Category: oversitesentryapproved

Why is Cybersecurity so Difficult to Understand?

Not everyone understands all of  the complex pieces and the economic ramifications of them.

What makes this  decision so difficult to require an owner to spend at least 3-4 hours a week on a topic which will not make any money, but will just help you keep running your business.  In fact this “expenditure” of resources (time) makes it increasingly unlikely you will be ready for a possible extinction level event.

The problem is a matter of perception – the owner that is running their business has many hats, performs many different functions.  The ultimate goal of a business is to sustain itself and grow, make a profit, perform a specific function in the marketplace. The goal of the business does not usually include a strategy to protect the business in case of disaster.  That is something that should be done but it is not in the goals of the business.

So to perform the function well and ensure that it is done it will require a concerted effort.  Otherwise as the informationweek.com article mentions: “SIM study points to Lax Focus on cybersecurity”

Cybersecurity has become more important, but the ‘paying attention’ department is a difficult one.

To some degree it is a level of understanding – should we meander our way to making things ‘right’? Or should we push and cajole the business owners to do the right thing?

How else to explain this?  It is a matter when some systems need to be upgraded  instead of just the software patch. (Some patches require a lot of changes).  But when one gets a new computer it is sometimes a wrenching change – so this decision is sometimes delayed.  This is why a Security Policy is so important by codifying the thoughts and actions of many decisions made and to be done.

The other aspect of Cybersecurity that may be challenging is the ever changing nature of it. Due to constant patch management and End of Life decisions by software and hardware companies nothing in the environment stays the same for very long.

The following image is a small snapshot of what happening in the IT world on a monthly basis.

  1. Patch Tuesday – (Microsoft releases it’s slew of patches on 2nd Tuesday of month.
  2. This month Windows7 End of Life, but all devices have an end of life.
  3. Chinese hacking groups are being uncovered again -(which means there are others)
  4. Vulnerability management  is not easy.

While your business may have marketing and cost challenges due to changes in the world, the IT world is in constant flux of new vulnerabilities, older systems, and many other issues like new adversaries.  So to make sure you do not have a disaster in your hands and control this cybersecurity beast it requires 3-4 hours per week in my opinion.  Contact Us to discuss

Keep An Eye On Google ‘Security’ Projects

There are quite a few Google projects of which some are focused on security(there are many more projects, but these are the ones that could be cybersecurity. The explanation which is in italics- i.e. copied from theGoogle project webpages):

https://opensource.google.com/projects/

Abseil   Abseil  an open-source collection of library code.   also at https://abseil.io/

Abseil C++ code is designed to augment the C++ standard library. In some cases, Abseil provides pieces missing from the C++ standard; in others, Abseil provides alternatives to the standard. Abseil is not meant to be competitor to any standard library code; we’ve found that many of these utilities serve a purpose within our code base, and we now want to provide those resources to the C++ community as a whole.  

AdaNet  Fast and flexible AutoML(Machine Learning) with learning guarantees  also at https://github.com/tensorflow/adanet

AdaNet is a lightweight TensorFlow-based framework for automatically learning high-quality models with minimal expert intervention. It uses the AdaNet algorithm by Cortes et al. 2017 to learn the structure of a neural network as an ensemble of subnetworks while providing learning guarantees. Importantly, AdaNet provides a general framework for not only learning a neural network architecture, but also for learning to ensemble to obtain even better models.

Angular – a web application framework for mobile, desktop, and web. also at https://angular.io/

Angular is a development platform that aims to make web development feel effortless, focused on developer productivity, speed and testability. Applications built with Angular can be deployed to mobile devices and desktops as websites and native applications.

Apache Beam – unified model to define and execute processing pipelines. also at https://beam.apache.org/

Apache Beam provides an advanced unified programming model, allowing you to implement batch and streaming data processing jobs that can run on any execution engine. It is easy to use with Apache Apex, Apache Flink, Apache Spark, and Google Cloud Dataflow among other distributed processing back-ends.

badssl.com – memorable site for testing clients against bad configs – also at Apache Beam

badssl.com has a suite of subdomains with various HTTPS configurations. These can be used to test browsers and other TLS clients to see how they behave when they encounter sites with various security-sensitive issues on the web.

Bazel –  a Build System for fast and correct builds – also at.  https://bazel.build/

Bazel is Google’s own build tool. Bazel has built-in support for building both client and server software, including client applications for both Android and iOS platforms. It also provides an extensible framework that you can use to develop your own build rules.

Blockly -Open Source Library for adding drag and drop block coding to apps. also at https://developers.google.com/blockly

Blockly is a library for adding drag and drop block coding to an app. This is primarily used for computer science education, but can also give users a way to write their own scripts or configuration for an app. Blockly has libraries for Web (JavaScript), Android (Java), and iOS (Swift/Obj-C).

