While it is easy to say that Meltdown and Spectre prove that hardware is just as risky as software, I believe we should instead focus on how we got here.  I believe there is a lesson rooted in our approach to technological innovation as highlighted by Marc Andreessen’s seminal article Why Software Is Eating the World.

Software Defined Everything has become the rallying cry of organizations.  In a drive to reduce cost and speed up innovation we have started to treat hardware as a commodity and focus on software as the solution.  But there is a problem.  What if our hardware cannot keep up with our software?  Are we asking too much of our hardware?

Moore’s law states that processor speeds double every two years (or eighteen months according to Intel).  In technology two years is an eternity so engineers have devised ground breaking methods to speed up processors.   One such method, called speculative execution, allows a processor to perform a function before it knows whether the function is required.  If the function is not required then it is discarded but the act of completing it, just in case, allows the processor to perform operations more quickly.

Click to Subscribe

While designed as an optimization technique, Meltdown and Spectre proved that a cache timing attack could take advantage of speculative execution to expose secure kernel memory.  As described by The Register, “To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs…It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.”

https://youtu.be/q3WZiiaXHps

Another example of the desire to use software to solve the limitations of hardware is the deployment of Virtual Machines (VMs).  VMs have truly changed the world, creating the cloud and allowing organizations to dramatically reduce cost.  VM technology allows collocated, software-based operating systems to share expensive hardware resources.  VM security is based on hardware Trusted Platform Module (TPM) storing secure information and software hypervisors scheduling access to hardware resources.

Despite these barriers, side channel attacks can still be used to cross the boundary between collocated VMs and steal private information.  These attacks involve an attacker VM alternating execution with a target VM to observe behavior of the underlying hardware.  They take advantage of the fact that, in order to conserve memory and speed up processing, VMs often share caches and libraries (i.e., memory page deduplication).  While difficult, multiple researchers have shown a side channel attack’s ability to retrieve secure information including private keys.  Other researchers have shown the ability to perform Denial of Service (DoS) attacks by using the VM scheduler to monopolize hardware resources at the expense of collocated VMs.

With the advent of Software Defined Networking (SDN) will the next attack be listening to other people’s traffic on bare metal switches?

If we are asking too much of our hardware what can we do to correct it?  Should we accept slower processors, which has been the result of Intel’s patches?  Should we no longer allow collocation of VMs or demand completely separate data centers for our servers?

I am sure we will not start accepting slower speeds or higher costs so the next best option seems to be education.  Developers need to understand how hardware and software interoperates in order to prevent future cybersecurity attacks.  For instance, in addition to a six week course on Python, developers should also invest in a six week course on machine language.  Perhaps if they understood how hardware resources are actually used by software they will know when to push hardware and when not to.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Hardware’s Burden: Meltdown and Spectre appeared first on TELEGRID.

The post Authentication Token Cybersecurity and NIST 800-63-3 appeared first on TELEGRID.

AAA servers like AD and Radius servers are the central point for all access requests.  Anytime a user wishes to access an application, server, etc. their credentials are sent to a AAA server to determine whether they are legitimate (authentication) and are allowed access (authorization).  Depending on their configuration, the AAA server will also log access (accounting) although this is more commonly performed in commercial mobile networks.

Since the AAA server communicates with multiple applications and devices, across multiple security domains, it has become a prime target for botnet and denial of service (DoS) attacks.  Hackers and cybersecurity researchers have begun to take notice.  Let’s look at three examples.
 

Click to Subscribe

 
First, IBM X-Force Research recently identified a banking trojan virus, Qakbot, that locked out thousands of AD users.  Qakbot is financial malware and is typically used to drain online bank accounts.  This was the first time researchers have seen it used as a DoS attack by preventing users from accessing applications and devices.

Second, researcher Guido Vranken used fuzzing, where malformed data is injected into a software application, to expose several vulnerabilities in FreeRadius, the most popular open source RADIUS server.  As Security Week pointed out, “The list of vulnerabilities includes memory leak, out-of-bounds read, memory exhaustion, buffer overflow and other issues that can be exploited to remotely execute arbitrary code or cause a DoS condition.”  Luckily the open source community was quick to address the vulnerabilities.

Third, at this year’s Black Hat conference, Threat Intelligence engineers gave a talk about a method to turn the AD Domain Controller into a botnet’s command and control server.  As they pointed out, the AAA architecture, where disparate computers take access instructions from a central controller, closely mimics that of a botnet.  If malware were installed it could take advantage of existing AD commands and user attributes to transfer information between infected clients and out of the network.  If there was only one AD domain controller for the entire network, this would allow data transfer between security domains.

