It was an amazing feeling seeing my logo all over the place at Security BSides London this year. In case you missed it, this blog post will bring you up to speed.
The EU Agency for Network and Information Security (ENISA) manages the programme of pan-European exercises known as Cyber Europe #CE2018.
The Cyber Europe exercises are simulations of large-scale cybersecurity incidents that escalate to become Cyber crises. I am part of ENISA's approved NIS Experts*, where I have both designed and reviewed different Cyber incidents/exercises for the pan-European Cyber Europe exercise, I wanted to share with you the opportunity to get to know more about this very important bi-annual European initiative. This year is the 5th pan European Cyber crisis exercise. The scenario
Cyber Europe 2018 planners developed a scenario revolving around Aviation which can include, Civil Aviation Authorities, Air Navigation Service Providers (ANSPs), Airport Companies, Air Carriers, with potential impacts in other sector.
The scenario will contain real life inspired technical incidents to analyse, from forensic and malware analysis, open source intelligence, and of course non-technical incidents.
The incidents will build up into a crisis at all levels: local, organization, national, European. Business continuity plans and Crisis management procedures will be put at test
The exercise is organised for IT security, business continuity and crisis management teams coming from EU and EFTA Member States only.
More: https://www.enisa.europa.eu/topics/cyber-exercises/cyber-europe-programme *NOTE: The CEI List of Experts is a tool used solely for the purposes of assessing and identifying suitable external experts for a potential future contractual working relationship with ENISA. It is emphasised that inclusion in the list does NOT mean that you are considered to be an official representative of ENISA or in any way entitled to represent the Agency.
Britain’s most critical industries are being warned to boost cyber security or face hefty fines, as the government acts to protect essential services from cyber attacks.
"We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services," said the current Minister for Digital, Margot James.
In August last year, it was mentioned by the former Minister of Digital Matt Hancock, that a new government directive is being considered, that will allow regulators to inspect the Cyber Security status of companies.
More specifically, it was said that companies in the Energy, Transport, Water and Health sectors, are expected to have "the most robust safeguards".
Towards the end of each year, we tend to come across several reports and white papers that discuss the cyber-threat predictions/concerns for the following year. However, I do believe that very few of these reports really attempt to dig deep when it comes to emerging Cyber related threats and really discuss future trends.
I have had several discussions regarding the future of cyber risk exposure and how cyber risk assessments will start experiencing a significant shift in the following months. There is a bigger picture when it comes to cyber threats and cyber crime. It is not only how much a data breach or business disruption will cost, but at what scale it affects people's lives. This is the moment we need to take a step back and look at magnitude and implications. The main reasons why things should be expected to dramatically change in the Cyber front between 2018-2020, are briefly outlined below:
a) The General Data Protection Regulation (GDPR). GDPR has brought Information Security and Cyber Security into the boardroom as a discussion topic, "motivating" stakeholders to act upon the requirements before the regulation is finally in effect (25 May 2018). You should also consider that the disclosure of a breach needs to take place within 72 hours from the moment it was detected, the increased cost of responding to a data breach, and the fines imposed under GDPR.
b) The number of Cyber attacks expected in 2018 and their impact, according to the Cyber Security Breaches Survey conducted for 2017. (FYI: The official Cyber Security Breaches Survey 2018 detailing business action on cyber security and the costs and impacts of cyber breaches and attacks will be publish in April 2018).
c)Now consider the domino effect when it comes to the scale and magnitude of the cyberattacks anticipated by 2020, in contrast with the current state of readiness of business entities and their dependencies across all industries.
The recently published Global Risk Report by the World Economic Forum (www.weforum.org) has highlighted some very important facts regarding the risk perception for the year 2018. Cyberattacks are now perceived as a global risk of highest concern, especially to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018 according to the publish Global Risks Report.
Even though this is not an "official" term that is being used (well, at least not yet), it does describe the concern I am trying to explain to people at different occasions. I often discuss GDPR from the security perspective, and the conversations most of the time end up focusing at the implications of the regulation and the "next day". This is when I end up trying to describe the potential scenario of "GDPR Extortion", as I always like to see things through different lenses when it comes to forward-thinking in Information Security and CyberSecurity.