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs. also at https://boringssl.googlesource.com/boringssl/

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

Bullet Physics SDK – Real-time collision detection and multi-physics simulation  for VR, games, visual effects and robotics. also at http://bulletphysics.org/

The Bullet Physics SDK is a professional open source collision detection, rigid body and soft body dynamics library written in portable C++. The library is primarily designed for use in games, visual effects and robotic simulation. The library is free for commercial use under the zlib license.

Portable laser range-finders and simultaneous localization and mapping (SLAM) are an efficient method of acquiring as-built floor plans. Generating and visualizing floor plans in real-time helps the operator assess the quality and coverage of capture data. Building a portable capture platform necessitates operating under limited computational resources.

Cauliflower Vest – A recovery key escrow solution. also at https://github.com/google/cauliflowervest

The goal of this project is to streamline cross-platform enterprise management of disk encryption technologies. The project initially started with end-to-end Mac OS X FileVault 2 support, and later added support for BitLocker (Windows), LUKS (Linux), and Duplicity.

Cauliflower Vest offers the ability to:

  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Delegate secure access to recovery keys so that volumes may be unlocked or reverted.
  • Forcefully enable FileVault 2 encryption.
  • Sync BitLocker recovery keys from Active Directory.

Chromium – A safer , faster, and more stable web browser. also at  https://www.chromium.org/

Chromium is the web browser that Google Chrome is built on. It is meant to feel lightweight (cognitively and physically) and fast. When released, it brought a sandbox security model, minimalist user interface, and tabbed window manager that many other browsers have since adopted.

Copybara – A tool for transforming and moving code between repositories. also at https://github.com/google/copybara

Often, source code needs to exist in multiple repositories, and Copybara allows you to transform and move source code between these repositories. A common case is a project that involves maintaining a confidential repository and a public repository in sync.

Copybara requires you to choose one of the repositories to be the authoritative repository, so that there is always one source of truth. However, the tool allows contributions to any repository, and any repository can be used to cut a release.

 

dart – a language designed to be productive, stable, and free of surprises. also at https://www.dartlang.org/

Dart is a programming language developed at Google and approved as a standard by Ecma. It is ideal for web development and can be transcompiled to JavaScript, but can also be used to build server, desktop, and mobile applications. Dart is designed with a ‘batteries included’ philosophy and minimizes magic, such as automatic type coercion in order to avoid surprises when developing large applications.

deepMind lab a customizable 3D platform for agent-based AI research. also at https://github.com/deepmind/lab

DeepMind Lab is a first-person 3D game platform designed for research and development of general artificial intelligence and machine learning systems. It provides a suite of challenging navigation and puzzle-solving tasks that are especially useful for deep reinforcement learning. Its simple and flexible API enables creative task-designs and novel AI-designs to be explored and quickly iterated upon.

Dopamine – A research framework for fast prototyping of reinforcement learning algorithms. also at  https://github.com/google/dopamine

Dopamine is a TensorFlow-based research framework for fast prototyping of reinforcement learning algorithms. It aims to fill the need for a small, easily grokked codebase in which users can freely experiment with wild ideas (speculative research).

fastlane – automate building and releasing iOS and Android apps. also at https://fastlane.tools/

fastlane allows you to automate the complete release process of your iOS and Android apps. It handles tedious tasks like generating screenshots, dealing with code signing and releasing your application.

Firebase SDK – An app development platform to develop high-quality apps. Also at https://firebase.google.com/

Firebase is an app development platform that provides integrated tools to help you build, grow and monetize your apps. The Firebase SDK enables access to the Firebase services in an intuitive and idiomatic manner on several platforms.

FlatBuffers – A serialization library for games and other memory constrained apps. Also at  http://google.github.io/flatbuffers

FlatBuffers is an efficient cross platform serialization library for C++, C#, C, Go, Java, JavaScript, PHP, and Python. It was originally created at Google for game development and other performance-critical applications. It allows you to directly access serialized data without unpacking/parsing it first, while still having great forwards/backwards compatibility.

Flutter – Build apps for iOS and Android from a single codebase. Also at Flutter

Flutter is a mobile app SDK for building high-performance, high-fidelity apps for iOS and Android, from a single codebase. The goal is to deliver apps that feel natural on different platforms, embracing differences in scrolling behaviors, typography, icons, and more.

FontDiff – tool for finding visual differences between font versions. Also at Flutter

FontDiff is a utility for testing fonts. When you modify a TrueType or OpenType font, FontDiff generates a PDF showing the typeset text both before and after the change. You can use this PDF to easily review the changes and spot any errors caused by a font switch.

FontView– demo app displays fonts using a free stack. Also at https://github.com/googlei18n/fontview

FontView is a little demo app that shows the contents of a font file. It opens *.ttf, *.otf, *.ttc, *.otc, *.pfa, and *.pfb files. To render text, FontView uses open-source libraries.