For the moment many of these attacks can be prevented by patching, monitoring and constructing proper network architectures.  However, as the hacker community continues to turn its attention to AAA it is only a matter of time before widespread zero day Active Directory cyber attacks are unleashed.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Active Directory Cyber Attacks appeared first on TELEGRID.

It seems the scale and timing of the ransomware attacks should be a major cause for concern.  However, I believe that the nature in which these attacks are being dealt with highlights 3 rays of hope that we are turning a corner in cybersecurity.

The first ray of hope is the amount of money being raised from these ransomware attacks.  As mentioned, WannaCry affected 300,000 computers with each user being asked for $300 to unlock their data files.  That should equate to $90,000,000.  It is estimated, however, that only $50,000 was collected.  This means that the vast majority of users figured out another way to deal with the crisis.  Perhaps users backed up their data or, in the case of Rosneft, switched to an entire backup system.  With virtual machines and cloud computing, administrators can simply tear down infected systems and rebuild them to a previous image.  The way organizations are dealing with ransomware is a clear sign of better planning.

Click to Subscribe

The second ray of hope is how the attacks are being thwarted.  WannaCry was undone by a 22 year old white hat hacker who recognized a simple kill switch.  In short, ransomware is designed to recognize traps by sending a request to a fake website.  This test is designed to fail and lets the ransomware know that it is on a real machine and not trapped in a simulated sandbox.  To stop WannaCry this 22 year old simply bought the fake domain and set up a real website.  When the ransomware stopped getting a failed signal it shut itself off.  While interesting, the fact that the ransomware was undone by a simple fix is not the ray of hope.  The ray of hope is that WannaCry was undone by an anonymous 22 year old researcher, not a major cybersecurity company.  We should be happy that there is an army of white hat hackers out there working to keep the internet safe.

The third ray of hope is the scale of the attack.  While it is estimated that WannaCry infected 300,000 computers, this new variant has so far only affected 2,000.  The SMB protocol exploit, on which both attacks rely, can be resolved by a simple Windows patch.  The reason WannaCry was so widespread is that administrators did not update their systems.  Perhaps the reduced scale of this new attack points to the fact that administrators are becoming more careful with security patches.

While we can take comfort from these 3 rays of hope, we are not out of the woods yet.  Cybersecurity is a game of cat and mouse and this week’s ransomware attack will not be the last.  However, organizations spent over $80 billion on cybersecurity in 2016 and the rapid nature in which ransomware is being dealt with proves that this was money well spent.

Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

The post Ransomware and 3 Rays of Hope appeared first on TELEGRID.

As an embedded software developer I can go on and on about the many benefits of LINUX.  I can easily list hundreds of benefits.  What I believe is the greatest though is the LINUX repository.

The LINUX repository is an online archive of open source and proprietary software packages that programmers use for development or maintenance.  There is a repository for every LINUX distribution with compiled packages for a multitude of hardware configurations.  Software developers can create upgrades or security patches and upload them to the LINUX repository where they can be easily downloaded by users.

Click to Subscribe

Unfortunately, new security risks are forcing system administrators to limit connectivity between secure networks and the internet.   You can’t be hacked if a hacker can’t get in. While a closed network is ideal for security, it is a big problem for software maintenance.

Since the LINUX repository is online, the software upgrades are inaccessible on a secure network.  For years defense contractors, like TELEGRID, have had to go to great lengths to deploy software upgrades on secure networks.  This leads to delays in the deployment of security patches and seemingly endless upgrade cycles.

To resolve these issues we recommend replicating the LINUX repository inside secure networks with an offline LINUX repository.  But how do we update the LINUX repository if it is offline? One solution is to deploy a cross domain solution that straddles the secure and unsecure networks.  Another solution is compressing repository updates and sending them to a system administrator who can upload them into the offline LINUX repository.

While secure networks are important we must not forget that the main goal is functional, bug-free and secure code.  An offline LINUX repository will make it easier to maintain code on secure networks and apply needed security patches.  It seems the President agrees.

Beth Flippo is Vice President of Embedded Software at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Does President Trump Want an Offline LINUX Repository? appeared first on TELEGRID.

• On December 30, 2016 the Congressional Internet of Things Working Group released a white paper on IoT stating that, “Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure.”