By saying "GDPR Extortion" I tend to mean something similar to "DDoS Extortion", and it is easier to give an example to people in order to explain this type of potentially evolving threat.
This year is my first time to the Balcan Computer Congress, known as BalCCon (BalCCon2k17) in Novi Sad, in Serbia. I have visited Serbia a few times for work and it is a pleasure to have the opportunity be back, attending this amazing conference and present a talk.
BalCCon (@balcc0n) is a three-day conference with a great line-up of speakers, hackspace activities that include soldering and hardware hacking, retro gaming, workshops, and a pleasant atmosphere with a party-mood throughout the day.
This year’s event is the 5th BalCCon2k17. The conference opened on Friday 15/Sep/2017 by Jelena Georgijevic Krasojevic. She welcomed everyone and gave a small introduction about the event and its history. The event started at 14:00, which gave people enough time to fly to the country in the morning or make sure they had a really good night sleep if they arrived the previous night. If you haven't been to BalCCon, it is time for you to make plans for next year. The package includes, amazing talks, plenty activities for people to do, many workshops to attend, a friendly atmosphere, good food, and warm weather.
A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.
Test You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/ Alternatively, you can test for Ticketbleed yourself with a Go script: here
Fixes and mitigation The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available. Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections. Reproduced here are the instructions provided by F5 and available at the link above.
Log in to the Configuration utility
Navigate on the menu to Local Traffic > Profiles > SSL > Client
Toggle the option for Configuration from Basic to Advanced
Uncheck the Session Ticket option to disable the feature
I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.
During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry. The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.
IRISSCON 2016 - The 8th #IRISSCERT Cyber Crime Conference Ireland's first CERT (Computer Emergency Response Team) This year, my talk was all about Cyber Resilience. The talk provided the opportunity to participants to familiarise and understand what the term really means, and why it should not be considered as another buzzword used in the industry.
"Threats constantly evolve based on the way our defences counter-evolve, and this cycle is something that is going to happen no matter what. What matters the most, is in what way we act upon, and how our decisions need to be part of a bigger forward looking strategy that does not treat security in an ad-hoc manner, especially when it is too late"
The 8th IRISSCERT Cyber Crime Conference will be held this year on Thursday the 24th of November 2016 in the Ballsbridge, Pembroke Road, Dublin.www.iriss.ie
This all day conference, focuses on providing attendees with an overview of the current cyber-threats throughout the world and focuses especially on threats that affect businesses in Ireland, and what should be the best course of action when it comes to defending against these threats. You can find my recap blog post for last year's event here.
Like every year, professionals that work in cybersecurity and tackle cybercrime / cyber threats on a daily basis, will be sharing their thoughts and experiences, while attendees have a unique opportunity to ask questions,discuss cybersecurity strategies, and most importantly will meet and network with likeminded individuals allowing them to share their views and opinions. I am honoured to be invited to speak at this event and get to share my thoughts and views on cybersecurity and most importantly, on cyber resilience, which is also reflected by my talk's title: "All aboard, next stop; Cyber Resilience". The abstract for my talk can be found below and I do hope you find it interesting. If you find yourselves in Dublin during the conference, I strongly suggest getting a ticket on time and join us at IRISSCON, and please come and say hi. It is always a pleasure to meet people who are passionate about information security and cybersecurity, and want to discuss/share their thoughts and opinions. Looking forwards to seeing you all there.
It was a great honour for me to present this year at a hacking conference like BruCON (brucon.org).
As many of you already know, I started this because I wanted to know how the payment process works behind the scenes (Payment Card Industry - PCI) and how secure these systems are, which we take for granted on a daily basis. After researching Point-of-Sales (POS), Point-of-Interaction (POI) devices and Virtual Terminals (VT) for almost 4 years, it was about time to do a presentation that wouldn't be behind closed doors as I usually do. I talked with a number of acquires, issuers, payments processors and POI OS manufacturers and let them know about my findings way before this talk.
There are so many things to say on this subject, that it is really difficult for me to decide where I should start. I do not want to create a very long post, so, I will try to keep this brief and to the point. I will not try to explain each point in more detail because it wouldn't be much of a help at this stage, but I will try to give a few pointers on why it is currently considered a very challenging task for companies to employ talents.