Forseti Security – Open source tools for Google Cloud Platform(GCP) Security. Also at  Forseti Security

Forseti Security helps you secure your Google Cloud Platform organization.

Keep track of your environment

Gerrit – web-based code review system for projects using Git. Also at https://www.gerritcodereview.com/

Gerrit is a highly extensible and configurable tool for web-based code review and repository management for projects using the Git version control system. It allows teams to discuss code, serve Git as an integrated experience within the larger code review flow, and manage workflows with deeply integrated and delegatable access controls.

Go – open source programming language to make it easy to build simple, reliable and efficient software. Also at https://golang.org/

Go is expressive, concise, clean, and efficient. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel type system enables flexible and modular program construction. Go compiles quickly to machine code yet has the convenience of garbage collection and the power of run-time reflection. It’s a fast, statically typed, compiled language that feels like a dynamically typed, interpreted language.

Google Cloud datalab

 

Kritis – open source solution for securingyour software supply chain for Kubernetes applications, by enforcing deploy-time security. Also at https://github.com/grafeas/kritis

Kritis (“judge” in Greek), is an open source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, which uses Grafeas underneath.

MOE: Make Open Easy – Synchronizes, translates, and scrubs source code repositories. Also at  https://github.com/google/moe

MOE is a system for synchronizing, translating, and scrubbing source code repositories. Often, a project needs to exist in two forms, typically because it is released in open-source, which may use a different build system, only be a subset of the wider project, etc. Maintaining code in two repositories is burdensome.

mtail – extract whitebox monitoring data from application logs for collection in a timeseries database. Also at https://github.com/google/mtail

mtail is a tool for extracting metrics from application logs to be exported into a timeseries database or timeseries calculator for alerting and dashboarding.

It aims to fill a niche between applications that do not export their own internal state, and existing monitoring systems, without patching those applications or rewriting the same framework for custom extraction glue code.

 

Open Images Dataset

OpenScience Journal –   An app that allows one to gather information using the sensors in the Android phone. Also at https://makingscience.withgoogle.com/science-journal/

Science Journal allows you to gather data from the world around you. It uses sensors to measure your environment, like light and sound, so you can graph your data, record your experiments, and organize your questions and ideas. It’s the lab notebook you always have with you.

OpenWeave – open source implementation of Weave network app layer, secure communications backbone for NEST products. Also at OpenScience Journal

OpenWeave is an open-source implementation of the Weave network application layer, the secure, reliable communications backbone for Nest products.

At Nest, we believe the core technologies that underpin connected home products need to be open and accessible. Alignment around common fundamentals will help products securely and seamlessly communicate with one another.

Outline – an open source VPN software released by Jigsaw March 2018. also at https://getoutline.org/

The Outline software allows for the creation of a personal or corporate VPN server on a cloud provider of the user’s choice, with minimal effort. Once set up, Outline server administrators can share access with other users, who can connect to the VPN using Outline clients developed for Windows, macOS, iOS, Android and ChromeOS. Outline uses the Shadowsocks protocol (shadowsocks.org) for communication between the client and server.

Stackdriver – Monitors, logs, and diagnostics for cloud applications. Also at https://cloud.google.com/stackdriver/

Google Stackdriver provides powerful monitoring, logging, and diagnostics. It equips you with insight into the health, performance, and availability of cloud-powered applications, enabling you to find and fix issues faster.The Stackdriver agents and libraries are open source projects.

Upspin – experimental framework for sharing files securely. Also at https://upspin.io/

Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts.

It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space.

 

 

https://bugs.chromium.org/p/project-zero/issues/list

I have included several machine learning(ML) projects which I believe can be used to create many programs (including security based),  the future in security is in AI, of which ML is a piece of it.

There is an interesting article in Wall Street Journal:

Google’s Enemies Gear Up to Make Antitrust Case

The article goes into a case Yelp and TripAdvisor are making that Google is using it’s position as search engine to place it’s own services ahead of Tripadviser and Yelp.

I wonder if they know about these 70 projects on the Google projects list of which 27 have security implications in my opinion:

Abseil, Adanet, Angular, Apache beam, badssl.com, Bazel, Blockly,  Dart, Deepmind, Dopamine, Fastlane, FlatbuffersSDK, Flatbuffers, Flutter, Fontdiff, Fontview, Forseti Scurity, Gerrit, Go, Kritis, MOE(make open easy),mtail, Opensciencejournal, Openweave, Outline, Stackdrivers, Upspin

It definitely looks to me that Google is building a larger organization, does this mean that they should be broken into pieces? Maybe this was why the Sherman Antitrust act was created and passed by Congress in 1890. This law declared illegal all combinations “in restraint of trade”.  (from http://www.ushistory.org/us/43b.asp)

Google is building a future AI power house, that will make today’s search power  seem like a mouse versus a tiger.

