[ISN] ASSESSMENT: Corporate Threat Intelligence Versus Actual Intelligence Products

http://www.infosecnews.org/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/
By Scot Terban
Special to InfoSec News
March 10, 2014

Threat Intelligence:

Threat intelligence is the new hotness in the field of information security, and there are many players who want your money to give you their interpretation of it. Crowdstrike, Mandiant, and a host of others all offer what they call threat intelligence, but what is it really, in the end, that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison d'être of a threat intelligence report: actors that may have an interest in your environment.

A case in point is the report from HP that was conveniently released right in time for this year's RSA conference in San Francisco. This report on the Iranian cyber threat was hard to read due to the lack of real product, or knowledge thereof, that would have made this report useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long-winded assortment of Googling as Open Source Intelligence, this report makes assumptions on state actors' motivations as well as on non-state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering said intelligence, intelligence is not "intelligence" until proper analysis is carried out on it. This was one of the primary problems with the HP report: the analysis was lacking, as was the use of an intelligence analyst who knew what they were doing.

Clients and Products:

When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have "products" that "clients" consume, and in the case of the HP report on Iranian actors it is unclear as to whom the client is to be here. There are no direct ties to any one sector or actor for the intelligence to have any true "threat matrix" meaning, and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect them, when creating a report that should be tailored to the client paying for it. Of course the factors of threat actors and vectors of attack can be general at times, and I assume that the HP analyst was trying to use this rather wide-open interpretation to sell a report as a means to an end: to sell HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC, and that they had a kiosk somewhere where they were hawking their new "Threat Intelligence" services to anyone who might want to pay for them.

In the case of this threat intelligence report, ask yourself just who the client is here. Who is indeed really under threat by the alleged Iranian hackers that are listed? What sectors of industry are we talking about, and who are their primary targets of choice thus far? In the case of Iran there has also been a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions, but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTPs and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company, and this report generates none of this. This fact makes the report not really threat intelligence at all, not in the aspect of either true intelligence or corporate intelligence.

http://krypt3ia.wordpress.com/2014/03/09/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/ […]





[ISN] Perspective: Microsoft risks security reputation ruin by retiring XP

http://www.computerworld.com/s/article/9246837/Perspective_Microsoft_risks_security_reputation_ruin_by_retiring_XP
By Gregg Keizer
Computerworld
March 9, 2014

A decade ago, Microsoft kicked off SDL, or Security Development Lifecycle, a now-widely-adopted process designed to bake security into software, and began building what has become an unmatched reputation in how a vendor writes more secure code, keeps customers informed about security issues, and backs that up with regular patches. But the Redmond, Wash. company, which just touted SDL's 10-year history with a flashy, anecdote-filled online presentation, seems willing to risk torching that hard-won reputation by pulling the plug on Windows XP.

Microsoft plans to ship the final public patches for Windows XP on April 8. After that, it will not deliver fixes for security vulnerabilities it and others find in the 13-year-old operating system. The result, even Microsoft has said, could be devastating. Last October, the company said that after April 8, Windows XP would face a future where machines are infected at a rate 66% higher than before patches stopped. […]



[ISN] CanSecWest talk on infrastructure attacks canceled after being classified

http://blogs.csoonline.com/security-industry/3050/cansecwest-talk-infrastructure-attacks-canceled-after-being-classified
By Steve Ragan
Salted Hash
CSO Online
March 09, 2014

Eric Filiol, head of the Operational Cryptography and Computer Virology lab hosted by ESIEA in Laval, France, was scheduled to give a talk on Friday at the CanSecWest conference in Vancouver, British Columbia. However, that talk has been canceled after reviewers in the intelligence community deemed it a security risk. In addition to censoring the talk, they also threatened legal action against the conference and presenters.

In a brief post on the subject, Dragos Ruiu, the founder and organizer of CanSecWest, outlined the basics.

"The French Dept. of Interior (their DHS equivalent) and the U.S. DoD have decided that Eric Filiol's material about network attacks on infrastructure is too dangerous, so they have classified it, disallowing its presentation, and to punctuate their desires with an exclamation point, rattling sabers about prosecution and lawsuits of conference organizers and presenters. To which I'd like to remind everyone concerned: 'Security by Obscurity, is not much Security at all.' Hiding vulnerability information hinders solutions and mitigation more than it hinders attackers." […]



[ISN] Bad news for 169K after new HIPAA breach

http://www.healthcareitnews.com/news/bad-news-169k-after-new-hipaa-breach
By Erin McCann
Associate Editor
Healthcare IT News
March 7, 2014

Some 168,500 people are getting HIPAA breach notification letters after unencrypted computers were stolen from the Los Angeles County public health and health services departments, city officials announced Thursday.

According to a public notice, third-party billing vendor Sutherland Healthcare Solutions reported a burglary Feb. 5 involving the theft of several unencrypted company computers. Officials confirmed the computers contained patient Social Security numbers, demographic data, billing information, dates of birth and protected health information, including medical diagnoses.

"We sincerely regret any inconvenience or concern that this matter may have caused you," said Karen J. Pugh, vice president and head of healthcare compliance at Sutherland Global Services, in a March 6 statement. "We are reviewing our policies and procedures and have provided additional training to our workforce. Los Angeles County is also working with us to review our information privacy and security program and determine whether enhancements should be made." […]



[ISN] Mt. Gox CEO’s blog goes blank after alleged hack

http://news.techworld.com/security/3505809/mt-gox-ceos-blog-goes-blank-after-alleged-hack/
By Jeremy Kirk
Techworld
10 March 2014

Hackers attacked the personal blog of Mt. Gox CEO Mark Karpeles on Sunday and posted what they claim is a ledger showing a balance of some 950,000 bitcoins, based on records they obtained from the defunct exchange for the virtual currency. They said the sum contradicts Mt. Gox's claim in a Japanese bankruptcy protection filing Feb. 28 that it had lost about 850,000 bitcoins.

Neither Karpeles nor Mt. Gox officials could immediately be reached to verify the claims. Karpeles has maintained a low profile since the filing in Tokyo District Court. Mt. Gox, which pulled the plug on its website three days before the court filing, had announced that about 750,000 customer bitcoins it held are missing, along with 100,000 of its own bitcoins and $27.3 million in customer deposits. […]