• On January 5, 2017 the Federal Trade Commission issued a complaint against D-Link claiming that D-Link’s “routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access.”

• On January 9, 2017 the Federal Drug Administration released a note about St. Jude Medical stating that its devices had vulnerabilities that, “if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device.”

• On January 12, 2017 the Department of Commerce released a Green Paper highlighting the security concerns around IoT. It states that the DDoS attack, “was the most visible and far-reaching example of the potential risks that must be mitigated when considering IoT.”

It appears that this the beginning of an activist approach taken by the Government to monitor IoT device manufacturers.  Indeed, the Congressional Internet of Things Working Group white paper states that participants, “grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation, or a combination of all the above.”

Click to Subscribe

TELEGRID is a designer of secure embedded systems for the US Military and has developed a framework to design systems in line with DISA’s Security Technical Implementation Guides (DISA STIGs).  While some commercial manufacturers follow NIST guidelines others ignore security completely.  As Senator Mark Warner, co-founder of the Senate Cybersecurity Caucus stated, “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

Is the Government going to “incentivize” commercial manufacturers to bake in security?  Will the Government shut certain companies out of the market for selling unsecure IoT devices?  What will be the cost impact to consumers?

These are all very tough questions and it seems the Government is moving quickly to try to answer them.  Are IoT manufacturers paying attention?

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Government Activism and IoT appeared first on TELEGRID.

I believe that in order to answer this question properly we must make three comparisons:

1. The average loss for a home burglary versus the average loss for an identity theft
2. The probability of a home burglary versus the probability of an identity theft
3. The cost of a home security system versus the cost of identity theft protection

In its report on Crime in the United States, the FBI found that in 2014 the average dollar loss per burglary offense was $2,251.  This is higher than the average dollar loss for identity theft over the same time frame which was $1,343 according to the Department of Justice.

Click to Subscribe

However, when considering the number of occurrences, identity theft is far more likely than a burglary.  The DoJ reported 17.6 million cases of identity theft, or 7% of all US residents above the age of 16, in 2014.  This was 10 times more than the 1.7 million burglaries that were reported over the same time period by the FBI.

In terms of cost it is difficult to gauge exact figures based on the multitude of offerings for both home security systems and identity theft protection.  However, it seems that identity theft protection is the same or less per month than a home security system.

I understand that a home security system also provides the intangible value of personal protection and that there is no value that you can put on peace of mind.  However, I could counter that the majority of burglaries happen between the hours of 10AM and 3PM, when the homeowner is not home, and therefore personal protection has no inherent value.

So, should I protect my possessions or my identity? Based on this very simple statistical comparison it seems that, if I had to choose, I should protect my digital identity before I protect my physical possessions.  What would you pay to protect?

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Should I protect my possessions or my identity? appeared first on TELEGRID.

It all started as a harmless exchange between like-minded adults.  It was something I had experienced many times before either at work or in the privacy of my own home.  Normally I would not even have paid attention to it but it was what happened next that scared me.

I was at my desk when an email arrived with the familiar title, “Eric, please add me to your LinkedIn network”.  I normally ignore LinkedIn requests from people I don’t know but this one was different.  Alex was an executive at an oil & gas company.  He had a complete profile and a picture of him riding a bicycle.  I do not know how he found me but I assumed he had read one of my amazing blog posts ;).  Since he was in the oil & gas industry and my company sells cybersecurity and wireless mesh networking tools to utilities I decided to click Accept.

The next night Alex sent me a message thanking me for accepting his request and telling me about an amazing opportunity to sell his company’s jet fuel.  Turns out he needed help in the US and the job would pay extremely well for only 5 hours of work per week.  Within the message was a link to a job offer and another link to an overview of his company.  Now “this ain’t my first rodeo” so I reported the message as LinkedIn Phishing and blocked Alex.  (On second thought I should have had the white hat hackers in my company reply with a link to lock his computer.)

The exchange left me wondering, are companies doing enough to protect against LinkedIn Phishing?

Companies train their employees to ignore phishing emails and deploy sandboxes to protect networks.  Companies also put in protections against Facebook Phishing, normally by blocking access since Facebook is not considered a work application.  However, LinkedIn is not email and it is not Facebook, it is a great tool that professionals use to expand their networks.  For this reason companies do not have LinkedIn Phishing protections but rather encourage their employees to connect with as many people as possible.

So what can companies do?