Even thought this is not an article for talents in the music industry, I have included the following video for you all to see. Believe me when I say, everything will make sense by the time you read through the article.
Again, before you read any further, keep in mind that everything I am writing here is about the process of: identifying and employing talents, and more specifically talents in information security and information technology, and especially those that have a 'growth mindset'. (I will talk about the 'growth mindset' at a different post).
When you find a job opening online, it is most likely to have been written/revised by the HR department based on what is currently being asked for this role, based on similar job opportunities on the Internet. You can actually spot such job openings by looking at the requirements and see that they ask for “a little bit of everything” that does not really make a lot of sense. If you are the person tasked with the responsibility to hire someone and you try to modify the HR’s “template/process” to suit the particular needs of this new job opening, good luck.
You are going to end up filling-in forms and forms, that do not ask the right questions on what you are trying to achieve, it is almost impossible to deviate from the HR’s template and at the end of the day after spending time on this, the HR will have the final say on what will be the final form of the job opening. On top, in most organisation the shortlisting phase is done by HR staff who in reality have no real understanding of what is your skillset for the particular job other than cross-checking the preset requirements in the job post. Hiring talents requires you as an organisation to rethink the whole process and ensure it actually invites talents to apply for the job openings your company has.
Talents do not fit in job descriptions. A talent does not live under a title saying I am a penetration tester, a security consultant, a security architect, etc. With talents, it works the other way around. They just know things (love to keep learning things) or they are really good on things that they do not know how good they are. They can combine information they already know to find solutions, they know how to solve problems, they have ideas, they think in a different way than other people do. Instead of trying to fit them in a job description, look behind the curtain and read between the lines during the selection process and the interview. Allow them to tell you what they can do for the company, and the role they are interested in.
Most of the time, the shortlisting process simply excludes talents from getting into an interview. Imagine you are the talent and you have to spend almost two-three hours of your time, trying to put your CV in an online web application, that asks you questions completely irrelevant, because it was meant to be generic. For example, when you are planning to hire a developer who is a talent, you want someone who really knows how to write code, who knows how to solve an algorithmic challenge because he/she takes pride on that, someone who is not going to reuse a solution from “stackoverflow” that has no idea how or why it seems to be working. These qualities cannot be put in a job description, cannot be highlighted in the automated shortlisting process. These qualities can only be identified during the interview when the person (talent) has a chance to answer the right questions.
The interview is the most important stage of the whole process. Let’s assume that the person being interviewed (who is a brilliant candidate and the talent the company is looking for) managed to overcome the aforementioned problems and got shortlisted for an interview (face-to-face or otherwise). The candidate, has now to face four major problems.
The person conducting the interview is not trained or suitable for conducting interviews in general. Some of the people tasked to do this, they either do not like it, or they are really bad at it (even after training). The interview ends up being a great opportunity for people who know how or willing to “charm” the interviewer, and tell him/her what exactly he/she expects to hear. A talent is not there to charm anyone and play sympathy games. A talent expects to be respected as a person, valued for what he/she knows, demonstrate how eager he/she is to learn, what he/she can offer in this role and to be asked the right questions.
It is true that talents might have awkward personalities but this is part of what makes them special and so good in what they do. Consequently, the interviewer not only needs to be really good at interviewing people but also needs to be able to read between the lines. Not all people are comfortable talking about themselves, or go into an interview with the right attitude, or reply to the questions like superstars, or say something catchy. Sorry to break it to you, but if this is what you want to see in an interview, then you are looking for a "used car salesman", not a talent. Allow people time to feel comfortable and open up slowly. If they cannot talk about themselves, ask things about them and they will tell you (their answers might be brief sometimes, and your role is to help them elaborate on them). There are occasions where the interviewee replies to a question with something brilliant or something the interviewer is not familiar with. Instead of having an empty expression on your face and try to change the subject, think about allowing the talent to elaborate on this. We all learn a new thing every day, and your pride won’t be hurt if you listen carefully for a change.
