InfoSec News

InfoSec

DoD Cyber Awareness training in less than three minutes

By

 

By William Knowles @c4i
Senior Editor
InfoSec News
October 4, 2019

Bozhe moy! Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online, yadda yadda yadda…

Let’s be honest, one month out of the year to concentrate on cybersecurity awareness is a real waste of time and resources, Every day should be National Cybersecurity Awareness Day. An informal poll of InfoSec News subscribers who have taken their annual DoD/DISA Cyber Awareness Challenge only really remember Jeff, Tina and that guy who steals your phone every year.

This slightly NSFW video covers a lot of ground in less than three minutes and might be onto something, another InfoSec News informal poll of non-cybersecurity aware people showed users were able to grasp the security concepts presented. (No idea if the low cut Russian military costume helped or hurt) Nevertheless, its free cybersecurity awareness training, Enjoy!

Bozhe moy!

So Who Hacked EC-Council Three Times This Week?

By

By William Knowles @c4i
Senior Editor
InfoSec News
February 28, 2013

On February 22nd, 2014 the EC-Council website was broken into and defaced by Eugene Belford (a.k.a. The Plague). For those of you living in a cave, or a compound outside of Abbottabad for the last 13 years, The EC-Council is an Albuquerque New Mexico based organization that offers security professionals a reasonably inexpensive certificate among other security certificates. to be compliant with DoD 8570. The website was defaced, and its content was replaced with a picture of Edward Snowden, and an HTML comment that gives away the identity of the “hacker” that compromised the EC-Council website.

After EC-Council wrestled back control of their site, a known password was reused, and two days later re-defaced the website showing the mail from Edward Snowden’s Yokota Air Base e-mail asking for an exam code, a copy of his U.S. Passport and a letter from John A. Niescier, an Information Security Officer with the Department of Defense Special Representative, Japan stating that he has verified Edward J. Snowden has at least five years professional information security experience in the required domains.

After the hacker mentioned “P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials” conspiracy rumors were swirling about who may have attacked the EC-Council website. Foreign training companies, secret squirrels, the Chinese, Russians, non-state actors.

On February 25th, EC-Council website was defaced a third time.

(Screenshot credit: @JamieCaitlin)

The folks at r000t’s Blag have found done some digging and on the surface, it’s pretty damning evidence.

As we’re unable to confirm this independently, read this first article: Who Hacked EC-Council?

Then read this second article: Inside Eugene’s Gibson (EC-Council, Part II)

Its NSFW – Not Safe For Work reading, but when has that stopped you in the past in the name of security research?

Since the EC-Council has been mum on whether or not there has been a massive disclosure of passports, drivers licenses, and CAC cards, I can promise you after reading the above articles, you will be angry at the U.S. Federal Law Enforcement community as it seems they have had this hacker in custody before, but were unable to charge him/her at the time.

Maybe this will be the event that changes this mindset in the future.

Pre-IPO online fashion marketplace Poshmark announces data breach

By

Pre-IPO online fashion marketplace Poshmark announces data breach

By William Knowles @c4i
Senior Editor
InfoSec News
August 1, 2019

Poshmark, the largest social commerce marketplace for fashion alerted users on Thursday via email and their blog that “data from some Poshmark users was acquired by an unauthorized third party.

“The data acquired does not include any financial or physical address information, and we do not believe your password was compromised.” Poshmark recommends that you change your password as a precaution and security best practice.”

According to Poshmark, Canadian users weren’t affected and this data breach was limited to U.S. users only.

The data that was stolen includes “certain user profile information specified for public use such as username, first and last name, gender, and city.” “Certain internal account information such as email address, user ID, size preferences, and one-way encrypted passwords salted uniquely per user (making it nearly impossible to use these passwords to access an account), as well as social media profile information collected when users connect social media accounts to Poshmark” and “Certain internal Poshmark preferences for email and push notifications”

The Poshmark security notice continues to say “We take the trust you have placed in us extremely seriously, and immediately upon learning of this incident, we expanded our security measures even further. We conducted an internal investigation and retained outside experts, including a  leading security forensics firm. The security forensics firm we retained ran extensive testing designed to find vulnerabilities in our software and systems. After the testing, the firm reported that it did not find any material vulnerabilities. While our security was already strong, we have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.”

