Tag Archives: Internet

Flush Times for Hackers in Booming Cyber Security Job Market

Photo: A recruiter advertises a QR code to attract hackers to apply for jobs at the Black Hat security conference in Las Vegas, Nevada, U.S., July 27, 2017. (Joseph Menn)

“REUTERS”

“One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.

Mark Litchfield made it into the firm’s “Hacker Hall of Fame” last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.”

Reporting by Joseph Menn and Jim Finkle; additional reporting by Dustin Volz; Editing by Jonathan Weber and Grant McCool

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.

The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.

“Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people,” said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week’s most popular parties.

Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.

But as tech has taken over the world, the opportunities in the security field have exploded.

Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.

More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.

The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.

For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer “bug bounties,” or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.

In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”

There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.

“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.

“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”

https://www.reuters.com/article/us-cyber-conference-business-idUSKBN1AD001

NATO Agency Seeking Bids for IT Modernization Program

Photo: NATO officials discuss future cyber initiatives at the NATO Communications and Information Agency. (NATO)

“NATIONAL DEFENSE MAGAZINE”

“The program will span at least four contracts and be worth up to $537 million, and is expected to be completed by mid-2018.

NATO’s communication and information technology arm is seeking industry partnerships as it takes on a multi-year modernization effort for its information-technology systems, according to the organization’s acquisition director.

The NATO Communications and Information Agency — which runs the information technology, communications and command and control for the multinational organization — has opportunities for defense and IT companies in various stages of the modernization program, Peter Scaruppe told National Defense in February.

“The IT modernization program is a very important one because it basically replaces all of the IT in all the NATO locations, and for all the NATO forces,” he said.

The program entails: streamlining NATO’s IT service offerings to increase efficiency and effectiveness; using a customer-funded delivery system to increase the flexibility and scalability of IT services; delivering services from a centralized set of locations; and implementing increased cyber security measures, according to the agency.

Next on the priorities list is introducing a cloud-based services enterprise design by this summer, which Scaruppe called a major part of the modernization program.

“Storage is an important issue for all current and future IT programs, because with big data and the availability of big data, it is increasingly important,” he said. “We are anxious to see what companies will provide.”

NCI Agency also plans to develop new data centers in Mons, Belgium, and Lago Patria, Italy, by early 2018, Scaruppe said. A third site has not yet been publicly revealed, but is being considered as an option “if and when we need it,” he said.

“This is for the IT support and operational support for NATO locations and operations,” he said.

NCI Agency has made concerted efforts in recent years to work more closely with industry to beef up its cyber defense capabilities. The agency contracts out about 80 percent of its work to the defense and security industries of NATO’s 28 current member-nations, Scaruppe said.

This year, the agency will host its annual industry conference in North America for the first time since it kicked off six years ago, rather than in a European country, “to note the transatlantic alliance,” he said.

The theme of the NCI Agency Industry Conference and AFCEA TechNet International — which will be held in late April in Ottawa, Canada — is “Sharpening NATO’s Technological Edge: Adaptive Partnerships and the Innovative Power of Alliance Industry.” The conference builds upon last year’s theme of why innovation is important to NATO’s technological needs, Scaruppe said.

“Especially in the IT and cyber world, we know that there are a lot of innovators out there … not exactly keen on working with an 800-pound gorilla like NATO,” he said. “Some are not familiar with the process, [so] we need to catch the right innovators.”

One major part of the conference is dedicated to innovation challenges where agency officials and industry will discuss pre-determined areas of study, he said. “We did this last year, very successfully, and we got lots of proposals, many more than we thought we would get.”

Conference attendees will learn of upcoming business opportunities with an overall budget of about $3.2 billion over the next two to three years, Scaruppe said.

Businesses also have the chance to speak with agency experts ahead of potentially bidding on a project.

“We do this every year, but we’re dedicating a lot more time to this part than usual [this year],” he said, adding that the agency hopes to attract more U.S. and Canadian industry members as a result.

Attendance rates at previous conferences have been about 70 percent European-based, Scaruppe said.

The agency is also looking to attract more cyber experts through the conference by running a next-generation skills exercise and innovators program, he said.

“We have a lot more work than we have staff for — and the same is true with the private companies — [and] we want to find innovative ways of how to attract these people, how to retain these people and also keep us current in the cyber exercise.”

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=2448

Industry Consensus Forming Around Cyber Security

“MILITARY AND AEROSPACE ELECTRONICS”

“There’s much more to cyber security than hackers and attempts to thwart their efforts.

Moreover, there’s billions of dollars pouring into the cyber security industry today, which represents opportunities for a wide variety of companies.

Unfortunately cyber security has come to depict a range of nefarious computer break-ins by shadowy hackers with cryptic names that compromise the credit card accounts of retail store patrons, emails by notable politicians, and the control of cars and unmanned aircraft.

There’s a plethora of descriptive terms in the cyber industry today, among them system security, system integrity, and trusted systems. There have been terms that were in vogue in previous years that have fallen by the wayside, such as information assurance (IA), that authorities such as the U.S. Department of Defense (DOD) are abandoning.

In fact DOD officials issued an instruction last August to amend DOD Directive 5134.01, which establishes policy and assigns responsibilities to minimize the risk that DOD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission-critical functions or critical components by foreign intelligence, terrorists, or other hostile elements.

The changes specifically substitute the word “cybersecurity” for information assurance. Why the government wants to join cyber and security into one word is beyond me, but I digress.

From this it appears that DOD leaders are settling on the term cyber security to describe outside interference to military computer systems and the embedded computing technology that underlies many of today’s sophisticated weapon systems.

Certainly that outside interference, described as vulnerabilities in system design or sabotage or subversion of a system’s mission-critical functions, could be intentional, such as the work of hackers, or could also include bits and pieces of computer programs, or bugs, that in certain circumstances could undermine or otherwise interfere with other parts of the program.

The terms system security, system integrity, and trusted systems are describing aspects of the same thing: cyber security. Realizing this can help define what cyber security really means, and more importantly, can reveal a new perspective of the emerging new cyber security industry.

Much of this became clear to me this week while talking with computer experts attending the Association of the U.S. Army (AUSA) conference and trade show in Washington. Some of these people realize they’re part of the cyber security industry, and some don’t.

The computer scientists and companies involved with system security, system integrity, trusted systems, and perhaps even anti-tamper are working the same side of the street. These companies aren’t involved in separate and distinct endeavors; they’re all part of the cyber security industry.

So what does this mean? Well for one thing it places many embedded computing companies like Mercury Systems, Curtiss-Wright Defense Solutions, Extreme Engineering Solutions, and Abaco firmly in the cyber security camp.

It’s true, then, that not only the big prime contractors like Lockheed Martin, Boeing, and Raytheon are doing cyber security. We’re talking about an already-large and growing technology ecosystem that runs the gamut from software hypervisors all the way up to large and complex computer programs that run big weapons platforms like jet fighters, main battle tanks, surface warships, and unmanned vehicles.

There are plenty of enabling technologies that come to bear on cyber security today, and plenty that will become part of this emerging ecosystem in the future.

Perhaps the first step in jump-starting this new industry is to acknowledge that many of us are taking separate paths toward the same destination. So how many out there are part of the new cyber security industry?”

http://www.militaryaerospace.com/articles/2016/10/cyber-security-emerging-new-industry.html?cmpid=enl_MAE_EmbeddedComputing_2016-10-10&eid=297842363&bid=1551728

Scheme to Encrypt Entire Web Is Working

“WIRED”

Let’s Encrypt is coming out of beta.

And it’s making serious headway toward helping tens of millions of unencrypted sites around the world switch from the insecure web standard HTTP to HTTPS, which encrypts your web browsing to protect it from surveillance.

The San Francisco-based Internet Security Research Group (ISRG), a small non-profit, announced the initiative.

Without that layer of encryption, a regular HTTP connection can be intercepted and read by anyone between a web visitor’s browser and the site he or she is visiting—whether a hacker on the same Wi-Fi network, an internet service provider, or a government agency.

Since launching less than six months ago, Let’s Encrypt has helped 3.8 million websites switch to HTTPS encryption, taking a significant chunk out of the unprotected web data that’s available to those eavesdroppers.

“Frankly it’s irresponsible how much of our information goes flying around the web in the clear. Anyone can just pull it down and read it. That’s not what people should expect from such an important network today,” says Josh Aas, the founder of the Internet Security Research Group, who officially works for Mozilla but runs Let’s Encrypt for ISRG. “We want to feel that when we’re using [the web] we have privacy…Our goal is to get to one hundred percent encryption.”

Let’s Encrypt has tried to make it easier for websites to switch from HTTP to HTTPS by flattening one of the biggest hurdles in the process: certificates. Let’s Encrypt functions as a certificate authority, one of the dozen or so organizations like Comodo, Symantec, Godaddy and Globalsign that verify that servers running HTTPS web sites are who they claim to be. (A carefully-secured web connection isn’t much good if you’re sending private data to a spoofed site.) Once verified, these authorities issue those computers a “certificate” they need to make their HTTPS encryption work with your browser.

The certificate is designed to be an unforgeable signature that’s cryptographically checked by your browser so that you can be sure your communications are decrypted only by the intended site and not an impostor.

Unlike commercial certificate authorities, however, Let’s Encrypt is free, thanks to corporation sponsorship from companies including Cisco, Google and Akamai. It’s available to websites anywhere in the world—even far-flung countries like Cuba and Iran that sometimes aren’t served by other major certificate authorities. And it’s automatically configured with a piece of code that runs on any server that wants to switch on HTTPS.

“This is the silver bullet that…lowers the barrier to encrypted web communications,” says Ross Schulman, the co-director of the cybersecurity initiative at the New America Foundation. “It brings the cost of executing a secure website down to zero.”

All of that has led to a noticeable tectonic shift in the layer of encryption unfolding across the web. The 1.8 million certificates Let’s Encrypt has issued to 3.8 million websites make it the third-largest certificate authority in the world now, according to Aas, behind Comodo and Symantec. And because 85 percent of those sites never had HTTPS before, it’s already significantly boosted the total fraction of sites that are encrypted on the web as a whole.

Based on numbers Mozilla gathers from Firefox users, encrypted sites now account for more than 42 percent of page visits, compared with 38.5 percent just before Let’s Encrypt launched. And Aas says that number is still growing at close to one percent a month. “For the web, that’s a rate of change that you don’t usually see,” he says. “A lot of us have our eyes on that 50 percent mark.”

Chart: HTTPS growth rate, April 2016.

Let’s Encrypt’s free and automated HTTPS certification is designed to make it easy for individuals without technical expertise or resources to encrypt their sites. But its automation also helps big companies trying to roll out HTTPS to a large number of customers. WordPress, for instance, announced just last week that all sites hosted on WordPress with custom URLs will now be encrypted by default using Let’s Encrypt’s certificates. And that automation is set to get more sophisticated in the coming months, says Peter Eckersley, a technologist with the Electronic Frontier Foundation, which has helped to create and maintain the Let’s Encrypt certification software.

Upcoming versions, he says, will be capable of more detailed configurations—geekier tasks like making sure the certificate properly displays its expiration date to browsers and uses the most secure encryption algorithms. “We want to not only get a certificate and install it for you, but also deal with all the behind the scenes settings to get things right and have HTTPS actually be secured,” Eckersley says.

Just how easy it is to get a Let’s Encrypt certificate hasn’t always been a good thing. In January, security firm Trend Micro pointed out that the group’s certificates were being used to encrypt the connections between malicious advertisements on a website the firm declined to name and on a server controlled by cybercriminals, who used that encrypted connection to install a banking trojan on visitors’ computers.

After all, Let’s Encrypt only certifies that a site—or in this case, an element of a site—is encrypted by the server from which that content is loaded. Unlike some commercial certificates, it doesn’t claim to check who the organization is behind that server, which is a more manual and involved process.
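The two points above, that Let’s Encrypt issues through a piece of automation running on the server and that it checks control of a domain rather than the identity of the organization behind it, come together in the domain-control check the CA runs before issuing. The following is an added example written for this page; it is not code from the Wired article, from Let’s Encrypt or from its client software. It implements the CA’s side of the HTTP-01 challenge from RFC 8555 (ACME) together with the JWK thumbprint of RFC 7638, and everything it uses (the account key, the challenge token, the “web server” dictionary and the `fetch` callable standing in for an HTTP GET) is constructed so that it runs offline.

```python
"""How a CA such as Let's Encrypt checks control of a domain before issuing.

Added example: not code from the Wired article, from Let's Encrypt, or from its
client software. It follows the HTTP-01 challenge of RFC 8555 (ACME) and the JWK
thumbprint of RFC 7638. The account key, the challenge token and the web server's
responses below are constructed stand-ins, and the HTTP fetch is a plain callable
so the whole thing runs offline.
"""
import base64
import hashlib
import json
import secrets

# RFC 7638 section 3.2: the members hashed into a thumbprint, per key type.
# Anything else in the JWK (kid, alg, use, ...) is deliberately ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members serialized with keys in lexicographic
    order and no whitespace (RFC 7638), so every client derives the same value."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: what the client must publish for this token.
    Only the holder of the account key can compute the thumbprint part."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """CA side of the HTTP-01 challenge. `fetch(url)` stands in for an HTTP GET
    and returns the body as str, or None on any failure. Passing proves that
    whoever holds the account key can place content on the domain's web server;
    it says nothing about which organization operates that server."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    # Trailing whitespace is tolerated (RFC 8555 section 8.3); compare in
    # constant time so the CA does not leak how much of the value matched.
    return secrets.compare_digest(body.strip().encode("utf-8"),
                                  expected.encode("utf-8"))


# Constructed sample account key: the modulus is not a real RSA key, only
# base64url text of the right shape so the thumbprint can be computed.
ACCOUNT_KEY = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xk9bNjiI1rQb4c2FnH1gQ9GZ0o6V7P4w8sYd3eKtLmA-q2B7ZcR5hT0uJpW_NvXy"
         "Ef6Gh8Kl2Mn4Op6Qr8St0Uv2Wx4Yz6Ab8Cd0Ef2Gh4Ij6Kl8Mn0Op2Qr4St6Uv8W",
    "kid": "https://ca.example/acme/acct/42",  # ignored by the thumbprint
}


def run_challenge(domain: str = "example.test"):
    """Walk through one challenge: the honest server passes, an impostor fails."""
    token = b64url(secrets.token_bytes(32))  # the CA's fresh random token
    url = f"http://{domain}/.well-known/acme-challenge/{token}"

    # The legitimate ACME client publishes the key authorization at that URL.
    honest_site = {url: key_authorization(token, ACCOUNT_KEY) + "\n"}
    # An impostor sees the token in the CA's request but lacks the account key.
    impostor_site = {url: token + "." + b64url(b"\x00" * 32)}

    return (validate_http01(domain, token, ACCOUNT_KEY, honest_site.get),
            validate_http01(domain, token, ACCOUNT_KEY, impostor_site.get))


if __name__ == "__main__":
    honest_ok, impostor_ok = run_challenge()
    print("honest server validated:", honest_ok)  # True
    print("impostor validated:", impostor_ok)     # False
```

Two things worth noticing in the check. First, the thumbprint binds the challenge to the ACME account key, so a party who merely observes the token in the CA’s request cannot produce a passing response. Second, nothing in the exchange identifies a company or person: a certificate issued on the strength of this check (domain validation) attests only that the requester controlled the domain at the time, which is exactly the gap the Trend Micro report above illustrates.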

Aas doesn’t pretend that all Let’s-Encrypt-certified sites are benevolent. “People ask if the bad guys use Let’s Encrypt. The answer is basically ‘yeah,’” he says. “But they’re also using a server, an ISP, a domain name. [An HTTPS] certificate is only a small part of their plan, and taking it away wouldn’t really change what’s going on.”

Allowing that kind of occasional criminal use of web encryption, Aas adds, is a small price to pay to help shut down a kind of low-hanging surveillance fruit of the web—one that’s available to any interloper, from a snoop on the Starbucks Wi-Fi network to Comcast to the NSA. “For any country that spies on its citizens and other countries’ citizens, when you put your information out there in the clear, it makes widespread surveillance easy,” says Aas. With ubiquitous HTTPS, he adds, “the price of surveillance goes up. There’s no free lunch anymore.”

http://www.wired.com/2016/04/scheme-encrypt-entire-web-actually-working/

How Splitting a Computer Into Multiple Realities Can Protect You From Hackers

“WIRED”

“Warsaw-based firm, Invisible Things Lab, started developing its own operating system known as Qubes. The free open source OS lets users set up a collection of virtual machines on their PC, with a simple central interface to manage each quarantined system. Careful users can keep their personal online activities isolated in one virtual machine, for instance, while they do their work in another, and their banking in a third. Open a malicious email attachment or click on an infected website and the malware can’t break out of that one contaminated container.

If it works as promised, even NSA-level exploits would be contained to a single compartment in Qubes’ architecture, one that could be evaporated and re-created at will. Recovering from even the nastiest hacker attack, in other words, could soon be as easy as waking from a bad dream.”

Joanna Rutkowska | The metahacker turned the notion of spyware—and defenses against it—inside out. Image: Joe McKendry

http://www.wired.com/2014/11/protection-from-hackers/

The Next Big Thing To Fight Hackers? Self-Healing Computers

“DEFENSE ONE”

“We’ve talked about the need to go from static defenses,” such as firewalls, under so-called continuous monitoring, to “active cyber defenses — doing automated hardening, automated defense of our networks,” said Philip Quade, chief operating officer of NSA’s information assurance directorate. “But I think there is one more step that we’re not really talking about and that’s automated regeneration, automated resiliency.”

The pricey DHS-sponsored initiative now underway, known as continuous diagnostics and mitigation, or CDM, is expected to supply all agencies with sensors and specialists to move from traditional three-year vulnerability checks to real-time problem spotting. Agencies have until 2017 to achieve full implementation.

In between CDM and futuristic self-healing is active response, sometimes called “active defense,” which can include, for example, sharing threat intelligence with potential targets in real time.

Yet, “even with these automated defenses in place, bad things are still going to happen,” Quade said. Organizations need to be asking themselves: “What can you do to automatically regenerate to a minimally secure state, and be automatically resilient and get back to the operating position?”

Quade was speaking at a cyber industry forum in McLean, Virginia, hosted by the Chertoff Group.

Quade called automated resiliency “the next big thing,” but added, “I’m not optimistic that we’re getting anywhere close to that.”

Don’t panic yet, federal government. NSA and DHS are thinking ahead, he said.

Right now, the two agencies are already collaborating on this sort of spontaneous regeneration, Quade told Nextgov after the discussion.

Ultimately, as arbiter of governmentwide cyber operations, DHS would make the decision whether to roll it out fully.

But it makes sense “to take the work that we and DHS are doing and define it as the natural next phase of CDM,” Quade said during the interview.

To be clear, he added, continuous monitoring “is a very, very good thing, but you need to have the ability to act.”

http://www.defenseone.com/technology/2014/11/next-big-thing-fight-hackers-self-healing-computers/98171/?oref=d-river

Image Credit:  Smartplanet.com

The Wonderful Possibilities of Connecting Your Fridge to the Internet

“WIRED”

“Connecting your refrigerator to your shopping list has been a dream of manufacturers since the first commercial Internet fridge launched in 2000 by LG. But do you—does anyone—want to scan bar codes as they put food into their so-called “smart” refrigerator? What connectivity shouldn’t do is turn you into a slave to your devices, constantly monitoring them or, worse, feeding them data.

The first refrigerator connected to the Internet was in a wired 100-year-old house in the Netherlands, where it existed alongside networked lights, doorbell, mailbox, and, yes, even a toilet. The refrigerator went online on July 12, 1998, and it’s still there. All it does is record and broadcast every time the fridge door opens. As of this writing, its owner, Alex van Es, has opened it almost 70,000 times in the last 16 years. Call it the Quantified Fridge.

Outside of the pure voyeuristic novelty, there’s not a lot of value from this information. It’s certainly not life altering, and it’s certainly not going to lead to everyone’s favorite new design pastime: behavior change. Not all data is created equal, and certainly not all of it is meaningful to collect and display. I’m pretty sure the number of times a refrigerator has been opened falls into this category.

However, one valid reason to put something on the Internet is to check its status. What is this object doing, and is that good or bad? How much energy/resources/time is it consuming? Is something broken? Connecting sensors to the right internal components and sending that data online where it can be viewed via an app or web page is a way of giving you x-ray vision. But the emphasis here is on “right.” I probably don’t care how many times the fridge door has been opened, but I do care if the compressor breaks and everything in my freezer starts melting.

And that’s the second reason to put anything on the Internet: to be able to adjust it if something is wrong. If I get an alert that the temperature inside my refrigerator is suddenly rising, it would be great to be able to do something about it: attempt to fix the problem right there, order a new part, or replace the device with a new one. You could summon a repairman to come fix it.

This kind of connecting of objects to services is the third reason to connect something to the Internet: to easily engage resources outside of the object to improve, fix, or extend the object. If my dishwasher runs out of detergent, reorder it or add it to my shopping list.

Problems that Internet-connected appliances must resolve:
• You don’t want to remove physical controls: In the early dawn light, as you groggily stand in front of your coffee machine, do you want to find your phone and launch an app so you can get your morning caffeine fix? No you do not.

• You don’t need to run general-purpose apps: “Hey, I’ve got a few minutes. How about I use the screen on my stove to surf Facebook?” said no one, ever.

• You don’t need irrelevant data: Knowing how many gallons of dishwashing detergent I’ve used over the years? Fascinating stuff.

• You don’t want unrelated data collected and sold: I don’t want my appliances spying on me, or even suspect that they do. Observe me and my patterns, yes. Spy on me, no. And there’s a big difference. Spying involves giving away private information (secrets) to people I don’t want to know them. If you are using information from my dishwasher to upsell me life insurance, that’s intrusive. It feels creepy in a way that knowing I’m out of detergent and offering to buy more does not.

Even if all of this gets solved, why bother putting your refrigerator on the Internet? Especially if hackers could turn it into a spam machine? So it can be smart.

The Right Kind of Smarts

Smart appliances humbly predict our needs and modestly adjust as little as possible to accommodate them. This sometimes requires connecting to the network for a better, bigger brain or to draw upon the collected intelligence of similar objects. You don’t need to stuff lots of processing power and memory into the object itself if it can use resources in the cloud. Imagine if your refrigerator could learn how to keep food cooler more cheaply by looking at the data from other refrigerators in the area? Collective machine intelligence and the benefits it could engender such as fixing model-specific problems and product efficiency are good reasons to enable network connectivity.

We can also have a conversation with smart appliances. They can tell us what they’re up to when we ask, or tell us something’s wrong when it’s essential. They can observe our lives and provide small insights we don’t even notice. They can talk to other appliances, and pass along helpful information, the way that Nest Protect will tell the Nest thermostat to shut off the furnace if it detects carbon monoxide.

We can have a new relationship with our appliances, one where the previously mute boxes of plastic and metal become new platforms—not for apps, but for meaning and value. By learning how we use them and how we live our lives, they’ll be able to provide services to us we can’t see right now. They’ll set themselves up and fit into the existing household by knowing what—and who—is there and adapting to them. Appliances will grow and change with you and the house.

Connectivity, just like installing a microprocessor was decades ago, has to be a means to an end: more effective, more efficient, more resilient, more transparent, more powerful, more interesting, more enjoyable, more adaptable products.”

http://www.wired.com/2014/10/is-your-refrigerator-running/