The almighty checklist of standardised questions and the tick in a box. Don’t do me wrong, having a checklist of questions that need/should be asked is fine, but make sure you are asking the right questions. Seriously, what is the purpose of the question “can you tell me the OWASP Top 10 by heart”. Such questions simply are asked to make the interviewer fill superior (establish his/her dominance in the room) and the interviewee to feel that he is not in charge (despite how "well" you respond to the question). Include questions that allow the interviewee to elaborate on his/her experiences and thought process (how do deal with problems, suggesting alternative solutions, investigating issues, proposing new project ideas, etc.), and not tricky/sneaky questions with a double meaning that he/she cannot think about at that particular moment mostly due to the stress of the interview. Also, make sure you took the time to read the CV (resume, for my US friends) of the person you are interviewing and allow him/her to tell you if they have done some amazing things (projects), and which are these (and how did they come up with the idea and why). Telling/Admitting to the interviewee that you haven’t read his/her CV before entering the room and conducting the interview, from where I stand, is simply unacceptable and you should not be conducting the interview (any interviews in general). If you haven't spend at least ten minutes to read through the submitted CV/Resume prior to the interview and highlight the thinks you would like the interviewee to elaborate upon, then clearly you are not interested in finding a talent for the company (and this lack of interest in finding a talent is currently being interpreted by many companies as a shortage of talents). You are simply wasting your time just to get away from work for an hour or so, wasting the interviewee's time and you just want another tick in a box saying that you conducted an interview.
The interviewee can do nothing about his/her future “team-mates” feeling threatened by the fact the company is about to hire the talent they were looking for, for so long. It is not uncommon for the first interview to be conducted by the person who is supposed to become your future boss. This is actually really good as you get a vibe of the person in charge and he/she gets an opportunity to get to know you (and explain what he/she is looking for to bring in the team, the real need, not simple a generic job description). Imagine now the case where the talent nails that interview and his/her future boss is really impressed. So impressed, the candidate is asked to stay and do the second interview on the same day and get things going as fast as possible. Sometimes, that second interview is given to someone the candidate will end up working with, which is usually considered to be the “number two” guy on the team. As we are only human, there have been cases where the interviewer felt like he/she is not going to be the “number two” for much longer, because the candidate is really a talent. In that case, the almost future boss ends up getting a disappointing report / feedback from his/her “number two”, saying that the candidate failed the technical part of the interview. In one occasion, believe it or not, the guys conducting the second interview said this to each other after the interview: "This person is brilliant, has everything the team needs and what the company is actually looking for at the moment. However, if we decide to recommend this person, he/she will be able to everything (every task) we assign him/her to do without any problems or training. I am afraid he/she will be able to demonstrate that he/she can do both of our jobs within two-three months time".
Last but not least, asking the right questions. It was mentioned a few times during the article on purpose. First of all, keep in mind that is a lot easier for talents to identify talents in their particular area of expertise (I am not referring only to people with technical skills here). There is no point asking questions that anyone can answer using a search engine by simply clicking on the “I’m feeling lucky” option. Talents are being identified
a) by their achievements (up to that point in time),
b) the reason(s) why they did things in a certain way to solve a problem,
c) the way they challenge themselves on a daily basis and
d) what challenging projects they have completed successfully,
e) their particular and unique thought process,
f) their out-of-the-box thinking and novel ideas, etc.
Ensure the questions being asked reflect upon these qualities. Allow the questions to take twists and turns, be flexible based on the personality and background of the person being interviewed, allow the questions to be scalable and progress slowly towards the right direction, elaborate and engage with the candidate in order to reveal the hidden diamond behind the sometimes, rough surface.
Based on the alluded, and assuming that you took the time to watch the embedded video, consider a job opening in the music industry where a record company wants to put together a band. Imagine now this record company interviewing for bands the way the Information Security industry conducts interviews for talents (automated short-listing process, narrow and irrelevant questions, interviews that do not allow you to demonstrate your talent(s) but reply to standardise checklists, etc). Just image the questions:
Q: What instruments each member of the band knows to play? A: None
Q: Do you sing? A: Well, this guy does, there rest of us make noises.
Q: Can you dance? A: No, we just sit on stools most of the time.
and so on...
I would like to assume that you are now getting where I am going with this and I really hope you enjoyed reading this post (and the metaphor). I am considering making a proper presentation on the subject with more details and examples.
As most of you already know, October is Cyber Security awareness month. The aim of the Cyber Security awareness month is toraise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sector, on how to stay safe online.