How this data breach will affect Poshmark’s reported fall IPO is unclear, Poshmark has tapped Goldman Sachs Group Inc. and Morgan Stanley as its underwriters, according to the WSJ.

The Redwood City-based company was founded in 2011 by Manish Chandra, Tracy Sun, Gautam Golwala and Chetan Pungaliya and has raised about $153 million since its inception in 2011. Its last funding round, an $87.5 million Series E announced in November 2017, gave it a valuation of $600 million, according to its Crunchbase profile. Backers include Mayfield Fund , Menlo VenturesTemasek Holdings, and GGV Capital.

 

 

 

 

U.S. Army Cyber Command releases the DoD Identity Awareness and Protection Management Guide

By

 

By William Knowles @c4i
Senior Editor
InfoSec News
August 1, 2019

U.S. Army Cyber Command has posted the DoD Identity Awareness and Protection Management Guide for easy downloading.

The Identity Awareness, Protection, and Management (IAPM) Guide is a comprehensive resource to help you protect your privacy and secure your identity data online.

The IAPM Guide is divided into two-page chapters detailing key privacy considerations on the most popular online services, mobile apps, and consumer devices available in the market today. Each chapter provides you with tools, recommendations, and step-by-step guides to implement settings that maximize your security. The guide is updated twice a year, in March and September.

While some of the chapters in the IAPM Guide deal with technical issues, they do not require a technical background to follow.

The US Department of Defense creates this guide as a public service and hopes this guide will help readers keep their identities private and secure.

Riviera Beach Florida City Council Agrees to Pay Cybercriminals Nearly $600K Malware Ransom

By

By William Knowles @c4i
Senior Editor
InfoSec News
June 20, 2019

Riviera Beach Florida just became the newest member of a club no city or local government hopes to join. Taking only a few minutes and by a unanimous vote of 5-0 on Monday night the board authorized Riviera Beach’s insurer to pay 65 bitcoins valued at approximately $592K USD. Paying off a malware ransom that has crippled all of the city’s information technology infrastructure since May 29th after someone in the police department clicked on a malicious email.

But unlike the 2000 action flick Proof of Life, there’s no guarantee paying the ransom will unlock the affected computer network and all the encrypted files, and while its 2019, Its not likely Cyber-Insurance companies have former 22nd SAS and 75th Ranger Battalion types running around the world with machine guns blazing for a successful hostage rescue of a malware-infected network.

The council held a special meeting earlier in June to authorize $941,000 for 310 new desktop and 90 laptop computers and other hardware. Much of the existing hardware was a half-dozen-years old and vulnerable to another malware attack, so it was time to replace it anyway, Riviera Beach Councilwoman Julie Botel said.

In a 2016 survey, CIO’s for local governments across the country said more than a third of them were using outdated technology, making them more vulnerable to attacks. Riviera Beach will also spend an additional $25,000 coming out of their budget, to cover its insurance policy deductible.

With rising deficits and pension obligations, its understandable how a city like Riviera Beach or Baltimore Maryland can be compromised so easily when there isn’t the budget to hire a full-time information security professional and institute security awareness training for topics like not clicking on shit or scanning random QR codes.

Chad Loder, Founder & CEO of security awareness training firm Habitu8 posted on Twitter recently.

I’m astounded that some companies still purchase the cheapest security awareness training content “to save money”, but will put 2,000 employees each through an hour of terrible training.

You’re not saving money – you’re wasting it.

Chad Loder (@chadloder) – 19 Jun 2019

Cities across the United States and around the world will now have to decide, what is cheaper? hiring a full-time security professional, a part-time person, a managed service provider, or just paying the ransom and hope the files recover completely. However, hope is not a strategy.

With additional reporting from The Palm Beach Post