some limited version of BeyondCorp too.
In a typical simplified case, the provider's data center (DC) environment is such a "privileged network", which serves the web applications' back end and access control infrastructure (see red marks in the picture below). A WAF can be used as the "access proxy". The second authentication factor, such as SMS, email, or Google Authenticator, is a replacement for the device certificates utilized by BeyondCorp (which are just another classic example of a "something you have" second-factor implementation). The only element that is probably missing is risk-based authentication, but there is always room for improvement.
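As an added example (not code from the original post, nor from Google's BeyondCorp), the following Python models the access-proxy decision described above: a device certificate as the "something you have" factor, an SMS/email/authenticator one-time code as its substitute, and a risk-based step-up. The device inventory, resource trust tiers, risk signals and thresholds are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: client-cert fingerprint -> managed device record.
# A cert is only trusted if it is known AND bound to the requesting user.
DEVICE_INVENTORY = {
    "sha256:ab12cd34": {"owner": "alice", "managed": True},
}

# Constructed catalogue: application -> minimum trust tier required.
RESOURCE_TIER = {"wiki": 1, "hr-portal": 2, "db-admin": 3}

OTP_TIER = 1  # an OTP alone (no device cert) only unlocks low-tier apps
RISK_STEP_UP_THRESHOLD = 2  # assumed threshold for demanding a second factor


@dataclass
class Request:
    user: str
    resource: str
    cert_fingerprint: Optional[str] = None  # client certificate presented to the proxy
    otp_verified: bool = False              # SMS/email/authenticator code already checked
    new_location: bool = False              # risk signal: unusual source network
    off_hours: bool = False                 # risk signal: outside normal working hours


def device_trust(req: Request) -> int:
    """Tier 3 for a managed device whose cert is bound to this user, else 0."""
    rec = DEVICE_INVENTORY.get(req.cert_fingerprint)
    if rec and rec["managed"] and rec["owner"] == req.user:
        return 3
    return 0


def risk_score(req: Request) -> int:
    """Simple additive risk model (assumed weights)."""
    return (2 if req.new_location else 0) + (1 if req.off_hours else 0)


def decide(req: Request) -> str:
    """Access-proxy verdict: 'allow', 'step_up' (ask for an OTP) or 'deny'."""
    required = RESOURCE_TIER.get(req.resource)
    if required is None:
        return "deny"  # unknown application: fail closed
    cert_tier = device_trust(req)
    tier_with_otp = max(cert_tier, OTP_TIER)
    if req.otp_verified:
        return "allow" if tier_with_otp >= required else "deny"
    risky = risk_score(req) >= RISK_STEP_UP_THRESHOLD
    if cert_tier >= required and not risky:
        return "allow"  # certified device, normal risk: no extra prompt
    # An OTP would close the gap (tier or risk): prompt for it, else deny.
    return "step_up" if tier_with_otp >= required else "deny"
```

A WAF or reverse proxy front end would call `decide()` on each request and redirect to the OTP flow on `step_up`; note that a stolen certificate fingerprint is rejected when presented by a different user.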
Pay attention to this phrase: "The breach took place in June last year but was only recently discovered."
A US health insurer has admitted it has been hacked and the data of 1.1 million of its customers exposed.
Connecting the on-board entertainment network with the flight control system sounds stupid and unreal, but many hacks have been carried out by exploiting mistakes in network and system design, so there is a theoretical possibility of such a hack into flights...
I think this article is a good starting point for a new big discussion: is healthcare going to be the next primary hacking target as the focus moves away from PCI, which is slowly but surely transitioning towards more secure technologies such as EMV, P2PE, and Apple Pay? Anyway, I like this breakdown of the problem:
Healthcare companies keep patients' personal and financial data. Many patients use online payment options, which means their records may have information such as bank accounts and debit/credit card numbers.
According to Brian Krebs' blog, it's possible that both Premera Blue Cross and Anthem attacks could be performed by the same state-sponsored group of hackers.