 

Is Compliance Enough for Your Company?

If you accept credit cards you need PCI compliance

If you have health data then you need HIPAA compliance.

A financial company gets many pieces of compliance which depends on what types of financial instruments you sell. You may need other types of compliance.

Unfortunately PCI compliance does not require a backup of your critical data , so if you have critical data then it is up to your judgement to set up processes to make sure if they are corrupted then can be recovered.

This point of corruption of data to recovery is the single most likely reason for small businesses to fail six months after a major cybersecurity event.

In 2019 your company could be doing business as usual in January, then in February the right attack could cause problems for your company…  if you are not ready for it, six months later you could be out of business.

Which is why we want to highlight it and make sure you understand the inattention that can cause disaster.

We are here to go over your processes to make sure that this type of disaster does not happen. You can make it go away for a few dollars and attention. That is all it takes.

Contact Us to discuss – Three-One-Four-five -zero-four, three,nine, seven, four.  Leave me a message and I will get back to you.

TonyZ

 

 

How are Hackers Always a Step Ahead of Defense?

So the Defense (also known as Blue team) has been inundated with spam, the goal of the spam(for the hackers) is for an unsuspecting user to give up their credentials(username and password). Hackers are always trying to get your usernames and passwords.

Opening a word document? What if it included a small file that is unlikely  or even impossible to detect when first opening the file? because it gets resized to a small point in the document.

Notice the above image shows how to create a link inside a picture.

the above image is from ISC.sans.edu link.

So due to various dirty tricks in spam we have built 2FA (Two Factor Authentication) so that the connecting to the email server and getting your email will effectively shut out the spam merchants… until now with this nifty trick.  (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the word document the picture activates and tries to connect to the criminal-hacker-website.com which then sends the credentials of the computer to criminal-hacker-website.com.

Clearly only username and password defense is not going to do the job, as many tricks will pry the information to your account out of you.  And an incorrectly set up 2FA also would be a problem.

The defense must have a good logging and egress filter setup. (Block port 445/tcp , 137/tcp, 139/tcp, and 137/udp and 139/udp.

Back to my question “How are Hackers Always a step ahead of the Defense?”

The answer lies in logic actually:  If you have to defend 24 hours per day every day while trying to use software of the Internet then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses as shown above. We have to constantly be aware of new attacks and thus ways of defending against new vulnerabilities found every day.

True it would be nice if all software did not have security issues, but as we know security is not the highest effort while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old story “The risk versus Security” see-saw.

The people who focus on Security might spend more in resources rather than others, so if you hear a new potential attack are you impulsively scoffing? Or saying I have to learn this attack and defend against it (thus spending resources?

if you are scoffing and wish to take on more risk by thinking the security problems might go away just by thinking they will go away. The risk on the internet these days is not that low, the ingenuity of new attacks are coming so fast that if you have not upped your ante, then one day it will be too late and the headlines will serve your epitaph.

So We believe that you should do both seek some risks while also staying secure  by employing Security Auditors.

 

Contact Us to discuss

Why Would Someone Want to Attack Me?

We see a lot of headlines in the news, but it stems from the nation states attacking.      Youtube video from Black Hat Asia2018

China attacks specific companies.

Russia also attacks in cyberspace and it culminated when Russia attacked Estonia 2008, also the next year a military physical attack in Georgia with a Cyberspace attack as well.

Snowden disclosed the US attack of Stuxnet into Iranian centrifuges.

This is a ‘right’ of the nation state attackers using their knowledge of Zero Days and encrypted keys.    Where the nation states say it is their right to attack other nation states, because “no one will know” as it is not a physical attack.

Except this culminated in a Russian attack on power infrastructure attack where Estonia lost power for several days.

The side effect of Stuxnet was that other hackers(criminal etc) figured out how the attack was done, then investigated this possibility and eventually was able to create a new attack with malware for ransomware.

So what does this mean? It means that attackers  will eventually figure out the defensive flaws that one normally cannot see or notice.

the actual methods of inserting programs are varied, sometimes the user allows the software to run with spearphishing or just clicking on the wrong site on the Internet.

Above picture is from “Decentralized malware youtube video“.

 

The trust the private sector has in their computers between customer and company is not in the thoughts of nation-states attacking each other.

A side effect of nation states attacking each other is the need for better defenses for all, since we are all on the Internet. Once the knowledge of attacks comes out of the shadows the criminal hackers take a little bit of time and develop the attacks also.

So you may not look like you have anything to attack, but if you are on the Internet you will be attacked.

 

The only thing you can do is to create a defense that can handle even sophisticated attacks.

Contact us to discuss this phenomenon.