Since this came over the LinkedIn messaging system it is unlikely that it would have been caught by a spam filter, and, even if it was, an employee could still access the message from the LinkedIn website. This means that in order to prevent LinkedIn Phishing a company would have to block all of LinkedIn.  Additionally, this was not a bulk email phishing attempt that could be tracked, but rather a concerted spear phishing effort by someone who connected one day and then came back the next day to phish.  LinkedIn could solve this problem, and I am sure they are working on it, but until then the only solution seems to be employee training.

Or, I could be completely wrong, Alex is real, and I just missed the opportunity to get into the fast growing jet fuel market.

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post LinkedIn Phishing – Are your employees safe? appeared first on TELEGRID.

Stop “Over Exaggerating” to Scare Your Customers

In most organizations cybersecurity sales’ rule #1 is to scare potential customers. Salespeople “over exaggerate” by telling customers the barbarian hordes are at their gates and if the customer does not buy the solution today then they will lose hundreds of millions of dollars. Then salespeople back up their claims with impressive statistics like 110% of people were compromised by the exact problem that our solution resolves. As Homer Simpson once said “you can come up with statistics to prove anything. Forty percent of all people know that”.

The truth is that your customer knows the statistics and they understand the risks. Don’t sell to customers by fear mongering but rather by inspiring. Just last week a customer referred to TELEGRID’s Privileged Access Management tool as “elegant”. That is what you want to hear.

Show your customer how easy your solution is to install, how it will make their day-to-day job easier and most importantly how it will promote network best practices. Considering how many attacks are from an employee doing something they shouldn’t, network best practices are extremely important.

Click to Subscribe

Your Bathroom is as Important as Your Point of Sale System

When selling a cybersecurity tool salespeople should consider the impact of integrating it into a network. For instance enabling two-factor authentication requires the install of an agent on every application or host device. This forces customers to make difficult decisions about what should and should not be secured.

The first applications to be secured are always those that handle Personally Identifiable Information (PII). These applications are important but so are the “non-critical” applications. How would your organization fair if it was the victim of a ransomware attack on its inventory database or client relationship management system. Salespeople should consider these gaps and help customers to resolve them.

Taking it back to Ryan Lochte’s alleged incident, I bet that gas station owner in Brazil sent all of his credit card data securely and that his cash register had a lock on it. He even paid to have security guards protect the premises 24/7. What he could not afford to protect was his bathroom and we all know how that ended. Ok that might be a stretch but you get my point.

In my last post I discussed how we need to rethink cybersecurity tools from a security AND network performance standpoint. I think we also need to rethink how we sell cybersecurity tools.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Ryan Lochte and Cybersecurity Sales appeared first on TELEGRID.

“WHAT ABOUT LATENCY?”

Three simple but powerful words that show where cybersecurity has started to go wrong.  How can you put every packet in its own tunnel without massively affecting network performance?  Does user experience even matter anymore?

Click to Subscribe

Is it just me or are new cybersecurity products just rehashes of old cybersecurity products?  We have gone from 128 bit encryption to 256 bit encryption.  We have gone from endpoint protection to advanced endpoint encryption.  We have gone from firewalls to next generation firewalls.  We have gone from deep packet inspection to deeper packet inspection to deepest packet inspection.  It is the same thing Hollywood did when they remade the greatest films of our generation like Ghostbusters and Vacation.

Do vendors stop and think about the effect they are having on network performance?  Indeed a Cisco survey found that 71% of Chief Executives think that cybersecurity slows down the pace of commerce.  So how are vendors improving cybersecurity without affecting latency?  The answer seems to be more blade servers, faster processors, and ASICs.  This may work but it also translates into higher costs for the customer.  Are cybersecurity vendors starting to price themselves out of the market?

We need to rethink cybersecurity.  We need to start designing solutions based on both network protection AND network performance.  We need to look at our network from a holistic standpoint and identify existing tools that we can use for cybersecurity.  Let’s call it Cybersecurity 3.0!  (I know we skipped 2.0 but I was at a social media talk last week and the speaker used the term Web 3.0 so cybersecurity needs to catch up.)

In the next few weeks TELEGRID will be launching the first Cybersecurity 3.0 product which promises to turn the field of authentication on its head.  If you are not on it already then Join Our Mailing List so you do not miss the release.  In the meantime if you are looking for a secure authentication tool give me a call at 973-994-4440 and I will give you a sneak peek.

Eric Sharret is Vice President of Business Development at TELEGRID.

Click to Subscribe

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.

The post Why is Cybersecurity So Slow? appeared first on TELEGRID.