Direct iT at the DefCon 25 Security Conference

Hackers and security researchers from all over the world descended on Caesar’s Palace in Las Vegas last weekend for the DefCon 25 security conference.  Direct iT’s security and compliance team was onsite to hear about the state of the art in network security, and to hear from antivirus vendors, chip designers, penetration testers, and representatives from the FTC, the Department of Defense, the Navy, and many major security product companies.  There were a lot of hot topics under discussion about the role of security research in a world where hacking has become increasingly influential.
A few of the hottest hacking topics included:
  • Microsoft’s WannaCry bug and related exploits –  Egyptian security researcher Saif El-Sherei demonstrated techniques for analyzing and reverse-engineering Microsoft patches to identify undisclosed security holes that those patches were addressing, and showed how he used this technique to also identify a new related undisclosed security hole.
  • Hardware-level security problems – a lot of new research was presented about the security implications of hardware bugs, including the SandSifter — a program for detecting and analyzing undocumented, hidden, or buggy instructions in x86 CPUs (which was used to find bugs in Microsoft Azure virtual machines and in virtually all common CPUs).  This is a growing field within security research, based on the idea that no matter how secure our software is, that software has to run on hardware, and if that hardware is not also secure we will still get hacked.  Other research was presented about how simple it is to produce counterfeit or backdoored hardware (including relatively simple methods for implanting a hidden transmitter inside RSA 2-factor tokens, inside computer mice, and even for making counterfeit versions of special USB password-storing keys).
  • Cloud, SaaS, and hypervisor security –  there was a lot of focus on a new set of advanced tools for detecting and mitigating breaches that Microsoft is going to be giving free with Enterprise versions
  • Counterfeit and backdoored hardware hacks – there was a lot of discussion about how governments around the world place backdoors in computer and networking hardware, as well as how individuals also can exploit hardware.  One group of researchers presented a method for doing secure computation on insecure hardware.
  • IoT hacking – the takeaway from the IoT security part of the conference was not that hackers using advanced techniques could break into a few IoT devices — more that virtually all IoT devices are designed so insecurely that very standard, well-known security exploits are often all it takes to break into these devices.
  • Car hacking  – similar to the IoT findings, several groups presented research about car-related security hacks and also brought a few modern cars to the conference for hackers to analyze on-site.  What the research revealed was that car manufacturers are using out-of-date components to begin with and not doing any significant security hardening of car systems — for instance, modern Nissan and Infiniti cars were found to use a 10-year-old cellular chip that was used in the original iPhone, which has a number of well-known security exploits that can be used against the cars.  Similarly, radio researchers analyzed signals from Jeep wireless keys and found that anyone recording the radio signal from a Jeep key can easily clone that key.
  • Voting machine hacking – hackers at the conference took apart and analyzed several different types of common voting machines, quickly finding that many were based on Windows XP and were vulnerable to a number of common security exploits, including one that could be exploited over wireless.  In fact, it took less than an hour for them to break into one of the voting machines.

Direct iT Meets White House Cybersecurity Coordinator

DIT CEO David Javaheri with Rob Joyce

Special Assistant to the President and White House Cybersecurity Coordinator Rob Joyce visited the Foley Hoag offices in Boston on 5/22/17. Joyce was in Massachusetts to speak about the President’s May 11 Executive Order on Cybersecurity and how IT and security companies can collaborate.

Federal Government Focusing on Cybersecurity

The meeting focused on a number of new initiatives including:
  1. CyberMA: Part of CyberUSA, CyberMA is a new threat sharing platform that allows security companies to securely share information about new threats with each other in order to collaborate (like the cyber-criminals do)
  2. Education: There was also a lot of focus on introducing cybersecurity as a career choice at all educational levels.
  3. Executive Order: Joyce explained the three primary points of the May 11 executive order — (1) securing the federal government, (2) securing corporate systems that are vital to our infrastructure, and (3) securing the global internet.   He also hinted that the President’s new office of innovation could potentially offer more resources for security in the future.

The Game Has Changed in CyberSecurity: The growing importance of managed workstation updates

A global cyberattack last weekend used a Microsoft security hole to infect businesses and government agencies worldwide. Microsoft Windows Update is important but not enough…
Workstation Updates – Now Available and Fully Managed from DIT
Our fully managed program updates not only Microsoft software but over 50 other third-party applications such as Adobe Reader, Adobe Flash, Java, Skype, WinZip, and web browsers. This service is now available at a highly discounted rate of 15 minutes per desktop per month.
For more details or to enroll in this program,
Contact Direct iT


Massive Stolen Password Lists From LinkedIn and MySpace Put Over 500 Million Passwords in Hackers’ Clutches

Massive Password Lists Stolen and Shared

In the past few weeks, there has been a massive uptick in cyber attacks involving the use of stolen passwords to gain access to corporate email and other IT systems.  This increase can be traced to two recent events from May.  First, a hacker sold a list of 167 million LinkedIn account credentials (many including email addresses, usernames, and passwords) on the dark web.  Then, a few weeks later, the same hacker sold a bigger list containing 427 million MySpace usernames and passwords.  Very soon, both of these lists had been re-sold, copied, and shared around with hacker groups around the world.

Why These Password Thefts Matter

Now, most of us aren’t particularly worried about hackers getting into our LinkedIn or MySpace accounts, as nothing critically important is kept there. The real impact of these breaches comes from the fact that millions of people re-use the same usernames and passwords for everything, so the same list of usernames and passwords can be used to log in to many corporate e-mail, IT, online banking, and other vital accounts.

What You Can Do About It

1. Make sure you never re-use old passwords

2. Periodically review and change all important passwords on your network

3. Use strong passwords

4. If you ever used a password on LinkedIn or Myspace or any other breached site, make extra sure that you have not reused that password for anything else.
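The replay of a stolen credential list against a mail server leaves a recognizable trace in authentication logs: one source address trying many different usernames in a short burst, sometimes followed by a success on an account whose owner reused a breached password. The following detector is an added example, not code from the original post or from Direct iT; the log format, the source addresses and the usernames are all constructed for the illustration, and the window and username threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The first source is an ordinary
# user who mistypes once; the second tries a different username every second,
# which is what a replayed breach list looks like from the server's side.
SAMPLE_LOG = """\
2016-06-02T10:00:01Z auth src=198.51.100.20 user=alice result=FAIL
2016-06-02T10:00:09Z auth src=198.51.100.20 user=alice result=OK
2016-06-02T10:01:00Z auth src=203.0.113.7 user=alice result=FAIL
2016-06-02T10:01:01Z auth src=203.0.113.7 user=bob result=FAIL
2016-06-02T10:01:02Z auth src=203.0.113.7 user=carol result=FAIL
2016-06-02T10:01:03Z auth src=203.0.113.7 user=dave result=FAIL
2016-06-02T10:01:04Z auth src=203.0.113.7 user=erin result=FAIL
2016-06-02T10:01:05Z auth src=203.0.113.7 user=frank result=OK
2016-06-02T10:30:00Z auth src=203.0.113.7 user=grace result=FAIL
"""

# Assumed log format for the example; adjust the pattern to the real server.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one auth line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag every source address that attempted at least `min_users` distinct
    usernames inside a `window`-long span. Any success inside that span is
    reported as a likely compromised account (a reused password that still works),
    which is the case to reset first."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a time window over the source's attempts, earliest start first.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                alerts[src] = {
                    "users": len(users),
                    "failures": sum(1 for e in in_window if not e["ok"]),
                    "compromised": sorted({e["user"] for e in in_window if e["ok"]}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['users']} usernames, {info['failures']} failures, "
              f"successes to reset: {info['compromised']}")
```

Run against the constructed sample, the mistyping user at 198.51.100.20 produces no alert, while 203.0.113.7 is flagged with six usernames and one success (frank), and the lone attempt half an hour later falls outside the window. Counting distinct usernames per source rather than raw failures is what separates this pattern from a single user who forgot a password.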


Sources:

https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password

http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach

Microsoft Sues Justice Department Over Spying

On April 14th, Microsoft filed a lawsuit against the Justice Department in the Federal District Court in Seattle.  The lawsuit alleges that federal law enforcement agencies have used an unconstitutional interpretation of the Electronic Communications Privacy Act of 1986 in order to access thousands of Microsoft customers’ data stored in the cloud (primarily email such as Office 365 and Hotmail).  Microsoft claims that because this spying is so widespread, and because many of the orders also demand that the spying be kept secret and have no end date (either for the spying or the secrecy), this violates the Fourth Amendment right to protection from unlawful searches and seizures. Microsoft further claims that its First Amendment right to inform customers that they are being spied on is being violated.

“From September 2014 to March 2016, Microsoft received 5,624 federal demands in the United States for customer information or data. Nearly half — 2,576 — were accompanied by secrecy orders.”

Often, gag orders prevent companies from reporting government spying on their customers.  However, some companies use what is referred to as a “warrant canary”: a statement somewhere on their website or service that they have never been subject to any warrants or spying.  The idea is that when the government begins spying, the company can remove the canary notice from its site, so that users notice it is gone and become aware that spying may have occurred, without the company specifically notifying users in violation of the gag order. You can read more about warrant canaries at https://canarywatch.org/

You can also read the coverage in the New York Times at http://www.nytimes.com/2016/04/15/technology/microsoft-sues-us-over-orders-barring-it-from-revealing-surveillance.html?_r=0



Call Direct iT Today!

781-996-4918

One of our IT specialists is waiting to talk to you.

About Direct iT

Direct iT, Inc. is a New England based IT services firm offering products and services for small businesses in Greater Boston, New Hampshire, Rhode Island, and the rest of New England. Cloud, compliance, and document management services are also available worldwide. Many of our customers are along the Route 128 technology corridor.

Direct iT, Inc. Main Offices

39 Emerson Rd. Suite 215
Waltham, MA 02451
Sales: 781-890-4400
Support 781-890-1907
sales@directitcorp.com