Clearing the Perimeter for your CISO – John Powers Episode 3

We’ve been following the comedic “Meet John Powers – CISO” series from Tripwire. And they hit the ball out of the park with their latest and last video, “The Spy Who Logged Me”.

This one is my favorite by far.

I loved the line, “I was in ROTC I want to show you something real quick” – Classic!
I truly laughed out loud at the ending.

Great acting, perfect video!

Check it out!


Bank Cyber Security tested in ‘Quantum Dawn 2’ Drill

July 18 Trustedsec CEO David Kennedy on Bloomberg Television’s “Taking Stock.”

Major players in the financial industry are currently under a massive cyber attack. But no worries, the attack is simulated and is being used to test bank security planning and response to a large-scale attack.

Dubbed ‘Quantum Dawn 2’, the drill sounds like a large multi-player online game. The exercises, which started today and will continue into tomorrow, will test how well financial institutions can work together to respond to and mitigate a large simultaneous attack on multiple areas of the financial market.

“Players” will use a software tool called “the Distributed Environment for Critical Infrastructure Decision-making Exercises — Finance Sector (DECIDE-FS).”

Basically the participants will be tasked with keeping the money flowing, as it were, in the face of scripted and timed attacks.

The drills could not be more timely, as a recent report showed that nearly half of the world’s financial markets have come under some level of cyber attack in the last year. And many are not satisfied that their defense is up to the task of stopping advanced intruders:

Top bankers are increasingly aware of the possible threat but have little confidence in their ability to thwart attacks, with one quarter of respondents admitting their “current preventative and disaster recovery measures may not be able to stand up against a large-scale and coordinated attack”.

In the video link above, one of our favorite security gurus, David Kennedy, CEO of Trustedsec, currently gives our country’s financial cyber capabilities an ‘F’:

Bank Cyber Report Card

But his company and others are working hard to ensure that our financial cyber woes are fixed, and exercises like “Quantum Dawn 2” will go a long way in preparing the financial system for the worst before it happens.

For more information, check out David and Security Compass Managing Director Sahba Kazerooni in the video above discussing the “War Games on Wall Street” on Bloomberg Television’s “Taking Stock”.

Nice job guys!

Snowden Impervious to Torture, uses Unbreakable Encryption

Rest assured people, the secrets that Snowden has and still hasn’t released are protected by the most unbreakable encryption in the world in which Snowden has the only key. And even torture itself will not drag it out of him, because, as he says, he is “impervious” to torture…

According to The Guardian, Snowden made these bizarre claims in an e-mail exchange with former United States Senator Gordon J. Humphrey. During the exchange Snowden reasserts his claim that he only released what he did for the greater good, to educate and inform the American people about the spying that the government was involved in against its own civilians.

He then stated that he did not release any information that would harm our people and that the rest of the secrets he has are protected.

But how well?

Well, completely impervious to compromise. That is if you believe what Snowden says in this e-mail:

“… Further, no intelligence service – not even our own – has the capacity to compromise the secrets I continue to protect. While it has not been reported in the media, one of my specializations was to teach our people at DIA how to keep such information from being compromised even in the highest threat counter-intelligence environments (i.e. China).

You may rest easy knowing I cannot be coerced into revealing that information, even under torture.”

A pretty big boast. I know some guys who have been trained to resist torture. But these guys are high end operators, not IT guys.

And what about the reports that the Chinese took his laptops from him when he arrived in Hong Kong?

According to the NY Times, “Two Western intelligence experts, who worked for major government spy agencies, said they believed that the Chinese government had managed to drain the contents of the four laptops that Mr. Snowden said he brought to Hong Kong.”

Does he really think he could hold up under Russian torture?

I mean really?

And who is to say that they would just beat him? There are other ways to make a man talk.

What about drugs?

Or better yet, this:

Snowden Marriage

Yeah… I think this young man is in way over his head…

Android Patch Fixes Two File Vulnerability Attacks

Android Vulnerability

Google has released a security update that patches two separate vulnerabilities that could allow apps to be modified without changing their digital signature. Thus malicious apps could be installed without triggering a warning.

The first was discovered in February of this year by BlueBox Security. They found that if you took two application install files, one legitimate and one hacked – but using the exact same file name, you could get Android to install the hacked one.

When the resulting zipped APK file is processed and installed, Android would correctly check the digital signature on the first file to verify its legitimacy, but would actually install the second file!

According to BlueBox, 99% of Android devices are vulnerable to this attack. Sophos has a great step-by-step write-up on it here, or if you are at Black Hat USA 2013 later this month, be sure to check out Jeff Forristal’s talk, “Android: one root to own them all”.
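As a defensive check for the duplicate-file-name condition described above, the following added example (not code from this post, BlueBox, Sophos or Google) flags any archive that stores the same entry name more than once. The function names are hypothetical and the sample archives are constructed in memory with placeholder bytes; they are not real APKs.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: count} for every name stored more than once."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps one record per central-directory entry,
        # so repeated names are still visible here.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_variants(apk_bytes: bytes, name: str) -> list:
    """Return the contents of every stored copy of `name`, in archive order.

    Differing copies mean two parsers could each pick a different file
    for the same name, which is the mismatch the signature check missed.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def build_sample(entries: list) -> bytes:
    """Build a constructed in-memory archive from (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about a duplicate name but still writes the entry.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one clean archive, one with a repeated entry name.
CLEAN = build_sample([("AndroidManifest.xml", b"manifest"),
                      ("classes.dex", b"copy-one")])
SUSPECT = build_sample([("AndroidManifest.xml", b"manifest"),
                        ("classes.dex", b"copy-one"),
                        ("classes.dex", b"copy-two")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        dups = duplicate_entries(blob)
        print(label, "->", dups or "no duplicate entry names")
        for name in dups:
            print("  copies differ:", len(set(entry_variants(blob, name))) > 1)
```

A well-formed APK has no reason to contain two entries with the same name, so any non-empty result is worth rejecting or investigating before installation.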

The second vulnerability was published last week on a Chinese website called the ‘Android Security Squad Blog’ (Google Translation). According to the site, the signature verification process can be attacked by modifying file headers.

Apparently malicious code can be added into the file headers, which at the time of the post’s writing was not checked by the Android’s signature verification process.

Both vulnerabilities have since been patched by Google. But the problem is how long it will take device manufacturers to implement the changes and push them out to end-user devices. Also of concern are older devices that are no longer being updated.

According to The Verge, Google has made changes to the Google Play store updating mechanism to help prevent attacks like this from happening, and Sophos recommends using an Android Anti-virus program to protect against the vulnerability.