Cyber Security is promoted extensively during this month and many events are being organized with the sole purpose to engage and educate public and private sector entities, while provide them with the necessary tools and resource to stay safe when connected online. Given the opportunity let’s talk about the UK’s Cyber Security Clusters and how you could get to engage, participate, network and most importantly ask any questions that you currently have regarding your organizations cyber security posture and staying safe online.
The challenge of continuous security are going to be discussed at this year's annual "Securing Online Gaming" in London, on the 4th October 2016. It is a great to be among such amazing speakers and have the opportunity to speak about the challenges of securing online gaming.
I will be representing DeepRecce which already has a leading role in the market when it comes to its cyber security solutions and its under 15 minutes deployable managed SOC solution across any number of hosts.
My talk will discuss Online Gaming towards Cyber Resilience, and more specifically it will focus on:
Today's challenges & requirements towards security online gaming
How attacks are evolving, and what should we expect
Taking steps for an effective Cyber Resilience strategy
The event will take place near the St. Paul's Cathedral and The Barbican. This is directly opposite the Museum of London. Located at 200 Aldersgate etc.venues St Paul's is a state of the art conference centre with the largest room holding up to 400 along with a further 12 rooms for conference breakouts, training and meetings.
Another year, another 44CON in London. A line-up of great talks, and a very good opportunity to catch-up with friends from the industry. The event took place between 16-18/Sep 2016, at the ILEC Conference Centre.
This year you were able to solder your badge while you were there. There was a nice corner dedicated to soldering, with solder irons provided and all the bits to make it work.
I ended up making six of those in order to help out a couple of friends. It was really easy to make and really fun to do, especially when it started working as it should.
The badge is called HIDIOT and it is short for HID IO Toolkit. :) The Human Interface Device Input/Output Toolkit (HIDIOT) is a USB-based board for manipulating and experimenting with USB HID class devices. The version given out at 44CON is unreleased. In effect, we decided to make our badge a piece of 0day hardware.
I had the honour to be invited again this year by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days. The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.
It was a great opportunity for me to catch-up with so many friends at SnoopCon. I also find out that Anoop Sethi has decided to retire after approximately 12302 days uptime (33 years) for BT. It is a great honour to have known Anoop, the man who fundamentally changed the way Security and Penetration Testing is viewed in BT. Given the opportunity, I would like to personally wish Anoop all the best with anything he decides to do and I would like to thank him for being such an amazing individual. I had a fantastic day at BT and the quality of the guest talks was over the roof. I am going to outline here briefly the content of the talks in the order they were presented.
ENISA (European Union Agency for Network and Information Security) is organising the European Cyber Security Challenge 2016 - the largest European challenge for cyber security talent. The Challenge will be held in November in Dusseldorf, Germany - and the Greek National Cyber Security team will compete with other national teams in various security-related challenges, such as web security, mobile security, crypto puzzles, reverse engineering, forensics.
The Greek team will be assembled in a qualifying round - in which we'd like to invite you to participate!
The qualifier will be held on Saturday, July 9 at the Department of Digital Systems of the University of Piraeus. The challenges will be similar to the ones outlined above, and the top 10 participants will comprise the Greek team that will travel to Germany. In order to be eligible, contestants need to legally reside in the country, be aged between 14-30, not have a Master's or higher degree or any professional experience in the information security sector - and of course have some InfoSec skills! Both competitions will be held in English, so contestants need to have at least basic understanding of the English language.
All you need to do to get the chance to compete in the qualifier is to register in the official website of the Greek team http://ecsc.gr/ Registrations are closing this week (Friday, July 1), so hurry up and register!
It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime.
Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.
Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event.
Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.
Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story.
We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved.
At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.
Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware. Have a plan, Be Prepared Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.
Badlock is a a crucial security bug in Windows and Samba. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available [here].
Microsoft and the Samba Team have been working together in order to get this problem fixed and for a patch to be released. You will have to update your systems as this security flaw is expected to be actively exploited soon enough. Badlock is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible). There are additional CVEs related to Badlock. Those are:
CVE-2015-5370 (Multiple errors in DCE-RPC code)
CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
CVE-2016-2112 (LDAP client and server don't enforce integrity)
